THE FOUNDATION FOR RESEARCH ON CENTRAL AND EASTERN EUROPEAN HISTORY AND SOCIETY
Effective: 23 August 2023
1./ GENERAL PROVISIONS
1.2./ The data processing of the Foundation is based on the rules set out in Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter referred to as the "Regulation") and Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (hereinafter referred to as the "Information Act").
1.3./ The Foundation has taken appropriate measures to ensure that the rights of data subjects as set out in the above two pieces of legislation are fully respected when processing their personal data.
2./ PURPOSE AND SCOPE OF THE PROSPECTUS
3./ NAME AND DETAILS OF THE DATA CONTROLLER
Name: Foundation for Research on Central and Eastern European History and Society
Head office: 1122 Budapest, Határőr út 35.
Registration number: 01-01-0007526 (Fővárosi Törvényszék (Court of Budapest))
Tax number: 18237010-2-43
Phone number: +361/374-2600
E-mail address: firstname.lastname@example.org
Postal address: 1062 Budapest, Andrássy út 60.
NAIH ID of the Foundation: NAIH-97531/2016.
Contact details of the Data Protection Officer: The Foundation for Research on Central and Eastern European History and Society, 1062 Budapest, Andrássy út 60, phone: +361/374-2600, e-mail: email@example.com
If you have any questions or comments about data processing, please contact the Foundation's Data Protection Officer at firstname.lastname@example.org.
The institutes operated by the Data Controller: the Institute of the Twentieth Century, the Institute of the Twenty-First Century, the Institute of Habsburg History, the Institute for the Research of Communism, the Imre Kertész Institute, the House of Terror Museum. The Institutes and the Museum have no legal personality.
For the interpretation of the terms used in this Policy, please note that, under the Regulation:
Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller: the natural or legal person (...) who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data.
5./ POSSIBLE LEGAL BASIS FOR PROCESSING
5.1./ The processing of personal data is lawful under the Regulation if at least one of the following legal grounds is met:
- the processing is based on consent,
- the processing is necessary for the performance or conclusion of a contract,
- processing is necessary for compliance with a legal obligation,
- processing is necessary for a vital interest (e.g. to protect life),
- processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party,
- the processing is in the public interest or necessary for the performance of a task carried out by the controller in the exercise of official authority.
5.2./ If the processing is based on consent, the Foundation, as the Data Controller, must be able to demonstrate that the data subject has consented to the processing of his or her personal data. Consent shall be considered as an appropriate legal basis for processing if it is voluntary, specific, unambiguous and based on adequate information. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal. The withdrawal of consent shall be made possible in the same simple manner as the giving of consent.
5.3./ If the provision of the data is based on a legal or contractual obligation, the possible consequence of not providing the data is that the data subject cannot use the services of the Foundation or cannot establish a legal relationship with the Foundation.
5.4./ The Foundation as the Data Controller does not control the personal data provided to it. Only the person providing the data is responsible for the data provided.
5.5./ The application of the legal basis of legitimate interest requires that the legitimate interest of the Foundation as Data Controller to be protected is proportionate to the restriction of the right to the protection of personal data. To establish this, a prior balancing of interests test must be carried out. In the balancing of interests test, the Foundation, as Data Controller:
- identifies its legitimate interest in the processing of the personal data subject to the balancing of interests test,
- establishes the interests and rights of the data subject in relation to the personal data on which the balancing of interests test is based,
- carries out an assessment of the legitimate interests of the data subject and the legitimate interests of the Data Controller and, on that basis, determines whether the personal data can be processed.
A DESCRIPTION OF EACH PROCESSING OPERATION
(purpose, legal basis, duration, scope of data processed)
6./ CAMERA SURVEILLANCE
6.1./ The Foundation does not operate an electronic surveillance system in its offices and meeting rooms, and operates an electronic surveillance system (hereinafter: electronic surveillance system, camera system, CCTV system) only on the premises of the House of Terror Museum.
6.2./ The purpose of data processing: to protect the museum site and its assets, to safeguard the property. In addition, other legitimate purposes of data processing are the detection and prevention of offences and the protection of the life and limb of visitors and employees.
6.3./ The electronic surveillance system shall be operated in accordance with the legal provisions in force and in compliance with the requirements laid down, in particular with the relevant provisions of the Regulation.
