PRIVACY POLICY

Controller:

Purpose and Scope of this Statement

Pannon Gazdasági Hálózat Egyesület processes and stores personal data obtained in the course of its activities for the purpose specified by law.

The purpose of the Statement is to define, in compliance with the legal requirements, the order under which records are kept by the controller, as well as to ensure the enforcement of the constitutional principles of data protection, the right to informational self-determination and the data security requirements. A further purpose of this Statement is to set out the data protection and processing principles applied by the controller, the Data Protection and Processing Policy of the controller, which it acknowledges to be binding on itself.

The purpose of this Statement is to ensure that operations at Pannon Gazdasági Hálózat Egyesület comply with applicable regulatory requirements, and to ensure the enforcement of the fundamental rights related to the protection of personal data specified in the processing regulations and the observance and implementation of data security requirements, through the application of and compliance with the provisions of this Statement.

Definitions:

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing of special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Processing means, regardless of the procedure applied, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data transfer means making the data available to a specific third party.

Disclosure means making the data available to anyone.

Data erasure means making data unrecognisable in such a way that data restoration is no longer possible.

Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Controller means the person who – alone or jointly with others – determines the purposes and means of the processing.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Data subject means any natural person identified or identifiable, directly or indirectly, on the basis of personal data.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

E-mail means electronic mail. Its name refers to the method of writing or transmitting, which takes place entirely by electronic means using computer networks.

Internet (Internetworking System) is a global system of interconnected computer networks (a so-called meta-network) that connects the entire Earth, connecting government, military, commercial, business, educational, research, and other institutions, as well as individual users.

Website means an electronic interface suitable for display and communication of information, which is typically located on servers connected to the Internet (Webserver). These sites, pages, have a unique address (link) that is used to navigate to the given site by typing it into a browser application. The technology of the websites allows hyperlinks between individual content elements and links (hypertext).

Cookies means a component of a programme designed to create convenience features for websites. There are two basic types. One is stored on your own machine, the other is stored on the server side; this is the so-called session cookie. From a processing point of view, the processing of session cookies must be regulated. The websites must inform visitors about the use of cookies and request their consent.

Electronic newsletter means information sent to the e-mail address of persons subscribed to the address list, typically created automatically and sent by an application designed for this purpose, for transactional, advertising or other campaign purposes.

Principles of Processing

Pannon Gazdasági Hálózat Egyesület is committed to the protection of the personal data of data subjects, and places utmost importance on respecting the right of the data subjects to self-determination. It processes the recorded personal data confidentially in accordance with data protection legislation. In addition, it will take all technical and organisational measures to ensure the secure storage of data.

Personal data may only be processed for a specific purpose, in order to exercise a right and fulfil an obligation. At all stages, data processing must be in accordance with the purpose of data processing, and the collection and processing of data must be fair and lawful.

Only personal data that is essential for the realisation of the purpose of data processing and suitable for the achievement of the purpose may be processed. Personal data may only be processed to the extent and for the time necessary to achieve the purpose.

Personal data retains this quality during data processing as long as its connection with the data subject can be restored. The connection with the data subject can be restored if the controller has the technical conditions necessary for the restoration.

Possible Legal Bases and Purposes of Processing

Processing shall be lawful only if at least one of the following applies:

If the duration of the mandatory processing or the periodic review of the necessity thereof is not specified by law, a municipal decree or a mandatory legal act of the European Union, the controller shall review at least every three years from the start of the processing whether the processing of personal data by it or the processor acting on its behalf or on the basis of the controller’s mandate is necessary to achieve the purpose of processing. The circumstances and results of such review shall be documented by the controller, and this documentation shall be retained for ten years after the review and made available to the Nemzeti Adatvédelmi és Információszabadság Hatóság [National Authority for Data Protection and Freedom of Information] upon request.

Controller

Pannon Gazdasági Hálózat Egyesület

Processors:

Google Alphabet Inc.; Apple Inc.

The purpose of processing by the applications

The purpose of processing by the applications is to develop augmented reality-based applications that provide a user experience.

Legal basis for the processing by the application:

We hereby inform you that your personal data is processed with your consent (Article 6 (1) (a) of the GDPR).

Duration of processing

Until the user is deleted from the application.

Personal Data Breach

The controller declares that appropriate security measures have been taken to protect the personal data in particular from unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and from becoming inaccessible due to changes in the technology used.

The controller ensures that the data processed is exclusively accessible to those with appropriate authorisation. To this end, the controller also ensures the security of processing through IT and work organisation measures as well as measures taken within the organisation.

