Safe Society Foundation

Privacy and Data Management Policy 2021.

TABLE OF CONTENTS

1. INTRODUCTION
   1. Relevant legislation
   2. Terms and definitions
2. DATA PROCESSING PRINCIPLES

• SAFE SOCIETY FOUNDATION’S DATA MANAGEMENT
  1. Purpose of the data management policy
  2. Content and scope of data processing
  3. Duration of data processing
  4. Deletion of personal data, notification of changes
  5. Possibility of amending the data management policy
  6. Use of Google Analytics
  7. Data controller’s personal data, contact details

1. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS
2. COMPENSATION, DAMAGES, REMEDIES
3. INTRODUCTION

This data management policy applies to the storage and processing of personal data provided by

• all users who register on the Safe Society Foundation’s https://vdta.hu, https://safesocietyfoundation.com, https://vedjukmeg.hu, https://sasofo.com websites and its https://facebook.com/vdta/Facebook page, as well as
• by members of the Foundation, officers,
• partners or contractors, organisers, associations, service providers and
• participants in events and programmes organised by the Safe Society Foundation, with their voluntary, informed and explicit consent.

The data is managed, processed and stored by the Safe Society Foundation (registered office: HU-2016 Leányfalu, Panoráma Str.  49/B. Tax number: 19296676-1-13, which uperates under the registration number 13-01-0004161), hereinafter referred to as the data controller.

1. Relevant legislation

The data controller undertakes to carry out its activities in accordance with the legislation in force at the time. These are as follows at the time of publication of this document:

• Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act.) – updated on https://net.jogtar.huwebpage
• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
• Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: Electronic Commerce Act).
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions on Commercial Advertising Activities (hereinafter: Advertisement Act).

2. Terms and definitions

Based on Article 3 of Act CXII of 2011 (Privacy Act)

Data subject

Any specified natural person who is identified or can be identified, directly or indirectly, on the basis of personal data.

Personal data

Data that can be associated with the data subject, in particular the name, identification number, and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject; and the conclusion about the data subject that can be drawn from the data.

Special data

• personal data revealing racial or ethnic origin, membership of a national or ethnic minority, political opinion, party affiliation religious belief or worldview, trade union membership, personal data concerning a natural person’s sex life
• , health or medical conditions, pathological addictions and his/her criminal offences

Criminal personal data

Personal data related to the data subject and to his/her criminal record, generated by organs authorised to conduct criminal proceedings or to detect criminal offences, or by the prison service during or prior to criminal proceedings, in connection with a criminal offence or criminal proceedings;

Data of public interest

Information or knowledge other than personal data, registered through any method or in any form, pertaining to the activities of and processed by the organ or person performing state or local government duties and other public duties defined by law, or generated in the course of performing their public duties, irrespective of the method or form in which it is recorded and regardless of its singular or collective nature; in particular, data concerning material competence, territorial competence, organisational structure, professional activities and the evaluation of their performance, the type of data held and the laws governing its operation, as well as data concerning financial management and concluded contracts.

Data accessible on public interest grounds

Any data, other than data of public interest, the disclosure, availability or accessibility of which is prescribed by an Act for the benefit of the general public.

Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he, by a clear affirmative action, signifies agreement to the processing of personal data relating to him; either in full or in relation to specific operations.

Objection

A statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data.

Data controller

A natural or legal person, or organisation having no legal personality, which, alone or jointly with others, determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor.

Data processing

Any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use; taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans).

Data transfer

Providing access to the data for a designated third party;

Disclosure

Making the data available to anyone.

Data erasure

Making the data unrecognisable in such a way that its restoration is no longer possible.

Data marking

Marking data with an identifier to distinguish it.

Data blocking

Marking the data with an identifier for the purpose of limiting its further processing permanently or for a limited period of time.

Data destruction

The complete physical destruction of the data-storage medium that contains the data.

Technical processing

The performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.

Data processor

A natural or legal person, or an organisation not having legal personality which, acting according to a mandate or instructions given by the data controller, including a contract concluded pursuant to a legal provision, processes personal data.