6.4./ Legal basis for data processing: the legal basis for data processing is the processing of visitors’ data (visitors to the premises of the House of Terror Museum other than employees) based on consent pursuant to Article 6(1)(a) of the Regulation. In addition to the Regulation, the applicable legislation for the Foundation with regard to the processing of data in connection with the surveillance by cameras is Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter: the "Act on the Protection of Personal Data and the Rules of Private Investigation"). Pursuant to Section 30 (2) of the Act on the Protection of Personal Data and the Protection of Property and the Rules of Private Investigation, the voluntary consent to the operation of the camera system and the processing of the resulting images as personal data is obtained by the voluntary conduct of the persons concerned. In particular, it shall be deemed to be an intrusive behaviour if a person in the area concerned enters the area despite the warning signs and information placed in the private area, unless the circumstances clearly indicate otherwise. Consent given by means of intrusive behaviour shall be subject to the display of a sign (sign, sticker) indicating that the area is being monitored by a camera.
6.5./ Purpose of data processing: to protect the museum premises, on the basis of the above-mentioned regulations, and to safeguard the property. In addition, other legitimate purposes of data processing are the detection and prevention of offences and the protection of the life and limb of customers and employees.
6.6./ Scope of the data processed: images of visitors and employees of the Museum. The images recorded and processed by the electronic surveillance system are considered personal data, as they can be linked to the data subject and conclusions can be drawn from them.
6.7./ Duration of data management: the retention period of personal data (images) obtained during the surveillance on the Museum's premises is limited to 14 working days from the date of recording.
6.8./ Location of personal data: the camera recordings are stored on the data storage in the cameras. The image recordings are automatically overwritten by the system when the storage is full.
6.9./ Purpose limitation: the Foundation processes personal data solely for the purpose of exercising its rights and fulfilling its obligations, in accordance with the applicable law and the data processing principles set out in the Regulation. In order to comply with the principles of purpose limitation, necessity and proportionality, the Foundation shall no longer process the data of data subjects after the purpose limitation has ceased to exist. After the purpose of the processing has ceased to exist, the Foundation shall destroy or erase all available data, unless excluded by law. Camera recordings may be used for the detection of infringements, to catch the perpetrator in the act, to prevent such infringements and, in connection therewith, as evidence in official or judicial proceedings. The data protection principle of purpose limitation also applies to the angle of view of each camera in addition to the data processing. Accordingly, the field of view of the camera is always directed towards an area consistent with its purpose.
6.10./ Live observation is carried out in the Museum on an ongoing basis.
6.11./ Access to the recordings: the recordings stored in the camera surveillance and recording system operated by the Foundation may be viewed by authorised persons only for the purpose of proving the infringement and identifying the perpetrator. Only a limited number of persons are authorised to access the recordings. The persons and designated functions responsible for the processing of personal data generated by the recording of images at the Museum are: security, IT and the designated professional manager. In addition, the lawyer/law firm acting on behalf of the Foundation in the event of use in the context of official or judicial proceedings shall be entitled to access the recordings. In the event of a criminal offence, the review of the recordings shall be carried out, where possible, by the designated professional manager.
6.12./ The access to the recorded data, the name of the person who accessed the data, the reason and the time of access shall be recorded in a protocol.
6.13./ Transfer of data: the transfer of images or other personal data recorded by them is only possible to the authorities or courts in charge of the proceedings in case of unlawful conduct or breach of duty. The data transmitted may include recordings containing relevant information made by the camera system.
6.14./ Detailed information on the placement of the cameras (location, area monitored, method and purpose of monitoring, interest analysis test) is provided in the "Information on the use of electronic surveillance" in force at the Foundation.
7./ DATA PROCESSING CONCERNING THE SHOP CUSTOMER
7.1./ The Foundation operates a shop on the premises of the House of Terror Museum, where the personal data of customers may be recorded and subsequently processed during the purchase process.
7.2./ Brief description of the data processing: when shopping in the shop run by the Foundation, the customer purchases the selected products on the spot. If the customer does not request an invoice for the purchase, he/she does not provide the Foundation with his/her personal data and no data processing takes place.
8./ INVOICING IN CONNECTION WITH A SHOP PURCHASE
8.1./ Brief description of the data processing: when a product is purchased, the Foundation issues a computer invoice at the customer's request.
8.2./ Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6(1)(c) of the Regulation]. Applicable legislation: the Value Added Tax Act CXXVII of 2007 (VAT Act), § 159 (obligation to issue invoices), § 169 (mandatory content of invoices); Act C of 2000 on Accounting (Accounting Act), §§ 166-169 (accounting documents, strict accounting documents, obligation to keep documents).
8.3./ Purpose of data processing: to support and certify an economic event (sale of a product), which is a legitimate purpose of data processing.
