Introduction
Keszthely City Council (headquarters: 8360 Keszthely, Fő tér 1.), (hereinafter referred to as: Service Provider, Data Controller) is subject to the following regulations:
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.
This data protection policy regulates the data processing of the following pages: https://keszthely.hu/
The data protection policy is available from the following page: https://keszthely.hu/adatvedelem/
Any amendments to the policy will take effect upon publication at the above address.
Data Controller and Contact Details:
Name: Keszthely City Council
Registered Office: 8360 Keszthely, Fő tér 1.
E-mail: info@keszthely.hu
Telephone: +36 83 505 500
Data Protection Officer: Dr. Krupla-Takács Zsófia
Contact: adatvedelem@keszthely.hu
Definition of Terms
1. “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. “Data processing”: any automated or non-automated operation or set of operations performed on personal data or data sets, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. “Data Controller”: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. “Data Processor”: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
5. “Recipient”: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, irrespective of whether it is a third party. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
6. “The data subject’s consent”: The data subject’s voluntary, specific and informed expression of his/her will, based on adequate information, by which the data subject unambiguously expresses his/her consent or confirmation by statement or other clear affirmative action;
7. “Data Protection Incident”: A security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
Principles for Personal Data Processing
Personal Data:
- a) Processing must be done lawfully and fairly, and in a transparent manner for the data subject (“lawfulness, fairness and transparency”);
- b) Collection should only take place for specified, explicit and lawful purposes and should not be processed in a manner incompatible with those purposes; according to Article 89 (1), further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”);
- c) They must be appropriate and relevant from the point of view of the purposes of the processing, and must be limited to what is necessary (“data minimization”);
- d) They must be accurate and up-to-date where necessary; all reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay for the purposes of the data processing (“accuracy”);
- e) Storage must be done in a form that only allows the identification of the data subjects for as long as necessary to achieve the purposes of the processing of personal data; storage for a longer period may take place only if the processing of personal data is carried out for the purposes of public archiving pursuant to Article 89(1) of this Regulation, for scientific or historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of the data subjects as required by this Regulation (“restricted storage”);
- f) The processing must be carried out in such a manner that appropriate technical or organizational measures are taken to ensure the proper security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”).
The data controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).
The data controller declares that the data processing is carried out in accordance with the principles laid down in this point.
Scope of Personal Data Processed by the Data Controller, Purpose of Processing, Legal Basis and Storage Duration
The Data Controller processes personal data, which is to be managed in accordance with the relevant legal regulations, provided by or received from other data controllers regarding the data subjects, for the purpose of fulfilling both mandatory and voluntary municipal tasks and state administrative tasks.
Legal basis of data processing: Performance of a legal obligation of the Data Controller, processing of data in the public interest or in the exercise of official authority vested in the Data Controller (GDPR Article 6 (1) c) and e) point).
Duration of Data Storage: the period of time specified in the applicable legislation.
2. Personal data provided in connection with inquiries sent to the Data Controller
The Data Controller processes the personal data not included in the categories listed in point 3.1 of this Information in accordance with the provisions of this Information, which the data subject has communicated verbally or in writing to the Data Controller (including all employees of the Data Controller and any person acting on its behalf).
Scope of processed data: the name of the data subject, contact details (e-mail address, telephone number, address), other personal data necessary for handling the request.
Purpose of data processing: identification of the data subject, maintaining contact with the data subject, fulfilling the request, and handling the matter according to the request.
Legal basis for data processing: the data subject’s voluntary, specific and informed consent (GDPR Article 6 (1) a) point), which the data subject gives by sending the request.
The user is entitled at any time to withdraw his/her consent to the processing of any personal data or part thereof by sending an email to the address dataprotection@keszthely.hu. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent before its withdrawal.
If the data subject does not provide the data requested by the Data Controller, which is necessary for the purpose of data processing, the consequence may be that the Data Controller cannot comply with the request.
Duration of data processing: until the withdrawal of consent or, in the absence of withdrawal, for one year after the request is closed. In the former case, the deletion of personal data shall take place within 30 days of the Data Controller’s receipt of the withdrawal of consent. In the event of a withdrawal of consent, the Data Controller is also entitled to process the personal data of the data subject if it has another legal basis for the data processing (e.g. for the fulfilment of a legal obligation or for the assertion of a legitimate interest).
