PRIVACY POLICY
Information notice on the processing of personal data within the framework of
SUMMER UNIVERSITY AND STUDENT CAMP BÁLVÁNYOS – TUSVÁNYOS
The COUNCIL OF HUNGARIAN YOUTH FROM ROMANIA, in what follows TUSVÁNYOS processes personal data within the organization and implementation of the event Summer University and Student Camp Bálványos – Tusványos as foreseen the present Information notice.
The purpose of this information is to set out the principles for the protection and processing of personal data in the context of the organization and conduct of the Event, obtained directly from the data subject, so that the data subject can be adequately informed about: the data processed by TUSVÁNYOS or its processor, the purposes, legal basis and duration of the processing, the name and address of any processor involved in the processing and its activities in relation to the processing, and, in the case of a transfer of the data subject’s personal data, the legal basis and the recipient of the transfer.
Legislation used and taken into account in developing the provisions of this guide:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”;).
- Law nr. 190/2018 with reference to measures of implementing Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Definitions
The definitions in this notice correspond to the interpretative definitions set out in Article 4 of the GDPR.
Where the definitions in the current GDPR differ from the definitions in this notice, the definitions set out in the legislation shall prevail.
- Data processor, the person authorized by the data processor and their contacts
Data processor
The COUNCIL OF HUNGARIAN YOUTH FROM ROMANIA, address Cluj Napoca, str. David Ferenc, nr. 21., ap. 8., VAT nr. 14752780, registration nr. 5/PJ/2002, bank account RO53 OTPV 2000 0108 4868 RO01, at OTP Cluj-Napoca;
- Data subjects, data processed, purpose of data processing, legal basis, method, data source, data storage duration
Data subjects: participants of the event, or legal representative and/or accompanying person.
Scope of processed data | Purpose of data processing | Legal basis of data processing | Storage duration |
Name, forename, email address, telephone number, address
Bank account data |
Attending the Event as a visitor, organizer, guest, partner, trader. Purchasing tickets | Article 6(1)(a) GDPR (consent) | until the withdrawal of consent, but no later than 2 months after the end of the event |
Name, forename, series and number of ID, email, address, date of birth, gender, citizenship, country, ID in original or photo, in case the participant is a minor: name and forename of the legal representative and of the accompanying person, personal number, series and number of the ID of the legal representative and of the accompanying person, telephone number of the legal representative and of the accompanying person, email address of the legal representative | Ensuring access and security within the perimeter
the event, respectively the provision of services to which the participant is entitled on the basis of the ticket / Registration on the Saturday of the Event |
Article 6(1)(b) GDPR –
contract performance |
until the withdrawal of consent, but no later than 2 months after the end of the event |
Photo and video recording | journalistic, informational, commercial, Tusványos marketing and promotional purposes | Article 6(1)(f) GDPR – legitimate interest | until withdrawal of consent, but not later than 3 years |
Name, forename, email address, telephone number | commercial purpose of promoting Tusványos products and services and statistical purpose | Article 6(1)(f) GDPR – legitimate interest | until withdrawal of consent, but not later than 10 years |
Declaration in relation to Article 13(1)(f) of the GDPR | personal data will not be transferred to a third country or an international organization |
Recipients and categories of personal data: | personal data shall not be transferred outside the staff of Tusvanyos processors and data controllers |
How the data is processed: | Electronically, on paper |
Declaration in relation to Article 13(2)(e) of the GDPR: | the provision of personal data is not based on a legal or contractual obligation, is not a prerequisite for the conclusion of a contract and the data subject is not obliged to provide personal data. If personal data are not provided, participation in the event cannot be guaranteed. |
Declaration in relation to Article 13(2)(f) of the GDPR: automated decision making is not used.
III. Principles of data processing
- The data controller will process personal data in accordance with the principles of good faith, fairness, accuracy and transparency, as well as in accordance with applicable laws and the provisions of this Notice.
- The data controller shall process personal data only on the basis of the purposes and for the purposes set out in this Notice and shall not go beyond the purposes set out in this Notice.
- Where the data controller intends to use the personal data for a purpose other than that for which they were originally collected, it shall inform the data subject and, unless there is another legal basis for the processing as provided for in the GDPR, obtain the data subject’s prior explicit consent and give him or her the opportunity to object to the use.
- The sole person responsible for the accuracy of the personal data provided is the person providing it.
- The data controller shall transfer the personal data it processes to third parties only with the express and unequivocal consent of the data subject, given in full knowledge of the scope of the data transferred and of the recipient of the data transfer, it being understood that the data controller has the right and the obligation to transfer to the competent authorities any personal data at its disposal and stored by it in accordance with the law, which it is obliged by law or by a final and binding obligation of a public authority to transfer. The data controller shall not be liable for such transfer and its consequences.
- The data controller shall ensure the security of personal data, take technical and organizational measures, and establish procedural rules to ensure the security of the data collected, stored, processed, and to prevent accidental loss, destruction, unauthorized access, unauthorized use, unauthorized alteration and unauthorized disclosure.
- The data controller shall keep a record of the data it processes in accordance with applicable laws, ensuring that the data is made available to Tusvanyos staff and other persons acting in the interests of the data controller who need to know the data in order to perform their tasks or duties. All persons acting in the interest of the data controller shall have the right to have access only to the data the processing of which is necessary for the performance of the tasks of that person.
- Rights of the data subject
- The data subject can exercise his/her rights in the following ways
- through e-mail
- through the post
- in person
- Rights of the data subject
2.1. Right to information and access
The data subject may at any time request that the data controller inform him or her of the data processed by him or her or by a processor to whom the data controller has delegated the processing, the purpose, legal basis and duration of the processing, the name and address of the processor and his or her activities in relation to the processing, the circumstances of the personal data breach, the effects of the breach and the measures taken to remedy it, as well as the legal basis and the recipient of the data transfer, where the personal data of the data subject are transferred.