8.4./ Scope of the data processed: name of the natural person, address of the buyer, date of purchase. Name, registration number, place of business, tax number, date of purchase of the individual entrepreneur.
8.5./ Duration of data processing: 15 years
8.6./ Related IT systems: Novitax
9./ CUSTOMERS’ BOOK, DATA MANAGEMENT OF CONSUMER PROTECTION CASES
9.1./ Brief description of data processing: shop customers as consumers have the right to lodge a complaint. A consumer may lodge a complaint with the Foundation, orally or in writing, concerning the conduct, activity or omission of the Foundation or of a person acting in the interest of or on behalf of the Foundation, directly related to the sale of goods for sale in the shop to customers (consumers). Consumers may enter their complaints or suggestions directly in the Customers' Book. In the case of an oral complaint communicated orally, by telephone or by other electronic communication services, the Foundation shall record the complaint in a protocol with the content as per the Act on the Protection of Consumer Rights and shall assign a unique identification number to the complaint. The complaint must be answered in writing within 30 days and the answer must be communicated to the consumer. A copy of the record of the complaint and the reply must be kept for 5 years and presented to the supervisory authorities. The authorities may examine the entries in the Customers' Book and the replies to complaints for a period of 2 years from the copies.
9.2./ The record of the complaint shall include the following:
a) the name and address of the consumer,
b) the place, time and manner of lodging the complaint,
c) a detailed description of the consumer's complaint, a list of the documents, records and other evidence produced by the consumer,
d) a statement by the undertaking of its position on the consumer's complaint, where an immediate investigation of the complaint is possible,
e) the signature of the person who took the record and, except in the case of an oral complaint made by telephone or other electronic communication service, the signature of the consumer,
f) the place and time of taking the record,
g) in the case of an oral complaint made by telephone or other electronic communication service, the unique identification number of the complaint.
9.3./ Legal basis for data processing
The legal basis for processing can be identified as a legal obligation on the Data Controller pursuant to Article 6(1)(c) of the Regulation. Relevant legislation:
- for consumer complaints: § 17/A of Act CLV of 1997 on Consumer Protection.
- in relation to the Customers’ Book: § 5 (4)-(5) of Act CLXIV of 2005 on Trade and § 25 of Government Decree 210/2009 (IX. 29.) on the conditions for carrying out commercial activities
9.4./ Purpose of data processing: to ensure consumers' right to complain, which is a legitimate purpose of data processing.
9.5./ Scope of data processed: name, address. Other possible data: telephone number, e-mail address and other personal data voluntarily provided by the consumer.
9.6./ Duration of data processing: 5 years for the record of the complaint, copy of the reply, 2 years for the duplicate of the entries in the Customers' Book.
9.7./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
10.1./ The Foundation, which operates the House of Terror Museum, offers reduced admission to the Museum for persons and groups with certain characteristics. The discounts are available at http://www.terrorhaza.hu/hu/muzeum. To obtain the discount, you must present a document or identity card (passport, identity card, driving licence, teacher's certificate, student card) at the time of purchase of the ticket.
10.2./ The Foundation does not make copies of the documents/certificates presented for discounted admission to the Museum, does not record their data content, so only the presentation of the document/certificate is required for the validation of the discounts, no data processing is performed.
11./ PROCESSING OF APPLICANTS' AND CONTRACTORS' DATA
11.1./ Brief description of data processing: the Foundation, as a public body, enters into a number of contracts (typically contracts of engagement, contracts for services and grants) in the course of its activities. The Foundation's contracting partners are typically legal entities, which are not covered by the provisions on the processing of personal data. However, in the course of the Foundation's activities, natural persons may submit applications or grant applications to the Foundation, and the Foundation may also enter into contracts with natural persons. Where the applicant or contractor is not an economic operator, it is necessary to provide the Foundation with certain personal data in order to submit the application and conclude the contract.
11.2./ Legal basis for processing: the legal basis for processing is Article 6(1)(b) of the Regulation, as the processing is necessary for the conclusion and performance of the contract with the Foundation.
11.3./ Purpose of data processing: the purpose of data processing is to establish and maintain a contractual relationship, to perform the contract, to monitor the fulfilment of the accounting and reporting obligations in the case of grant contracts, and to fulfil the reporting and accounting obligations of the Foundation.
11.4./ Personal data processed: name, name at birth, mother's name, place and date of birth, address, tax identification number, social security number, bank account number, e-mail address.
