1. INTRODUCTION
This Data processing notice (hereinafter referred to as the Notice) of PICK Szeged Zrt. (hereinafter referred to as the Controller) concerns the processing of all personal data in connection with the operation of the www.pickmuzeum.hu website. The Controller ensures the continuous protection of personal data, compliance with legal regulations and secure and fair data processing.
Controller’s information:
Name: PICK Szeged Zrt.
Mailing Address: H-6725 Szeged, Szabadkai út 18.
E-mail: titkarsag@pick.hu
Website: www.pickmuzeum.hu
Phone: +36/62-567-000
Contact information of the Controller’s representative:
Name: László Sutka
Mailing Address: H-6725 Szeged, Szabadkai út 18.
E-mail: titkarsag@pick.hu
Phone: +36/62-567-000
This notice is drawn up particularly in compliance with the following legislation in force:
a) Act CXII of 2011 on informational self-determination and freedom of information (hereinafter referred to as Infotv.);
b) Act CVIII of 2001 on certain issues of electronic commerce activities and information society services (hereinafter referred to as Ektv.);
c) Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity (hereinafter referred to as Grt.);
d) Act C of 2003 on electronic communications (hereinafter referred to as Ehtv.);
e) Act CXIX of 1995 on the use of name and address information serving the purpose of research and direct marketing;
f) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as Regulation).
This Notice can be accessed on the following website:
www.pickmuzeum.hu
The Controller reserves the right to amend this Notice, in which case the amendments to this Notice enter into force with publication on the following website:
www.pickmuzeum.hu
2. EXPLANATORY NOTES
The terms used in this Notice shall have the following meaning:
Data subject: identified or identifiable natural person (Regulation Article 4, Section 1). In this case, the visitors to and users of the www.pickmuzeum.hu website.
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Regulation Article 4, point 1);
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Regulation Article 4, Section 2);
Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future; (Regulation Article 4, Section 3);
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (Regulation Article 4, Section 4);
Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Regulation Article 4, Section 5);
Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis (Regulation Article 4, Section 6);
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law (Regulation Article 4, Section 7);
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Regulation Article 4, Section 8);
Recipient: a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or member state law shall not be regarded as recipients; the processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (Regulation Article 4, point 9);
Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data (Regulation Article 4, Section 10);
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Regulation Article 4, Section 11);
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed (Regulation Article 4, Section 12);
Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Regulation Article 4, Section 15);
Representative: a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation (Regulation Article 4, Section 17);
Enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity (Regulation Article 4, Section 18);
Group of undertakings: a controlling undertaking and its controlled undertakings (Regulation Article 4, Section 19);
Special data: all data falling into the special categories of personal data that are personal data revealing racial or ethnic origin, political opinion, religious belief or worldview, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Infotv. Section 3, Subsection 3);
Data transfer: providing access to the data for a designated third party (Infotv. Section 3, Subsection 11);
Disclosure: making the data accessible to anyone (Infotv. Section 3, Subsection 12);
Data erasure: making the data unrecognizable in such a way that its restoration is no longer possible (Infotv. Section 3, Subsection 13);
Data destruction: the complete physical destruction of the data medium that contains the data (Infotv. Section 3, Subsection 16);
Data processing: the totality of data processing operations performed by the processor acting on behalf of, or instructed by, the controller (Infotv. Section 3, Subsection 17);
Data set: all data processed in a single registry (Infotv. Section 3, Subsection 21);
EEA state: any member state of the European Union and any State Party to the Agreement on the European Economic Area, as well as any state the nationals of which enjoy the same legal status as nationals of State Parties to the Agreement on the European Economic Area on the basis of an international agreement concluded between the European Union and its member states and the state which is not party to the Agreement on the European Economic Area (Infotv. Section 3, Subsection 23);
Third country: any state that is not an EEA State (Infotv. Section 3, Subsection 24).
3. MANAGING COOKIES
3.1 The purpose of the processing
The Controller uses so-called cookies during a visit to the www.pickmuzeum.hu website (hereinafter referred to as cookies). Cookies are information packages comprising letters and numbers, which are sent by the Controller’s website to the user’s web browser to save certain settings, making use of the Controller’s website easier, and to assist the Controller in collecting some relevant statistical data about the user. Cookies do not contain personal information and are not suitable to identify an individual user.
The purpose of the data processing connected to cookies is the identification of users, to distinguish them from one another, to identify the current session of the users, to store the data entered during the session, to prevent data loss, to understand the browser specifications and to improve the efficiency of the service. In order to deliver the service, to verify the operation of the service and to prevent misuse, the Controller records all visitor data which are technically essential for providing the service.