Data source

The organ performing public duties, which generated the data of public interest that is to be published through electronic means or during the operations of which such data was generated.

Data publisher

The organ performing public duties which, if the data source itself does not publish the data, uploads the data sent to it by the data source to a website.

Dataset

All data processed in a single registry.

Third party

A natural or legal person, or an organisation having no legal personality, other than the data subject, data controller, or data processor.

EEA state

Any Member State of the European Union and any State Party to the Agreement on the European Economic Area, as well as any state the nationals of which enjoy the same legal status as nationals of State Parties to the Agreement on the European Economic Area on the basis of an international agreement concluded between the European Union and its member states and the state which is not party to the Agreement on the European Economic Area.

Third country

Any state that is not an EEA State.

1. DATA PROCESSING PRINCIPLES

Personal data can be processed (Article 5(1) of the Privacy Act), if

• the data subject gives its consent, or
• it is ordered by law or – on the basis of the authorisation of the law and within the scope specified therein – by decree of a local government.

The declaration of an incapacitated minor and a minor with limited capacity to act requires the consent of his or her legal representative (Article 6(3) of the Privacy Act)., except for parts of services where the declaration is intended for registration occuring on a massive scale in everyday life and does not require special consideration.

Personal data may be processed only for specified purposes, for excercising a right or performing an obligation. The data processing must comply with this objective at all stages. (Article 4(1) of Privacy Act).

Only personal data may be processed which is necessary for the purposes of the data processing, which is adequate to achieve those purposes, and only to the extent and for the duration necessary for those purposes. (Article 4(2) of Privacy Act).

Personal data can only be processed with consent based on proper information. The data may not be disclosed to third parties. The data controller does not further process the personal data in its possession, and therefore does not give an order for data processing.

The data subject (Article 20(2) of the Privacy Act) must be informed – in a clear, comprehensible and detailed manner – of all facts relating to the processing of his or her data, in particular the purpose and legal basis of the processing, the person authorised to process the data, the duration of the processing and who may access the data. The information should also cover the rights and remedies of the data subject in relation to the processing.

The personal data processed must comply with the following requirements:

• their collection and processing are fair and lawful
• to be accurate, complete and, where necessary, timely
• they are stored in a way that ensures that the data subject can be identified only for the time necessary for the purpose for which they are stored

The unrestricted use of a general and unified identity number is prohibited.

Personal data may be transferred and different processing operations may be combined where the data subject has given his or her consent or where the law permits it and where the conditions for processing are met for all personal data.

Personal data (including special data) may be transferred from the country to a data controller or processor in a third country, irrespective of the data medium or the means of transmission, if the data subject has given his or her explicit consent or if the law so permits and the third country ensures an adequate level of protection for the personal data concerned during the processing of the data transferred. Transfers to EEA States shall be treated as if they were transfers within the territory of Hungary (Article 8 of Privacy Act).

III. SAFE SOCIETY FOUNDATION’S DATA MANAGEMENT POLICY

Name of data controller

Safe Society Foundation, hereinafter referred to as Foundation.

Description of data processing

Storage and processing of personal data.

Legal basis for data processing

Voluntary consent of the data subject (Act CXII of 2011. Article 5.(1) a)).

Data controller’s websites

https://vdta.hu, https://safesocietyfoundation.com, https://vedjukmeg.hu, https://sasofo.com and its facebook.com/vdta Facebook page.

Place of actual data processing

HU-2016 Leányfalu, Panoráma Str. 49/B.

 

 

Personal scope of data subjects

Members of the Foundation, regional representatives, supporters, event organisers, participants of events, registrants on the website.

1. Purpose of the data management policy

On the basis of the voluntary, informed and explicit consent of the Foundation’s members, supporters, regional representatives, participants in the various events and registrants on the website – hereinafter referred to as “Data Subjects”.