11.5./ Duration of processing: the Foundation will keep the personal data provided to it for 10 years.
11.6./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
12./ PROCESSING OF CONTACT DETAILS SPECIFIED IN THE CONTRACTS
12.1./ Brief description of the data processing: contracts concluded by the Foundation in the scope of its activities often contain contact details.
12.2./ Legal basis for data processing: the legal basis for data processing is the legitimate interest of the partner and the Foundation in the performance and maintenance of the contractual relationship, as referred to in Article 6(1)(f) of the Regulation. In the case of processing based on legitimate interest, a balancing of interests test must be carried out and the result of the test must be communicated to the data subjects. The relevant balancing of interests test has been carried out by the Foundation. The balancing of interests test confirms that the legitimate interest of the Foundation does not constitute a disproportionate restriction on the right to the protection of personal data of the data subject.
12.3./ Purpose of data processing: to maintain the contractual relationship, which is a legitimate purpose of data processing.
12.4./ Scope of the personal data processed: name, e-mail address, telephone number of the person designated as contact person.
12.5./ Duration of processing of personal data: 10 years.
12.6./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
13./ ENFORCEMENT OF CLAIMS
13.1./ Brief description of the data processing: external companies (e.g. law firms) may carry out claims management activities for the Foundation on the basis of a contract of engagement in order to enforce accounts receivable and other claims through legal proceedings.
13.2./ Legal basis for processing: the legal basis for processing is the performance of a contractual obligation pursuant to Article 6(1)(b) of the Regulation or, in the case of a non-contractual claim (e.g. damages), the legitimate interest pursuant to Article 6(1)(f) of the Regulation. In accordance with Art. 6:137 of the Civil Code, breach of contract is deemed to be a breach of any obligation under the contract. Under Art. 6:138 of the Civil Code, in the event of breach of contract, the injured party is entitled to claim performance of the service. In the case of processing based on legitimate interest, a balancing of interests test must be carried out and the data subjects must be informed of the results. The corresponding balancing of interests test shall be carried out by the Foundation for each debtor and the result shall be communicated to the data subject.
13.3./ Purpose of data processing: the collection of debts and other claims by legal means, which is a legitimate purpose of data processing. In the case of a mandated debt collection agency, the content of the specific mandate may determine whether it is a processor or a separate Data Controller.
13.4./ Scope of data processed: typically invoice data (name, address, date of claim), notification data (telephone number, e-mail address).
13.5./ Duration of processing: 10 years from the period necessary for the recovery of the claim, but at least until the end of the statutory limitation period. If legal proceedings are instituted to enforce the claim, the documents on which the claim is based shall not be disposed of and shall be transferred to the Archives after 15 years.
14./ PROCESSING OF PERSONAL DATA PROVIDED IN THE CONTEXT OF A PUBLIC INTEREST REQUEST
14.1./ Brief description of the data processing: The Foundation, as a public body, regularly receives requests for data of public interest from natural persons.
14.2./ Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6(1)(c) of the Regulation]. Applicable law: Article 26(1) of the Data Protection Act.
14.3./ Purpose of data processing: to comply with a legal obligation, which is a legitimate purpose. The personal data of the data requester may be processed only to the extent necessary for the fulfilment of the claim, the examination of the claim on the basis of the criterion set out in Article 29(1a) of the Information Act or the payment of the compensation for the fulfilment of the claim.
14.4./ Scope of the data processed: the name of the data requester and the contact details to which any information and notifications related to the data request may be provided [Article 29 (1b) of the Data Protection Act].
14.5./ Duration of data management: 1 year from the date of submission of the public interest data request [Section 29 (1a) of the Information Act]. If legal proceedings are brought against the disclosure of public interest data, the public interest data request and the related documents may not be discarded, but will be returned to the Archives after 15 years.
14.6./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
15./ PROCESSING OF PERSONAL DATA OF REGISTRANTS FOR THE FOUNDATION’S EVENTS
15.1./ Brief description of the data processing: the Foundation regularly organises public or private events (conferences, book launches, lectures, discussions, etc.), where participation is subject to written registration. In this case, the Foundation, as the Data Controller, carries out the following data processing activities: recording, storing and, where required by law, transmitting the personal data provided by the registrant (data subject), sending a confirmation of registration to the e-mail address provided, asking the event participants for their names as a rule, but if several persons with the same name have registered, additional personal data may be requested (e.g. telephone number, e-mail address). The registrant acknowledges and agrees that upon arrival at the event, he/she may be identified by the QR code sent during the registration confirmation.
