DATA CONTROLLER'S DATA:
- Company name: Magyar Kultúra Kiadó Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
- Registered office: 9061 Vámosszabadi, Béke utca 4.
- E-mail address: firstname.lastname@example.org
- Fax number: +36 96 433 625
- Tax number: 13567422-2-08
- Company registration number: 08 09 013358
- Registration number of data processing: NAIH-112718/2017
- Represented by: Takács Szilvia, Director
1. PURPOSE OF THE REGULATION
The purpose of this Regulation (hereinafter referred to as Regulation) is to define, in accordance with Act CXII of 2011 on Information Self-Determination and Freedom of Information (hereinafter referred to as the Information Act), the processing of personal data at MAGYAR KULTÚRA KIADÓ KERESKEDELMI és SZOLGÁLTATÓ KFT. (hereinafter referred to as the Data Controller). It shall ensure the application of the constitutional principles of data protection and the requirements of data security, prevent unauthorised access to data, alteration of data, unauthorised disclosure of data and, on this basis, regulate the processing of personal data by the Data Controller's departments.
2. SCOPE AND SUBJECT MATTER OF THE REGULATION
2.1. The personal scope of the Regulation extends to all employees of the Data controller who carry out data management and data processing, as well as to natural and legal persons and other business entities who have a contractual relationship with the Data Controller, to the extent specified in the contract concluded with them and in the confidentiality agreement.
2.2. The scope of the Regulation covers all computer and paper-based management and processing of personal data by any of the Data Controller's departments.
3. DATA PROTECTION PRINCIPLES
3.1. The Data Controller shall act in good faith and fairly, in cooperation with the data subjects.
3.2. The Data Controller shall exercise and fulfil its rights and obligations in accordance with their purpose.
3.3. The personal data shall retain this quality during the processing for as long as the relationship with the data subject can be re-established. The connection with the data subject may be re-established if the Data controller has the technical conditions necessary for such re-establishment.
3.4. The Data Controller shall ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up-to-date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.
3.5. Personal data may be processed exclusively for specified purposes, for the exercise of rights and for the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for such shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
3.6. The data subject must be informed clearly and in detail of all facts relating to the processing of his/her data before the processing begins, in particular the purpose and legal basis of the processing, the person authorised to manage and process the data, the duration of the processing, if the data subject's personal data are processed by the Data Controller pursuant to Article 6(5) of the Data Protection Act, furthermore who are entitled to access the data. The information shall also cover the rights and remedies of the data subject in relation to the processing.
4. SPECIFIC PROVISIONS CONCERNING UNDERAGE PERSONS
4.1. When applying this Regulation pursuant to Article 2:10 (1) any person under the age of 18 shall be considered as underaged.
4.2. An underaged user is obliged to read this Regulation together with his/her parent or guardian and may only provide his/her personal data with the consent of his/her parent or guardian.
4.3. If the Data Controller becomes aware in any way that the data of an underaged person have not been registered in accordance with the law or this Regulation, it shall delete such personal data without prior notice.
4.4. The Data Controller is obliged to develop and operate technical solutions in the field of IT protection, which prevent the Underaged from accessing educational materials and documents of a nature that may endanger their psychological, intellectual, emotional, moral, physical or personality development, or the content of which they may not understand or misunderstand due to their age. The Data Controller must also identify material which may present a risk to them and keep these documents separately on the webpage from those available for download by the public.
4.5. If the technical solution referred to in Section 4.4 cannot be implemented, the Data Controller may only publish the material with a warning about the possible dangers to underaged users.
5. RULES ON THE DATA THAT MAY BE COLLECTED (SCOPE OF DATA PROCESSED)
5.1. The website is accessible to anyone, but the services can only be used after prior registration. On the website of the Data Controller it is possible to register on several levels, which are built on each other.
The first level ("Basic registration") requires the following data:
- E-mail address
The above data are considered personal data according to the Information Act. The Data Controller does not process any special data at the first level of registration.
