Data Management Policy
for the partners of the Szatyor Community for the Support of Environmentally Conscious Lifestyle Association, the users of its services, as well as the visitors and registered users of the websites https://szatyoregyesulet.hu and https://kozossegifacilitatorok.hu.
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data of natural persons and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as "GDPR")
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "Infotv.")
- Act V of 2013 on the Civil Code (hereinafter referred to as "Civil Code")
- Act C of 2003 on Electronic Communications (in particular Article 155 thereof)
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (in particular Article 13/A thereof)
- Act XC of 2005 on Freedom of Electronic Information;
- Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
- Act XLVIII of 2008 on the basic conditions and certain restrictions on commercial advertising (in particular § 6 thereof);
- Act C of 2000 on Accounting (in particular § 169(2) thereof)
(Article 169 of the CPA).
- NAME AND CONTACT DETAILS OF THE SERVICE PROVIDER, DATA CONTROLLER
Name / company name: Szatyor Community for the Support of Environmentally Conscious Lifestyle Association
Tax number: 18204632-1-07
E-mail: email@example.com
III. PURPOSE OF THE CODE
The Data Subject shall be informed before the processing starts whether the processing is based on consent or is mandatory and shall be provided with clear and detailed information on all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and the processor, and the duration of the processing.
GDPR (General Data Protection Regulation): Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
personal data: any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be uniquely identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
data subject's consent: a voluntary, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation;
a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
recipient: a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- DATA PROCESSING GUIDELINES
The processing of personal data shall be lawful, fair and transparent to the data subject.
Personal data must be collected for specified, explicit and legitimate purposes, ensuring that they are not processed in a way incompatible with the original purpose. Further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose.
The purposes for which personal data are processed must be adequate, relevant and limited to what is necessary.
Personal data must be accurate and kept up to date. Inaccurate personal data must be deleted without delay.
Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary. Personal data should be stored for longer periods only if the storage is for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes.
Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.
The principles of data protection shall apply to any information relating to an identified or identifiable natural person for which the controller is responsible.
VI. GENERAL DATA PROCESSING INFORMATION
ON THE LEGAL BASES FOR PROCESSING:
- A) Voluntary informed consent of the Data Subject to the processing (Article 6(1)(a) GDPR)
Where the processing is based on the data subject's voluntary consent, the data subject shall provide it in the following ways:
- In relation to the websites operated by the Association pursuant to point II, in addition to registration, consent is also deemed to be given if, when opening the website, the data subject ticks a relevant box or makes other technical settings or otherwise makes a statement that clearly indicates the data subject's consent to the intended processing.
- In addition, with regard to certain IT data, the provisions of this Policy and Information Notice are accepted as binding on the Data Subjects by visiting, reading and/or accessing the website(s) operated by the Association in accordance with point II for the purpose of obtaining information. By accessing the site, the Data Subject automatically consents to the processing of his/her data in accordance with this Policy.
- On a paper basis (e.g.: personal registration, use of services, event registration, conclusion of a contract, etc.), the Data Subject gives his/her consent by filling in his/her data and signing the form after reading the consent form on the data request form.
The data subject may withdraw his or her consent to the processing at any time, without prejudice to the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal. The controller may process the personal data after the withdrawal of the data subject's consent if:
- the processing is necessary for compliance with a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data. In any case, the controller shall carry out a so-called "balancing of interests test" before processing on the basis of legitimate interest;
- there are other legal obstacles to erasure.
Otherwise, the data subject's data will be deleted.
It should be possible to withdraw consent in the same simple way as it is given. Consent may be withdrawn at any time by sending a declaration to the notification addresses provided by the Association.
- B) Processing is necessary for the performance of a contract to which the individual is a party (Article 6(1)(b) GDPR)
Where the provision of the data is necessary for the conclusion of a contract with a private individual, the provision of personal data is a precondition for the conclusion of the contract with the Association.
- C) Processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR)
The legal basis for the processing may also be, in the relevant cases, the provisions of the Infotv. 5 (1) (b) of Article 5 (1) (b) of the GDPR. In certain cases, the controller may be obliged to carry out mandatory processing required by law or other legislation, which is independent of the consent of the data subject. In addition, the data controller is obliged to comply with any requests from public authorities, which may also involve the processing or transmission of personal data, which is also a statutory obligation of the data controller.