The Controller shall not connect the data from analyzing the logs with other information, and shall not make efforts to personally identify the visitor. Cookies often contain a unique identifier – a randomly generated secret set of numbers – which is stored by the user’s device. Some cookies are terminated after the website is closed, some are stored on the user’s computer for a longer time.
3.2 Types of cookies and their usage
3.2.1 Groups of cookies based on their lifetime
A. Session cookies
Session cookies are automatically deleted when the user closes the web browser.
B. Persistent cookies
Persistent cookies remain stored in the user’s end device until the determined expiry time (minute, day, year) arrives, or until the user manually deletes them.
3.2.2 Groups of cookies based on their origin
A. First party cookies
First party cookies refer to cookies which are stored by the Controller (or any of its Data Processors) who operates the website visited by the user – usually determined by the URL address appearing in the browser’s address bar.
B. Third party cookies
Third party cookies are cookies stored by a controller other than the Controller who operates the website visited by the user (determined by the URL address appearing in the browser’s address bar).
3.2.3 Groups of cookies defined by the Data Protection Working Group
A. Cookies not requiring the consent of the user (technical cookies)
1. Cookies storing user recorded data (user-input cookies)
User-input cookies may generally be used to describe session cookies which are utilized to consistently track the user’s data entry during communication with the service provider. Normally, the first party cookies used are based on a session ID (a random temporary identification number), and expire with the end of the session at the latest.
User-input cookies are commonly used to track the user’s data entry while completing a multi-page online form, or to track a shopping cart, tracking the items the user has chosen by clicking a button (e.g. “Add to Cart”).
These cookies are clearly necessary to provide the internet service the user expressly asked for. In addition, they are connected to the user’s activity (e.g. the clicking of a button or the completion of a form).
2. Authentication session cookies
Authentication cookies serve to identify the user upon login (e.g. on the website of an online bank). These cookies are necessary for users to identify themselves in the course of their recurring visits to the website, and to get access to restricted content, such as their account balance, transactions, etc.
Authentication cookies are usually session cookies. When a user logs in, s/he expressly asks for permission to access content or services granted to him. If there was no authentication token stored on the cookie, the user would need to enter his/her login credentials on every requested page. Therefore the authentication service composes an essential part of the service related to information society and expressly requested by the user.
However, it should be noted that the user only asks for access to the website and the specific service needed to complete the required task. The authentication may not grant an opportunity to use the cookie for other secondary objectives – e.g. tracking behavior or unsolicited ads.
3. User-centric security cookies
The exemption for authentication cookies (presented above) may be extended to other cookies which were designed for specific tasks to enhance the security of services expressly requested by the user. For example, such cookies are used to recognize repeated unsuccessful website login attempts, or other similar mechanisms that were designed to protect against login system misuse.
However, this exemption does not include the use of cookies which relate to third-party services unrelated to the security of the websites and not expressly asked for by the user. Although login cookies are ordinarily set to expire at the end of the session, the lifetime of security cookies is longer so they can serve their security purpose.
4. Multimedia player session cookie
Multimedia player session cookies are used to store the technical data needed to play video or audio content, such as image quality, network connection speed and buffering parameters. These multimedia session cookies are usually called “flash cookies”. The name comes from Adobe Flash, which is currently the most common online video technology. Since this information is only needed for a short period of time, these cookies need to expire when the session ends.
If the user visits websites encompassing interconnected text and video content, then both content items constitute a part of the services expressly asked for by the user. In order to get an exemption, the website operator must avoid adding further information – not essential to play the media content – to “flash” and other cookies.
5. Load balancing session cookies
Load balancing is a technique which allows the distribution of the processing of the requests received by a web server to multiple computers instead of one. One of the techniques used to balance loads is based on a “load balancer”: web requests coming from users are directed to a load balancing gateway which forwards each of them to one of the available internal servers within the computer set. In certain cases, this rerouting must be continued throughout the whole session: in order to maintain the consistency of the processing, all requests coming in from any given user must be forwarded to the same server in the computer set.
In addition to numerous other techniques, cookies may also be used to identify the server within the computer set to ensure that the load balancer reroutes the requests appropriately. In this case, they are session cookies. The sole purpose of the information inside the cookie is to identify one endpoint of communication (one of the servers inside the computer set), hence this kind of cookie is necessary to forward communication through the network.
