PUBLIC FOUNDATION FOR THE RESEARCH OF CENTRAL AND EAST EUROPEAN
HISTORY AND SOCIETY
Effective from: 25 May 2018
1./ GENERAL PROVISIONS
1.1./ This Policy sets out the scope of data processed by the Public Foundation for the Research of Central and East European History and Society (henceforward: the Public Foundation), the purpose and legal basis for processing, as well as the rights available to the data subjects.
1.2./ The Public Foundation processes all data according to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, henceforward: the Regulation) and the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (henceforward: the Information Act).
1.3./ The Public Foundation implemented the necessary measures to ensure that the rights of the data subjects set out by the two laws mentioned above shall fully prevail during the processing of their personal data.
2./ AIM AND SCOPE OF THE POLICY
2.1./ The aim of the Policy is to provide clear and plain information to the data subjects on the scope of their personal data that the Public Foundation and its data processors process during the course of carrying out their public service obligations, the sources from where these data are collected, the aim and legal basis of the data processing, its possible duration, the identity and contact information of the data controllers, the data processing activities carried out, as well as the aim, legal basis and recipients of data transfers.
2.2./ This Policy applies to the Public Foundation for the Research of Central and East European History and Society (the Data Controller).
3./ NAME AND INFORMATION OF THE DATA CONTROLLER
Name: Public Foundation for the Research of Central and East European History and Society
Seat: 1122 Budapest, Határőr út 35.
Registration number: 01-01-0007526 (Fővárosi Törvényszék (Court of Budapest))
Tax ID: 18237010-2-43
Phone number: +361/374-2600
Postal address: 1062 Budapest, Andrássy út 60.
NAIH ID of the Public Foundation: NAIH-97531/2016.
Institutes operated by the Data Controller: XX. Század Intézet (Institute for the Twentieth Century), XXI. Század Intézet (Institute for the Twenty-first Century), Habsburg Történeti Intézet (Institute for the History of the Hapsburgs), Kommunizmuskutató Intézet (Institute for the Research of Communism), Kertész Imre Intézet (Imre Kertész Institute), Terror Háza Múzeum (House of Terror Museum). The institutes and the Museum do not have a legal personality.
To aid you in understanding the concepts used in this Policy, please read the following definitions based on the Regulation:
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller means the natural or legal person (...) which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data subject: a natural person who is explicitly defined or identified, or who can be explicitly or implicitly identified by the use of personal data.
5./ POSSIBLE LEGAL BASES FOR DATA PROCESSING
5.1./ According to the Regulation, processing of personal data is considered legal if at least one of the following legal bases is met:
processing is based on consent,
processing is needed to perform a contract or enter into a contract,
processing is necessary for compliance with a legal obligation,
processing is necessary in order to protect vital interests (e.g. life),
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
5.2./ If processing is based on consent, the Public Foundation as the Data Controller shall be able to prove that the data subject has consented to the processing of his/her personal data. Consent may only be used as a legal basis for processing if it is freely given, specific, informed and unambiguous. The data subject is entitled to withdraw his/her consent at any time. The withdrawal does not affect the legality of the processing activities carried out before the withdrawal. It shall be as easy to withdraw as to give consent.
5.3./ Where the provision of data is based on a contractual or legal obligation and the data subject does not provide such data, it is possible that the data subject will not be able to use the service provided by the Public Foundation or cannot enter into a legal relationship with the Public Foundation.
5.4./ The Public Foundation acting as the Data Controller does not verify the personal data provided by the data subjects. The provider of the data is solely responsible for the data.
5.5./ A prerequisite to the application of the legal basis of “legitimate interest” is that the legitimate interest of the Public Foundation acting as the Data Controller shall be proportionate to the limitation of the right to the protection of personal data. To ascertain this, a balance of interests test shall be carried out. In the balance of interests test, the Public Foundation as the Data Controller shall:
identify its legitimate interest related to the personal data being tested,
establish the interests and rights of the data subject with regard to the personal data subject to the “balance of interests” test,
examine the legitimate interests of the data subject and the Data Controller, and based on this, determine whether the personal data may be processed or not.
DESCRIPTION OF THE DATA PROCESSING ACTIVITIES
(purpose, legal basis, duration, scope of the processed data)
6./ SURVEILLANCE BY CAMERA
6.1./ The Public Foundation does not operate an electronic surveillance system (henceforward: electronic surveillance system, camera system, surveillance system) in its offices and meeting rooms; such a system is only in operation in the areas of the House of Terror Museum.