For members of the Foundation

• members’ identification with their personal data (recording, processing, transmission, disclosure of data)
• records of members’ activities
• sending newsletters to members’ electronic and/or postal addresses
• ensuring conditions for ongoing contact and information
• register of regional representatives

For persons in partnership or contractual relations with the Foundation, social organisations

• identification with their personal data (recording, processing, transmission, disclosure of data)
• producing data and statistics on the activities
• ensuring conditions for ongoing contact and information

For participants in the Foundation’s events

• identification of event participants
• production of statistical data
• enabling the verification of entitlements for the provision of benefits and services

For users who register on the Foundation’s websites

• identification and registration of registrants
• compiling statistical data
• enabling the services of the site

2. Content and scope of data processing

Data processing

• for foundation members, the register of members,
• for persons or social organisations who are partners or contractors of the Foundation, the processing of personal or other data relating to events and other activities,
• the recording of personal data and statistics necessary for participation in the various events of the Foundation,
• for website registrants, the recording of personal data necessary to use the site.
• personal data relating to contracts concluded by the Foundation, labour, payroll and invoicing (the data processor is the chairman of the Board of Trustees of the Foundation and his/her accountant.)

 

 

Scope of the data processed

• For members of the Foundation
  • name, birth name
  • mother’s maiden name
  • place and date of birth
  • address, notification address, telephone number and e-mail address

• For participants in the Foundation’s events
  • name
  • year of birth
  • address
  • telephone number, e-mail address
  • reports

• for users who register on the website:
  • name (cannot be changed)
  • nickname
  • year of birth
  • address
  • telephone number, e-mail address, password
  • user profile and settings related to the website

3. Duration of data processing

• For foundation members, from the start of membership to the termination of membership. The ways of termination of membership are laid down in the Constitution of the Foundation.
• For contractual partners, until the termination of the contract.

4. Erasure of personal data, notification of changes

Erasure of personal data

• members of the Foundation may not request the erasure of their data until the termination of their membership. Upon termination of membership, the Foundation shall inform the person concerned in writing that his/her data have been erased from the register of members,
• contracted partners may not request the erasure of their data during the contract period; after the termination of the contract, the Foundation must inform the partner in writing that it has erased its data from the register,
• participants in the Foundation’s events may request in writing the erasure of their data, and the Foundation shall inform the person concerned in writing within 30 days.

Notification of a change in personal data

They are binding only on members of the Foundation within 5 working days of the change occurring.

5. Possibility of amending the data management policy

The Foundation reserves the right to unilaterally modify this Data Management Policy with prior notice to the Data Subjects. If the Data Subject does not object to the amendment in writing within 15 days, the amendment to the Policy is deemed to have been accepted by the Data Subject.

6. Use of Google Analytics

The Foundation’s website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files stored on the computer, to help analyze how users use the website.

The information generated by the cookies about the website used by the user is usually transferred to and stored at a Google server in the USA. By activating IP anonymisation on the website, Google will shorten the user’s IP address in the Member States of the European Union or in other states party to the Agreement on the European Economic Area.

Only in exceptional cases will the full IP address be transmitted to and shortened at a Google server in the USA. Google will use this information at the request of the operator of this website to

• evaluate how users use the website,
• provide the website operator with reports relating to website activity,
• provide additional services related to website and internet use.

Within the framework of Google Analytics, the IP address transmitted by the user’s browser will not be merged with other data held by Google. The storage of cookies can be prevented by the user by selecting the appropriate settings on their browser.

7. Data controller’s personal data, contact details

Name: Safe Society Foundation

Adress: HU-2016 Leányfalu, Panoráma Str. 49/B.

registration number: 13-01-0004161

Name of court of registration: Fővárosi Törvényszék (Budapest High Court)
Tax number: 19296676-1-13
Email: info@safesocietyfoundation.com

1. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS

The Data Subject may request information about the processing of his or her personal data (Article 14 of the Privacy Act) and may request the rectification or – with the exception of data processing required by law – the erasure of his or her personal data in the manner indicated when the data were collected or through the data controller.

At the request of the Data Subject, the Data Controller shall provide information on the data processed by it (Article 15 of the Privacy Act), the purpose, legal basis and duration of the processing, the name, address (registered office) and activity of the data processor, as well as the persons who receive or have received the data and the purpose of the data processing.