15.2./ Transfer of data: the Foundation will make the data it processes available to third parties in cases provided for or permitted by law, in particular in response to a formal judicial or police request, legal proceedings, or in the event of a breach of copyright, property rights or other infringements or a reasonable suspicion that such infringements may harm the interests of the Foundation, etc. The personal data provided during registration will not be disclosed for commercial or non-commercial purposes other than those mentioned above.
15.3./ Data processor: the Foundation for Research on Central and Eastern European History and Society, including those employees of the Foundation whose job is to process registrations for the event.
15.5./ Purpose of data processing: the purpose of data processing is to ensure that the registrant who expressed his/her intention to participate in the Foundation's event can participate, to record and register the number of registrants and registrants for the purpose of determining the number of registrants for the event and to check the eligibility to enter the event, to respond to requests, questions and complaints of the data subjects, and to send invitations to further events of the Foundation.
15.6./ Scope of the personal data processed: name, e-mail address, telephone number of the registrant, name of the institution from which he/she came.
15.7./ Duration of data processing: if the registrant, by ticking the checkbox during the registration process, consents to the processing of his/her personal data until the consent is withdrawn and the Foundation sends invitations to further events, the Foundation will delete the personal data within 3 working days of the withdrawal of consent. In the absence of consent, registration will not be possible.
15.8./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
15.9./ Capacity limit: By registering for an event, the registrant as a data subject acknowledges that the capacity of the event venue is limited, therefore the Foundation may limit the number of registrants for an event at any time and may decide at any time during the registration period not to accept further registrations.
16./ PROCESSING OF PERSONAL DATA OF PARTICIPANTS IN THE FOUNDATION’S EVENTS
16.2./ Legal basis for processing: voluntary consent of the data subject [Article 6(1)(a) of the Regulation]. If a natural person participates in a public or private event of the Foundation, and the Foundation has informed the participants in advance that the event will be filmed and/or video recorded, the natural person, by participating, gives his/her voluntary consent to the recording of his/her image and to the processing, use and disclosure of his/her image as personal data by the Foundation.
16.3./ Purpose of data processing: the purpose of data processing is to record and promote the Foundation's event.
16.4./ Scope of personal data processed: the image of the person participating in the event.
16.5./ Duration of data processing: 10 years. After 10 years, the records will be returned to the Archives.
16.6./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
17./ PROCESSING OF DOCUMENTS AND E-MAILS
17.1./ Brief description of the data processing: documents generated in the course of the Foundation's activities are kept in paper form and scanned. Paper documents are stored in the Foundation's offices. Electronic documents are stored on the software that runs the Foundation's websites and on a server owned by the Foundation.
17.2./ Legal basis for processing: the legal basis for processing each document depends on the legal basis for the processing of the personal data contained therein. In other words, for the processing of a document, no separate legal basis for processing can be identified.
17.3./ Purpose of data processing: to preserve information and data contained in paper and electronic documents, to make them available for further use and to fulfil the Foundation's various legal obligations (e.g. reporting, accounting, preservation and transmission of public records).
17.5./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
18./ DATA PROCESSING CONCERNING WEBSITE VISITORS, COOKIES
18.2./ Websites operated by the Foundation:
18.3./ Brief description of the data processing: information on the website visitor's activity is considered personal data if it can be linked to the data subject. Data subjects: all data subjects visiting the website.
18.4./ Purpose of data management: to compile statistics, track visitors.
18.5./ Legal basis for processing: the legal basis for processing is the consent of the data subject, as referred to in Article 6(1)(a) of the Regulation.
18.6./ Scope of personal data processed: unique identification number, dates, times.
18.7./ Duration of data processing: session cookie: for identification at login, PHP session id: deleted when closing the browser.
18.8./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
19./ DATA PROCESSING RELATED TO NEWSLETTERS, DIRECT MARKETING
19.1./ Brief description of the data processing: the sending of newsletters and direct marketing e-mails (hereinafter collectively referred to as "Newsletter") by the Foundation is subject to the prior declaration of the recipient. Subject to the prior consent of the recipient, the Foundation sends regular Newsletters to subscribers to the Newsletter service on various topics. These may include news and updates on the activities of the Foundation's institutions, book and event recommendations, other news and events of interest, direct marketing enquiries, recommendations of services/products, direct marketing elements, advertising. In relation to the Newsletters, the Foundation, as Data Controller, carries out the following processing activities: records and stores the personal data provided by the registrant (the data subject) and the date of registration, and transmits them where required by law. In the Newsletters there is also an unsubscribe option.