At the second level ("Identified registration"), the Controller processes the following data:
- Name (with title)
- Place and date of birth
- Mother's name
- Language spoken
- Telephone number
For the third level ("Partner registration"), the Data Controller processes the following data relating to the partner:
- Tax number
- Bank account number
- Address of registered office
After partner registration, the following professional data can be entered in the partner profile:
- Biographical data
5.2. By registering on the website and providing the necessary data to the Data Controller, which can be done by filling in the Data menu on the website, the data subject consents to the processing of the personal data provided during registration by the Data Controller for the purpose of concluding and performing contracts electronically for the provision of services available on the website, for the duration of the contract and the existence of the contracts as well as the claims arising from them.
6. RULES OF AUTOMATED DATA COLLECTION
6.1. Data may be stored or accessed on the subscriber's or user's electronic telecommunications terminal equipment only based on the clear and full consent of the user or subscriber concerned, including the purposes for which the data are stored.
6.2. The head of the department or the Data controller shall be responsible for the performance of the tasks listed in points 6.1 to 6.3.
6.4. The website may use web beacons, which monitor the use of the website and show which pages within the website the user visits. Web beacons are short strings of code that place an image on the website to transmit data such as the IP address of the computer that downloaded the page containing the web beacon, the URL (address) of the page on which the web beacon appears, the time the page containing the web beacon was viewed, the type of browser that downloaded the web beacon and the identification number of the cookie previously placed on the computer by the server.
If the user provides us with personal data, this can be linked to anonymous data stored in cookies and/or web beacons. We may process the information generated in this way for analytical and marketing purposes, to measure the effectiveness of the service and to improve it.
7. METHOD OF USING THE COLLECTED DATA
We use your personal data for the following purposes:
- Process your registration
- Enable you to use the services on our website
- We may contact our users to inform them when they use our services or when there are changes to our policies;
- Other purposes, which we have informed the user of at the time the personal data is disclosed, or otherwise where authorised by ad.
8. DATA PROCESSING RULES
8.1. Legal basis for data processing
8.1.1. If the personal data have been collected with the consent of the data subject, the Data Controller may process the collected data for the purpose of complying with a legal obligation to which the Data Controller is subject, or for the purposes of pursuing a legitimate interest of the Data Controller or of a third party, where such interest is proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject's consent, unless otherwise provided by law.
8.1.2. The employee who collects the data shall inform the data subject in advance of the purpose of the processing and whether the provision of the data is based on consent or is mandatory. In the case of mandatory processing, the legal provision imposing the processing must be indicated.
8.1.3. If the purpose of the processing based on consent is the performance of a contract concluded in writing with the Data controller, the contract may contain all information which the data subject needs to know for the purposes of the processing of personal data pursuant to the Information Act, in particular the definition of the data to be processed, the duration of the processing, the purpose of the use, the fact of the transfer of the data, the recipients, the fact of the use of a data processor. The contract shall unambiguously state that the data subject, by signing it, consents to the processing of his or her data as provided for in the contract.
8.1.4. The records containing customer data and the records relating to the services provided by the Data Controller shall be structured in order to separate the processing operations which can be distinguished on the basis of their legal basis and purpose.
8.1.5. The Data Controller may process natural personal identification data and address data necessary to identify the user for the purposes of creating, defining the content of, amending, monitoring the performance of, billing the fees arising from, and enforcing claims in relation to the contract for the provision of information society services.
8.1.6. The Data Controller may process natural personal identification data, address, and data relating to the time, duration and location of the use of the information society service for the purpose of billing the fees resulting from the contract for the provision of the information society service.
8.1.7. The Data Controller may, in addition to Article 7.1.9, process personal data which are technically necessary for the provision of the service.
8.1.8. In addition to the information provided for by a specific act, the Data Controller must ensure that the user is informed, before and at any time during the use of the information society service, which types of data are processed by the Data Controller for which purposes, including the processing of data which cannot be directly related to the recipient.
9. RULES ON THE RELEASE OF DATA
9.1. Our customers' personal data will be entered into our company's records during registration. This data is treated confidentially and will not be disclosed to third parties.
9.2. The data provided in the course of subscribing to the newsletter, which may be provided while browsing the website, will be treated confidentially by the Operator, will not be disclosed to third parties and the possibility to unsubscribe will be provided at the bottom of each newsletter sent.
9.3. During the browsing of the website, technical information is recorded for statistical purposes (IP address, duration of visit, etc.). This data will be transmitted by the Operator to the authorities only in cases that are legally justified and supported by credible evidence.
