Privacy Policy – Aniko Margit Pek, SELF-EMPLOYED ENTREPRENEUR
EFFECTIVE: from 19 May 2020 UNTIL WITHDRAWN
- Data controller’s data:
Name of the entrepreneur: Anikó Margit Pék SELF-EMPLOYED ENTREPRENEUR
Tax number: 69749708-1-42
Registration number: 53630515
E-mail address: mascarada.milonguero@gmail.com
- Purpose of the Privacy Notice:
The data controller acknowledges the contents of this legal notice as binding on him/herself. The purpose of this Privacy Notice is to inform its customers, partners and clients about the processing of their personal data. The data controller shall process personal data only in accordance with the provisions of applicable law and in strict compliance with the provisions of the data management and data protection regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, limited storage.
The data controller shall take all technical and organisational measures to ensure that the personal data of its partners are processed in a secure manner, as required by Regulation (EU) 2016/679 of the European Parliament and of the Council.
The data controller has developed its day-to-day activities, policies, records, templates and information documents in accordance with the above.
The data protection policies relating to the controller’s processing are permanently available at the controller’s headquarters and website. The controller reserves the right to change this notice at any time. It will of course inform its audience of any changes in due time.
The data controller is committed to protecting the personal data of its partners, and attaches the utmost importance to respecting the right to information self-determination of its customers. The data controller treats personal data confidentially and takes all security, technical and organisational measures to guarantee the security of the data. The controller describes its data management practices below.
3:
The personal scope of this Privacy Notice applies to the controller and to the natural persons whose data are included in the processing operations covered by this Notice, as well as to persons whose rights or legitimate interests are affected by the processing.
The scope of this Notice covers all processing that takes place in the course of the event management activities of the controller. The data controller also carries out other activities, the processing policy in relation to which is set out in another Privacy Notice.
This Policy shall enter into force on the date of approval and shall remain in force indefinitely until further notice.
4:
Personal Data: any information relating to an identified or identifiable natural person. Identifiable natural person means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Special Data: any data falling within special categories of personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the unique identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction.
Controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Joint controllers: where the purposes and means of processing are jointly determined by two or more controllers, they are considered to be joint controllers.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act unambiguously expressing his or her consent, agreement to the processing of personal data concerning him or her.
Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Lawful processing by the controller:
Personal data will be processed by the controller only in the following cases:
- where the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes,
- processing is necessary for the performance of a contract to which the data subject is a party,
- processing is necessary for compliance with a legal obligation to which the controller is subject,
- processing is necessary for the protection of the vital interests of the data subject or of another natural person,
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The controller shall verify the lawfulness of processing at all stages of its activities, and shall process only data for which it can justify the purpose and legal basis and only for such time as is necessary to fulfil the legitimate interests of the data subject. In the event that the conditions of a legal basis cease to apply, the processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.
As a general rule, the way of proving the legal basis is in writing, but even in the case of a legal basis created by implied conduct, it must be examined whether it can be clearly proved ex post. In case of doubt, for reasons of reasonableness and economy, written confirmation of the imputability should be sought.
In the case of processing based on consent, the data subject gives his or her written consent to the processing of his or her personal data. Consent is not bound to a particular form, but so that it can be proved later, written consent on paper or in electronic form is required.
Processing based on a legal basis is independent of the data subject’s consent, as the processing is defined by law.
Irrespective of the mandatory nature of the processing, the private individual concerned must be informed before the processing starts that the processing is mandatory and cannot be avoided, and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the processing starts.
According to the GDPR (General Data Protection Regulation), personal data may also be processed where the processing is necessary for the performance of a contract to which the individual concerned is a party or where the processing is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract. The controller may process personal data for the purposes of the conclusion, performance or termination of the contract on the basis of the legal basis for performance of the contract.