6. User interface customization cookies
User interface customization cookies are used to store service-related user preferences through websites, which are not connected to any other permanent identifiers such as a username. These are activated only if the user has expressly requested the service of storing the individual information – e.g. by clicking a button or by ticking a box. These may be session cookies or – depending on their objective – their expiry may also be specified in weeks or months.
Typical examples of customization cookies are the following:
a) Cookies corresponding to the language chosen, which are used to store the language the user has chosen (e.g. by clicking on a flag) on a multi-language website;
b) Cookies corresponding to the desired display mode of search results, which are used to store the user’s preferences in connection with online search queries (e.g. choosing the number of results per page).
7. Social plug-in content sharing cookies
Numerous social networks offer “social content sharing plugins” which the website operators can embed in their platform, especially to enable social network users to share content they like with their friends (and they offer other related services – such as publishing comments – as well).
These content sharing plugins store cookies and make them accessible on the user’s end device, so that the social networks may identify their members when a connection is established through these plug-ins. To clarify this usage-related question, it is important to distinguish users “logged in” to their social network account through their web browser from those “not logged in” users who are either not a member of the specific social network, or interrupted the connection to their social network account.
B. Cookies requiring user consent (optional cookies)
1. Social plugin tracking cookies
Numerous social networks offer “social content sharing plugins” which the website operators can embed in their platform to provide a service that their members have presumably “expressly requested”. However, these modules can also be used to track the individuals (members and non-members), and may contain third-party cookies for other purposes (e.g.: behavior-based advertising, analysis or market research).
2. External ads (third-party advertising)
This group contains external cookies used for behavior-based advertising, and all related external action cookies used in advertising activities, including cookies for frequency maximization, financial logging, advertising partnership, detecting click fraud, exploration and market research, product improvement, as well as cookies for troubleshooting.
The Do Not Track (DNT) function is a browser-side opt-out settings option. If this function is enabled, the browser sends – every time a page is requested – a signal to the service providers (web analytics system, ad server system, other service providers) that they must not store any online behavioral information on this user, i.e. they must not store any cookies on the user’s end device. In principle, this generates an operation similar to the user opting out at the given service provider, however, in this case, s/he can use one browser setting to let every service provider know that s/he does not want them to track what and where s/he is browsing on the web. Hence, if a user declares that s/he does not want to be tracked (DNT=1), then no tracking ID may be stored and no other processing may be performed.
3. First party analytics
Visit analyzers are statistical tools to provide visitor statistics, which often use cookies. The website owners use these tools in particular to assess the number of individual visitors, to identify the keywords mostly used in search engines, which lead to the given website, and to track certain web navigation questions.
3.2.4 Groups of cookies defined by the United Kingdom International Chamber of Commerce (ICC UK)
The most commonly used classification system of cookies – that is, regarding English websites – was proposed and developed by the United Kingdom International Chamber of Commerce (ICC UK) with a document called ICC UK Cookie Guide:
A. Strictly necessary cookies/necessary
These cookies are required to use the website, they enable the use of the website’s features. These include cookies with which you can log into the website’s secure areas, use shopping carts or make use of e-invoicing services.
B. Performance cookies/statistics
These are cookies that collect information on how the visitors use the websites, for example, which pages they visit most frequently or whether they receive error messages from the website. These cookies do not collect identification information on the visitor.
These cookies collect aggregated information and as such are anonymous, and use the information solely to improve the website's operation.
C. Functionality cookies/preferences
These cookies allow the user’s choices (e.g. name, language or region entered) to be recorded and the use of extended, personalized features. Furthermore, in order to enable proper operation, these cookies may also allow certain features embedded in the website (such as the display of YouTube videos). The information collected by these cookies may be anonymous, and is not suitable to track the user’s activity on other websites visited by the user.
D. Targeting cookies or advertising cookies/marketing
These cookies are used to display advertisements on the website that are even more interesting and relevant to the user. These cookies can be used to determine how many times a certain ad was displayed, and the effectiveness of ad campaigns may also be assessed. These cookies are usually placed by ad networks on a given website, with the approval of the website operator. These cookies remember the visit to the given website, and share this information with other organizations, such as the poster of the advertisement. Targeting or advertising cookies are usually connected to the features provided by the website operator.
E. Unclassified cookies
Unclassified cookies are cookies that are not classified yet, together with the providers of the individual cookies.
