Privacy Policy
Kecskemét Animation Film Festival XV 2021
organised by Kecskemétfilm Kft.
I. GENERAL PROVISIONS
1. The purpose of the Privacy Policy
KECSKEMÉTFILM Kft. (hereinafter: Data Controller) provides information in this Privacy Policy concerning the data processing and management of the KECSKEMÉTI ANIMATION FILM FESTIVAL (hereinafter: KAFF, Festival), to be held on 11–15 August 2021.
Data protection is a set of principles, rules, procedures, data management tools and methods that ensure the lawful processing of personal data and the protection of data subjects, with the aim of protecting the rights of data subjects and preventing unauthorized access to personal data.
The purpose of this Privacy Policy is to establish the internal regulations and measures that ensure the compliance of the data processing activity of KECSKEMÉTFILM Kft. as Data Controller with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation, GDPR), and furthermore to ensure compliance with the regulations of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Info Law).
Issues not covered by this document are governed by the applicable laws.
The Data Controller gives priority to the protection of the privacy and personal data of the persons who come into contact with it during the management of the KAFF, continuously complying with the principle of accountability to the data subjects. Accordingly, the Data Controller handles the personal data provided to it in all cases in compliance with the applicable Hungarian and European Union legislation and ethical requirements, and in all cases takes the technical and organizational measures necessary for proper, secure and lawful data management.
2. Scope of data management
The personal scope of this Privacy Policy extends to the creators and their contacts who apply for KAFF, as well as to the natural persons (hereinafter: the Data Subject) and the Data Processors participating in the event on the nominating or visiting side of the event or participating in the Festival.
In this Privacy Policy, the Data Controller provides detailed information on the essential circumstances, methods, principles, legal basis, purpose and duration of data management during the organization and management of KAFF and the related follow-up.
3. Name and contact details of Data Controller
Kecskeméti Animációs Filmgyártó és Forgalmazó Korlátolt Felelősségű Társaság
short name: KECSKEMÉTFILM Kft.
registered seat: H-6000 Kecskemét, Liszt Ferenc utca 21.
company registry no.: Cg. 03 09 102262
solely represented by: MIKULÁS Ferenc, Executive Director
tax no.: 11029245-2-03
electronic contact: kfilm@kecskemetfilm.hu, kaff@kecskemetfilm.hu
website: www.kaff.hu, www.kecskemetfilm.hu, www.magyarnepmesek.eu
phone no.: 00 36 76 481788
hereinafter: Company or Data Controller
4. Definitions
’Personal data’ means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
’Data subject’ is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
’Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
’Controller or controller responsible for the processing’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
’Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
’Consent of the data subject’ is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
’Recipient’ is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
’Third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
’Special categories of personal data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and the sexual life or sexual orientation of natural persons; personal data which are prohibited under Article 9 (1) of the GDPR may be processed only in the exceptional cases provided for in Article 9 (2) of the GDPR, in particular with the express consent of the data subject.