3. Contractual Partners and their Collaborators Personal Data
The Data Controller processes the personal data of contractual partners, their employees, contacts, natural persons’ representatives and contractors in accordance with the information provided in this Information.
Scope of the processed data: name, position, workplace, contacts (e-mail address, phone number, address, etc.)
Purpose of data processing: maintaining contact in relation to establishing and implementing cooperation and fulfilling the contract.
Legal basis for data processing: the data subject’s voluntary, specific and informed consent (GDPR Article 6 (1) a) point), or the performance of a contract or data processing in the public interest or the exercise of official authority vested in the controller (GDPR Article 6 (1) e) point).
The user is entitled to withdraw their consent for the processing of all or part of their personal data at any time by sending an email to the address dataprotection@keszthely.hu. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent before its withdrawal.
If the processing is necessary for the legitimate interests pursued by the controller or a third party, the data subject may object to the processing of their personal data. In this case, the controller may not process the personal data any further, unless it proves that the processing is based on compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or that are for the establishment, exercise or defense of legal claims.
Duration of data processing: until the withdrawal of consent, in the absence of this, for 5 years after the termination of cooperation. In the former case, the personal data will be deleted within 30 days of the withdrawal of consent being received by the Data Controller. In the case of withdrawal of consent, the Data Controller is still entitled to process the personal data of the data subject if it has another legal basis for the data processing (e.g. for the fulfilment of a legal obligation or for the enforcement of a legitimate interest).
4. Curriculum Vitae
Scope of processed data: according to CV (e.g. name, address, phone number, e-mail address)
The purpose of data processing: The processing of data is carried out solely for the purpose of providing support and advice to the Applicant in relation to his/her future placement and employment, based on his/her application and voluntary disclosure of data, as well as to examine the possibility of employing the Applicant for the positions indicated and to invite and hear him/her for an interview.
Legal basis of data processing: the voluntary, specific and informed consent of the data subject (GDPR Article 6 (1) a) point). Possible legal consequences of not providing data: the Data Controller cannot employ the Applicant due to the lack of consent, as it cannot make a well-founded decision without a CV.
Duration of data processing: The Data Controller shall process the personal data contained in the Applicant’s CV – whether directly from the applicant/candidate or from the personnel center – until the date of the decision taken on the establishment of the employment relationship or – in the case of the establishment of the employment relationship – until the termination (cessation) of the employment relationship.
In case of unsuccessful application, the CV will be returned to the Applicant by the Data Controller or the CV will be deleted/destroyed. In case of withdrawal of consent, the CV will be deleted/destroyed within 30 days of the Data Controller’s receipt of the withdrawal. The Data Controller will store the CV for a period of 1 year after the unsuccessful application, upon the Applicant’s express request and consent, for the purpose of possible future job offers.
Data Processing One
Request for Offer
1. Fact of data collection, scope of processed data and purposes of data processing:
The e-mail address does not need to contain personal data.
2. Scope of Affected Persons: All affected persons requesting an offer on the website.
3. Duration of data processing and deadline for data deletion: If any of the conditions set out in Article 17 (1) of the GDPR are met, it shall last until the deletion request of the data subject. The data controller shall inform the data subject electronically of the deletion of any personal data provided by the data subject in accordance with Article 19 of the GDPR. If the data subject’s deletion request extends to the e-mail address provided by him/her, the data controller shall also delete the e-mail address following the notification.
4. Persons authorized to obtain data, recipients of personal data: The personal data may be handled by the data controller’s authorized employees, and the data will be transferred to the chosen accommodation.
5. Presentation of the data subjects’ rights related to data processing:
- The data subject may request from the data controller access to their personal data, rectification, erasure or restriction of processing, and
- The data subject has the right to data portability and to withdraw consent at any time.
6. The data subject can initiate access to personal data, its erasure, modification, or restriction of processing, and data portability in the following ways:
- by post to the address 8360 Keszthely, Fő tér 1.