6.2./ The purpose of data processing: Protection of the areas of the Museum and the museum pieces exhibited there, the protection of assets. A further legitimate purpose for the processing of data is the detection and prevention of unlawful acts, as well as the protection of the life and physical integrity of the visitors and employees.
6.3./ The electronic surveillance system is operated in line with the applicable legal provisions and requirements, especially the relevant provisions of the Regulation.
6.4./ Legal basis for data processing: The personal data of the visitors (those who enter the House of Terror Museum other than the employees) is processed on the legal basis of consent (Article 6, Paragraph 1, Point (a) of the Regulation). Regarding the data processing with camera surveillance, besides the Regulation, Act CXXXIII of 2005 on security services and the activities of private investigators applicable to personal and property protection activities and private investigation (henceforward: Act CXXXIII of 2005) also applies to the Public Foundation. According to Article 30, Paragraph 2 of Act CXXXIII of 2005, the data subjects acknowledge the use of the camera surveillance system and provide their freely given consent to the processing of their personal data with their implicit conduct. It is especially considered implicit conduct if a person enters an area in spite of the warning signs and indications placed at the private property, and the specific circumstances do not indicate otherwise. To fulfil the prerequisites of consent given with implicit conduct,
6.5./ The purpose of data processing: According to the regulations quoted above, the protection of the museum area, the protection of assets. A further legitimate purpose for the processing of data is the detection and prevention of unlawful acts, as well as the protection of the life and physical integrity of the customers and employees.
6.6./ Scope of the processed data: The likeness of the visitors and employees of the Museum. The recordings made and handled by the electronic surveillance system are considered personal data, as they can be linked with the data subject, and conclusions can be drawn based on them.
6.7./ Duration of data processing: The personal data (recordings) made during the surveillance operations carried out at the museum area shall be held for 14 days at the most from the date of recording.
6.8./ Place of storage of the personal data: The camera recordings are stored on the data storage devices in the cameras. When the storage becomes full, the system automatically overwrites the earliest recordings.
6.9./ Purpose limitation: The Public Foundation shall only process personal data where that is necessary for the exercising of certain rights and the fulfilment of obligations, and in line with the fundamental principles of data processing set out by the Regulation. To uphold the principles of purpose limitation, necessity and proportionality, the Public Foundation shall stop processing the personal data of the data subjects if the purpose of processing is no longer valid. When the purpose of processing is no longer valid, the Public Foundation shall destroy and delete all relevant data, unless legal provisions exclude this. The camera recordings may be used to detect and prevent unlawful acts, to catch perpetrators in the act, and as evidence in administrative or legal procedures related to the uses mentioned earlier. The data processing principle of purpose limitation is also applied to the view angle of the specific cameras. This means that each camera is always pointed at an area which is in line with the purpose of that camera.
6.10./ Continuous live surveillance is carried out at the Museum.
6.11./ Viewing the recordings: The recordings kept in the camera surveillance and storage system operated by the Public Foundation may only be accessed by authorised persons with the intent of proving infringements and identifying the perpetrators. Only a small circle of employees are authorised to handle the recordings. The persons and designated job roles responsible for processing the personal data created by the recording system in the Museum are the following: security service, IT administrator and the designated professional leader. Lawyers/law firms acting on behalf of the Public Foundation may also be authorized to access the recordings in the context of administrative or judicial procedures. In the event of a criminal offence, if possible, the designated professional leader shall watch the recordings.
6.12./ A log is kept of the occasions when the recordings are accessed; this log shall contain the name of the person accessing the recordings, and the reason for and the time of accessing the data.
6.13./ Data transfer: The recordings and the other personal data associated with them may be transferred to the relevant authorities or courts, but only when this is needed in connection with an ongoing case related to unlawful activities or infringements. In such cases, only those recordings (made by the camera system) will be transferred that contain relevant information.
6.14./ Detailed information on the placement of cameras (location, area under surveillance, method and purpose of surveillance, “balance of interests” test) is available in the applicable policy of the Public Foundation, entitled “Data Processing Policy regarding the use of an electronic surveillance system”.
7./ DATA PROCESSING RELATED TO RETAIL STORE CUSTOMERS
7.1./ The Public Foundation operates a store at the premises of the House of Terror Museum. When visitors make purchases at this shop, their personal data may be recorded and subsequently processed.