19.3./ Purpose of data processing: the purpose of data processing is to send electronic newsletters containing commercial advertising, commercial offers to interested parties, direct marketing inquiries, contact, information about news related to the Foundation's activities, book releases, sales promotions, events, permanent and temporary exhibitions, promotions. The Data Controller will use the data you provide for the sole purpose of sending the Newsletter.
19.4./ The scope of personal data processed: the first and last name of the registrant, his/her e-mail address and the date of subscription/registration.
19.5./ Responsibility: the Foundation does not verify the accuracy of the data provided. The Foundation is not responsible for the accuracy of the information provided. In view of this assumption of responsibility, any liability for accessing the service from an e-mail address is borne solely by you as the data subject who registered the e-mail address.
19.6./ Duration of data processing: the Foundation processes the personal data of the data subject from the moment consent is given until consent is withdrawn. The personal data provided for sending the newsletter will be stored by the Foundation only until the subscriber unsubscribes from the newsletter service. If you unsubscribe, the Foundation will not contact you with further newsletters or offers. You may unsubscribe from the newsletter service and withdraw your consent at any time, free of charge. If you unsubscribe, your personal data used to send the newsletter will be deleted without delay. The Foundation will consider the cancellation of the registration as a withdrawal of consent in all cases.
19.7./ Data processor: the Foundation for Research on Central and Eastern European History and Society, including those employees of the Foundation whose job duties include processing subscriptions to the newsletter and sending newsletters.
19.8./ Transfer of data: the Foundation will make the data it processes available to third parties in cases provided for or permitted by law, in particular in response to a formal judicial or police request, legal proceedings, or in the event of a breach of copyright, property rights or other infringements or a reasonable suspicion that such infringements may harm the interests of the Foundation, etc. The personal data provided when subscribing to the newsletter will not be transmitted by the Data Controller for commercial or non-commercial purposes other than those mentioned above.
19.9./ Related IT systems: the software running the Foundation's websites and the server owned by the Foundation.
20./ OTHER DATA PROCESSING
20.1./ The Foundation does not make audio recordings of telephone conversations.
20.2./ At the Foundation's premises at 20 Báthory utca III/3, 1054 Budapest, and at its headquarters at 35 Határőr út, 1122 Budapest, access is by means of an access card. In view of the fact that the Foundation does not request data on entries and exits, no personal data processing is carried out by the Foundation in connection with entry and exit.
21./ RECEIPT OF INFORMATION FROM THE FOUNDATION
21.1./ In the course of its activities, the Foundation, as Data Controller, in some cases uses data processors. The processors shall record, process or handle personal data transmitted to them by the Foundation and processed or handled by them in accordance with the Regulation and shall provide the Foundation with a declaration to that effect.
21.2./ For the fulfilment of its tax and accounting obligations, the Foundation uses an external service provider under an accounting and auditing service contract, who processes the personal data of natural persons who have contractual or paying agent relationships with the Foundation for the purpose of fulfilling the tax and accounting obligations of the Foundation.
21.3./ The Foundation uses an external data processor for its payroll, legal services and public procurement consultancy activities.
21.4./ In the case of a mandated claims administrator, it may be decided whether it is a data processor or a Data Controller on the basis of the content of the specific mandate.
21.5./ The Foundation shall provide the necessary data to its data processors on the basis of the data processing contracts and in the manner specified therein. The data processors of the Foundation shall be established in Hungary.
22./ DATA TRANSMISSION
22.1./ The Foundation does not transfer personal data outside Hungary.
22.2./ The Foundation, as a public body established by the Government of Hungary, is obliged to transmit personal data to its founder, to the state control bodies and, in the case of a grant, to its donor in respect of a number of legal relationships. If the Foundation is obliged to transfer personal data provided to it in a contractual relationship with a natural person to a body, the Foundation shall inform the person concerned of this at the latest when the legal relationship is established.
22.3./ Pursuant to paragraph (1) of Article 12 of Act LXVI of 1995 on public records, public archives and the protection of private archival material, the Foundation shall transfer the complete and closed volumes of public records that cannot be scrapped to the competent public archives by the end of the fifteenth year from the calendar year of their creation.
23./ RIGHTS OF DATA SUBJECTS
23.1./ The Regulation defines "data subject" as a natural person who can be identified, directly or indirectly, on the basis of information and personal data relating to him or her. In relation to the processing of data by the Foundation, the data subject has the rights described below.