3.3 Cookies particularly used on the www.pickmuzeum.hu website
3.3.1 Strictly necessary cookies/necessary
| Name | Provider | Purpose | Type | Expiry |
| --- | --- | --- | --- | --- |
| wordpress_*, wordpress_logged_in_* | pickmuzeum.hu | Authentication cookie to use the admin interface. | HTTP | At the end of the session. |
3.3.3 Functionality cookies/preferences
| Name | Provider | Purpose | Type | Expiry |
| --- | --- | --- | --- | --- |
| wordpress_test_cookie | pickmuzeum.hu | Verifies whether the user’s browser supports cookies. | HTTP | At the end of the session. |
| pll_language | pickmuzeum.hu | User interface customization cookie. | HTTP | 2 years |
| wp-setting-* | pickmuzeum.hu | User interface customization cookie. | HTTP | 2 years |
3.4 Legal basis for data processing
Concerning cookies that require consent, the legal basis for data processing is the data subject’s consent based on Article 6(1)(a) of the Regulation, Ehtv. Section 155, Subsection 4 and Ektv. Section 13/A, Subsection 4 and Ektv. Section 13/A, Subsection 3.
For the purposes of managing cookies (strictly necessary cookies), server logs (e.g. logging of IP addresses) or other personal data that are needed for the basic operation of the website and the security of the IT system, the legal basis for data processing is the legitimate interests pursued by the controller or by a third party, pursuant to Article 6(1)(f) of the Regulation.
3.5 Data subjects
Data subjects include the visitors of the www.pickmuzeum.hu website who have given their consent to the usage of cookies requiring consent, by ticking the separate tick boxes under the Cookie Settings menu to accept the cookies and pressing the “I AGREE” button on the website.
For the purposes of data processing necessary for the basic operation of the www.pickmuzeum.hu website (strictly necessary cookies) and the security of the IT system (server logs, etc.), the data subjects include the administrators authorized to use the administration interface of the www.pickmuzeum.hu website.
3.6 Scope of personal data processed
The administration interface of the www.pickmuzeum.hu website – for administrators with access privileges – is used with the following personal data required for the following actions:
a) name: identification;
b) password: secure login.
3.7 Retention period
The personal data referred to in Section 3.6 entered during the use of the administration interface of the www.pickmuzeum.hu website – by administrators with access privileges – are deleted at the end of the session.
3.8 Recipients of personal data, recipient categories
Competent employees of the Controller and the Processor.
3.9 Data Controller
The economic operator referred to in Section 1 of this Data Processing Notice.
3.10 Data Processors
a) CreatIT Solutions Kft. (Mailing Address: H-6724 Szeged, Körtöltés utca 59.; E-mail: info@creatit.hu; Website: www.creatit.hu; Phone: +36-20-341-5291), as the economic operator responsible for website development and transfer.
b) Invitech ICT Services Kft. (Mailing Address: H-2040 Budaörs, Edison utca 4.; E-mail: fazekasb@invitech.hu; Website: www.invitech.hu; Phone: 1444), as the economic operator providing web hosting services.
c) Bonafarm Zrt. (Mailing Address: H-1123 Budapest, Alkotás utca 53.; E-mail: info@bonafarm.hu; Website: www.bonafarmcsoport.hu; Phone: +36-1-801-9061), as the economic operator providing professional IT advisory services.
3.11 Data processing of external service providers
The HTML code of the portal may contain links coming from and linking to external servers. The servers of external service providers may connect directly to the visitor’s computer. We advise our visitors that due to the direct connection to their server and the direct communication with the visitor’s browser, the providers of these links are able to collect visitors’ data. Contents which may be customized to the visitor are provided by the servers of the external service provider. The cookies used by external service providers are in particular: Google Adwords cookie, Google Analytics cookie or cookies from Facebook.
More information on cookies from Google is available here:
https://policies.google.com/technologies/types?hl=hu
More information on cookies from Facebook is available here:
https://hu-hu.facebook.com/policies/cookies/
3.12 Setting, deleting or disabling cookies
Cookies – with the exception of cookies strictly necessary for the operation of the website – can be deleted by the user from his/her own computer, or s/he can disable the use of cookies in the browser settings. Using cookies – with the exception of cookies strictly necessary for the operation of the website – is not mandatory. If the user does not accept the use of cookies on the www.pickmuzeum.hu website – with the exception of cookies strictly necessary for the operation of the website – then certain features may not be accessible to him/her.
If the user visiting the website would like to fully or partially disable cookies, s/he has to do so separately on each device and software with browsing capability.