7.2./ Short description of the data processing: The visitor may purchase the products available at the shop operated by the Public Foundation on the spot. If the customer does not ask for an invoice of the purchase, he/she will not need to provide his/her personal data to the Public Foundation, and thus no data processing will take place.
7.3./ Regarding the data processing activities carried out in relation to the Photo Gallery operated by the Public Foundation, please see the following policy: http://www.terrorhazafoto.hu/pages/privacy-policy.html
8./ INVOICES PROVIDED FOR THE PURCHASES MADE AT THE STORE
8.1./ Short description of the data processing: If the customer asks for this, the Public Foundation makes out an invoice for the purchase using an invoicing software.
8.2./ Legal basis for data processing: The data processing is carried out for the purpose of complying with legal obligations pertaining to the Data Controller [Point c) of Paragraph (1) of Article 6 of the Regulation]. Applicable law: Act CXXVII of 2007 on the Value Added Tax (VAT Act): Article 159 (on the obligation to issue invoices), Article 169 (mandatory content elements), Act C of 2000 on accounting (Accounting Act): Articles 166-169 (accounting documents, strict accountability documents, obligation to keep documents).
8.3./ The purpose of data processing: The support and documentation of the economic event (supply of goods) which is a legitimate purpose for data processing.
8.4./ Scope of the processed data: The name, address, date and time of purchase of the customer (natural person). The name, registered seat, tax ID and the date and time of purchase (legal person or other organization).
8.5./ Duration of data processing: 10 years
8.6./ Relevant IT systems: Novitax
9./ BOOK OF CUSTOMERS, MANAGING CONSUMER RIGHTS ISSUES
9.1./ Short description of the data processing: The customers (consumers) who shop at the store are entitled to lodge complaints. The customer may submit his complaint in person or in writing to the Public Foundation or the person acting in the interests of or on behalf of the Public Foundation in relation to the behaviour, activities and omissions of those employees whose task is to sell the products to the customers (consumers) at the store. The customer has the right to directly enter his complaints and suggestions in the Book of Customers. In case of oral complaints submitted in person, on the phone or by means of other electronic media, the Public Foundation is obliged to compile a log with the contents specified in Act CLV of 1997 on consumer protection, and also to label the complaint with a unique identification number. The Public Foundation shall answer the complaint in writing within 30 days, and send its response to the customer. A copy of the logs and replies related to the complaint must be kept for five years, and presented to the controlling authorities. Authorities may review the entries of the Book of Customers and the copies of the replies to the complaints going back 2 years.
9.2./ The log compiled concerning the complaint shall contain the following:
a) the name and address of the consumer,
b) the place, time and manner of the submission of the complaint,
c) the detailed description of the complaint submitted by the customer, with a list of documents and other evidence presented by the customer,
d) the statement made by the enterprise regarding the complaint, where the complaint is suitable to be investigated immediately,
e) signatures of the customer and the employee compiling the log (with the exception of oral complaints made over the phone or via other electronic media),
f) the place and time of compiling the log,
g) if the complaint is made orally over the phone or other electronic media, the unique identification number of the complaint.
9.3./ Legal basis for data processing
As a legal basis for data processing, refer to Article 6 (1) (c) of the Regulation: compliance with a legal obligation pertaining to the Data Controller. Applicable laws:
with regard to the filing of complaints: Section 17/A of Act CLV of 1997 on Consumer Protection;
with regard to the Book of Customers: Sections 5 (4)-(5) of Act CLXIV of 2005 on commerce; Section 25 of Government Decree 210/2009 (IX.29.) on the conditions for conducting commercial activities.
9.4./ The purpose of data processing: To ensure the customer’s right to lodge a complaint, which is a legitimate purpose for data processing.
9.5./ Scope of the processed data: Name, address. Other possible data: phone number, e-mail address and other personal data provided by the customer on a voluntary basis.
9.6./ Duration of data processing: The log compiled concerning the complaint, the copy of the answer given: 5 years; 2 years in case of copies made of entries to the Book of Customers.
9.7./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
10.1./ In relation to the access of the House of Terror Museum operated by the Public Foundation, the Public Foundation grants discounts to certain groups of people based on special characteristics. The list of discounts is available at the following address: http://www.terrorhaza.hu/hu/muzeum. In all cases, the application of the specific discount is subject to the presentation of the relevant document or card (passport, identity card, driver’s license, teacher ID, student ID).
10.2./ The Public Foundation does not make copies of the documents/cards presented for the purpose of purchasing discount tickets to enter the Museum, and their contents are not recorded in any form. The presentation of the documents/cards is only needed for the validation of discounts, so no data processing takes place.