- by e-mail at the adatvedelem@keszthely.hu e-mail address,
- by phone on +36 83 505 500.
7. Legal basis for data processing: Article 6 (1) point b) of the GDPR.
8. We inform you that
- Data processing is necessary for offering a proposal.
- You are obliged to provide personal data in order to send an offer.
- The absence of data provision has the consequence that we cannot offer you a tailored offer.
Making Contact
1. Data collection fact, scope of processed data and purpose of data processing:
The e-mail address does not need to contain personal data.
2. Scope of Affected Persons: All persons affected who send a message via the contact form.
3. Duration of data processing and deadline for data deletion: If any of the conditions set out in Article 17 (1) of the GDPR are met, it shall last until the data subject’s request for deletion.
4. Possible data controllers and recipients of personal data authorized to access the data: The personal data may be handled by the data controller’s authorized personnel.
5. Description of the data subjects’ rights related to data processing:
- The data subject may request from the data controller access to his/her personal data, rectification, erasure or restriction of processing, and
- The data subject has the right to data portability and to withdraw their consent at any time.
6. The access to personal data, its deletion, modification, or restriction of its processing, and data portability can be requested by the data subject in the following ways:
- by post to the address 8360 Keszthely, Fő tér 1.
- by e-mail at the adatvedelem@keszthely.hu e-mail address,
- by phone on +36 83 505 500.
7. Basis of Data Processing: consent of the data subject, points a), b) and c) of Article 6 (1). If you contact us, you consent to us processing the personal data (name, telephone number, e-mail address) that you provide to us in connection with the contact in accordance with this policy.
8. We inform you that
- The present data processing is based on your consent, or in case of contractual legal relationship, on a legal obligation (cooperation).
- The person is obligated to provide personal data in order to be able to contact us.
- The failure to provide data results in an inability to establish contact with the Provider.
Customer Relations
1. Fact of data collection, scope of processed data and purpose of data processing:
2. Scope of the Data Subjects: All data subjects who are in contact with the data controller by phone/e-mail/in person or who are in contractual legal relationship with them.
3. Duration of data processing and deadline for data deletion: Letters containing requests are kept until the deletion request of the data subject is processed, but for a maximum of 2 years.
4. Persons authorized to become familiar with the data, recipients of personal data: The personal data can be handled by the data controller’s authorized employees, respecting the above principles.
5. Presentation of data subjects’ rights related to data processing:
- The data subject may request access to their personal data from the data controller, rectification, erasure or restriction of processing, and
- The data subject has the right to data portability and to withdraw their consent at any time.
6. The data subject can initiate access to, deletion of, modification of, or restriction of processing of personal data, and portability of data, in the following ways:
- by post to the address 8360 Keszthely, Fő tér 1.
- by e-mail at the adatvedelem@keszthely.hu e-mail address,
- by phone on +36 83 505 500.
7. Legal basis for data management:
7.1. Article 6 (1) (b) and (c) of the GDPR.
7.2. In case of enforcement of claims arising from the contract, 5 years according to Section 6:21 of Act V of 2013 on the Civil Code.
6:22. § [Prescription]
- (1) Unless otherwise provided by law, claims expire within five years.
- (2) The expiration begins when the claim becomes due.
- (3) Any agreement to modify the expiration period must be put in writing.
- (4) Agreement excluding expiration is void.
8. We hereby inform you that
Newsletter, DM Activity
1. According to Article 6 of Law No. XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity, the User may give prior and explicit consent for the Service Provider to contact him/her with its advertising offers and other mailings at the contact details provided at the time of registration.
2. Furthermore, the Client, taking into account the provisions of this Information, may consent to the Service Provider processing the personal data necessary for sending advertising offers.
3. The Provider will not send unsolicited advertising messages, and the User can unsubscribe from receiving offers free of charge and without restriction or justification. In this case, the Provider will delete all personal data necessary for sending the advertising messages from its records and will not contact the User with any further advertising offers. The User can unsubscribe from the advertisements by clicking on the link in the message.