9.4. If the data subject no longer wishes to receive electronic advertising from the Data Controller, he may notify the Data Controller of his request by electronic means, and the Data Controller shall comply with the data subject's request within 3 working days of receipt of the request.
9.5. These data are the following:
- E-mail address
- Identifier of the purchased publication
- Price of the publication purchased
- Date of purchase, expiry date
- Purchase method (payment method, discount coupon, free coupon)
- Subscription fee
- Start and end of group membership
- Progress rate
- Exam results, assignments to be submitted
- List of video conference participants
The processing of the data transmitted will be governed by the data management policy of the owner of the product or individual marketplace purchase.
10. DATA STORAGE RULES
10.1. The data is entered by filling in the registration form. On the registration form, the user declares in writing that he/she has read and understood the information on data management and data protection contained in this Regulation and all the information provided, and grants voluntary and explicit consent to record, manage, and process all the data provided by the user. In the absence of such consent, the Data Controller is entitled to refuse registration.
10.2. The Data Controller is obliged by law to keep records of users who have given their consent in accordance with this clause.
10.3. In the event of successful registration, the user will receive a confirmation e-mail to his/her e-mail address.
11. RULES ON THE MODIFICATION OF DATA
11.1. If the processed data is changed, subsequently proves to be incorrect or needs to be amended for any other reason, the Data Controller may only do so in such a way that the original data can be ascertained.
11.2. The amended data must indicate the fact of the amendment and be signed by the Controller.
11.3. At any time after registration, the User shall be entitled to request in writing (by e-mail or fax) the modification or alteration of the data provided, or to request the deletion of his/her registration, or the destruction of the data processed. The Data Controller shall, immediately upon receipt of the written request for modification/deletion, ensure the modification, alteration or destruction of the data processed by it.
12. RULES FOR DELETING OR TERMINATING USERS
12.1. The User is obliged to provide a real name and e-mail address for registration (username). The Data Controller may verify the authenticity of the data provided; if any of the data is found to be false, the Data Controller shall be entitled to cancel the User's registration.
12.2. The Data Controller is entitled to terminate the profile of any User if the User violates any of the rules in force at the Data Controller or any of the terms and conditions applicable to the use of the service.
13. AMENDMENT OF DATA PROTECTION REGULATIONS
This Regulation is in force for an indefinite period, but will be reviewed from time to time to ensure that it meets the expectations of Users and complies with applicable data protection laws and regulations. The Regulation may be amended at any time by the Data Controller, who shall inform Users by appropriate means (in a newsletter or a pop-up window upon login) and publish the amended Regulation on the website. The information shall be provided before the entry into force of the amendment, in time to allow the User to decide whether to accept the amendment or to cancel his/her registration.
14. RULES APPLICABLE TO USERS OUTSIDE THE EUROPEAN UNION
14.1. The Data Controller or the Processor may transfer personal data to a data controller carrying out processing in a third country or provide personal data to a data processor carrying out processing in a third country if the User concerned has given his or her explicit consent or if the processing complies with the rules applicable to the legal basis of the processing.
In both cases, it is a precondition that an adequate level of protection of personal data is ensured in the third country during the data management and processing.
14.2. An adequate level of protection is ensured if a binding legal act of the European Union establishes an international treaty between Hungary and the third country containing guarantees for the right to legal remedies and for the independent control of the processing and data processing, and the data management or processing is carried out in accordance with mandatory organisational rules.
14.3. For the purposes of data management and processing, all EEA Member States are considered to be the same as Hungary.
15. DATA PROCESSING
15.1. The rights and obligations of the Data Processor in relation to the processing of personal data shall be determined by the Data Controller within the framework of the Information Act and the specific laws on data processing. The Data Controller shall be solely responsible for the lawfulness of the instructions given by it.
15.2. The Processor may not take any substantive decisions concerning the processing of personal data, may process personal data that have been made available to him only in accordance with the Controller's instructions, and may not process personal data for his own purposes.
15.3. The contract for the processing shall be drawn up in writing. The processing shall not be entrusted to an entity which has an interest in the business of the user of the personal data to be processed.
Compliance with legal requirements and internal regulatory documents relating to data protection must be continuously monitored by the heads of the departments responsible for data processing.
17. DATA SECURITY
17.1. The Data Controller shall:
- ensure the security of the data. In order to do so, it shall take the necessary technical and organisational measures with regard to both data stored by means of IT tools and data stored on traditional forms of data storage media.
- ensure that the rules on data security laid down in the relevant legislation are complied with.
- ensure the security of the data, take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable legislation, data protection and confidentiality rules.
- take appropriate measures to protect the data against unauthorised access, alteration, disclosure, deletion or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.
- ensure the enforcement of data security rules by means of specific policies, instructions and procedures.
- ensure that the staff concerned are adequately trained in order to enforce data security conditions.
- take into account the state of the art when defining and applying data security measures.
- choose among several possible data processing solutions the one that ensures a higher level of personal data protection, unless this would imply a disproportionate level of difficulty.
17.2. Protection of electronic records
The Data Controller shall ensure, in particular, within the scope of its responsibilities for the protection of information technology:
- measures to protect against unauthorised access, including the protection of software and hardware devices and physical protection (access protection, network protection);
- measures to ensure that data files can be recovered, including regular back-ups and separate secure management of copies (mirroring, backup);
- the protection of data files against viruses (virus protection);
- the physical protection of data files and the media on which they are stored, including protection against fire, water, lightning and other natural hazards and the ability to recover from damage caused by such events (archiving, fire protection).
17.3. Protection of paper-based records
The Controller shall take the necessary measures to protect paper-based records, in particular with regard to physical security and fire protection.
Employees and other persons acting on behalf of the Data Controller shall keep secure and protect the data carriers they use or have in their possession, including personal data, regardless of the way in which the data are recorded, against unauthorised access, alteration, disclosure, deletion or destruction, as well as against accidental destruction or damage.
17.4. Regulations for data security
The Data Controller shall ensure that the requirements of data security are met by means of separate regulations and instructions. The employees of the Data Controller and persons acting in the interests of the Data Controller shall in all cases act in accordance with the procedures laid down in the separate regulations and instructions, which ensure a high level of data security.
18. RIGHTS OF DATA SUBJECTS AND EXERCISE OF SUCH
18.1. Right to be informed
18.1.1. The Data Controller shall inform the data subject prior to the processing. The information may also be provided by the Data Controller by announcing the details of the processing and drawing the attention of the data subject to it.
18.1.2. Data subjects may request information about the processing of their data. The data subject may request information in particular from the Customer Service or, if this is not possible, from the Data Protection Officer. The Data Controller shall endeavour to provide the data subject with information on the details of the processing prior to the processing.
18.1.3. At the request of the data subject, the Data Controller shall provide information about the data processed by the Data Controller or by a processor on its behalf, and about the source, purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, and, in the case of transfer of the data subject's personal data, the legal basis and the recipient of the transfer. The Data Controller shall provide the information in writing in an intelligible form and at the request of the data subject within the shortest possible time from the date of the request, but not later than 25 days. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information in the current year for the same set of data. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a correction.
18.1.4. The Data Controller may refuse to provide information to the data subject only if permitted by law. The Data Controller shall inform the data subject of the reasons for the refusal to disclose. The Data Controller shall inform the data subject of the legal remedies available to him/her.
18.2. Right to rectification
The data subject may request that the Data Controller rectify personal data that have been incorrectly recorded. In the event that the data to be corrected are regularly provided, the Data Controller shall, where necessary, inform the recipient of the data of the rectification and shall draw the attention of the data subject to the fact that he or she must also initiate the rectification with another controller.
18.3. Right to cancellation and objection
18.3.1. The data subject may request the cancellation of his or her personal data, except for processing required by law. The Data Controller shall inform the data subject of the cancellation.
18.3.2. If the processing based on consent is a condition for the establishment or maintenance of an employment relationship, the Data Controller shall inform the data subject about this and the expected consequences.
18.3.3. The Data Controller may refuse to erase personal data if the processing is based on law and the processing is necessary for the purposes of the legitimate interests pursued by the Controller. In the event of refusal to comply with a request for erasure, the Controller shall inform the data subject of the reasons for the refusal.
18.3.4. The data subject may object to the processing of his or her personal data in accordance with Act CXII of 2011 on Freedom of Information and Informational Self-Determination.