In this context, the data subject has the right to request a copy of the processed data. In the case of a request transmitted in electronic form, the data controller will fulfill the request mainly in electronic form (in pdf format), unless the data subject’s request does not contain an explicit request to the contrary.
The data controller hereby draws the data subject’s attention to the fact that where the right of access as described above adversely affects the rights and freedoms of others, in particular trade secrets or intellectual property of others, the data controller has the right to refuse to comply with the request to the extent necessary and proportionate.
2.2. Right to rectification, modification
The data subject has the right to request rectification, amendment or integration of the personal data processed.
2.3. Right to the portability of data
The data subject shall have the right to receive personal data relating to him or her provided to the data controller in a structured, commonly used and machine-readable format and the right to have such data transmitted to another controller without the data controller preventing him or her from doing so.
The data subject shall also have the right to request, where technically feasible, the direct transfer of personal data between controllers.
2.4. Right to erasure (“the right to be forgotten”)
The data subject has the right to request erasure of some or all of his or her personal data.
In this case, the data controller shall delete the personal data without undue delay if:
- personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- processing which was based on the data subject’s consent, but the data subject has withdrawn that consent and there is no other legal basis for the processing;
- processing that was based on the legitimate interests of the data controller or a third party, but the data subject objected to the processing and there is no overriding legitimate reason for the processing, except an objection to processing for direct marketing purposes;
- personal data have been unlawfully processed by the data controller;
- deletion of personal data is necessary to comply with a legal obligation.
In any case, the data controller shall inform the data subject of any refusal to erasure of the data (for example, where processing is necessary for the establishment, exercise or defense of legal claims), stating the reasons for the refusal. The erasure of personal data shall be carried out in such a way that, once the request for erasure has been complied with, the previous (erased) data can no longer be restored.
In addition to exercising the right to erasure, the data controller will erase personal data if the processing is unlawful, the purpose of the processing has ceased or the lawful data storage period has expired, or if ordered to do so by a court or public authority.
2.5. Right to restrict processing
The data subject may request restriction of the processing of his/her personal data if:
- the data subject contests the accuracy of the personal data – in this case, the restriction shall apply for the period of time allowing the data controller to verify the accuracy of the personal data;
- the processing is unlawful, but the data subject opposes the erasure of the data and requests instead the restriction of its use;
- the data controller no longer needs the personal data for the purpose of processing, but the data subject needs them for the establishment, exercise or defense of legal claims;
- the data subject has objected to the processing – in which case the restriction shall apply for the period until it is established whether the legitimate reasons of the data controller outweigh the legitimate reasons of the data subject.
In the case of a restriction on processing, the data controller shall not process the personal data concerned by the restriction, with the exception of storage, or shall process them only if the data subject has consented or, in the absence of such consent, insofar as the data are necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State of the European Union. The data controller shall inform the data subject in advance of the lifting of the restriction.
2.6. Right to protest
Where the legal basis of the processing is the legitimate interest of the data controller or of a third party (except for mandatory processing), the data subject has the right to object to the processing. The data controller is not obliged to comply with the objection if he/she can prove that:
- processing is justified by legitimate and compelling reasons overriding the interests, rights and freedoms of the data subject;
- the processing relates to the establishment, exercise or defense of legal claims by the data controller.
The data controller will examine the legitimacy of the data subject’s objection and, if the objection is justified, will cease processing.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes.
2.7. Legal remedies
See point VII.
2.8. Right to withdraw consent
The data subject has the right to withdraw his/her consent to the processing at any time, provided that the withdrawal of consent does not affect the lawfulness of the processing based on the consent prior to its withdrawal.
- The data controller shall examine without delay the request submitted as described above, decide whether to accept or refuse the request, take the necessary measures and inform the data subject. If the request is refused, the information shall include the legal basis for the refusal, the reasons for the refusal and the remedies available to the data subject.
- The data controller shall inform all recipients to whom or to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
- Incidents in connection with the data processing
- The data controller shall immediately notify the data protection incident to the National Data Protection Authority, unless the data protection incident is unlikely to present a risk to the rights and freedoms of data subjects. The data controller shall keep a record of data protection incidents together with the actions taken in relation to the incident. Where the incident is serious (i.e. likely to lead to a high risk to the rights and freedoms of the data subject), the data controller shall inform the data subject of the personal data breach without undue delay.
- Modification of the information notice
- The data controller reserves the right to change this policy at any time by unilateral decision, informing the data subject via the contact details provided.
- If the data subject does not agree with the amendment, he or she may request the erasure of his or her personal data as set out in point IV.
VII. Legal remedies
- TUSVÁNYOS, as data controller, may be contacted in relation to the management of personal data through the contact details indicated in point I.
- In the event of a personal data breach relating to the processing of personal data, the data subject shall have the right to lodge a complaint to the competent data protection supervisory authority of the Member State in which he or she has his or her habitual residence, place of work or place of the alleged breach.
The complaint should be sent to: in Romania, to the National Authority for
Data Protection, Bucharest, bd. G-ral Gheorghe Magheru, nr. 28-30, sector 1, 010336,
telephone: +40-318-059-211, e-mail: anspdcp@dataprotection.ro.
- The data subject may take legal action in the following cases:
- in case of breach,
- against a legally binding decision of the supervisory authority concerning it,
- where the supervisory authority does not resolve the complaint or does not inform the person concerned within three months of the progress of the procedure or the outcome of the complaint.
Disputes are settled by the Romanian courts in Cluj-Napoca.