- D) Processing based on the controller's legitimate interests (Article 6(1)(f) GDPR)
Processing may also be carried out pursuant to Article 6(1)(f) GDPR if the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, and pursuant to Article 6(1) of the GDPR, the controller may also process the personal data of the data subject where obtaining the data subject's consent would be impossible or would involve disproportionate costs and the processing of the personal data is necessary for the purposes of the legitimate interests pursued by the controller or a third party and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data. In any case, the controller shall carry out a so-called balancing of interests test before proceeding with the processing on the basis of that legitimate interest.
Where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override the legitimate interests of the controller or a third party, the processing may not be carried out. Particular attention should be paid to the case where the data subject is a child.
VII. THE PURPOSES, LEGAL BASIS, SCOPE OF THE DATA PROCESSED, DURATION OF THE PROCESSING
SENDING OF NEWSLETTERS
Purpose of the processing: event announcements, information, information on projects; from which the data subject can unsubscribe at any time without any consequences.
Legal basis for processing: consent of the data subject. Please be informed that the user may give his/her prior and explicit consent to be contacted by the service provider with information and other mailings at the e-mail address provided upon registration; the service provider will process the necessary personal data for this purpose.
The data subjects concerned are the members and users of the website(s) operated by the Association and those who have subscribed to receive the newsletter on paper.
Form of processing: electronically, on a separate processing list in the IT system of the data controller; and also by means of paper contracts/declarations for the purpose of sending the newsletter.
Duration of data processing and erasure of data: data are processed until consent is withdrawn. The data subject may withdraw his or her consent to the processing at any time.
The data will be deleted when consent to processing is withdrawn. In addition to the methods described in the general information notice, consent may also be withdrawn by means of a link in the newsletters sent out (unsubscribe). In the event of unsubscription, the Association will not contact the data subject with further newsletters, information, brochures or offers. The data subject may unsubscribe from the newsletter at any time free of charge and withdraw his/her consent.
The data may be accessed by: the controller and its employees, agents and officers.
Please note that if you wish to receive a newsletter from us, you are required to provide the necessary information. If you do not provide this information, the Association will not be able to send you a newsletter. If the user does not subscribe to the newsletter service, this will not affect his/her use of the website and its other services, and the Association will not make the subscription to the newsletter service a condition for the subscription to any of its other services. The user may unsubscribe from the newsletter at any time by clicking on the link "unsubscribe from newsletter" or by sending a written request to firstname.lastname@example.org.
Please note that neither the username nor the e-mail address need to contain any personally identifiable information. For example, it is not necessary that the username or e-mail address contains the name of the data subject. It is entirely up to the data subject to decide whether to provide a username or an e-mail address that contains information that identifies him or her. However, the e-mail address, which is used for contact purposes, is strictly necessary for the delivery of a newsletter or technical information sent to the data subject.
As the operator of this website, the Association declares that the information and brochures published by it comply fully with the relevant legal provisions. It also declares that it is not in a position to verify the authenticity of the contact details when subscribing to a newsletter.
The registration number of the controller:
The authority keeping the register:
National Authority for Data Protection and Freedom of Information Address. Postal address: 1530 Budapest, PO Box 5.
Phone: +36 1 391 1400; Fax: +36 1 391 1410
E-mail: email@example.com Website: http://www.naih.hu/
Personal data that can be processed:
Scope of data processed
Date of subscription
Specific purpose of the data processing
Technical information operation.
Purpose of processing: issuing and sending (electronic) invoices as e-mail attachments or on paper.
Legal basis for processing: mandatory processing based on law, obligation to issue and keep supporting documents under the Accounting Act.
Data subjects: the service provider's customers. Form of processing: electronic or paper-based.
Duration of data processing and erasure of data: data processing is carried out until the expiry of the legal obligation to issue and keep the accounting law document (8 years) or until the withdrawal of consent for the recipient e-mail address, in which case the data subject may withdraw his consent at any time.
The data will be deleted when consent to data processing is withdrawn. The deletion of billing data may be carried out in accordance with the law (8 years).
The modification or deletion of billing data can be initiated by e-mail or by letter using the contact details provided above.