18.4. Exercising Data Subjects’ rights
18.4.1. The data subject may submit a request for information, rectification, or cancellation primarily to the Customer Service or to the Data Protection Officer.
18.4.2. If the Data Controller does not comply with the data subject's request for rectification, blocking or cancellation, it shall, within 25 days of receipt of the request, communicate in writing the factual and legal grounds for refusing the request for rectification, blocking or cancellation.
18.4.3. In the event of refusal of a request for rectification, cancellation or blocking, the Data Controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority. In the event of information, rectification, cancellation or objection, the Data Controller shall act in accordance with the applicable legislation.
18.4.4. In the event of a breach of rights, the data subject may request an investigation by the controller's superior, as well as contact the internal data protection officer appointed by the Data controller.
18.4.5. In the event of a violation of his/her rights, the data subject may turn to court and enforce his/her rights under Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information and the Civil Code.
18.4.6. In the event of a breach of the right to the protection of personal data, the data subject may turn to the National Authority for Data Protection and Freedom of Information and request an investigation by the Authority.
18.4.7. The Data Controller shall compensate for the damage caused by unlawful processing of the data subject's data or by breach of data security requirements. The Controller shall also be liable to the data subject for damage caused by the processor.
18.4.8. The Data Controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the processing.
18.4.9. No compensation shall be payable if the damage was caused intentionally or by gross negligence on the part of the injured party.
18.4.10. The general civil liability of the Data Controller shall be governed by the rules of the Civil Code. At the request of the data subject, the Data Controller shall provide detailed information on the possibilities of legal enforcement.
18.4.11. In the event of any disputes, the provisions included in the Hungarian version of the General Terms and Conditions shall be applicable.
19. DATA PROTECTION RULES IN HUNGARY
For matters not or not fully covered by this Regulation, the
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;
- Act C of 2003 on Electronic Communications;
- Act CLV of 2009 on the Protection of Classified Data
shall be applicable.
20. OTHER RELATED LEGAL STATUTES
- Act V of 2013 on the Civil Code;
- Act C of 2012 on the Criminal Code;
- Act I of 2012 on the Labour Code;
- Act XIX of 1998 on Criminal Procedure;
- the provisions of other relevant legislation shall prevail.
21. EXPLANATORY NOTES
For the purposes of Section 3 of the Information Act:
data subject: shall mean any natural person directly or indirectly identifiable by reference to specific personal data;
personal data: shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity as well as conclusions drawn from the data in regard to the data subject;
special data: shall mean:
- a) personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
- b) personal data concerning health, pathological addictions, or criminal record;
criminal personal data: shall mean personal data relating to the data subject or that pertain to any prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in connection with a crime or criminal proceedings;
data of public interest: shall mean information or data other than personal data, registered in any mode or form, controlled by the body or individual performing state or local government responsibilities, as well as other public tasks defined by legislation, concerning their activities or generated in the course of performing their public tasks, irrespective of the method or format in which it is recorded, its single or collective nature; in particular data concerning the scope of authority, competence, organisational structure, professional activities and the evaluation of such activities covering various aspects thereof, the type of data held and the regulations governing operations, as well as data concerning financial management and concluded contracts;
data public on grounds of public interest: shall mean any data, other than public information, that are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
the data subject’s consent: shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;
the data subject’s objection: shall mean a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
Data controller: shall mean a natural or legal person, or organisation without legal personality, which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or has them executed by a data processor;
data processing: shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);
data transfer: shall mean ensuring access to the data for a third party;
disclosure: shall mean ensuring open access to the data;
data deletion: shall mean making data unrecognisable in a way that it can never again be restored;
tagging data: shall mean marking data with a special ID tag to differentiate it;
blocking of data: shall mean marking data with a special ID tag to indefinitely or definitely restrict its further processing;
data destruction: shall mean complete physical destruction of the data carrier recording the data;
data process: shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;
data processor: shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;
data source: shall mean the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated;
data disseminator: shall mean the body responsible for undertaking the public responsibility which uploads the data sent by the data source if the data source has not itself published the data;
data set: shall mean all data processed in a single file;
third party: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;
22. DATE OF ENTRY INTO FORCE
This General Data Protection Regulation shall enter into force on 2 May 2023, and its provisions shall apply thereafter.