The visitor may view and change the settings for cookies used on the www.pickmuzeum.hu website:
a) on the www.pickmuzeum.hu website in the Cookie Settings menu, or
b) in the Chrome browser, by clicking the “View site information” graphical element to the left of the address bar (a lock if it is a secure connection – https – or the letter “i” in a circle), inside the pop-up window, or
c) using the following menu in Chrome: Settings/Advanced/Privacy and security/Site Settings/Cookies.
For more information on cookies, please click the links below:
a) Microsoft Internet Explorer:
https://support.microsoft.com/en-gb/help/17479/windows-internet-explorer-11-change-security-privacy-settings
b) Firefox:
https://support.mozilla.org/en-US/products/firefox/protect-your-privacy/cookies
c) Google Chrome:
https://support.google.com/accounts/answer/61416?hl=en
d) Microsoft Edge
https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy
e) Opera
https://help.opera.com/en/latest/web-preferences/#cookies
f) Safari
https://www.apple.com/legal/privacy/en-ww/
4. SECURITY OF DATA PROCESSING
The Controller stores the personal data in electronic form.
Taking into account the state of science and technology, the costs of implementation, the nature, scope, conditions and objectives of data processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Controller and the Processor(s) implement technical and organizational measures which ensure a level of data security appropriate to the risk to data subjects.
When determining the appropriate level of security, the Controller expressly considers the risks stemming from data processing, which are especially connected to the accidental or illegal destruction, loss, alteration, unauthorized disclosure or unauthorized access of personal data transferred, stored or processed in any other way.
The Controller and the Processor take action to ensure that natural persons acting under the supervision of the Controller or the Processor – who have access to the personal data – process the above mentioned data only in compliance with the Controller’s instructions, unless Union or member state law provides otherwise.
5. EXERCISING AND ENFORCING RIGHTS, AND LEGAL REMEDIES
Data subjects may exercise their rights provided in the Regulation taking into consideration the above mentioned nature of legal bases for data processing.
5.1 Data Subject Rights
5.1.1 Transparent communication
The Controller communicates all information prescribed in the Regulation in a concise, transparent, comprehensible and easily accessible form, formulated in a clear and easily understandable way, especially if the information was meant for children. The Controller provides the information in writing or any other way – in electronic form – however, at the data subject’s request, the Controller may also provide oral notification, provided that the personal identity of the data subject was verified in a different way.
5.1.2 Right to access own personal data
At the data subject’s request, the Controller provides feedback on whether the data subject’s personal data is currently being processed. If it is established that the data subject’s personal data is currently being processed, the data subject may request access to his or her personal data and the following information:
a) the purpose of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data was or will be disclosed by the Controller, in particular recipients in non-EU member states;
d) the period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
e) the right of data subjects to request from the Controller the rectification or erasure of personal data or the restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right of the data subject to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, information on the source of these personal data;
h) whether automated decision-making, profiling was performed based on the personal data, if yes, comprehensible information on the applied logic and on the significance of such data processing, and on the consequences of it regarding the data subject;
i) where the Controller transfers the data subject’s personal data to a non-EU country or to an international organization, the data subject’s right to be informed of the transfer.
5.1.3 Rectification of inaccurate personal data
If the data processing involves inaccurate or incomplete personal data, the Controller rectifies them after receiving the data subject’s request without undue delay. The data subject may also request the completion of the personal data.
5.1.4 Right to erasure (“right to be forgotten”)
The data subject has the right to request from the Controller the erasure of personal data concerning him or her, and to request doing so without undue delay, where one of the following grounds applies:
a) the data subject’s personal data are no longer necessary in relation to the original purposes of data processing;
b) the data subject withdraws consent to the processing and there is no other legal basis for data processing;
c) the legitimate interest of the Controller provides the legal basis for data processing against which the data subject objects, and there are no overriding legitimate grounds for data processing;
d) the personal data are processed for direct marketing purposes against which the data subject objects;
e) the Controller processed the data subject’s personal data unlawfully;
f) the data subject’s personal data have to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject;
g) the legal basis for the Controller’s processing of the personal data was the consent of a child’s guardian, and / or
ga) the data subject is the child’s guardian and the child concerned has not yet reached the age of 16 and is required to give consent;
gb) the data subject is a child who has reached the age of 16 and is required to give consent.
The Controller may not delete the personal data if data processing is necessary for the following reasons:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c) for preventive health care or occupational health, for assessing the employee’s ability to work, for medical diagnosis, for providing health or social care / treatment, or the management of health care or social care systems and services, based on Union or member state law or pursuant to a contract with a healthcare professional;
d) on the grounds of public interest in the area of public health, such as the protection against severe dangers to health spreading across borders or ensuring the high quality and safety of medical care, pharmaceuticals and medical devices, and it’s based on such Union or member state law that is appropriate and provides for specific actions concerning the warranties of the data subject rights, especially professional secrecy;
e) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the data subject’s right to erasure would probably render this data processing impossible or seriously jeopardize it;
f) for the establishment, exercise or defense of legal claims.
5.1.5 Right to restriction of processing
At the request of the data subject, the Controller restricts processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
d) the data subject has objected to the processing done by the Controller because the Controller’s legal basis for the processing was its own legitimate interest, however, the data subject claims that his/her interests override the Controller’s interests.
Where processing has been restricted – due to the data subject’s request – such personal data shall, with the exception of storage, only be processed:
a) with the data subject's consent or
b) for the establishment, exercise or defense of legal claims or
c) for the protection of the rights of another natural or legal person or
d) for reasons of important public interest of the Union or of a member state.
The data subject shall be informed by the controller before the restriction of processing is lifted.
5.1.6 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller if:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
The data subject shall also have the right to have the personal data transmitted directly from one controller to another.
5.1.7 Right to object
The data subject shall have the right to object to processing of personal data concerning him or her if
a) the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller;
b) the processing is necessary in the legitimate interest of a third party, including profiling;
c) the personal data are processed for direct marketing purposes, including profiling related to direct marketing.
If the processing is necessary based on legitimate interest as defined in point (b) above, the data subject may not object to the processing if the Controller demonstrates
a) compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or
b) for the establishment, exercise or defense of legal claims.
Where the data subject objects to processing for direct marketing purposes, the Controller shall no longer process the personal data for such purposes.
5.1.8 Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The data subject shall not exercise his/her above mentioned right if the decision
a) is necessary for entering into, or performance of, a contract between the data subject and the Controller;
b) is authorized by Union or member state law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
c) is based on the data subject's explicit consent.
In the cases referred to in points (a) and (c), the data subject may request human intervention, may express their opinion and may submit opposition to the decision.
5.1.9 Withdrawal of consent
The data subject may withdraw his/her consent any time only where the data processing is based on their consent. The withdrawal of consent does not affect the legitimacy of the consent-based data processing performed prior to the withdrawal.
The controller shall inform the data subject prior to giving consent.
The declaration of consent withdrawal is only valid if the specific data processing is clearly indicated.
5.2 Exercising rights, complaints, legal remedies
5.2.1 Exercising rights
The data subject may exercise his/her abovementioned processing-related rights by sending an e-mail or letter to the Controller’s e-mail address or registered seat address respectively, from an identifiable e-mail address of the data subject or a letter signed by the data subject. The declaration of the data subject on exercising their right(s) is only valid if the specific data processing is clearly indicated.
The Controller shall respond to electronic requests by electronic means or any other means requested by the data subject.
5.2.2 Complaints
If the data subject considers that the processing of the personal data relating to him/her violates the provisions of the Regulation, the data subject shall have the right to lodge a complaint with the supervisory authority concerned, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement.
In Hungary, complaints may be lodged with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter referred to as NAIH), as the Supervisory Authority. NAIH contact information:
E-mail: ugyfelszolgalat@naih.hu
Mailing Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone: +36 (1) 391-1400
Website: www.naih.hu
For the names and contact information of the data protection authorities in the EU, please click the following link:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
5.2.3 Legal remedies
a) Judicial remedy against the Supervisory Authority
All data subjects shall have the right to an effective judicial remedy:
aa) against legally binding decisions of the supervisory authority or
ab) where the competent Supervisory Authority does not address the complaint or fails to notify the data subject about the procedural developments of the lodged complaint or the results of it within three months.
Proceedings against the Supervisory Authority shall be initiated at a court in the member state of the Supervisory Authority’s registered seat.
b) Judicial remedy against the Controller or the Processor
The data subject may contact a court with his/her claims against the Controller and/or the Processor, where s/he considers that processing of his/her personal data by the Controller and/or the Processor mandated by the Controller infringes upon the provisions of a law or a binding EU act on the processing of personal data.
The procedure shall be initiated in a court in the member state of the establishment of the Controller or the Processor. Such a proceeding may be brought before a court in the member state of the data subject’s habitual residence, unless the Controller or the Processor is a public authority exercising public powers in a member state.
In Hungary, the lawsuit may be brought before the competent court of the data subject’s permanent or habitual residence, based on the data subject’s choice.