The data may be accessed by: the controller and its employees, the agent providing accounting services to the controller, the legal representative acting for the controller in the event of a claim.
The personal data that can be processed:
Scope of data processed
Address/place of residence:
Tax number/tax identification number:
Date of invoice:
Bank account number:
Specific purpose of the data processing
Identification, contact, billing.
Identification, contact details.
Identification of the customer.
Identification of the account.
Technical information operation.
THE PROCESSING OF PERSONAL AND STATISTICAL DATA RELATING TO PARTICIPANTS IN EVENTS ORGANISED BY THE ASSOCIATION
The purpose of the processing of personal data is to maintain contact, keep application documents and send newsletters.
The data subjects concerned by the processing of the data are: registrants, participants and contributors to the events organised by the Association.
Form of data processing: electronically, on a separate processing list in the IT system of the controller or on paper.
Duration of data processing and erasure of data: data processed for the purposes of identification, registration or receipt of newsletters based on the data subject's consent will be erased by the controller at the data subject's request, unless the data are also recorded on another legal basis. The data are deleted when consent to processing is withdrawn. The data subject may at any time request the controller to erase his or her data.
The data may be accessed by the controller and its employees or persons acting on its behalf.
Source of personal data: registration of participants, attendance sheet.
Scope of data processed:
Name E-mail address
Date of registration:
Specific purpose of the data processing
Technical information operation
PROCESSING OF DATA RELATING TO CONTACT, MESSAGE RECEPTION AND REPLY
Purpose of processing personal data: to enable the User to exchange messages with the Controller, and to reply to messages sent to the Controller by the above means.
Legal basis for processing: the data subject's consent. By voluntarily sending an e-mail or message, or by communicating by telephone, Facebook, etc., the user consents to the processing of the data he/she has provided and, where applicable, of other data he/she has indicated in his/her message.
The data subjects concerned by the processing: users who send messages to the controller using the contact details provided by the Association in this notice or on the website(s) operated by the Association.
Form of the processing: electronically, on a separate processing list in the controller's IT system, until the end of the information exchange period.
Duration of data processing and erasure of data: data are processed until the purpose is achieved (until the message is answered or the user's request is fulfilled, until the end of the information exchange). After that, the data controller deletes the data.
The data may be accessed by: the controller and its employees or persons acting on its behalf. Source of personal data: the declaration of the data subject.
The personal data that may be processed: any data voluntarily provided by the user in the message (including e-mail messages). In the case of the communication of unexpected personal data other than the name, e-mail address, telephone number of the user, the unexpected personal data will not be stored by the controller and will be immediately deleted from its IT system.
DATA PROCESSING LISTS
The data controller stores the data in its IT system in the form of the following electronic lists and databases, separately for each processing purpose, as well as the data processed for the purpose of sending newsletters, by printing paper contracts/statements.
Registration list: the list containing the registration data of registered users listed in VII.1 and VII.2. The data will remain on this list until the registration is cancelled by the user or the controller or until the user's request for cancellation is processed.
List for newsletter purposes: held for the purpose of sending newsletters, messages, information material and awareness-raising offers by e-mail, with the data listed in point VII.3. The data will be processed by the controller until the user's consent is withdrawn (unsubscribe) or the data is deleted at the user's request.
Lists related to information technology processing: anonymous lists containing data indicative of the browsing habits of users, as listed in point VII.16, and a temporary list of IP addresses of the devices of users who are currently browsing, kept exclusively in the information system of the controller. (The other data are stored on the user's device and are not kept by the controller in its own possession.)
List kept for messaging: a list containing the data of users who have sent a message using the contact details on the website, as listed in point VII.11, and containing the data of the persons concerned by an ongoing exchange of information, for the duration of the exchange of information only. Once the information exchange has ended, the data of the data subject will be deleted from the list.
Data transfer register: the controller shall keep a data transfer register for the purpose of monitoring the lawfulness of the transfer and informing the data subject, which shall include the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
Data protection incident register: a register of unlawful processing or processing of personal data and of the measures taken to rectify such unlawful processing or processing. It includes the scope of the personal data concerned by the personal data breach, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, and, in the case of processing based on a legal obligation, other data specified in the law requiring the processing.