- Processing of personal data by the controller:
The controller is engaged in the organisation of events. It carries out the following processing activities:
A. The controller organises events. When registering, the data controller requests the name, address, e-mail address, telephone number and name of the partner of the data subject. The purpose of the processing is to carry out the registration for the event, to provide the possibility of contacting the data subject and to organise the event. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). The controller will invoice the participant for the amount of the participation fee. The invoice shall contain the name and address of the partner. The legal basis for processing personal data is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
B. Special dietary needs and dietary requirements may arise for event participants. For example, information on lactose-free, gluten-free diets will be requested from the data subject at the time of registration for the event. In these cases, information about the health condition of the data subject (e.g. lactose intolerant, gluten intolerant) will be recorded on the registration form. This information is considered as sensitive data as it refers to the health condition of the person concerned. The purpose of processing this type of special data is to provide a complete service to the participants, catering for all their needs and food intolerances. The data controller stores the special data solely for the purpose of organising the event, for the duration of the event and deletes them immediately after departure. The data controller is entitled to process the special data on the basis of Article 9(2)(a) of the General Data Protection Regulation (GDPR), as the data subject gives his/her explicit and informed consent to the processing of his/her personal and special data at the time of registration. The legal basis for the processing of sensitive data is the consent of the data subject.
C. In the performance of its tasks, the data controller processes the e-mail addresses and telephone numbers of its partners and customers, in the performance of its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) or on the basis of their individual consent (Article 6(1)(a) of the General Data Protection Regulation).
D. In the course of its work, the controller may also have contractual relations with subcontractors, suppliers and service providers, which also provide a basis for the processing of personal data. In this case, the legal basis for the processing of personal data (in the case of an individual or sole trader) is the performance of a contractual obligation (Article 6(1)(b) GDPR), and in the case of personal data of a contact of a legal person, the explicit, prior informed consent of the data subject (Article 6(1)(a) GDPR).
E. The controller also operates a social networking site and a group for marketing purposes to present its activities and services. Here, too, the personal data of the followers of the page and group are processed. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
F. The data controller occasionally takes photographs or videos of its customers, partners and participants at events. If the footage shows a recognisable individual, the footage will be taken and used – in connection with the controller’s website, social networking sites or other appearances – only with the prior, informed, written and voluntary consent of the data subject. The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).
G. The purpose of data processing in the course of complaint handling in relation to the activities of the data controller is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required to be recorded by law, to investigate the complaint and to maintain contact in connection with its resolution.
Once a complaint has been made, the handling of the complaint, and thus the processing of personal data, is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for the processing of personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The Data Controller shall keep records of the processing of the data described above. The register shall also contain the time limits for the erasure of personal data. The register is annexed to this Data Processing Notice.
7:
Where the processing is carried out by another party on behalf of the controller, the controller may only use processors that provide adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects.
The controller hereby declares that in the course of its work, it will only use processors that offer adequate guarantees of compliance with the GDPR Regulation and implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data processors are available to you.
By reading and acknowledging this Privacy Notice, data subjects accept that the controller transfers their personal data to the processors and joint controllers listed below.
- In relation to the issuing of invoices, the partner of the data controller is:
- NAV
- The company hosting the controller’s website is also a data processor:
- Canva.com
- Ionos.hu
- The server of the controller’s mail system is also a data processor:
- Google – Gmail (Gmail.com)
- The service provider of the online cloud database is also a data processor:
- Google
- Cooperating subcontractors involved in the processing of personal data provided by the data controller’s customers:
- Hotel Magyar Király, Székesfehérvár
- Pálffy-Balogh Márta
- Processing partner and joint data controller for the use of Facebook pages:
- Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
- The data controller transfers the personal data of event registrants to the hotel providing the accommodation.
The contracted data processor and data controller partners will process the personal data of the partners only on the basis of instructions from the data controller (except where required by law) and under the obligation of confidentiality.
8. Processing of data relating to contracts concluded by the controller:
Customer contracts:
The controller organises events. Event registration is possible via the controller’s email address, social media page and website www.mascarada.hu. When registering, the data controller requests the name, address, e-mail address, telephone number and name of the partner of the data subject. The purpose of the processing is to carry out the registration for the event, to provide the possibility of contacting the data subject and to organise the event. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). The controller will invoice the participant for the amount of the participation fee. The invoice shall contain the name and address of the partner. The legal basis for the processing of personal data is the fulfilment of the legal obligation (Article 6(1)(c) of the General Data Protection Regulation). With regard to the storage of personal data contained in the invoice, the controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and Small Business Tax and shall store them for 5 years.