23.2./ Please note that the Foundation is obliged to identify the person submitting a request to exercise these rights before acting on the request. If the Foundation has reasonable doubts as to the identity of the natural person submitting the request, it may request additional information necessary to confirm his/her identity.
23.3./ Any request for the exercise of the rights described below must be sent by e-mail to email@example.com or by post to the Foundation's postal address at Andrássy út 60, 1062 Budapest, Hungary.
23.4./ Request for information
23.5./ Right of access
The data subject is entitled to receive feedback from the Foundation, upon request, on whether his or her personal data are being processed. If such processing is ongoing, he or she has the right to access the personal data processed and the following information:
(a) the purposes of the processing,
(b) the categories of personal data concerned,
(c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations,
(d) where applicable, the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration,
(e) the right of the data subject to request the Data Controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data,
(f) the right to lodge a complaint with a supervisory authority,
(g) where the data have not been collected from the data subject, any available information on their source,
(h) the fact of automated decision-making, including profiling, and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
The practice of the Foundation to grant the right of access: the Foundation shall provide a copy of the personal data subject to processing upon request of the data subject. Where the data subject has made the request by electronic means or where the processing of personal data is carried out by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject explicitly requests otherwise. The Foundation shall reply to the data subject's request without undue delay and at the latest within 30 days and shall give reasons for not complying with any request. The request for a copy of personal data shall normally be executed free of charge. The Foundation may charge a reasonable fee, based on administrative costs, for copies requested in more than one copy or where a simpler, faster, more cost-effective way than the one requested by the data subject would be available.
23.6./ Right to rectification
The data subject shall have the right to obtain, upon request and without undue delay, the rectification by the Foundation of inaccurate personal data relating to him or her. Taking into account the purpose of the processing, the data subject shall also have the right to request the completion of incomplete personal data. Supplementation may be made by means of a written supplementary declaration by the data subject.
23.7./ Right to erasure ("right to be forgotten")
The data subject shall have the right to obtain from the Foundation the erasure of personal data relating to him or her without undue delay upon his or her request, and the Foundation shall be obliged to erase personal data relating to him or her without undue delay if one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing on the basis of the relevant provision of the Regulation and there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Foundation.
The Foundation is not obliged to delete data if the processing is necessary for the following reasons:
(a) for the exercise of fundamental rights (the right to freedom of expression and information);
(b) where processing is mandatory (for the purposes of complying with an obligation under Union or Member State law to which the Data Controller is subject and which requires the processing of personal data);
(d) for reasons of public interest (e.g. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render impossible or seriously impair such processing); or
(e) for the presentation, exercise or defence of legal claims.
The right to erasure should not entail, in particular, the erasure of personal data relating to the data subject which the data subject has provided for the performance of a contract, if and for as long as the personal data in question are necessary for the performance of that contract. Furthermore, the right to erasure should not apply in cases where the duration of the processing is determined by law, such as in the case of an invoice, since the invoice must be kept for 10 years under the law.
If the Foundation has disclosed the personal data and is obliged to delete it, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the Data Controllers that have processed the data that the data subject has requested the deletion of the links to or copies of the personal data in question. The exception rules also apply in this case.
23.8./ Right to restriction of processing
The data subject shall have the right to obtain at his or her request the restriction of processing by the Foundation if one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data (in which case the limitation applies for the period of time that allows the Foundation to verify the accuracy of the personal data);
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the Foundation no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing in accordance with the relevant provision of the Regulation; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the Foundation as Data Controller prevail over the legitimate grounds of the data subject.
If the processing is restricted, such personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
The Foundation will inform the data subject (at whose request the processing was restricted) in advance of the lifting of the restriction.
23.9./ Right to data portability
The data subject shall have the right to receive personal data concerning him or her provided to the Foundation in a structured, commonly used, machine-readable format and the right to transmit such data to another Data Controller without hindrance from the Foundation, if:
(a) the processing is based on consent or a contractual legal basis; and
(b) the processing is carried out by automated means.
In exercising the right to data portability, the data subject has the right to request, where technically feasible, the direct transfer of personal data between Data Controllers.
Please note that the right to data portability can only be exercised if the above cumulative conditions are met (i.e. if the processing is based on consent or a contract AND the processing is carried out by automated means). The right to data portability does not therefore extend, for example, to data processed under a legal obligation. According to the guidelines of the Article 29 Data Protection Working Party (WP29), since the right to data portability only applies to processing by automated means, it does not apply to paper-based processing.
23.10./ Right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on the legitimate interests of the Foundation. In such a case, the Foundation may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which relate to the establishment, exercise or defence of legal claims.