PROCESSING OF DATA RELATED TO THE PROVISION OF AN INFORMATION TECHNOLOGY SERVICE
- A) COOKIES
Cookies are small files created by the websites visited. They improve the user experience by saving browsing data. Cookies help the website remember your site settings and offer you locally relevant content.
The types of cookies can be temporary, deleted at the end of the browsing session, or persistent; or they can be set by the website itself or by a third party. By type, they may be "security cookies", "essential cookies", "functional cookies", "cookies responsible for managing website statistics".
- a) Placement and processing of third-party cookies
Third party cookies are not issued by the controller or the server hosting your website, but by third parties. These cookies are also stored on the user's computer, phone or tablet when visiting the site (e.g. Google Analytics, social media, etc.).
This website uses the web analytics service Google Analytics (hereinafter referred to as "Google Analytics") provided by Google, Inc.
Google Analytics also uses "cookies", which are stored on the user's browsing device. In this way, it compiles reports for its customers to better understand how users use its website, based on their usage patterns. As an additional service, it generates reports related to website activity for the website operator to provide additional services, which the user can delete at any time in his/her browser settings.
The data is stored by Google's servers in encrypted form to make misuse more difficult and to prevent it.
The controller will store part of the data for a variable period of time, up to a maximum of 26 months. Cookies used: _gid, _ga, _gat, NID.
In addition to generating reports from website usage statistics, Google Analytics may also be used to display more relevant ads on Google services (such as Google Search) and across the web, and to measure interactions with the ads displayed by Google.
_ga: 2 years,
_gat: 1 second,
_gid: 1 day,
NID: 6 months,
1P_JAR: 1 month,
CONSENT: no expiry date
You can disable Google Analytics as follows:
For more information on data use and protection, please see the links above. For details on data protection: https://static.googleusercontent.com/media/www.google.com/en//intl/hu/policies/privacy/google_privacy_policy_hu.pdf
For more information about the information technology data processing process and the information technology data processing using Google Analytics tools, please visit Google Analytics at https://www.google.com/intl/hu_ALL/analytics/support.
- B) TRACKING IDENTIFIERS
The data controller may also use tracking IDs in its newsletters or other services sent to users for the purpose of developing and tracking user habits for Google AdWords, Facebook (likebox, share, remarketing).
- C) LOG FILE ENTRIES
Your website's IT background uses log entries. Log entries may store IP address, type of browser used by the visitor, internet service provider, date/time stamp, referring and exit page addresses, number of clicks during the visit. This is done in order to be able to trace back the circumstances of a malfunction, thus making browsing safer in the future. It makes it easier for us to manage and administer the site. The data is stored anonymously. If you do not consent to the processing of your data by such means, please do not use our website.
VIII. DATA PROCESSORS
The Association has the primary right to know the data, it does not disclose them, does not transfer them to unauthorised third party(ies), and the Association processes the data through its own IT systems. The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed.
The Association uses the following data processors:
Name, location: Google, Inc. (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043)
The data provided by the data subject is stored on a server operated by the IT service provider. The data can only be accessed by the staff operating the server, but they are all responsible for the secure handling of the data.
The purpose of the data processing: to ensure the functioning of the website.
Legal basis for processing: consent of the data subject or processing based on law.
Duration of processing and time limit for deletion of data: processing until the end of the website's operation or in accordance with the contractual agreement between the Association and the IT service provider. If necessary, the data subject may request the deletion of his/her data by contacting the IT service provider.
Personal data that may be processed: personal data provided by the data subject
Name: Webador
Address: Torenallee 20, 5617BC Eindhoven, The Netherlands
The data provided by the data subject is stored on a server operated by the hosting provider. The data can only be accessed by our staff or by the staff operating the server, but each of them is responsible for the secure handling of the data.
The name of the activity: hosting service, server service. Purpose of processing: to ensure the functioning of the website.
Legal basis for processing: consent of the data subject or processing based on law (Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services).
Data subjects concerned by the processing: all data subjects. Form of data processing: electronic.
Duration of processing and time limit for deletion of data: processing until the end of the operation of the website or in accordance with the contractual agreement between the website operator and the hosting provider. If necessary, the data subject may request the deletion of his/her data by contacting the hosting provider.
The personal data that may be processed: all processed data.