4. Fact of data collection, scope of processed data and purpose of data processing:
5. Scope of the Affected: All persons who have subscribed to the newsletter.
6. Purpose of data processing: sending electronic messages containing advertisement (e-mail, sms, push message) to the data subject, providing information about current information, products, campaigns, new features, etc.
7. Duration of data processing and deadline for data deletion: The data processing shall last until the withdrawal of the consent declaration, i.e. until unsubscribing.
8. Possible data controllers and recipients of personal data authorized to access the data: The personal data may be handled by the data controller’s sales and marketing personnel, respecting the above principles.
9. Outlining the data processing rights of the data subjects:
- The data subject may request access to their personal data from the data controller, rectification, erasure or restriction of processing, and
- The data subject may object to the processing of their personal data, and
- The data subject has the right to data portability and to withdraw their consent at any time.
10. The following methods can be used to request access to, delete, modify, or restrict the processing of personal data, as well as to request the portability of data or to object:
- by post to the address 8360 Keszthely, Fő tér 1.
- by e-mail at the e-mail address,
- by phone on +36 83 505 500.
11. The concerned person can unsubscribe from the newsletter free of charge at any time.
12. Data processor used during data management:
MailChimp
The Rocket Science Group, LLC
675 Ponce de Leon Avenue Northeast
Suite 5000
Atlanta, GA 30308 USA
13. Basis of data processing: consent of the data subject, Article 6 (1) a) and f) and Article 6 § (5) of the Act on the Basic Conditions and Certain Restrictions of Economic Advertising Activity 2008 (XLVIII of 2008):
The advertiser, the advertising service provider, or the publisher of the advertisement – within the scope specified in the consent – keeps a record of the personal data of the persons who have given their consent. The data recorded in this register – relating to the recipient of the advertisement – can only be handled in accordance with the consent statement, until it is revoked, and can only be transferred to third parties with the prior consent of the person concerned.
14. We inform you that
- Data processing is based on your consent and the provider’s legitimate interest.
- You are required to provide personal data if you wish to receive newsletters from us.
- The consequence of not providing data is that we cannot send you a newsletter.
- We inform you that you can withdraw your consent at any time by clicking on the unsubscribe link.
Complaint Handling
1. Fact of data collection, scope of processed data and purpose of data processing:
2. Scope of Affected Persons: All affected persons who raise a complaint on the website.
3. Duration of data processing and deadline for data deletion: According to the 17/A. § (7) of the Act CLV of 1997 on consumer protection, copies of the minutes of the complaint, transcript and response thereto must be kept for 5 years.
4. Possible data controllers and recipients of personal data authorized to access the data: The personal data can be handled by the data controller’s sales and marketing staff, respecting the above principles.
5. Presentation of the data subjects’ rights related to data processing:
- The data subject may request access to their personal data from the data controller, rectification, erasure or restriction of processing, and
- The data subject has the right to data portability and to withdraw consent at any time.
6. The data subject can initiate access to, deletion of, modification of, or restriction of processing of personal data, and data portability, in the following ways:
- by post to the address 8360 Keszthely, Fő tér 1.
- by e-mail at the adatvedelem@keszthely.hu e-mail address,
- by phone on +36 83 505 500.
7. Legal basis of data processing: Article 6 (1) point c) of the GDPR and Article 17/A (7) of the Act on Consumer Protection of 1997.
8. We hereby inform you that
- The provision of personal data is based on a legal obligation.
- The processing of personal data is a prerequisite for concluding the contract.
- The person is obliged to provide personal data so that we can handle their complaint.
- The failure to provide data results in us not being able to handle your complaint.
Recipients with whom personal data is shared
“recipient”: the natural or legal person, public authority, agency or any other body to whom or which the personal data are disclosed, irrespective of whether they are a third party.
Data Processors (those who process the data on behalf of the data controller)
The data controller engages data processors in order to facilitate its own data processing activities and to fulfil its contractual and legal obligations.
The data controller places great emphasis on engaging only data processors who provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the data processing complies with the requirements of the GDPR and the protection of the rights of the data subjects.
The data processor and any person under the authority of the data controller or the data processor with access to personal data shall process such personal data only in accordance with the instructions of the data controller.