II. INFORMATION ON DATA MANAGEMENTS FOR EACH CATEGORY OF DATA
Data category | Personal data of data subjects processed | Legal basis for data processing | Purpose of data processing | Duration of data processing |
PERSONAL DATA PROCESSED IN CONNECTION WITH REGISTRATION AND ENTRY TO THE FESTIVAL | Personal data provided in the KAFF registration system: | Freely given consent of the data subject under Article 6 (1) (a) of the GDPR. Fulfilment of the legal obligation of the Data Controller under Article 6 (1) (c) of the GDPR. | | In the case of the nominating contact, until the start of the next Festival or the withdrawal of the person's consent. In the event of withdrawal of consent, all personal data will be deleted. The mandatory indication of name credits in line with the Copyright Act: indefinite period. |
DETAILS OF PERSONS PARTICIPATING IN THE FESTIVAL | Jury members requesting accreditation for the Festival (including members of the pre-jury, children's jury), invited guests (representatives of creators, production companies, representatives of the supporting organization, contact persons and representatives of the press). The name, place and time of birth, address and telephone number of the legal representative of the jury member. The organizers of the Festival (members of the Organizing Committee of the Festival, the staff of the Festival), the volunteers of the Festival. | The Data Controller's legitimate interest in organizing the Festival and preserving the works presented at the Festival as cultural heritage pursuant to Article 6 (1) (f) of the GDPR. (Balancing test is available upon request.) Professional CVs and portraits will always be discussed with the members of the jury (or, in the case of a child jury member, their legal representative) or with the professional invitee. | For jury members, professional invited guests | For an indefinite period, with particular regard to the principles of data management. |
INFORMATION REQUIRED FOR ONLINE REGISTRATION | In case of online stream of the Festival, natural persons registering as visitors to the kaff.hu website | Freely given consent of the data subject under Article 6 (1) (a) of the GDPR. | | Personal data affected by the registration: until the end of the event or the withdrawal of the data subject's consent. In the event of withdrawal of consent, all personal data will be deleted. |
DATA OF NATURAL PERSONS AS CONTRACTING PARTIES (excluding employees) | Natural persons contracting with the Controller | In the context of the recording of the contractor's data, the legal basis for data processing is the performance of the contract under Article 6 (1) (b) of the GDPR. With regard to the issuance and retention of accounting documents, the legal basis for data processing is the fulfilment of the legal obligation of the Data Controller under Article 6 (1) (c) of the GDPR. | Concluding, fulfilling and terminating the contract between the Data Controller and the data subject | Pursuant to its obligation under Section 169 of Act C of 2000 on Accounting (hereinafter: the "Accounting Act"), the Data Controller keeps the accounting certificate for 8 (eight) years after the termination of the Contract or, in case of a legal dispute, if that is the later date, for 5 (five) years following the conclusion of the legal dispute, on the legal basis of the fulfilment of its legal obligation. The Data Controller shall comply with its obligation under Section 179 of Act CXXVII of 2007 on Value Added Tax (hereinafter: the "VAT Act"). On the basis of its obligation under Section 78 (3) of Act CL of 2017 (hereinafter: "Art."), the Data Controller shall keep the documents issued by it, in its possession or otherwise available, and the personal data contained therein, until the expiry of the right to assess the tax, in the case of a deferred tax for 5 (five) years from the last day of the calendar year of its due date, and in the case of a legal dispute for 5 (five) years after its closing. |
DATA RELATING TO BUSINESS CONTACTS OF ENTERPRISES CONTRACTING WITH THE DATA CONTROLLER | Employees of third parties contracting with the Data Controller or other persons in a legal relationship with them who are involved in the performance of the contract as contact persons | Legitimate interest in facilitating cooperation and communication between the parties for the purpose of concluding, performing and terminating the contract under Article 6 (1) (b) of the GDPR. (Balancing test is available on request.) | | For the periods set out in the Art., the Accounting Act and the VAT Act, as explained above. |
CREATING AND USING A PICTURE / SOUND RECORDING AT THE FESTIVAL VENUE / ONLINE BROADCASTING ON THE DATA CONTROLLER'S ONLINE PLATFORMS (INCLUDING SOCIAL MEDIA PLATFORMS) | The image, voice and other personal data (name, occupation) of the persons included in the photographs and possible video recordings taken by the Data Controller at the Festival. In the case of a written statement of consent, the name, address and signature of the data subject. The pictures taken at the festival will be uploaded to the gallery of kaff.hu, to the festival's Facebook and Instagram pages, and to the YouTube channel of the Festival. | The data subject's freely given consent under Article 6 (1) (a) of the GDPR, given by the person concerned by implied conduct (it is deemed to be such implied conduct if the person concerned knows that a recording is being made or may be made in the room he or she enters) or by express statement. No consent is required for the making and use of the photograph and camera in the case of mass photography and public appearances. | | The processing lasts until the data subject's request for deletion, or the data is deleted as a result of the data subject's protest. |
NEWSLETTER DATABASE | Name and email address of newsletter subscribers. On www.kaff.hu, subscribers can click the button "Sign up for the festival newsletter!" to enter the subscriber's name and email address. Those with whom the Data Controller has previously been in contact as a nominee or participant in connection with the festival will be informed by the Data Controller in an email about the newsletter subscription option on the website, with a link to the subscription interface on the website. By ticking the checkbox on the registration interface, the data subject consents to the sending of the newsletter by accepting the Privacy Policy. | Entry data will be used by the Data Controller in the legitimate interest of informing about the possibility of subscribing to the newsletter, pursuant to Article 6 (1) (b) of the GDPR. (Balancing test is available on request.) Subsequently, after clicking on the newsletter button on the website, the data subject's freely given consent to the processing of data for the purposes of the newsletter pursuant to Article 6 (1) (a) of the GDPR will also be granted in this case. | We provide information on film entries, participation in the festival, and up-to-date information on the events of the festival. | Until the withdrawal of the data subject's consent. In the event of withdrawal of consent, all personal data will be deleted. The newsletter always includes a link to unsubscribe. |
III. INFORMATION ON THE TRANSMISSION OF DATA - RECIPIENTS OF THE TRANSMISSION OF DATA
The name of the director of the nominated animated films will be communicated to the members of the jury, among other details of the film. The Data Controller provides information on the identity of the members of the jury on the kaff.hu website.
