1. Introduction
The Alliance for a Civic Hungary Foundation (Szövetség a Polgári Magyarországért Alapítvány) (in this data privacy policy information: “Data controller” or “Foundation”) shall information deemed to be personal data pursuant to Article 4 Section 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) of visitors at its home page on the http://szpma.hu/ web site (“Website ”), and of persons getting in touch with the Foundation through this Website or concerned with its activities This data-privacy policy (“Privacy Policy”) provides information on the rights and legal remedies of data subject related to the management of their data.
In the course of data management and in this Privacy Policy we act upon the relevant and applicable laws and regulations with special regard to the following:
2. Key terms related to personal data and their interpretation
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. Identity and contact details of the controller
Name: Alliance for the Civic Hungary Foundation
Address: 1143 Budapest, Stefánia út 20.
Website : http://szpma.hu/
E-mail: alapitvany@szpma.hu
4. Principles relating to processing of personal data
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
They shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, following Article 89 paragraph (1), not be considered to be incompatible with the initial purposes.
Data handled shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. In which cases are your personal data processed?
5.1. Data processing related to communication with the controller, the complaints, enforcement of claims and defence in legal proceedings
For which purposes do we process your data? |
Responding to communications received by the controller (for instance: inquiries related to the activities of the controller), and to complaints, eventual comments, enforcement of legal claims of the controller (claim management). |
What are the legal grounds for processing your data? |
When processing is necessary for the purposes of the legitimate interests pursued by the controller (GDPR Article 6 paragraph (1) item f)). Legitimate interest: managing communications, inquiries received by the controller, responding to eventual comments, enforcement of claims of the controller, submission of legal claims, handling receivables, defence against claims of data subjects or in judicial or governmental proceedings filed by them. In the case of processing consumer complaints: in order to meet legal obligations the controller is subject to (GDPR Article 6 paragraph (1)c)), and in harmony with Article 17/A of Act No CLV of 1997 on the protection of consumers (“Consumer Protection Act”) the controller shall process personal data related to complaint management, responding to consumer complaints and retention of the report drawn up in connection with the consumer complaint and the duplicated copy of the reply thereto. Section 5.3 of this Privacy Policy deals with the communication related to our Facebook page and the respective data processing measures more in details. |
Are you obliged to provide your data? |
You are not obliged to communicate with or – provided you are deemed to be a consumer – submit consumer complaints to the controller. However, should you make any communication or submit any consumer complaint to the data controller, the controller shall process your related data in accordance with and up to the time limit specified in this Privacy Policy. |
What data do we process? |
Personal data concerned with the communication or consumer complaint received by the controller, data necessary for keeping contacts with the data subjects and the persons represented by them (name, address, e-mail address), the contents of the claims (complaints) presented by the data subjects, recording the actions taken in response to the communication, in case of consumer complaint the report drawn up in connection with the consumer complaint and the duplicated copy of the reply thereto pursuant to Article 17/A of the Consumer Protection Act. Your name (and other particulars for your identification, provided you have handed them over to us earlier on and it is necessary for the purposes of the given procedure) as well as your contact details (in the scope required by the enforcement of the claim or the given procedure, including in particular your permanent address and e-mail address, if communication with You is accomplished via e-mail and the processing of your e-mail address is therefore necessary) are processed in connection with the enforcement of legal claims and with the defence in legal or governmental proceedings initiated by them. |
How long do we store your data? |
Your data will be recorded for a period of 5 years (Article 6:22 paragraph (1) of the Civil Code – unless provided for otherwise, claims shall become superannuated in a five years term). The report drawn up in connection with the consumer complaint and the duplicated copy of the reply thereto shall be retained by the controller pursuant to Article 17/A paragraph (7) of the Consumer Protection Act for a period of 5 years just as well. In the event of a court or governmental proceeding the duration of the data processing period will be extended up to the final closure of the proceeding in question (for instance: a final and legally binding decision arrived at by the court or authority). |
To whom do we transmit your personal data? |
Your personal data may be transmitted to our legal representative, the acting court, or other authority (such as a public notary) for the purposes specified above. |
5.2. Data processing related to the promotion of exercising data protection rights, measures taken in response to requests from data subjects and related to personal data breach incident management
For which purposes do we process your data? |
Processing applications received by the controller, taking actions in the wake of such applications, facilitation of exercising data privacy rights of data subjects and data processing related to incident management. |