AGENT PROVIDING ACCOUNTING SERVICES
The accounting service agent stores the personal data it holds in its own computerised or paper-based system and is responsible for the secure handling of the data in accordance with the legal, professional and chamber rules applicable to it.
The purpose of the processing is to provide accounting services and fulfil accounting obligations.
Legal basis for processing: processing based on law and Article 6(1)(a), (b), (c) and (f) of the GDPR.
Data subjects concerned by the processing: all data subjects.
Form of processing: electronic and paper-based.
Duration of processing and time limit for erasure of data: as laid down by law. In the case of accounting documents, pursuant to Article 169(2) of Act C of 2000 on Accounting, these data must be kept for 8 years.
Personal data that may be processed: the personal data processed are those relevant for the performance of the task.
- THE LEGAL REPRESENTATIVE ACTING IN A SPECIFIC CASE CONCERNING THE PERSONAL DATA.
The legal representative stores the personal data that he/she has access to in his/her own IT or paper-based system and is responsible for the secure handling of the data in accordance with the legal, professional and chamber rules applicable to him/her.
The purpose of the processing: to pursue the legitimate interests and fulfil the obligations of the controller.
Legal basis for processing: processing based on law.
Duration of processing and time limit for deletion of data: as laid down by law.
Personal data that may be processed: personal data provided by the data subject which are relevant for the performance of the task.
The data controller shall make every effort to ensure the security of the data subjects' data. Accordingly, the Association does not sell, rent or in any way make available information about users to other companies or individuals, nor does it make any posting to or on behalf of external companies or individuals, except for the provision of data as described in this notice. Access to personal data provided by users, as well as to data automatically collected for technical operations, shall be restricted to employees of the controller who have access rights related to the purpose of the processing. The controller does not transfer personal data to third parties. This does not apply to any mandatory transfers of data required by law; or to the provision of data as described in this notice.
The controller must take appropriate security measures to protect personal data stored in electronic and automated files against accidental or unlawful destruction or accidental loss, and against unlawful access, alteration or disclosure.
The controller shall take into account the state of the art when defining and implementing measures to ensure the security of the data. The controller shall notify the user of any change that causes a substantial change in the service or in the way the data are processed. The controller shall protect its IT systems and telecommunications equipment, including those containing personal data stored in electronic form, with multiple levels of password protection, while documents containing personal data on paper shall be kept in a locked cabinet or room.
In order to ensure the security of personal data, the Association shall take the technical and organisational measures and establish the procedural rules necessary to comply with the provisions of the GDPR Regulation and the Law on Information.
THE RIGHTS RELATING TO DATA PROCESSING
- THE RIGHT TO REQUEST INFORMATION
The Data Subject may request information from the controller, through the contact details provided, about the data processed, on what legal basis, for what purpose, from what source and for how long. He or she may also request information about the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed; and about his or her rights in relation to the processing. Upon request, information will be sent promptly, but within 30 days at the latest, to the e-mail address provided by the data subject. The right to request information is available to the Data Subject in all cases of processing based on our legal basis.
- RIGHT TO RECTIFICATION
The data subject may request us to correct inaccurate personal data through the contact details provided. We will take action on your request without delay, but within 30 days at the latest, by sending you an e-mail to the e-mail address you provided. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, inter alia, by means of a supplementary declaration.
The amendment of the data may be initiated by e-mail or by letter to the contact details given above.
The right to rectification is available to the Data Subject in all cases of processing on the basis of the legal basis on which we rely.
- RIGHT TO ERASURE
The controller shall erase personal data if its processing is unlawful, if the user concerned requests it, if the purpose of the processing has ceased, or if the statutory time limit for storing the data has expired, or if a court or data protection authority has ordered it.
The data subject may request us in writing to erase his or her personal data using the contact details provided. Upon request, we will do so without undue delay and within a maximum of 30 days if the purpose or legal basis for the processing has ceased, if the data subject objects to or withdraws consent to the processing and there are no overriding legitimate grounds for the processing, if the personal data have been unlawfully processed, or if the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller. The erasure will be notified to the e-mail address provided by the data subject.