24./ HOW TO EXERCISE YOUR RIGHTS
24.1./ The Foundation shall inform the data subject of the action taken on the request without undue delay and in any event within 25 days of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Foundation shall inform the person concerned of the extension, stating the reasons for the delay, within 25 days of receipt of the request. If the data subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
24.2./ If the Foundation fails to act on the request of the data subject, it shall inform the data subject without delay, but no later than 25 days from the date of receipt of the request, of the reasons for the failure to act and of the possibility to lodge a complaint with a supervisory authority and to exercise his or her right to judicial remedy.
24.3./ The Foundation shall provide the information requested under the right to information and the information and action related to the exercise of certain rights free of charge in principle. However, where the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, the Foundation shall, taking into account the administrative costs of providing the information or of taking the requested action:
- charge a reasonable fee, or
- may refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive lies with the Foundation.
25.1./ Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data relating to him or her infringes the Regulation.
25.2./ Without prejudice to other administrative or non-judicial remedies, the data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint.
25.3./ Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy if he or she considers that the Foundation has infringed his or her rights under the Regulation as a result of the processing of his or her personal data in a way that does not comply with the Regulation. Proceedings against the Data Controller or processor shall be brought before the courts of the Member State in which the Data Controller or processor is established. Such proceedings may also be brought before the courts of the Member State of habitual residence of the data subject.
25.4./ A complaint about the Foundation's data management practices may be lodged with the National Authority for Data Protection and Freedom of Information (in short: NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., postal address: 1530 Budapest, Pf.: 5., phone: +36 (1) 391-1400, fax: +36 (1) 391-1410, email: firstname.lastname@example.org, website: https://www.naih.hu) or with a court. The competent court has jurisdiction to hear the case. The competent court for the seat of the Foundation is the Metropolitan Court of Budapest. The action may also be brought, at the option of the person concerned, before the Court of the place of residence or domicile of the person concerned.
26./ DATA SECURITY MEASURES
26.1./ The Foundation shall take the technical and organisational measures and establish the procedural rules necessary for the enforcement of the Regulation and the Information Act in order to ensure the security of personal data in all its processing.
26.2./ The Foundation shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure or access.
26.3./ The Foundation treats personal data as confidential. The Foundation imposes on its employees an obligation of confidentiality with regard to the processing of personal data. Access to personal data is restricted by the Foundation by setting privilege levels.
26.4./ The Foundation protects its IT systems with firewalls and virus protection.
26.5./ Security requirements for personal data processed on paper by the Foundation:
- all personal data, regardless of the medium on which it is stored, is accessible only to those who have a right to know it and cannot be accessed or disclosed to unauthorised persons,
- the documents must be kept in a dry, lockable room equipped with fire and property protection equipment,
- a member of the Foundation's staff carrying out data processing may leave the office or the room where the data processing is taking place only after locking away the files or closing the room,
- these safety rules also apply to working at home.
26.6./ To ensure the security requirements for the protection of personal data stored on a computer or in a network or in the cloud:
- the Foundation applies security requirements to the computers used to process personal data,
- personal data stored on a computer, in a network or in the cloud can only be accessed with valid, personalised, identifiable access rights,
- where the purpose for which the personal data is processed has been achieved, the time limit for processing has expired or the lawfulness of the processing has ceased for any reason, the file containing the data is irretrievably deleted in such a way that the data on it can no longer be retrieved,
- the Foundation provides firewall security and virus protection for computers,
- personal data is backed up continuously on computers and regularly on network systems,
- the Foundation ensures the IT security of the personal data it processes by using appropriate modern IT tools and methods.
26.7./ When processing personal data by automated means, the Foundation takes additional measures to ensure:
(a) the prevention of the unauthorised input of data;
(b) the prevention of the use of automatic data-processing systems by unauthorised persons by means of data transmission equipment;
(c) the verifiability and ascertainability of the bodies to which the personal data have been or may be transmitted using data transmission equipment;
(d) the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;
(e) the recoverability of the installed systems in the event of a failure (reinstallation, restoring data to the last state of backup); and
(f) that errors in automated processing are reported.
26.8./ The hosting service is self-hosted.
26.9./ Only the competent administrators have access to pending cases and documents under processing. The Foundation keeps documents containing personal data securely locked and ensures that only authorised persons have access to the keys of these rooms (cabinets).
27.2./ The Foundation reserves the right to unilaterally amend or update this Policy without prior notice, with effect from the date of publication of the amendment.