What are the legal grounds for processing your data? |
When processing is necessary for the purposes of the legitimate interests pursued by the controller (GDPR Article 6 paragraph (1) item f)). The controller shall facilitate the exercise of data subject rights (GDPR Article 12 paragraph (2)), and to investigate personal data breach incidents – if any – and to notify the supervisory authority (data protection authority) as well as the data subject, pending on the severity of the breach (GDPR Articles 33 and 34). |
Are you obliged to provide your data? |
For the purposes of exercising data privacy rights, the performance of the associated queries, as well as in the case of a potential data privacy incident (such as a hacker attack) processing of the personal data of the data subject concerned (especially his or her name and the contact details provided to us) might become necessary. In this scope the controller might request to have the aforementioned personal data made available to it, and – in the case of electronic communication, when the identification of the data subjects is necessary –, the photocopy of the personal identity card, passport or driving licence of the data subject concerned (for instance: by sending the PDF file recording the photocopy in an e-mail attachment). These duplicated copies will only be processed for the purposes of verification of the identity of the person concerned, subsequently they will be immediately and irreversibly erased. |
What data do we process? |
The application received by the controller, name and contact details of the data subject (in particular: permanent address, e-mail address). In the case of electronic communication means, if the identification of the data subjects requires so, the photocopy of the personal identity card, passport or driving licence of the data subject concerned. Such copies will be erased immediately after inspection and will not be retained. |
How long do we store your data? |
Your data will be recorded for a period of 5 years (Article 6:22 paragraph (1) of the Civil Code – unless provided for otherwise, claims shall become superannuated in a five years term). The photocopy of the personal identity cards, passports or driving licences of data subjects will not be stored or retained. |
To whom do we transmit your personal data? |
Personal data of the data subject might be transmitted to the data protection authority and to our legal representative, should there be any proceedings in progress at the competent data protection authority (in particular in the case of a data protection incident, if the weight and nature thereof mandates such an action). |
5.3. Online presence in social media
The controller shall take advantage of the services provided by online platforms within the social media networks in the capacity of the Website operator for the purposes of transmitting information related to the controller to the users present on the platform concerned, and to communicate with users through these platforms directly, provided such users intend to take the opportunity use this means. This way social media channels reinforce the online presence of the controller and create an alternative communication channel for stakeholders who welcome such a kind of information. At the time being, we have our own online social media webpage on the following networks (Facebook page):
When you connect to the social media page of the controller within the network in question through that network, such interaction shall be within the scope of the General Terms and Conditions of Contract and the Privacy Policy of the operator of the social media page you connected to and the operator of the respective network (which is, for the social media page referred to above, Facebook Ireland Limited).
It must be emphasised that for the purposes of the aforementioned social media page of the controller the controller and Facebook Ireland Limited (4 Grand Canal Square, Dublin, Ireland) must be considered to be joint controllers, therefore data subject can exercise their data protection (data subject) rights specified in this Privacy Policy in face of the controller and Facebook Ireland Limited just as well. In any other cases Facebook acts as an independent data controller and assumes responsibility of the data processing carried out by it on Facebook. In this respect, you may find more information in the Privacy Policy (https://www.facebook.com/privacy/explanation) and Terms of Use (https://www.facebook.com/legal/terms) of Facebook, as well as in the policy related to page analyses (https://www.facebook.com/legal/terms/page_controller_addendum).
Additionally, you may find more information about the Facebook cookies used on this Website in our cookies policy as referred to in Section 6 of this Privacy Policy.
In addition to the foregoing the Foundation shall process data of the social media platform users only and exclusively to the extent which is necessary for the users named above to contact and communicate with us in the form of comments or direct messages.
Processing of personal data from users is based on their legitimate interest to get effective directions from us and could communicated with us under Article 6 paragraph (1) item f) of the GDPR – for more information, please refer to Section 5.1 of this Privacy Policy above. In the event the service providers concerned (that is, with respect to our social media page mentioned above, Facebook Ireland Limited) requested consent from You for the processing of your data (such as “express your consent by ticking the appropriate box “, or “confirm your answer by clicking on the appropriate button “), the legal grounds shall be data processing under GDPR Article 6 paragraph (1) item a).
It should be emphasised that in addition to the foregoing, Facebook Ireland Limited shall be held liable for the data processing activities carried out by it as an independent controller as laid down in its Privacy Policy (https://www.facebook.com/privacy/explanation) and Terms of Use (https://www.facebook.com/legal/terms).