Please be informed that we may refuse to erase personal data of the data subject where the processing is necessary for the purposes of complying with an obligation to process personal data under EU or Member State law applicable to the controller (e.g. billing, registration of event participants), for the establishment, exercise or defence of legal claims (e.g. an outstanding claim against the data subject, the handling of a complaint, etc.) or for exercising the right to freedom of expression and information.
- THE RIGHT TO BE FORGOTTEN
Where the controller has disclosed personal data and is under an obligation to erase it, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the erasure of the links to or copies of the personal data in question.
- RIGHT TO RESTRICTION
The data subject shall have the right to obtain, at his or her request, the restriction of the processing of his or her personal data by the Association if
the data subject contests the accuracy of the personal data (in which case the restriction shall apply for the period of time necessary to allow the controller to verify the accuracy of the personal data); or
the Association's processing is unlawful and the data subject opposes the erasure of the data and requests instead that the use of the data be restricted; or
the Association no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing.
Please note that where the processing is restricted, such personal data, with the exception of storage, may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.
The right to restriction is available to the data subject in all cases of processing based on our legal basis. Please note, however, that in certain cases, the restriction of the right to data processing may have other consequences, such as the loss of benefits that go hand in hand with the processing (e.g., buying season tickets online, obtaining discounts or even losing the right to compete as a competitor). We will inform you of such eventualities when you exercise your right.
- RIGHT TO BLOCKING
The data subject may ask us to block his/her data by using the contact details provided. The blocking lasts as long as the reason indicated by the data subject makes it necessary to store the data. At the data subject's request, we will do so without delay, but within a maximum of 30 days, by sending information to the e-mail address provided by the data subject.
- THE RIGHT TO OBJECT
The data subject may object, via the contact details provided, to the processing of personal data necessary for the purposes of the legitimate interests pursued by the Association on grounds relating to the data subject's particular situation. The objection will be examined within the shortest possible period of time from the date of the request, but not later than 15 days, and a decision will be taken on the merits of the objection, and the data subject will be informed of the decision by e-mail.
In the event of an objection, the controller may no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- RIGHT TO DATA PORTABILITY
The data subject has the right to receive the personal data relating to him or her that he or she has provided to the Association in a structured, commonly used, machine-readable format (which we provide in .xml format) and to transmit such personal data to another controller, if the processing is based on consent or a contract and the processing is carried out by automated means.
In exercising the right to data portability, the data subject has the right to request, where technically feasible, the direct transfer of personal data between controllers.
- RIGHT TO WITHDRAW CONSENT
The data subject shall have the right to withdraw his or her voluntary consent to the processing of data relating to him or her by the Association at any time; however, this shall not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal. In that case, his/her data will be deleted unless there is a legal obstacle to the deletion.
MEANS OF REDRESS, PROCEDURAL RULES
In the event of unlawful processing or the exercise of the above rights by the data subject, we ask you to notify us so that we can restore the lawfulness of the processing within a short period of time and exercise your rights quickly and effectively. We will do our utmost to resolve the problem described in the complaint in the interests of the data subject.
If you consider that the law cannot be restored or that your complaint has not been properly dealt with, you can notify the authority using the contact details below or pursue your rights in court.
PROCEDURAL RULES ON THE EXERCISE OF RIGHTS RELATING TO DATA MANAGEMENT
The data subject may notify the Association of any requests or comments concerning the exercise of his or her rights in relation to data processing by using the following contact details:
in writing by post to the address of the Association's headquarters
by electronic means: firstname.lastname@example.org. Requests sent by e-mail shall be considered valid by the controller only if they are sent from the e-mail address provided to the controller and registered by the users; otherwise, if they are confirmed in writing by the controller by answering a question on the registered identification data as a control question to an e-mail request for confirmation. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the sending of the e-mail.
The Association shall inform the data subject of the processing of his/her request and of the measures taken without undue delay and at the latest within 30 days of receipt of the request. If necessary, this may be extended by 2 months. The data controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within 1 month of receipt of the request. The Association shall notify the data subject of its decision in writing or, in the case of a request made by electronic means, by electronic means, and shall also notify all those to whom the data were previously disclosed for processing. The notification may be omitted if this does not harm the legitimate interests of the user concerned with regard to the purposes of the processing.