11./ PROCESSING OF DATA RELATED TO APPLICANTS AND CONTRACTING PARTNERS
11.1./ Short description of the data processing: The Public Foundation as a public service body enters into a number of contracts to facilitate its operation (typically service contracts, works contracts and grant contracts). The contracting partners of the Public Foundation are typically legal persons, and as such the provisions governing the processing of personal data do not apply to them. However, during the operation of the Public Foundation, natural persons may also apply for grants, claim support from the Public Foundation, and the Public Foundation may sign contracts with natural persons. In case the applicant or the contractor is not a business organization, he/she must provide the Public Foundation with certain personal data in order to submit the application or conclude the contract in question.
11.2./ Legal basis for data processing: As a legal basis for data processing, Article 6 (1) (b) of the Regulation can be identified as data processing is necessary for the conclusion of the contract with the Public Foundation and the performance of the concluded contract.
11.3./ The purpose of data processing: The purpose of data processing is to establish and maintain a contractual relationship, to perform the contract, to check whether the clearing and reporting obligations related to grant contracts are met, and to fulfil the reporting and clearing obligations of the Public Foundation.
11.4./ Scope of the processed personal data: Name, maiden name, mother’s maiden name, place and date of birth, address, tax ID, Hungarian social security number, bank account number, e-mail address.
11.5./ Duration of data processing: The Public Foundation keeps record of the personal data made available for 10 years.
11.6./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
12./ HANDLING OF CONTACT DETAILS SPECIFIED IN CONTRACTS
12.1./ Short description of the data processing: Contracts entered into by the Public Foundation during the course of its normal operations often contain contact details.
12.2./ Legal basis for data processing: As a legal basis for data processing, refer to Article 6 (1) (f) of the Regulation: the legitimate interest of the partner and that of the Public Foundation to perform and to maintain their contractual relationship. The results of the “balance of interests” test show that the legitimate interest of the Public Foundation does not impose a disproportionate restriction on the rights of the contact person in protecting his/her personal data.
12.3./ The purpose of data processing: To maintain the contractual relationships between the parties, which is a legitimate purpose for data processing.
12.4./ Scope of the processed personal data: The name, e-mail address and phone number of the person designated as the contact person.
12.5./ Duration of personal data processing: 10 years.
12.6./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
13./ ENFORCEMENT OF CLAIMS
13.1./ Short description of the data processing: In order to collect outstanding invoiced amounts and other claims by legal means, external contractual partners (e.g. law firms) employed by the Public Foundation are tasked with performing claims management activities.
13.2./ Legal basis for data processing: As a legal basis for data processing, the performance of contractual obligations as defined in Article 6 (1) (b) of the Regulation, or in case of non-contractual claims (e.g. compensation), the legitimate interest as defined in Article 6 (1) (f) of the Regulation can be identified. According to Section 6:137 of the Civil Code, non-performance of an obligation means any failure to perform that obligation. According to Section 6:138, in the event of non-performance, the aggrieved party shall be entitled to require performance of the obligation.
13.3./ The purpose of data processing: The lawful collection of debts and the enforcement of other claims, which is a legitimate purpose for data processing. Where the contractually commissioned claims managers are concerned, the contents of the specific order decide whether they act as data controllers or independent data processors.
13.4./ Scope of the processed data: In most cases, information found on the invoice (name, address, date and time when the debt was incurred), contact details (phone number, e-mail address).
13.5./ Duration of data processing: For the period of time necessary to enforce the claim, recover the debt. Until the end of the statutory limitation period.
14./ PROCESSING OF PERSONAL DATA PROVIDED UPON “FREEDOM OF INFORMATION” REQUESTS
14.1./ Short description of the data processing: The Public Foundation is a public service body, and as such receives “freedom of information” requests from natural persons on a regular basis.
14.2./ Legal basis for data processing: The data processing is carried out for the purpose of complying with legal obligations pertaining to the Data Controller [Point c) of Paragraph (1) of Article 6 of the Regulation]. Applicable laws: Article 26, Paragraph (1) of the Information Act.
14.3./ The purpose of data processing: The fulfilment of legal responsibilities, which is a legitimate data processing objective. The personal data of the requester may only be processed insofar as needed for the performance of the request, the assessment of the request based on the criteria defined in Section 29 (1a) of the Information Act and the reimbursement of costs associated with the fulfilment of the request.