6. Cookies used on the Website (cookies
Data subject can obtain more information on the cookies used on the website, the related data processing implications and rights in the Cookies Policy of the website which can be accessed at: https://szpma.hu/en/cookie-policy
7. Rights and legal remedies of the data subjects related to data processing
Information provided in return of your communication or the performance of your application shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or – having regard to the administrative costs of providing the information or communication or taking the action requested – refuse to act on the request.
Data privacy rights and judicial remedies of the data subjects (including You, provided your personal data are processed by the Data Controller) are contained in the relevant and applicable provisions of the GDPR (in particular in GDPR Articles 15, 16, 17, 18, 19, 21, 77, 78, 79, 80 and 82). The summary below contains the key provisions and the Data Controller shall provide information to data subjects in relation to their rights associated with the processing of their personal data and the judicial remedies available.
The controller shall provide information on action taken on a request under Articles 15 to 21 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The information shall be provided by the Controller in writing, or by other means, including, – where the data subject submitted his or her application electronically, or requested to be informed this way – by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven to the Data Controller.
Access |
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; and g) where the personal data are not collected from the data subject, any available information as to their source. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. |
Rectification |
You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you and your incomplete personal data completed, including among others by means of providing a supplementary statement. Please note that by reporting any changes in your personal data you shall facilitate for the Data Controller to maintain accurate and up to date data about you. |
Restriction |
You shall have the right to obtain from the controller restriction of processing where one of the following applies - the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; - the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead; - the controller no longer needs the personal data for the purposes of the processing, but they are required by your for the establishment, exercise or defence of legal claims, - You have objected to processing of your data. In such a case the restriction shall be pending for the period of the verification whether the legitimate grounds of the controller override those of the data subject. |
Withdrawal of your consent |
In the event the legal grounds for data processing is your consent, You are entitled to withdraw your consent any time. Please note if you withdrew your consent, former data processing activities carried out by the controller shall not become unlawful. You may find guidance in the section “What are the legal grounds for processing your data?” of the Privacy Policy on the cases where the controller relies upon your consent for data processing. |
Objection |
You shall have the right to object to processing of personal data concerning you, provided the ground for processing data is the lawful interest of the Controller. For more information on this subject please refer to the part “Legal grounds for processing your data” of this Privacy Policy. Provided you raised objection to processing your data, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, your rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. |
Erasure |
You shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay to erase personal data without undue delay where one of the following grounds applies: - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, - You have withdrawn consent on which the processing is based and where there is no other legal ground for the processing, - You object to the processing of your data and there are no overriding legitimate grounds for the processing, - Your personal data have been unlawfully processed, - the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. |
Data portability |
In the event the processing is based on your consent or on the performance of a contract concluded with you, and the processing is carried out by automated means, You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. The exercise of the right referred to above shall be without prejudice to the provisions laid down with respect to the right to erasure (right to be forgotten) and furthermore it shall not adversely affect the rights and freedoms of others. |
Complaint |
You are entitled for lodging a complaint with a supervisory authority – in particular in a Member State of your habitual residence, workplace or the location of the presumed violation of the law –, if according to your judgement the processing of the personal data concerning you is in conflict with the provisions laid down in the GDPR. For the contact details of each supervisory (data protection) authority within the European Union see: https://edpb.europa.eu/about-edpb/board/members_hu. In Hungary, the competent authority is the following: Hungarian National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11.; mailing address: 1363 Budapest, PO. Box: 9.; Telephone number: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; webpage: https://naih.hu/). Additionally, you are also entitled to lodge a complaint with the competent court in order to enforce your rights. Such a proceeding can be launched at the court of the Member State of your habitual residence. Such a law suit in Hungary falls within the competence of the High Court. You may also file an action – at your sole discretion – at the High Court with a jurisdiction at your permanent residence or place of stay. You may find details on the jurisdiction, competence, authority and contacts of the court (High Court) at: www.birosag.hu. |
8. Amendment to the Privacy Policy
The Controller retains the right to amend this Privacy Policy by unilateral decision. The up to date version of this Privacy Policy is always posted on the Website. Amendments, if any, shall take effect upon posting on the Website. Therefore it is recommended to visit the Website regularly and get acquainted with the eventual changes.