Supplier contracts:
The data controller may also process the contact details (name, e-mail address, telephone number) of suppliers and may be in contact with service providers and subcontractors. The legal basis for the processing of personal data is the performance of a contractual obligation (Article 6(1)(b) GDPR) or the consent of the contact person (Article 6(1)(a) GDPR).
The data controller shall, with the contact persons of the companies, fill in a consent form informing them of their rights in relation to personal data and requesting their consent to process their data. In such cases, the legal basis for the processing of personal data shall be the explicit, written and informed consent of the data subject to the processing (Article 6(1)(a) of the General Data Protection Regulation). If the contract with the partner has been terminated and the legal obligation to keep the data and documents no longer applies, the telephone numbers and e-mail addresses shall be deleted. The personal data contained in the contract and invoice shall also be stored in accordance with the provisions of Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and Small Business Tax and shall be kept by the controller for 5 years.
- Processing of invoices issued to customers and the personal data contained therein:
The controller issues invoices for the value of the services it provides. The invoice contains the name, address and possibly the tax number of the data subject. The issuance of the invoice is a legal obligation of the controller. The legal basis for the processing of personal data on the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). With regard to the storage of personal data on the invoice, the controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and on Small Business Tax and shall store them for a period of 5 years.
- Children’s data, processing of special categories of personal data:
The controller does not process personal data of children.
The data subject declares on the controller’s website that he/she is 16 years of age or older in connection with the registration for the event. A person under the age of 16 may not apply for the event in this way, given that, pursuant to Article 8(1) of the GDPR, the validity of his/her consent to the processing of personal data requires the consent of his/her legal representative. The controller is not in a position to verify the age and eligibility of the person giving consent, so the data subject warrants that the data he/she has provided is accurate.
Special dietary needs and dietary requirements may arise for those attending the event. For example, information about lactose-free, gluten-free meals will be requested from the data subject at the time of registration for the event. In these cases, information on the health condition of the data subject (e.g. lactose intolerant, gluten intolerant) will be recorded on the registration form. This information is considered as sensitive data as it refers to the health condition of the person concerned. The purpose of processing this type of special data is to provide a complete service to the participants, catering for all their needs and food intolerances. The data controller stores the special data solely for the purpose of organising the event, for the duration of the event, and deletes them immediately after the event. The data controller is entitled to process the special data on the basis of Article 9(2)(a) of the General Data Protection Regulation (GDPR), as the data subject gives his/her explicit and informed consent to the processing of his/her personal and special data at the time of registration. The legal basis for the processing of sensitive data is the consent of the data subject.
Special data otherwise brought to the attention or knowledge of the controller shall not be recorded by the controller. If such data have been entered into any of the controller’s systems without the controller’s knowledge, the controller shall delete them from the system as soon as they are detected.
- Procedure for the retention of e-mail addresses and telephone numbers:
In the course of its activities, the data controller also obtains the e-mail addresses and telephone numbers of its partners and customers. If the contract with the partner has been terminated and there is no legal obligation to keep the data and documents, the telephone numbers and e-mail addresses will be deleted. In some cases, the data controller will still have a legitimate interest in retaining the data and will request the explicit and written consent of the data subject to the retention of his or her personal data (Article 6(1)(a) of the General Data Protection Regulation).
12:
The controller occasionally takes photographs or video recordings of its customers, partners and participants at events. The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).
Where the data subject withdraws consent and requests the cessation of the use of the recording or its erasure, the controller shall comply with this request without delay.
- The controller’s website:
The controller presents its events on its own website (www.mascarada.hu).
The controller’s website (website on its own website).
The website does not use its services to process personal data:
The data controller also organises events. When registering, the data controller requests the name, address, e-mail address, telephone number and name of the partner of the data subject. The purpose of the processing is to carry out the registration for the event, to provide the possibility of contacting the data subject and to organise the event. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). The controller will invoice the participant for the amount of the participation fee. The invoice shall contain the name and address of the partner. The legal basis for processing personal data is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The data subject declares on the controller’s website that he/she is 16 years of age or older when registering for the event. A person under the age of 16 may not apply in this way, given that, pursuant to Article 8(1) of the GDPR, the validity of his/her declaration of consent to the processing requires the consent of his/her legal representative. The controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided are accurate.