14.4./ Scope of the processed data: The name of the requester and the contact details through which information and notices related to the data request may be communicated [Section 29 (1b) of the Information Act].
14.5./ Duration of data processing: 1 year [Article 29, Paragraph (1a) of the Information Act].
14.6./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
15./ PROCESSING OF PERSONAL DATA RELATED TO THOSE REGISTERING TO THE EVENTS ORGANIZED BY THE PUBLIC FOUNDATION
15.1./ Short description of the data processing: The Public Foundation organizes public or private events on a regular basis where participation is subject to a written registration.
15.2./ Legal basis for data processing: Voluntary consent given by the Data Subject [Article 6, Paragraph (1) Point a) of the Regulation]. If a natural person expresses his/her willingness to attend an event organized by the Public Foundation by registering to the event and provides his/her name, telephone number and e-mail address through the registration process, he/she agrees to the Public Foundation processing his/her personal data in order for him/her to participate in the event.
15.3./ The purpose of data processing: The purpose of data processing is to ensure that the persons expressing their intention (by registering) to participate in an event organized by the Public Foundation are able to attend the event, to register the participants, to determine the number of participants expected at the event and to assess whether they are allowed to participate, as well as to provide answers to the requests, questions and complaints of the data subjects.
15.4./ Scope of the processed personal data: The name, e-mail address and phone number of the person registering to the system.
15.5./ Duration of data processing: If at the time of the registration, the registrant consents to the Public Foundation processing his/her personal data until this consent is withdrawn, and to receiving invitations to later events, the Public Foundation shall delete all personal data related to the registrant within 3 working days upon the withdrawal of consent. In the absence of such consent, the Public Foundation shall delete all personal data within 3 working days following the event.
15.6./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
16./ PROCESSING OF PERSONAL DATA RELATED TO THOSE ATTENDING THE EVENTS ORGANIZED BY THE PUBLIC FOUNDATION
16.1./ Short description of the data processing: The Public Foundation organizes public and private events on a regular basis. During these events, images – photographs and/or videos – may be recorded of the participants and the performers attending the event. The Public Foundation shall always enter into a contract with the performers, and in this contract, obtain the consent of the performers to record their likeness. Other persons attending the events shall be informed in the invitation to the event and through this Policy about the rules of data processing related to their personal data (their likeness).
16.2./ Legal basis for data processing: Voluntary consent given by the Data Subject [Article 6, Paragraph (1) Point a) of the Regulation]. In cases where natural persons attend one of the public or private events organized by the Public Foundation, and prior to the event, the Public Foundation has informed the attendees that their likeness may be recorded, the attendees, with their attendance or implicit conduct, give their voluntary consent to the recording of their likeness and to the processing, use and disclosure of their likeness (their personal data).
16.3./ The purpose of data processing: The purpose of data processing is to document and promote the events organized by the Public Foundation.
16.4./ Scope of the processed personal data: The likeness of the attendees at the event.
16.5./ Duration of data processing: 10 years
16.6./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
17./ HANDLING OF DOCUMENTS AND E-MAILS
17.1./ Short description of the data processing: The documents generated during the operation of the Public Foundation may be created on paper and in scanned versions. The paper-based documents are stored in the offices of the Public Foundation. The electronic documents are stored in the software products used to operate the website of the Public Foundation, as well as on the server owned by the Public Foundation.
17.2./ Legal basis for data processing: The legal basis for data processing in the case of the documents depends on the legal basis for data processing of the data contained in the given document. This means that no separate, unique legal basis can be identified for data processing carried out in connection with the handling of such documents.
17.3./ The purpose of data processing: The storage of information contained in the paper-based and electronic documents, to allow their later use, and to fulfil the legal responsibilities of the Public Foundation (such as the reporting and clearing obligations, as well as the storage and transfer of public records).
17.4./ Scope of the processed personal data: Personal data contained in the paper-based and electronic documents.
17.5./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
18./ DATA PROCESSING RELATED TO WEBSITE VISITORS, COOKIES
18.2./ The Public Foundation operates the following websites:
18.3./ Short description of the data processing: Information related to the activities of the visitors to the site are considered personal data when it is possible to connect them to the data subjects. Scope of data subjects: all data subjects who visit the websites of the Public Foundation.
18.4./ The purpose of data processing: Producing statistics, tracking visitors.
18.5./ Legal basis for data processing: As a legal basis for data processing, we refer to Article 6. (1) a) of the Regulation: the consent of the data subjects.
18.6./ Scope of the processed personal data: unique ID number, dates, times.