The data controller is liable for the data processor’s activities. The data processor shall be liable for any damages caused by processing only if it has not complied with the obligations imposed on it by the GDPR or if it has acted outside or contrary to the data controller’s lawful instructions.
The data processor does not have any decision-making authority in relation to the processing of the data.
The data controller may engage hosting providers, courier services as data processors for the purpose of providing the IT infrastructure and delivering the ordered products.
Web Hosting and Web Development
- Name: Bábelhal Webstudio Kft.
- Address, contact: 8360 Keszthely, Kossuth utca 35.
6. Handling of Cookies
1. Cookies typically used in web stores are the so-called “cookies used for password-protected sessions”, “security cookies”, “Necessary cookies”, “Functional cookies”, and “cookies responsible for managing website statistics”, for which prior consent from the data subjects is not required.
2. Data processing fact, scope of processed data: Unique identification number, dates, timestamps
3. Scope of Affected Persons: All visitors to the website.
4. Purpose of Data Processing: Identification of users and tracking of visitors.
5. Duration of data processing, deadline for data deletion:
- Permanent or saved cookies: until deleted by the data subject
- Statistical cookies: 1-2 months
6. Possible data controllers entitled to know the data: The data controller does not process personal data using cookies.
7. Description of the data subject’s rights related to data processing: The data subject has the possibility to delete the cookies in the browser’s Tools/Settings menu, usually under the Data Protection menu item settings.
8. Basis of data processing: Consent from the data subject is not necessary if the sole purpose of using cookies is the transmission of communication through an electronic communications network or is expressly requested by the subscriber or user in order to provide a service connected with the information society.
9. Most of the browsers used by our users allow you to choose which cookies are saved and to delete (certain) cookies again. If you restrict the saving of cookies on certain websites or do not allow third-party cookies, our website may, under certain conditions, no longer be fully usable. Here you will find information on how to customize cookie settings for the usual browsers:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)
Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)
Safari (https://www.apple.com/legal/privacy/en-ww/)
Using Google and Facebook Services
Using Google Ads (Adwords) Conversion Tracking
1. The data controller uses the online advertising program called “Google Ads (Adwords)” and makes use of the Google conversion tracking service within its framework. The Google conversion tracking is a service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a User reaches a website via a Google advertisement, a cookie necessary for conversion tracking is placed on his/her computer. These cookies are limited in validity and do not contain any personal data, so the User cannot be identified by them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User has clicked on the advertisement.
4. Every Google Ads (Adwords) customer receives a different cookie, so it is not possible to track them through the websites of Ads (Adwords) customers.
5. The information collected through the conversion tracking cookies serves the purpose of generating conversion statistics for Ads (Adwords) customers who have opted for conversion tracking. Customers thus obtain information about the number of users who have been referred to the website with a conversion tracking tag after clicking on their advertisement. However, they do not receive any information with which individual users can be identified.
6. If you do not wish to participate in the conversion tracking, you can object to this by preventing the installation of cookies in your browser settings. You will then not be included in the conversion tracking statistics.
7. Further information and the Google data protection declaration can be found at the following link: www.google.de/policies/privacy/
Application of Google Analytics
1. This website uses the Google Analytics application, which is a web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are saved to your computer, thus facilitating the analysis of the website visited by the User.
2. The information created by the cookies related to the website used by the User is usually sent to and stored on a server of Google in the USA. With IP anonymization activated on the website, Google shortens the User’s IP address beforehand within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
3. Only in exceptional cases is the full IP address forwarded to Google’s server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate how the User has used the website, to generate reports on website activity for the website operator, and to provide other services related to website and internet usage.
4. Within the framework of Google Analytics, the IP address transmitted by the User’s browser is not linked to other data of Google. The User may prevent the storage of cookies by setting his browser accordingly; however, we draw his attention to the fact that in this case not all functions of this website may be fully usable. Furthermore, the User may prevent Google from collecting and processing data related to his website usage (including the IP address) generated by cookies by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu
Social Media
1. Data collection fact, scope of processed data: Name registered on social media platforms such as Facebook/Twitter/Pinterest/Youtube/Instagram, and public profile picture of the user.