The personal data of the guests of the Festival for whom the Data Controller is booking accommodation or travel will be transferred to the accommodation or transport service provider, based on the prior consent of the guest concerned, with the data content contained therein.
Personal data will be transmitted to the postal service and delivery companies: Magyar Posta Zrt. and the authorized courier services (GLS General Logistics Systems Hungary Kft., FedEx Trade Networks Transport & Brokerage (Hungary) Kft.).
In addition, the data of the data subject may, if absolutely necessary (e.g. in connection with a legal dispute or in order to make a financial or accounting assessment of an economic event), be transferred on an ad hoc basis to the service providers entrusted by the Data Controller, e.g. lawyers, auditors and financial advisers, who are bound by professional or contractual confidentiality.
Photographs and videos taken at the Festival can be used in next year's catalogues of the Festival, so they can be forwarded to the companies participating in its production.
Organizations providing film professional support (National Cultural Fund, National Film Institute) also become recipients of personal data during the presentation of contracts, accounting documents, performance certificates and image documentation certifying the implementation of tenders.
The name and contact details of the winner will be forwarded to the supporting companies or organizations offering the prize.
The recipients process the personal data transmitted to them as an independent data controller, in accordance with the provisions of their own Privacy Policy, and joint data management does not take place.
The Data Controller does not intend to transfer the personal data of the data subject to a third country (a non-EEA state); where this cannot be excluded, it draws special attention to this in this document.
IV. DATA PROCESSING RECORDS
The Data Controller shall keep a record of the data processing activities performed under its responsibility pursuant to Article 30 (1) of the GDPR.
This Privacy Policy contains the following information from this record in the above tabular forms:
(a) the name and contact details of the controller and, if any, the name and contact details of the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be communicated, including recipients in third countries or international organizations;
(e) where applicable, information on the transfer of personal data to a third country or international organization, including the identification of the third country or international organization and, in the case of a transfer pursuant to the second subparagraph of Article 49 (1), appropriate guarantees;
(f) where possible, the time limits for deleting the different categories of data;
(g) where possible, the technical and organizational measures referred to in Article 32 (1) of the GDPR.
V. PROCESSORS
Companies that are involved in the data processing:
Website operation
Raster Studio Korlátolt Felelősségű Társaság
short name: Raster Studio Kft.
registered office: 6000 Kecskemét, Thököly u. 3.
email: titkarsag@rasterstudio.hu
The data processor operating the IT system of our company:
System administrator
BESTCOM Pénzügyi Tanácsadó és Számítástechnikai Szolgáltató Korlátolt Felelősségű Társaság
short name: BESTCOM Kft.
registered office: HU-6000 Kecskemét, Kőhíd utca 10.
email: bestcom@bestcom.hu
The data processor operating the sending of our company's newsletter:
ListMaster is an online newsletter software, owned and operated by
Bithuszárok Bt.
registered office: 2051 Biatorbágy, Damjanich utca 8.
e-mail: info@bithuszarok.hu
In all its activities, the Data Controller uses only such partners (subcontractors) who comply with the requirements of the data protection legislation in force at any time.