14:
The controller also operates a Facebook page and a group, where personal data are also processed. The data controller also uses Facebook pages and groups to promote its activities and services. The controller uses these pages for marketing purposes.
https://www.facebook.com/MascaradaMilonguero/
https://www.facebook.com/groups/1313554128801406/
The controller also provides comprehensive personal support through Facebook. If you ask a question via Facebook, the controller will try to answer it as soon as possible. The data you provide on Facebook pages and groups will only be used to answer your question and not for any other advertising purposes.
The purpose of using the Facebook page and group is to advertise and provide information on social media platforms. Facebook may also use the data for its own purposes, including profiling and targeting the data subject with advertising.
In order to contact the controller via Facebook, you must be logged in. To do this, Facebook may also request, store and process personal data. The controller has no control over the type, scope and processing of this data and does not receive personal data from the Facebook operator. For more information on this, please visit the Facebook page.
The personal data of people who follow Facebook pages and groups are processed by the controller on the basis of their consent (Article 6(1)(a) of the General Data Protection Regulation), which is deemed to be given by the fact that the person concerned likes, follows or comments on the page, group or posts.
15:
The data controller uses cloud-based services primarily for storing, backing up and sharing documents. The common feature of such services is that they are not provided by the user’s computer, but by a remote server, a server centre located anywhere in the world. Such services are also provided by online hosting. A major advantage of cloud applications is that they provide a highly secure, flexible and scalable IT storage and processing capacity, essentially independent of geographical location.
In these cases, the cloud service provider can be considered as a data processor, processing personal data on behalf of the data controller. Cloud service providers are obliged to keep personal data confidential and may only process personal data on the instructions of the controller.
The data controller shall take the utmost care in the selection of its cloud service partners, shall take all measures reasonably necessary to contract with them in a manner that is compatible with the data security interests of its customers, shall be transparent about their data processing principles and shall regularly monitor data security.
Cloud storage is password protected and only the data controller has access to the data stored there.
The data controller’s partners expressly consent to the transfer of data necessary for the use of cloud applications by accepting this Privacy Notice. The legal basis for processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
- Handling of complaints about the controller’s activities:
In the course of complaint handling in relation to the controller’s activities, the purpose of the processing is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required to be recorded by law, to investigate the complaint and to maintain contact in connection with its resolution.
Once a complaint has been lodged, the handling of the complaint, and thus the processing of personal data, is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for the processing of personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The data controller keeps the record of the complaint and a copy of the reply for 5 years, on the basis of which the personal data are also processed during this period.
17:
The data controller undertakes to ensure the security of the data, to take technical and organisational measures and to maintain procedures to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require any third party to whom it transfers or discloses the data to comply with the requirements of data security.
The controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The data processed may only be accessed by the controller and its data processor(s) and shall not be disclosed to third parties not entitled to access the data.
The data controller shall pay particular attention to the security of the personal data of its partners and customers. It shall act in full compliance with the legal provisions and shall require all its partners to do the same. Personal data protection includes physical data protection (storage of documents in a lockable room) and IT protection (use of antivirus, firewall, password protection).
The controller shall store the personal data provided by the data subject primarily on the servers of the data processor(s) specified in this Privacy Notice, equipped with the usual protection systems, and partly on its own IT equipment, in case of paper media, at its headquarters, in an appropriately locked manner.
The data subjects acknowledge and accept that, in the event that they provide their personal data, the data protection cannot be fully guaranteed on the Internet and on the computer system. In the event of unauthorised access or disclosure, despite the efforts of the controller, it is necessary to proceed as described in this notice.
- Rights of data subjects:
- Transparent information:
The purpose of this Privacy Notice is also to provide clear, concise, transparent and understandable information about the processing activities carried out by the controller.