If the Association does not take action on the data subject's request, it shall inform the data subject without delay and at the latest within 30 days of receipt of the request of the reasons for the non-action, of the possibility to lodge a complaint with a supervisory authority and of the right to judicial remedy. The Association shall provide the information and action free of charge.
Where the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Association, as controller, shall, taking into account the administrative costs of providing the information requested or of taking the requested action:
charge a reasonable fee, or
refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive shall lie with the Association.
MEANS OF REDRESS
- A) Right to lodge a complaint with the supervisory authority
The data subject shall have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) as supervisory authority regarding the decision of the controller or if the data subject considers that the processing of personal data concerning him or her infringes the GDPR Regulation.
Contact details of the National Authority for Data Protection and Freedom of Information:
Postal address: 1530 Budapest, Pf. 5.
Phone number: +36 1 391 1400
Official e-mail address: email@example.com
The Authority's website address is https://naih.hu
- B) Right to judicial remedy
In the event of a breach of the rights of the data subject, and where the controller does not comply with the data subject's objection to the processing of personal data, the data subject may have recourse to the courts within 30 days of the notification of the decision or the last day of the period referred to above. You also have the right to a judicial remedy against a legally binding decision of the supervisory authority concerning the data subject, if the supervisory authority does not deal with the complaint, or if it fails to inform the data subject within 3 (three) months of the procedural developments concerning the complaint lodged or of the outcome of the complaint. The Tribunal shall have jurisdiction to rule on the case. The person concerned may, at his or her option, bring the action before the competent court in the place where he or she resides or is domiciled.
The data subject shall have the right to enforce his or her rights in all cases of processing on the basis of our legal basis.
XII. OTHER PROVISIONS
If the Association wishes to carry out further processing of the data collected for purposes other than those for which they were collected, it will inform the Data Subject of the purposes of the processing and the information set out below before carrying out the further processing:
the duration of the storage of the personal data or, if this is not possible, the criteria for determining the duration;
the rights of the data subject with regard to the processing of personal data,
whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, and whether the Data Subject is under an obligation to provide the personal data; and the possible consequences of not providing the data;
the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information on the logic used and the significance of such processing and the likely consequences for the Data Subject.
Processing may only start after that. Where the legal basis for the new processing is consent, the processing will require the consent of the Data Subject in addition to the information.
Data processing takes place exclusively in Hungary.
In the event of processing of data under this Policy, the Data Subject shall not be entitled to claim any compensation, indemnity, damages or other claims against the Controller.
The Association shall provide specific information on data processing not listed in this information notice at the time of data collection.
Knowledge of and compliance with the provisions of this Data Protection Policy and Information Notice shall be mandatory for all employees, staff members, other employees in employment relationships and volunteers of the Association, and it shall be stipulated in their contracts that compliance with and enforcement of these provisions is an essential employment or contractual obligation of all employees.
XIII. DATA PROTECTION INCIDENTS
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Typical examples: loss of a laptop or mobile phone, insecure storage of personal data (e.g. trashed contract drafts, payrolls, etc.), insecure transmission of data, unauthorised copying or sharing of partner lists, website hacking, server attacks, etc.)
The prevention, handling, compliance and enforcement of data breaches are the responsibility of the Association's management. If a data protection incident is detected, it must be reported immediately to the person exercising the employer's rights or to the Association's manager (by post: at the Association's head office address, by e-mail: firstname.lastname@example.org).
The Association shall notify the data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of the Data Subject.
The Association shall inform the Data Subject of the personal data breach without undue delay if it is likely to result in a high risk to the rights and freedoms of the Data Subject.
The information provided to the data subject shall clearly and prominently describe the nature of the personal data breach and provide the name and contact details of the Data Protection Officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The data subject need not be informed if any of the following conditions are met:
the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular where the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure ensuring similarly effective information of the data subjects.
Where the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.
In the event of a notification of a personal data breach, the following should be examined: the place and time of the occurrence of the personal data breach, the description, circumstances and effects of the personal data breach, the scope and number of data subjects affected by the personal data breach, the persons or categories of persons affected, the measures taken to remedy the personal data breach, the measures taken to prevent, remedy or mitigate the damage.
Records of data breaches shall be kept (see VII.15), and the data shall be kept for 5 years.
Budapest, 10 October 2023 (last update)