Email server: Google LLC (cloud), hosting: Google LLC (Google Drive)
For information about the GDPR compliance of Google LLC (Google Drive), visit:
https://cloud.google.com/security/gdpr#tab7
The GDPR compliance of Google LLC’s services is ensured by the fact that the data protection compliance of Google's model contractual clauses has been recognized by the European Data Protection Authorities (DPAs), so that with G Suite and the Google Cloud Platform the transfer of data to any part of the world fully complies with the legal requirements of the GDPR.
In accordance with the GDPR, the data processor undertakes to:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of GDPR;
(d) respects the conditions for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR;
(f) assists the controller in ensuring compliance with the obligations pursuant to the provisions on Security of personal data taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
(i) upon termination of the provision of the data processing service, at the discretion of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies, unless Union or Member State law provides for the storage of personal data;
(j) provide the Data Controller with all information necessary to verify the erasure of the data or copies and to enable and facilitate audits, including on-site inspections, by the Controller or another auditor appointed by it. The Data Processor shall immediately inform the Data Controller if it considers that any of its instructions violate the GDPR or the data protection provisions of the Member States or the Union.
(k) report the data protection incident to the Data Controller within 72 hours of becoming aware of it. That notification shall include at least:
(i) a description of the nature of the data protection incident, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident;
(ii) the name and contact details of the data protection officer or other contact person for further information;
The Data Controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
External service providers:
In the systems of External Service Providers, the service providers' own data protection policies apply to the data provided there. The Data Controller handles the data it receives from an external service provider (within the scope described above) in accordance with this document. With regard to the content made available within the framework of each service and shared on various social media sites, the external service provider enabling the sharing of the content qualifies as the controller of personal data, and its activities are governed by its own terms of use and data protection policy. Examples of such external intermediary services are: Facebook, Google, etc.
Facebook Inc., headquartered in Palo Alto, California, USA; available at: www.facebook.com/help/feedback, https://www.facebook.com/facebook
KAFF uses the video sharing service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, “YouTube”) (the “YouTube Platform”). In doing so, we use YouTube’s technical platform and services and operate our own YouTube channel at https://www.youtube.com/KAFFanimation. Use of the interactive features of the YouTube platform, such as "sharing", "rating" or "posting", is at your own risk.
Data obtained from you through the use of the YouTube Platform will be handled by YouTube and may be transferred to countries outside the European Union. When you visit our fan page, the information obtained from you may be transferred to and processed by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043) in the United States. We have no control over the type and extent of data handled by YouTube, the nature of the processing and use of such data, or the transfer of such data to third parties, particularly in countries outside the European Union. Information about what data YouTube processes and for what purpose can be found in the Google Privacy Statement: https://www.google.de/policies/privacy/.
VI. DATA SECURITY
The Data Controller reduces the risk that the data provided by users during registration may become available in the event of an unauthorized intrusion as follows:
Taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing and the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Data Controller and the Data Processor shall take appropriate technical and organizational measures to guarantee a level of data security commensurate with the level of risk. The Data Controller complies with the principles of the GDPR. Contributions, subscriptions, etc. are saved in the systems in an identifiable manner. The Data Controller protects access to documents and desktop computers with a strong password. Other security measures: firewall application, regular IT maintenance and control, and closed-system VPN access. Documents are stored electronically; paper-based documentation is kept in an exceptional and lockable cabinet. Records are kept and regularly reviewed, and compliance with legal requirements is verified. The performance assistant employed outside the Data Controller does not have access to the data, so there is no need to control the internal access rights to the data.
Existing security measures are sufficient to manage the risks, based on the current state of technology and the experience gained from the Data Controller's activities to date.
VII. RIGHTS AND OBLIGATIONS RELATING TO PERSONAL DATA BREACH
A PERSONAL DATA BREACH is when personal data are accidentally or unlawfully: - destroyed, - lost, - altered, - disclosed without authorization, or - accessed without authorization.