- Right of access:
The data subject has the right to receive feedback from the controller as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:
- the purpose of the processing,
- the categories of personal data concerned,
- the categories of recipients to whom the personal data have been disclosed,
- the intended storage period of the personal data.
You can request information on the above data from the controller at the following address, e-mail address:
Anikó Margit Pék sole proprietor.
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to rectification:
The data subject has the right to have inaccurate personal data relating to him or her corrected by the controller at his or her request.
The data subject may request information on the above data from the controller at the following address, e-mail address:
Margit Anikó Pék sole proprietor.
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that it will respond to your request within 30 days. Information requests sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to erasure:
The data subject has the right to obtain, at his or her request, the erasure of personal data relating to him or her by the controller. The data controller is obliged to delete personal data on the basis of this request if one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected,
- the data subject withdraws his or her prior consent and there is no other legal basis for the processing,
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed,
- the data must be erased in order to comply with a legal obligation under EU or Member State law.
You can request information about the above data from the controller at the following address, e-mail address:
Margit Anikó Pék sole proprietor
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to restriction of processing:
A data subject has the right to request the controller to restrict processing, in particular where:
- the accuracy of the data is contested,
- the data subject considers that the processing is unlawful but, for whatever reason, does not request the erasure of the data.
You can request information about the above data from the data controller at the following address, e-mail address:
Margit Anikó Pék sole proprietor
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to data portability:
The data subject has the right to receive personal data relating to him or her in a structured, commonly used, machine-readable format and the right to have such data transmitted to another controller.
You can request information on the above data from the controller at the following address, e-mail address:
Margit Anikó Pék sole trader
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to object:
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
You can request information from the controller about the above data at the following address, e-mail:
Anikó Margit Pék sole proprietor.
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right of the data subject in case of automated decision-making:
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. Automated decision-making is any process or methodology whereby a technical automatism evaluates personal aspects relating to the data subject and which produces legal effects concerning him or her or significantly affects him or her. The controller shall not use IT automated mechanisms, including profiling, which have a significant impact on the rights of the data subject.
You can request information about the above data from the controller at the following address, e-mail address:
Pék Anikó Margit sole proprietor
E-mail: mascarada.milonguero@gmail.com
The controller hereby informs you that he will reply to your request within 30 days. Information requests sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
The controller undertakes to inform all recipients to whom it has disclosed personal data of requests sent to it in relation to the above rights, unless this proves impossible. It further undertakes to notify the data subject (applicant) of the decision on the processing of the above requests within 30 days at the latest.
- Data Protection Incident:
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the event of a data breach, the breach must reach a serious risk level, i.e. it must be of such a degree that the personal data are subject to:
- destruction,
- loss,
- alteration,
- unauthorised disclosure, or
- unauthorised access.
An incident shall be deemed to occur if any of the above occurs, but this does not preclude more than one of the above occurring at the same time. This includes not only intentional malicious conduct, but also negligent harm. An incident therefore occurs when it is caused by an accidental or unlawful act.
Examples of a data breach include:
- the unlawful transmission of personal data on a document, portable device, storage medium or IT system (e.g. by mail),
- unauthorised access to an IT system or application that processes personal data,
- corruption or loss of part or all of a database containing personal data,
- rendering part or all of an IT system unusable by a virus or other malicious software, etc.
A personal data breach may, in the absence of appropriate and timely action, cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft, or misuse of identity, financial loss, unauthorised impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantages suffered by the natural persons concerned.
In the event of a potential data breach (unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons), the controller shall immediately notify the National Authority for Data Protection and Freedom of Information. As soon as the controller becomes aware of the incident, it shall notify it without undue delay and, if possible, no later than 72 hours after becoming aware of the personal data breach. If the notification cannot be made within 72 hours, the notification shall state the reason for the delay and provide the required information in detail without further undue delay.
For the notification of a personal data breach, the National Authority for Data Protection and Freedom of Information operates a dedicated system on its website through which notifications can be made electronically.
The data controller shall keep a record of the data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. The controller shall keep records of the data relating to the incident, including the causes, the events and the personal data involved. In addition, the record should also include the effects and consequences of the incidents and the measures taken to remedy them, and the conclusions of the controller (for example, why it thinks the incident is not reportable, or if the notification is delayed, the reason for the delay).