18.7./ Duration of data processing: Session cookie: to identify the user for the login procedure, PHP session id: the system deletes it when the browser is closed.
18.8./ Relevant IT systems: Software used to operate the website of the Public Foundation, as well as the server owned by the Public Foundation.
19./ OTHER DATA PROCESSING ACTIVITIES
19.1./ The Public Foundation does not send newsletters and does not carry out direct marketing activities.
19.2./ The Public Foundation does not make recordings of the phone conversations.
19.3./ The Public Foundation uses access cards to provide access to its premises located at 1054 Budapest, Báthory utca 20. III/3. and to its seat located at 1122 Budapest, Határőr út 35. Given that the Public Foundation does not ask visitors to provide data for entering and exiting the premises, the Public Foundation does not carry out data processing regarding this.
20./ USE OF DATA PROCESSORS ON BEHALF OF THE PUBLIC FOUNDATION
20.1./ To aid in the performance of its duties, the Public Foundation as a Data Controller may use other data processors in certain cases. The data processors record, manage and process the personal data transferred to them by the Public Foundation in accordance with the provisions of the Regulation, and shall make a statement regarding this to the Public Foundation.
20.2./ For the fulfilment of its tax and accounting obligations, within the framework of bookkeeping and auditing service contracts, the Public Foundation hires external service providers to process the personal data of contracted natural persons or those standing in paid relationships in order to fulfil the tax and accounting obligations imposed on the Public Foundation.
20.3./ The Public Foundation uses an external data processor for the purpose of performing payroll, legal service and public procurement consultancy activities.
20.4./ Where contractually commissioned claims managers are concerned, the contents of the specific order decide whether they act as data controllers or as independent data processors.
20.5./ The Public Foundation transfers the data to its data processors based on and in the manner specified in the Data Processing Contracts. The data processors used by the Public Foundation have their principal place of business in Hungary.
21./ DATA TRANSFERS
21.1./ The Public Foundation does not transfer personal data outside of Hungary.
21.2./ The Public Foundation as a public service body founded by the Government of Hungary is obliged to transfer personal data related to several legal relationships to its founder, to the national supervisory bodies and, in case of supporting relationships, to its supporters. If the Public Foundation is required to transfer the personal data related to a natural person and made available to the Public Foundation within the framework of a contractual relationship to an outside body, the Public Foundation shall inform the data subject of this no later than the establishment of the legal relationship.
21.3./ Based on Paragraph 1 of Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives, the Public Foundation is required to hand over the complete and bound volumes of its public documents that shall be kept for an unlimited period to the competent public archives before the end of the fifteenth year following the calendar year in which the documents were created.
22./ THE RIGHTS OF THE DATA SUBJECTS
22.1./ According to the language of the Regulation, “data subject” is a natural person who can be identified, directly or indirectly by reference to relevant information or personal data. In relation to the data processing activities carried out by the Public Foundation, the data subjects are entitled to the rights described below.
22.2./ We would like to notify the data subjects that prior to the fulfilment of claims regarding the enforcement of rights, the Public Foundation is obliged to identify the person submitting the request. Where the Public Foundation has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the requestor.
22.4./ Requests for information
The data subject has the right to receive information about the management of his/her personal data and the exercise of his/her rights. If you would like to file a request, please contact the Public Foundation in writing (via e-mail or postal mail). The Public Foundation will provide the requested information in writing, according to the provisions of this Policy. The Public Foundation may refuse to comply with the request if it can prove that it is not in a position to identify the data subject. We would like to notify the data subjects that the right to request information does not apply to data processed under legal provisions.
22.5./ The right of access
The data subject is entitled to request and receive information from the Public Foundation about whether the processing of his personal data is still ongoing or not. If the data processing is ongoing, he has the right to access the personal information being processed as well as the following information:
a) the purposes of data processing,
b) the categories of personal data records concerned,
c) recipients or categories of recipients to whom the personal data was or will be disclosed or transferred, including especially recipients from Third Countries and international organizations,
d) where appropriate, the intended duration of the storage of personal data or, where this is not possible, the criteria for determining that period,
e) the right to request the data controller to correct, delete or restrict the processing of personal data related to him and to object to the processing of such personal data,
f) the right to file a complaint addressed to a supervisory authority,
g) if the relevant data was not collected from the data subject, all available information about their source,
h) the fact that automated decision-making (including profiling) is in use, and at least the logic used and information about the nature of such data processing and its likely consequences in relation to the data subject (this information shall be provided in a clear and understandable form).
Method for ensuring the right of access at the Public Foundation: Upon a request related to this right sent by a data subject, the Public Foundation provides the data subject with a copy of the personal data subject to processing. If the data subject submits the request by electronic means, or the data is processed in an electronic format, the information shall be provided in a commonly used electronic format (unless the data subject specifically requests a different format). The Public Foundation is obliged to respond to such requests without undue delay and at the latest within 30 days, and to give reasons where it does not intend to comply with the request. The copy of the personal data shall normally be provided free of charge. The Public Foundation may charge a reasonable fee based on administrative costs where more than one copy is requested, or if a simpler, quicker and more cost-effective method than the one requested by the data subject is available to comply with the request.
22.6./ The right to rectification
The data subject shall have the right to obtain from the Public Foundation without undue delay the rectification of inaccurate personal data concerning the data subject. Where the purpose of data processing makes this relevant, the data subject is also entitled to request the completion of incomplete personal data. Completion will be carried out by way of a supplementary written statement submitted by the data subject.
22.7./ Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the Public Foundation the erasure of personal data concerning the data subject without undue delay and the Public Foundation shall erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws his/her consent which served as the legal basis of processing, and there is no other legal basis available to continue processing;
c) the data subject objects to the processing based on the relevant provisions of the Regulation, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for the sake of compliance with a legal obligation in Union or Member State law to which the Public Foundation is subject;
The Public Foundation is not obliged to delete the data if processing is necessary for the following reasons:
a) the exercising of fundamental rights (the right of freedom of expression and information);
b) in cases where processing is mandatory (in order to comply with legal obligations stemming from EU or Member States law applicable to the data controller on the processing of personal data);
d) public interest reasons (e.g. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing); or
e) for the establishment, exercise or defence of legal claims.
The right to erasure should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him/her for the performance of a contract to the extent that and for as long as the personal data is necessary for the performance of that contract. Furthermore, the right to erasure is not applicable in cases where the duration of data processing is governed by law, e.g. in case of invoices, as the law states that all invoices must be kept for 8 years.
Where the Public Foundation has made the personal data public and is obliged to erase the personal data, the controller, taking account of the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. Rules regarding exceptions are relevant even in this case.
22.8./ Right to the restriction of processing
The data subject shall have the right to obtain from the Public Foundation the restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject (in this case, the restriction shall apply for the period until the Public Foundation is able to verify the accuracy of the personal data);
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Public Foundation no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to the processing of data pursuant to the relevant provisions of the Regulation; in this case the restriction shall apply until it is verified whether the legitimate grounds of the Public Foundation as a data controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Public Foundation shall inform the data subject (upon whose request the restrictions have been introduced) about the fact of lifting the restrictions prior to such event.
22.9./ Right to data portability
The data subject is entitled to receive the personal data concerning him/her, which he/she has previously provided to the Public Foundation, in a structured, commonly used and machine-readable format and have the right to transmit these data to another data controller without any hindrance from the Public Foundation, where:
a) the legal basis for processing is consent or a contract; and
b) the processing is carried out by automated means.
In exercising his/her right of data portability, the data subject shall have the right to have his/her personal data transmitted directly from one controller to another, where technically feasible.
We would like to inform the data subjects that the right of data portability may only be exercised when all the above conditions are met (i.e. the processing is based on consent or a contract AND the processing is carried out by automated means). This means that the right of data portability, for example, does not apply to data processed under legal provisions. According to the guidelines of the Article 29 Data Protection Working Party (WP29), established under Article 29 of Directive 95/46/EC, the right of data portability applies only to automated data processing; consequently, it does not apply to paper-based data processing activities.
22.10./ Right to object
The data subject is entitled to object, on grounds relating to his/her particular situation, at any time to the processing of personal data concerning him/her which is based on the legitimate interests of the Public Foundation. In this case the Public Foundation shall no longer process the personal data unless the Public Foundation demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or legitimate grounds showing that the data is needed for the establishment, exercise or defence of legal claims.
23./ METHOD FOR EXERCISING THE RIGHTS
23.1./ The Public Foundation shall inform the data subject without undue delay, at the latest within 25 days of the reception of the request about the measures taken in response to the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by two additional months. The Public Foundation shall inform the data subject of the extension of the deadline, and shall also indicate the causes of the delay within 25 days of receiving the request. When the request was made in an electronic form, unless otherwise requested by the data subject and if possible, the information shall be provided in an electronic form.