2. Scope of persons concerned: All persons concerned who registered on social media platforms such as Facebook/Twitter/Pinterest/Youtube/Instagram, and “liked” the Service Provider’s social media page, or contacted the data controller through social media.
3. Purpose of data collection: Sharing or “liking”, following, promoting certain content elements, products, actions or the website itself on social media platforms.
4. Duration of data processing, deadline for data deletion, persons who may be aware of data and description of data subjects’ rights related to data processing: The data subject can be informed about the source of data, their processing, and the way and legal basis of their transfer on the respective social media platform. The data processing takes place on the social media platforms, thus the duration, manner and possibilities of deleting and modifying the data are subject to the regulations of the respective social media platform.
5. Legal basis of data processing: Voluntary consent of the data subject to the processing of their personal data on social media platforms.
Customer Relations and Other Data Processing
1. If any questions arise or problems occur when using our data processing services, the data controller can be contacted through the methods provided on the website (phone, e-mail, social media, etc.).
2. The data controller will delete incoming emails, messages, phone numbers, Facebook data, etc., together with the inquirer’s name and email address and any other voluntarily provided personal data, within a maximum of two years from the date of disclosure.
3. We will provide information about any data processing not listed in this notice when the data is collected.
4. In the case of exceptional requests from authorities or requests from other bodies based on legal authorization, the Service Provider is obliged to provide information, disclose data, transfer or make documents available to the requester.
5. In these cases, the Service Provider shall provide personal data to the requester only to the extent necessary to achieve the purpose of the request, provided that the requester specifies the exact purpose and scope of the data.
Rights of the Data Subject
1. Access Right
You are entitled to receive feedback from the data controller as to whether the processing of your personal data is ongoing and, if such processing is ongoing, you are entitled to access the personal data and the information listed in the Regulation.
2. Right to Rectification
You are entitled to request the data controller to rectify without undue delay any inaccurate personal data concerning you. Taking into account the purposes of the processing, you are entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
3. Right to Erasure
You are entitled to request the data controller to erase your personal data without undue delay and the data controller is obliged to erase your personal data without undue delay under certain conditions.
4. Right to be Forgotten
If the data controller has made the personal data public and is obliged to delete it, it shall take reasonable steps, including technical measures, to inform data controllers processing the data that you have requested the links to, or copies or replicas of, the personal data in question to be deleted.
5. Right to Restrict Data Processing
You have the right to request the data controller to restrict the data processing if any of the following conditions are met:
- You dispute the accuracy of the personal data, in which case the restriction shall apply for the period enabling the data controller to verify the accuracy of the personal data;
- the data processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use;
- the data controller no longer needs the personal data for the purposes of data processing, but you require them for the establishment, exercise or defence of legal claims;
- you have objected to the data processing; in this case, the restriction shall apply for the period until it is established whether the data controller’s legitimate grounds override your legitimate grounds.
6. Right to data portability
You have the right to receive the personal data you have provided to a data controller in a structured, commonly used and machine-readable format and to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided (…)
7. Right to Object
In the case of data processing based on legitimate interests or public authority powers, you are entitled to object at any time, on grounds relating to your particular situation, to the processing of your personal data (…) including profiling based on these provisions.
8. Objection to Direct Marketing
If the processing of personal data is for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose, including profiling to the extent that it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data shall no longer be processed for such purposes.
9. Automated Decision-Making in Individual Cases, Including Profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
The preceding paragraph shall not apply in the case of a decision:
- necessary for entering into, or performance of, a contract between you and the controller;
- authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit consent.
Action Deadline
The data controller shall inform you of the measures taken as a result of the above requests without undue delay, but in any case within one month of receipt of the request.
This may be extended by a further two months where necessary. The data controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the data controller does not take any measures in response to your request, it shall inform you of the reasons for not taking action without undue delay, but at the latest within one month of receipt of the request, and of your right to lodge a complaint with a supervisory authority and to a judicial remedy.