An incident that is unlikely to pose a risk to the rights and freedoms of natural persons need not be notified to the supervisory authority.
If the personal data breach is likely to present a high risk to the rights and freedoms of the data controller’s partners or clients, we will inform the partner concerned without delay. The information provided to the data subject shall clearly and plainly describe the nature of the personal data breach and shall include the most relevant information and measures.
The data subject need not be informed as described above if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures that render the data unintelligible to persons not authorised to access the personal data;
- the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure ensuring that the data subjects are informed in an equally effective manner.
- Information on the most relevant legislation:
- Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (Info. tv.);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
- Act V of 2013 – on the Civil Code (Civil Code);
- Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and Small Business Tax.
- Right to apply to the courts:
The data subject may take legal action against the controller in case of infringement of his/her rights. The court shall rule on the case out of turn.
- Data protection authority procedure:
Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, PO Box 5.
Phone: 0613911400
Fax: 0613911410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
- Other provisions:
The data controller shall provide information on the processing of data not listed in this information notice at the time of recording the data. In such cases, the provisions of the legislation in force shall prevail.
The data controller hereby informs its customers that the court, the prosecutor, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, or other bodies authorised by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents. Provided the authority has indicated the precise purpose and scope of the data, the controller shall disclose personal data to the authorities only to the extent strictly necessary for the purpose of the request.
The website of the Data Protection Authority contains further information on the data protection rights referred to in this Privacy Notice.
Budapest, 19 May 2020.
Margit Anikó Pék
sole trader
Appendix 1.
| No. | Name of the processing of personal data | Purpose of data processing | Legal basis for processing | Time limit for deletion of personal data |
| --- | --- | --- | --- | --- |
| 1. | Personal data provided when registering for the event (name, address, e-mail address, telephone number). | For the performance of the contract, to maintain contact. | Establishment of the contract, performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation). | Within 30 days of the expiry of the legal retention period (5 years). |
| 2. | Health data (specific data – e.g. lactose intolerance, gluten intolerance, etc.) that have come to the attention of the controller when communicating special dietary needs of event participants. | To ensure full service to the applicants, to ensure that the food is prepared with the right ingredients. | Based on the data subject’s consent. | Immediately after withdrawal of consent. Immediately after the stay at the hotel. |
| 3. | Personal data contained in the invoice issued to the users of the service (natural persons, sole traders). | Legal obligation to issue the invoice. | Performance of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). | Within 30 days of the expiry of the legal retention period (5 years). |
| 4. | Processing of incoming e-mails (sender’s e-mail address), telephone numbers. | To fulfil a contractual obligation or on the basis of consent. | Performance of a contractual obligation (Article 6(1)(b) GDPR) or with the consent of the data subject (Article 6(1)(a) GDPR). | Within 10 working days after the performance of the task or immediately after the withdrawal of consent, up to a maximum of 3 working days. |
| 5. | Personal data of suppliers, service providers, subcontractors (in the case of an individual or sole trader). | To fulfil a contractual obligation. | Performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation). | Within 30 days of the expiry of the legal obligation to keep the consent (5 years). |
| 6. | Personal data of contact persons of suppliers, service providers, subcontractors. | In the performance of a contractual obligation. | With the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). | Immediately upon withdrawal of consent. Within 10 working days after the termination of the contract, unless the law provides for a retention obligation in relation to the contract (within 30 days after the expiry of the obligation). |
| 7. | Personal data that have come to the knowledge of the controller through the use of a social networking site. | To promote the activity and services. | With the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation). | Immediately after withdrawal of consent. |
| 8. | The images contained in photographic and video recordings of customers. | To promote the services and activities, use of the footage on websites, social networking sites and other media. | Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). | Without undue delay after withdrawal of consent, but within 3 working days at the latest. |
| 9. | Personal data obtained in the course of complaint handling. | To identify and address a complaint. | Compliance with the legal obligation (Article 6(1)(c) of the General Data Protection Regulation). | Within 30 days of the expiry of the legal obligation to keep the consent (5 years). |