23.2./ If the Public Foundation does not wish to take actions in response to the request made by the data subject, the Public Foundation shall, without undue delay and at the latest within 25 days of the reception of the request, inform the data subject of the reasons for the lack of action and his/her right to file a complaint with a supervisory authority, and of the option to exercise his/her right of appeal.
23.3./ The Public Foundation shall also provide the information required based on the right to information and the information related to the exercise of certain rights free of charge. However, if the request made by the data subject is undoubtedly unfounded or – because of its extremely repetitive nature – excessive, the Public Foundation, depending on the administrative costs of the provision of the requested information or the requested actions:
may charge a reasonable amount, or
may refuse to take action with regards to the request.
It is the responsibility of the Public Foundation to prove that a certain request is manifestly unfounded or excessive.
24.1./ Without prejudice to other administrative or judicial remedies, the data subject is entitled to file a complaint with a supervisory authority – in particular in the Member State of his/her habitual residence, his/her place of work or the place where the suspected infringement took place – if he/she believes that the processing of his/her personal data violates the Regulation.
24.2./ Without prejudice to other administrative or non-judicial remedies, the data subject is entitled to an effective judicial remedy where the competent supervisory authority does not handle the complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.
24.3./ Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority, the data subject is entitled to an effective judicial remedy where he/she considers that his/her rights under the Regulation have been infringed by the Public Foundation as a result of the processing of his/her personal data in non-compliance with the Regulation. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his/her habitual residence.
25./ DATA SECURITY MEASURES
25.1./ The Public Foundation takes all the technical and organizational measures necessary for the protection of personal data and establishes procedural rules required for the fulfilment of the provisions of the Regulation and the Information Act in relation to all the data processing activities carried out by the Public Foundation.
25.2./ The Public Foundation protects the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access.
25.3./ The Public Foundation treats personal data as confidential information. The Public Foundation requires its employees to undertake a confidentiality obligation in relation to the processing of personal data. Access to personal data within the Public Foundation is limited with the use of permission levels.
25.4./ The Public Foundation protects its IT systems with firewalls and uses virus protection.
25.5./ Safety requirements regarding paper-based personal data processed by the Public Foundation:
personal data – regardless of the type of media it is displayed on – can only be accessed by authorized persons; unauthorized persons cannot access them, and the data shall not be disclosed to unauthorized persons,
the documents shall be kept in a dry room which is lockable with a key and has fire and property protection,
the person tasked with processing the data at the Public Foundation may only leave the office or the room where the data is being processed upon locking the documents away or locking the room,
the same safety rules apply in cases where the data is accessed by employees working from home.
25.6./ To ensure the security of personal information stored on computers or in a network or a cloud:
the Public Foundation applies security requirements for the computers used for the processing of personal data,
personal data stored on computers, in a network or a cloud may only be accessed with a valid, personal, identifiable permission,
where the purpose of the data processing activities is met, the duration set for data processing has expired or the legal basis for the data processing is lost for any reason, the file containing the data shall irrevocably be deleted in such a way that the data contained therein can no longer be recovered,
the Public Foundation provides firewall security and virus protection for its computers,
during the processing of personal data, continuous backup is carried out on computers, and network systems are backed up on a regular basis,
the Public Foundation continuously ensures the IT protection of the personal data it processes by applying appropriate, state-of-the-art IT tools and methods.
25.7./ For the automated processing of personal data, the Public Foundation provides additional measures:
a) the prevention of unauthorized data entry;
b) the prevention of unauthorized access to the automated data processing systems by means of data transmission equipment;
c) a method to monitor and verify which bodies received or may receive the personal data by way of transfer with data transmission equipment;
d) a method to monitor and verify the time of entry as well as the identity of the person that entered the personal data into the automated data processing systems for each data item;
e) assurance that the installed systems are recoverable in case of malfunctions (reinstallation, data restoration to the last saved state) and
f) assurance that a report is compiled with regard to all errors that occur during the automated processing activities.
25.8./ The hosting service is operated in-house.
25.9./ Only the relevant administrators have access to the ongoing cases and to the files being processed; the Public Foundation keeps the documents containing personal data securely locked and ensures that the keys to these rooms (lockers) can only be accessed by authorized persons.
26./ EFFECTIVE DATE OF THE POLICY AND FURTHER AMENDMENTS
26.2./ The Public Foundation reserves the right to unilaterally modify and update this Policy without any prior notice. These amendments shall enter into force with the publication of the updated version of the Policy.