The Data Subject may request information from the Foundation at any time in writing, by registered letter with acknowledgent of receipt sent to the Foundation’s address or by e-mail to [email protected]. The Foundation will consider a request for information sent by letter to be authentic if the user can be clearly identified from the request sent. Requests for information sent by e-mail will be considered authentic by the Foundation only if they are sent from the user’s registered e-mail address. The request for information may cover the user’s data processed by the Foundation, their source, the purpose, legal basis and duration of the processing, the names and addresses of any data processors, the activities related to the processing and, in the case of transfer of personal data, who has received or is receiving the user’s data and for what purpose.

The Foundation shall provide the information in writing in a comprehensible form within the shortest possible time from the date of the request, but not later than 25 days. This information shall be provided free of charge if the person requesting it has not yet submitted a request for information in the same subject to the data controller in the current year. In any other case, the data controller may set a fee.

The Foundation shall delete personal data (Article 17 of the Privacy Act) if the processing is unlawful, the data subject requests it, the purpose of the processing has ceased, or the statutory period for storing the data has expired, or the court or the Data Protection Supervisor has ordered it.

The Foundation shall notify the data subject of the rectification and erasure, as well as all those to whom the data were previously transmitted for processing. It may refrain from notifying the Data Subject, if this does not violate the Data Subject’s legitimate interest with regard to the purpose of the processing (Article 18(1) of the Privacy Act).

The Data Subject may object to the processing of his or her personal data (Article 21 of the Privacy Act) if

• the processing (transfer) of the personal data is necessary solely for the purposes of the exercise of a right or legitimate interest of the data controller or of the data importer, unless the processing is required by law;
• the personal data is used or transmitted for direct marketing, public opinion polling or scientific research purposes;
• the exercise of the right to object is otherwise permitted by law.

The Foundation shall examine the objection within the shortest possible period of time from the date of the request, but not later than 15 days, and shall inform the applicant in writing of the outcome of the examination, with the simultaneous suspension of the processing.

If the objection is justified, the Foundation shall terminate the processing, including further collection and transfer of data, and block the data and notify the objection and the action taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.

If the Data Subject does not agree with the decision taken by the Foundation, he or she may appeal against it to the courts within 30 days of its notification. The Foundation may not delete the data of the data subject if the processing is required by law. However, the data may not be transferred to the data importer if the Foundation has consented to the objection or if the court has ruled that the objection is justified.

The Data Subject may take the Foundation to court if his or her rights are infringed. The case shall be given priority by the court (Article 22(1) of the Privacy Act). The data subject may choose to bring the case in the competent court of the place where he or she lives or stays. (Article 22(3) of the Privacy Act.)

1. COMPENSATION, DAMAGES, REMEDIES
2. Compensation and damages

Based on Article 23 of Act CXII of 2011.

If the data controller causes damage to another person by unlawful processing of the Data Subject’s data or by breaching the requirements of data security, the data controller shall compensate the Data Subject for the damage. If the data controller infringes the Data Subject’s personal rights by unlawfully processing the data of the data subject or by breaching the requirements of data security, the data subject may claim damages from the controller.

The data controller is liable to the Data Subject for any damage caused by the data processor and the data controller is also liable to pay the data subject’s damages in the event of a personal injury caused by the data processor. The data controller shall be exempt from liability for the damage caused and from the obligation to pay compensation if it proves that the damage or the infringement of the Data Subject’s personal rights was caused by an unforeseeable cause outside the scope of the processing.

No compensation shall be paid and no damages shall be recover where the damage has been caused by the intentional or grossly negligent conduct of the victim or the infringement of a right relating to personality.

Remedies

A complaint can be made or a judicial remedy can be sought at the National Agency for Data Protection and Freedom of Information.

Name: National Agency for Data Protection and Freedom of Information

Registered office: H-1125 Budapest Szilágyi Erzsébet Alley 22/c.

Postal adress: 1530 Budapest, PO Box 5.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Webpage: https://naih.hu

The Data Subject may take legal action against the data controller in case of a breach of his or her rights. The case shall be given priority by the court (Article 22(1) of the Privacy Act). The Data Subject may choose to bring the case in the competent court of the place where he or she lives or stays. (Article 22(3) of the Privacy Act.)