The GDPR imposes a notification obligation on the Data Controller, depending on the extent to which the incident endangers the rights and freedoms of natural persons.
Pursuant to Article 33 of the GDPR, the Data Controller is obliged to notify the incident to the competent supervisory authority without undue delay and may waive this notification only if the personal data breach is not likely to endanger the rights and freedoms of natural persons.
If the personal data breach occurs in connection with the activities of the data processor, the data processor is obliged to notify the Data Controller of it without undue delay.
Upon the occurrence of a personal data breach, the Data Controller shall immediately take measures to remedy the personal data breach, taking into account the mitigation or prevention of any adverse consequences arising from the incident.
The Data Controller keeps a record of personal data breaches.
The purpose of the register is to enable the Data Controller to verify compliance with the GDPR during an audit by NAIH as the competent supervisory authority.
The Data Controller is obliged to inform the data subject without undue delay about the personal data breach if it poses a high risk to the rights and freedoms of natural persons. If a high-risk personal data breach affecting the personal data of the data subject occurs during the data processing of the Data Controller, the Data Controller will inform the data subject of the following facts and circumstances:
- description of the personal data breach,
- the name and contact details of the contact person responsible for data protection matters,
- a description of the likely consequences of the personal data breach,
- a description of the measures planned or taken by the controller to remedy the incident, including measures to mitigate any adverse consequences of the personal data breach.
VIII. PRINCIPLES OF DATA MANAGEMENT
The GDPR stipulates that the Data Controller's data processing activities must comply with the principles listed below in Article 5 of the GDPR, throughout the period of data processing. The Data Controller is committed to continuously enforcing the principles and regulations of the GDPR in the course of its personal data management activities.
1. Lawfulness, fairness and transparency
Data processing must be lawful, fair and transparent throughout the data processing period (Article 5 (1) (a) GDPR). The Data Controller shall ensure the transparency of its data processing by publishing this Privacy Policy or by directly informing the data subjects as defined in Article 13 of the GDPR (where applicable in accordance with Article 14). This Privacy Policy contains detailed information regarding the data processing of the Data Controller in relation to the data subjects, the scope of the data processed, the title of the data processing, the duration of the data processing and the rights of the data subjects concerned. The Data Controller shall provide basic information related to data processing by providing direct information in accordance with Article 13 and, if necessary, Article 14. The Data Controller ensures the lawfulness of data processing by carrying out its data processing activities on the grounds specified in Article 6 of the GDPR, in this Privacy Policy and in other data processing-related documents, in accordance with the GDPR principles.
2. The Data Controller ensures the fairness of data processing by providing adequate information, making the data processing process transparent to the various data subjects, explaining the content of data processing legislation, the rights of data subjects, and implementing organizational measures to ensure data security.
3. The purpose of all these measures is for the Data Controller to assist all data subjects in exercising their rights under the GDPR.
2. Purpose limitation
The purpose limitation principle means that the Data Controller may only process personal data for a clearly defined, legitimate purpose (Article 5 (1) (b) GDPR). The purpose limitation principle also means that the collection of data and other data processing operations (eg recording, storage, transmission, deletion, etc.) must be tailored to the purpose of the data management. It follows from the purpose limitation principle that personal data may only be processed until the purpose of the data processing has been achieved. Thus, if a data processing purpose has been achieved, personal data can only be further processed on the basis of an additional data processing purpose or title.
The Data Controller processes the personal data of the data subjects for the purpose indicated in the table.
1. Data minimisation
The principle of data protection means that only data that are strictly necessary for the purposes of data processing can be lawfully processed (Article 5 (1) (c) GDPR).
2. Accuracy
The principle of accuracy means that the data stored in the registration systems must be accurate throughout the data processing process (Article 5 (1) (d) GDPR). If the data is inaccurate or incorrect, the Data Controller, in cooperation with the data subject, shall ensure the restoration of the accuracy of the data on the basis of the data subject's request.