Data Handling Security
Taking into account the state of science and technology, the costs of implementation, the nature, scope, context and purposes of data processing, and the risks of varying probability and severity to the rights and freedoms of natural persons, the data controller and data processor implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the risk, including, where appropriate:
- a) Anonymization and encryption of personal data;
- b) Ensuring the continuous confidential nature, integrity, availability and resilience of systems and services used for personal data processing;
- c) In the case of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
- d) Procedure for regular testing, surveying and evaluating the effectiveness of technical and organizational measures taken to ensure the security of data processing.
- e) Data must be stored in a way that unauthorized persons cannot access it. For paper-based data carriers, physical storage and filing must be organized, and for electronically managed data, a central authorization management system must be applied.
- f) The method of IT data storage should be chosen so that the data can be deleted when the data deletion deadline expires, or if necessary for other reasons. The deletion should be irreversible.
- g) Paper-based data carriers must be destroyed using a shredder or by engaging an external organization specialized in document destruction. For electronic data carriers, the rules for electronic data carrier disposal must be followed to ensure physical destruction, or, if necessary, secure and irrecoverable deletion of the data beforehand.
- h) The data controller takes the following specific data security measures:
a. In order to ensure the security of personal data handled on paper, the Provider applies the following measures (physical protection):
- i. Store documents in a secure, well-sealed dry room.
- ii. The Provider’s building and premises are equipped with fire protection and asset protection devices.
- iii. Personal data can only be known by authorized persons, and third parties cannot access them.
- iv. The Service Provider’s data processing employee may leave the premises where data processing is taking place only after locking away the data carriers entrusted to him/her, or after locking the given premises.
- v. If personal data handled on paper is digitized, then the rules applicable to digitally stored documents must be applied.
b. Information security
- i. Computers and mobile devices (other data carriers) used in data processing are owned by the Service Provider.
- ii. Access to data on computers is only allowed with a username and password.
- iii. Access to the central server machine is only allowed to those with the appropriate permissions and only to those persons designated for it.
- iv. In order to ensure the security of digitally stored data, the Provider applies data backups and archiving.
- v. The computer system containing personal data used by the Service Provider is equipped with virus protection.
Notification of Data Protection Incident to the Data Subject
If the data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay.
The information provided to the data subject must clearly and understandably describe the nature of the data protection incident and state the name and contact details of the data protection officer or other contact person providing further information; it must describe the likely consequences of the data protection incident; and it must describe the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, any measures to mitigate the possible adverse consequences of the data protection incident.
The data subject does not need to be informed if any of the following conditions are met:
- The data controller has implemented appropriate technical and organizational protection measures and applied them to the personal data affected by the data protection incident, in particular measures such as encryption which make the data unintelligible to persons not authorized to access the personal data;
- Following the data protection incident, the data controller took additional measures to ensure that the high risk posed to the affected rights and freedoms is unlikely to materialize in the future;
- Informing would require disproportionate effort. In such cases, the affected persons should be informed through publicly available information, or such a measure should be taken that ensures the effective informing of the affected persons in a similar manner.
If the data controller has not yet informed the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order that the data subject be informed.
Reporting a Data Protection Incident to the Authority
The data controller shall report the data protection incident to the competent supervisory authority pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
Complaint Possibility
A complaint about possible violations by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:
- National Authority for Data Protection and Freedom of Information
- 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- Mailing address: 1530 Budapest, Post Office Box: 5.
- Phone: +36-1-391-1400
- Fax: +36-1-391-1410
- E-mail: ugyfelszolgalat@naih.hu
Conclusion
In preparing this information, we have taken into account the following laws:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Infotv.)
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (especially Section 13/A)
- Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Consumers
- Act XLVIII of 2008 on the Basic Conditions of Economic Advertising Activities and Certain Restrictions Thereof (especially Section 6)
- Act XC of 2005 on Electronic Freedom of Information
- Act C of 2003 on Electronic Communications (especially Section 155)
- Opinion No. 16/2011 of the European Advertising Standards Alliance/Interactive Advertising Bureau on the Best Practice for Behavioural Advertising
- Recommendation of the National Data Protection and Information Freedom Authority on the Data Protection Requirements of Prior Information
Downloadable Documents
Data Protection Incident Record
Notification of Data Protection Incident to Data Subjects
Consent under GDPR
Statements on Deletion
Keszthely, 22 July 2022.