Nonetheless, the controller must also inform data subjects about the fact that, despite the best possible security measures, software and systems using state of the art protection techniques, any form of data transfer over the Internet is inherently vulnerable to illegal and unfair attacks. The computers used by the data controller’s employees and contributors are secured by a unique password, and to further prevent unauthorised access, they are equipped with a firewall and anti-virus software as a safeguard against viruses, malware and intrusions.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (Nemzeti Adatvédelmi és Információszabadság Hatóság [National Data Protection and Freedom of Information Authority] address: 1055 Budapest, Falk Miksa u. 9-11.; phone: +36 1 391 1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification shall include at least the following:

Any personal data breaches shall be documented, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

If the personal data breach occurs at the processor, the processor shall notify the controller without undue delay after becoming aware of a personal data breach.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall not be required if any of the following conditions are met:

Rights Related to Processing:

Pursuant to Article 15 of the GDPR, the data subject may request access to personal data concerning him or her as follows:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Pursuant to Article 16 of the GDPR, the data subject has the right to request from the Controller the rectification of personal data concerning him or her.
Upon such request from the data subject, the controller shall, without undue delay, rectify the inaccurate personal data concerning the data subject. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Pursuant to Article 17 of the GDPR, the data subject has the right to request from the Controller the erasure of personal data concerning him or her as follows:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  3. the data subject objects to the processing of their personal data carried out in the public interest, in the exercise of official authority or in the legitimate interest of the controller (third party), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for the purposes of direct business acquisition;
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services.

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The data subject’s right of erasure may only be limited in the case of the following exceptions included in the GDPR, i.e. in the case of the above reasons, the further retention of personal data can be considered lawful:

  1. for exercising the right of freedom of expression and information, or
  2. for compliance with a legal obligation, or
  3. for the performance of a task in the public interest, or
  4. in the exercise of official authority vested in the controller, or
  5. for the public interest in the field of public health, or
  6. for archiving purposes in the public interest, or
  7. for scientific or historical research purposes or statistical purposes, or
  8. for the establishment, exercise or defence of legal claims.

Pursuant to Article 18 of the GDPR, the data subject has the right to request from the Controller the restriction of the processing of personal data concerning him or her as follows:
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to the processing of their personal data carried out in the public interest, in the exercise of official authority or in the legitimate interest of the controller (third party), pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted as per the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Pursuant to Article 21 of the GDPR, the data subject has the right to object to the Controller processing personal data concerning him or her as follows:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of their personal data carried out in the public interest, in the exercise of official authority or in the legitimate interest of the controller (third party), including profiling based thereon. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right to object shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Pursuant to Article 20 of the GDPR, the data subject shall have the right to the portability of personal data concerning him or her as follows:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the legal basis for processing is the consent of the data subject or the performance of the contract concluded with the data subject; and
  2. the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right to data portability shall be without prejudice to the right to the erasure of personal data. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right to data portability shall not adversely affect the rights and freedoms of others.

Pursuant to Article 7 (3) of the GDPR, the data subject has the right to withdraw his or her consent to the processing of his or her personal data at any time as follows:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw as to give consent.

Within five years after the death of the data subject, a person authorised by the data subject through a statement about an administrative order that is included in a public document or a private document of full probative value and made before the controller is eligible to exercise the rights belonging to the deceased in his/her lifetime.

If the data subject did not make such a statement, pursuant to the Civil Code, a close relative is entitled to exercise certain rights that belonged to the deceased in his/her lifetime, even in the absence of such a statement.

Remedies

If, according to the data subject, the controller has violated any legal provision on processing or has not complied with one or more of his/her requests, the data subject may initiate proceedings before the Nemzeti Adatvédelmi és Információszabadság Hatóság [National Authority for Data Protection and Freedom of Information] (address: 1055 Budapest, Falk Miksa u. 9-11., postal address: 1363 Budapest, Pf.: 9., telephone: +36 (1) 391 1400, fax: +36 (1) 391 1410, email: ugyfelszolgalat@naih.hu, website: www.naih.hu).

In the case of violation of the rights of the data subject or if the controller has failed to comply with one or more of the data subject’s requests, the data subject may also take legal action against the controller. The court shall grant expedited trials. The trial falls within the jurisdiction of the tribunal.

Please note that you are not obliged to provide personal data; the provision of data is not a precondition for concluding a contract. Notwithstanding, we hereby draw your attention to the fact that the possible consequence of failure to provide data may be that performance of the contract may be difficult.

In order to reach a settlement and resolve the problem as quickly as possible, please contact us first, before submitting your complaint to the supervisory authority or court.

With regard to the processing of personal data, the main applicable acts of legislation for natural persons are the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the processing of personal data (“GDPR”) and the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”).

Szombathely, 30 June 2021