3. Storage limitation
The principle of limited storage means that personal data may only be stored for as long as the purpose of the processing is achieved, ie personal data may not be accumulated or stored for an indefinite period (Article 5 (1) (e) GDPR). The principle of limited storage is reflected in the data controller's obligation to determine the duration of the data processing and, if this is not possible, the criteria for determining the duration. The Data Controller is obliged to inform the data subject about the above circumstances. The Data Controller shall enforce the principle of limited storageability with respect to the data processed in the framework of the provision of services as follows, based on the provisions of the applicable legislation. The Data Controller is entitled to process personal data only to the extent, in the manner and for the time necessary to perform the tasks of the Data Controller.
4. Integrity and Confidentiality
Maintaining integrity and confidentiality means that the Data Controller must protect personal data with organizational and security measures that guarantee adequate data security, including protection against unauthorized or unlawful handling, accidental loss, destruction or damage (Article 5 (1) (e) GDPR).
The Data Controller treats the personal data provided to it as confidential. The personal data of the data subjects may be accessed by the employees and agents of the Data Controller who, based on their job or duties, deal with the social and educational activities of the Data Controller and with the managerial and administrative tasks ensuring the operation of the Data Controller.
5. Accountability
The principle of accountability means that the controller must be able to demonstrate the lawfulness of the processing, i.e. compliance with the GDPR (Article 5 (2) GDPR). For the sake of accountability, the Data Controller keeps a record of the transfer and publication of the necessary information, the data processing performed by it, the measures taken for data security, data protection incidents and requests related to data protection, and documents its data management activities in accordance with the GDPR.
IX. RIGHTS OF THE DATA SUBJECT
The data subject may contact the Data Controller regarding the enforcement of his / her rights related to data management and his / her questions at the contact details included in this Privacy Policy.
The Data Controller shall inform the data subject of its actions, or of the reasons for not taking action, within one month after the submission of the data subject's request (the data subject may file a complaint in this connection). This period may be extended by 2 months if necessary.
The procedure is free of charge (if justified and not excessive) and preferably electronic.
The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
- a) Right of confirmation
Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the Controller.
- b) Right of access
Each data subject shall have the right to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.
- c) Right to rectification
Each data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.
- d) Right to erasure (Right to be forgotten)
Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the Data Controller, he or she may, at any time, contact any employee of the controller. An employee of the Data Controller shall ensure that the erasure request is complied with immediately.
Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. Employees of the Data Controller will arrange the necessary measures in individual cases.
- e) Right of restriction of processing
Each data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by Data Controller, he or she may at any time contact any employee of the controller. The employee of the Data Controller will arrange the restriction of the processing.
- f) Right to data portability
Each data subject shall have the right to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
In order to assert the right to data portability, the data subject may at any time contact any employee of the Data Controller.
- g) Right to object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
The Data Controller shall no longer process the personal data in the event of the objection, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If the Data Controller processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the Data Controller to the processing for direct marketing purposes, the Data Controller will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the Data Controller for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject may contact any employee of the Data Controller. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
- h) Automated individual decision-making, including profiling
Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, the Data Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.
If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of the Data Controller.
- i) Right to withdraw data protection consent
Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of the Data Controller.
ENFORCEMENT
Without prejudice to other administrative or judicial remedies, any data subject shall have the right to complain to a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or suspected infringement, if he or she considers that the processing of personal data concerning him or her violates the GDPR.
Anyone may file a complaint with the National Data Protection and Freedom of Information Authority (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság) alleging that there has been or is an imminent threat of a breach of the right to process personal data.
Name: National Data Protection and Freedom of Information Authority
(in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság NAIH)
Head office: 1055 Budapest, Falk Miksa u. 9-11.
Phone: 391-1400 Fax: 391-1410
Website: http://www.naih.hu E-mail: ugyfelszolgalat@naih.hu
The supervisory authority to which the complaint has been lodged must keep the customer informed of the progress of the complaint procedure and its outcome, including the customer's right to a judicial remedy under Article 78.
Judicial remedies: Proceedings against the controller must be brought before the courts of the Member State in which the controller is established (Hungary), but may also be brought before the courts of the Member State of the habitual residence of the data subject.
Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority.