PRIVACY NOTIFICATION

Excerpt – House of Wisdom

INTRODUCTION

The purpose of this information note is to enable the Foundation, as data controller, to inform data subjects appropriately about the essential circumstances of data management and about their rights, and to comply with the requirements on the provision of information referred to in Articles 13 and 14 of the Regulation (GDPR) [1].

The current information note shall be continuously accessible on the website of the Foundation (www.pallasalapitvanyok.hu and www.bolcsvar.hu), and if required, it shall also be sent directly to the data subjects by the Foundation.

 

SECTION I

NAME OF THE “DATA CONTROLLER”

Publisher of this information document and Data Controller:

Name: Pallas Athéné Domus Sapientiae Foundation

Registered office: 1014 Budapest, Úri u. 21.

Corporate number: 01-01-0012645

Representative regarding data control activities:

E-mail: titkarsag@pads.hu

Website: www.pallasalapitvanyok.hu and www.bolcsvar.hu

(hereinafter referred to as: Foundation)

 

SECTION II
DATA MANAGEMENT ON THE WEBSITE OF THE FOUNDATION

Information about the use of cookies
The Foundation uses cookies on its website accessible at www.bolcsvar.hu in order to improve user experience. Cookies are small files containing a certain set of characters; they are placed on the computer of a user when (s)he visits a website. When the same website is visited again, the cookie enables the website to recognize the browser of the visitor and the fact of the repeated visit. Cookies might store user settings (such as selected language) and other types of information as well, collect information about the visitor and his/her device, and memorize the individual settings of the visitor, which can be used later on, for example when using online shopping carts. Cookies in general ease the use of the given website, help it provide a real web-based experience for users and serve as an efficient source of information; furthermore, they also enable the operator to control the website’s operation, prevent misuse and provide a smooth and high-level service on the website.

While using the www.bolcsvar.hu website the following data are recorded and managed about the visitor and the device used for browsing purposes:

  • IP address used by the visitor,
  • browser type,
  • features (the language set) of the operating system of the device used for browsing,
  • date and time of the visit,
  • the visited (sub)site, function, or service.

The acceptance of the use of cookies is not obligatory, but we kindly draw your attention to the fact that certain web functions or services might not work properly without cookies.

The cookies used on the website are unable to identify the user by themselves, i.e. the relationship between the data created and managed for the above-mentioned technical purposes and the data subject cannot be identified.

 

Cookies used at the www.bolcsvar.hu website
Technically absolutely indispensable session cookies

These cookies are necessary for the visitors to browse the website, to use its functions smoothly and without limitation and to have access to the services available through the website itself, thus – among others – especially to memorize certain operations completed on the given website in the course of a visit. The duration of data control in the case of these cookies is limited exclusively to the given visit of the visitor; thus, by the end of a session, cookies of this type are automatically deleted from the computer.

Range of data processed: AVChatUserId, JSESSIONID, portal referrer.

The legal basis of this data control is Article 13/A. (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.

Purpose of data processing: ensuring the appropriate operation of the website.

 

Logging related data control of external service providers
The HTML code of the www.bolcsvar.hu website operated by the Foundation includes links that arrive from, and point to, external servers independent of the Foundation. The server of the external service provider is in direct contact with the computer of the user involved. The service providers of these links are able to collect user data (such as IP address, browser, operating system data, name of the website visited, and date of the visit) due to the direct connection to their server and the direct contact with the user’s browser.
The potentially personalized contents are served by the external provider’s server for the data subject.
The attendance and other web analytics related measurements and auditing in relation to the www.bolcsvar.hu website are facilitated by the server of Google Analytics as an external service provider.
Further details about the data control related to www.google.com/analytics are available at http://www.google.com/intl/hu/policies/.

 

SECTION III

PHOTO AND VIDEO RECORDING IN THE HOUSE OF WISDOM

 

Personal and asset protection devices
The Foundation operates a CCTV system in the complete internal area of the House of Wisdom (1014 Budapest, Úri u. 21.) as well as at its terrace. The very objective of the operation of the CCTV system is the protection of human life, bodily integrity, personal freedom and asset protection. The CCTV system also makes image and sound recording possible, and based on that the behaviour of all parties present in the establishment is also recorded as personal data. No recording is made in premises where observation and monitoring would harm human dignity, thus especially in restrooms.

The legal basis of this type of data control is the validation of the rightful interests of the Foundation that shall be acknowledged and approved by data subjects based on the awareness-raising information note when entering the area of the establishment.

About the fact that a CCTV system is operating in the area of the establishment there is an easy-to-read awareness-raising information note next to all three entrances providing information and also indicating the availability of this privacy notification.

The recordings shall be available in the establishment throughout the entire duration of their storage, and in the absence of utilization they shall not be forwarded. In the absence of utilization the recordings are deleted by the Foundation 3 (three) working days after recording.

Utilization of the recording means that the recorded image and voice and other personal data are planned to be used as evidence in court or other public proceedings, and the person whose right or legal interest is affected by the content of the recording in connection with this utilization notifies the Foundation about this in writing at the titkarsag@pads.hu e-mail address within three working days of the recording, or that the Foundation wants to use it in the procedure referred to above.

In the absence of utilization, the operating personnel, the director of the Foundation and other person(s) assigned by him/her on an occasional basis shall be entitled to view the recordings with the purpose of exploring potential infringements and monitoring the overall operation of the system.

 

Documenting the programs and events of the institution
The Foundation is entitled to document the actions and happenings of the exhibitions, programs and events organized in the building, by taking photos and making video recordings in the complete internal area of the House of Wisdom (1014 Budapest, Úri u. 21.) as well as at its terrace. The recording of these images and video recordings (hereinafter referred to collectively as: recordings) is performed by a non-installed technical system, with the contribution of a person present at that specific occasion and responsible for making the recordings.

The objective of these recordings is that the Foundation could report about the “life” of the House and, by featuring these recordings, popularize the institution, its events, programs, and create an archive of the photo images documenting the “life” of the House.

About the fact that recordings might be made in the House, there is an easy-to-read awareness-raising information note next to all three entrances leading to the area of the House, providing information and also indicating the availability of this privacy notification.

The legal basis of this type of data control is the validation of the rightful interests of the Foundation that shall be acknowledged and approved by data subjects based on the awareness-raising information note when entering the area of the establishment.

The Foundation provides the opportunity for the data subject to indicate his/her wish to the personnel making the recording, according to which (s)he does not want recording to be made about his/her person, and this wish shall be granted by the person making the recordings.

The data subject can initiate at the titkarsag@pads.hu e-mail address that the recordings in which (s)he is recognizable and thus which qualify as personal data are deleted, or made inaccessible on the website they have been uploaded to.

The Foundation shall get in contact with the data subject having used such indication, on working days within 24 hours, otherwise on the following working day, and within 8 hours upon the identification of the recordings shall erase them or make them inaccessible on its website, in accordance with the request of data subject.

If data subject formulates his/her above request for erasure or the prohibition of accession in a way that together with the request the recordings (personal data) are also identified, then the Foundation shall fulfil the request within 24 hours upon its reception on working days, otherwise on the following working day.

In the absence of such a request, the personal data shall be stored for as long as the related legal interest of the Foundation persists.

The recipient of the recordings, thus also of personal data is KNK PR&Média Kommunikációs Ügynökség Kft., operator of the Foundation’s website.

 

SECTION IV

INFORMATION SUMMARY ON THE RIGHTS OF THE DATA SUBJECT

 

Right of the data subject to receive sufficient information
The general data management information document of the Foundation as per Annex No. 2 shall be continuously accessible on its website (www.pallasalapitvanyok.hu) and if requested so by the data subject, it shall also be sent directly to him/her. The very purpose of this information document is to inform the data subject publicly in an easy-to-access, unambiguous and detailed manner about the facts concerning the management of his/her data prior to the start of the data control and during that; this information specifically covers the objective and legal basis of data control, the person(s) entitled to data control and processing, the duration of the data control, the legal basis based upon which the personal data of the data subject are controlled by the Foundation, and finally, to whom these data might be disclosed. The information document shall cover the rights and potential legal remedies of the data subject regarding data control.

 

Right to receive preliminary information
Data subject is entitled to be informed about the facts and information related to data control prior to the start thereof.

The Foundation must provide a data subject from whom data relating to himself are collected with all of the following information at the time when the information is acquired:

  a) the identity and contact details of the Foundation as data controller and of his representative;
  c) purpose and legal basis for processing personal data;
  d) regarding data control based on legal interest the legal interests of the Data Controller or the third party;
  e) the recipients or categories of recipients of the personal data, if any;
  f) the duration of storage of your personal data, or if it is not possible, the criterion for the definition of such period;
  g) a list of the rights of the data subject, and a statement about the fact that (s)he can request an access to the personal data related to him/her from the data controller; the rectification, erasure or blocking of such data, and that (s)he can object to the processing of data relating to him/her, and that (s)he has the right to data porting; in the case of data control based on the approval of data subject, the right to withdraw the approval at any time, which, however, does not influence the legality of the data control performed based on the approval, before the withdrawal; the right to submit complaint to the regulatory body;
  h) whether the provision of personal data is based on a piece of legislation or some contractual obligation, or whether it is a precondition of contracting, and furthermore, whether data subject is obliged to provide personal data, and what consequences there might be for the lack of data supply;
  i) the Foundation does not apply automated decision-making procedure in the course of the data management.

If the Foundation wishes to implement further data control beyond the original purpose of the collection of the personal data, then prior to such additional data control it shall inform the data subjects about the additional objective and all relevant additional information as referred to above.

 

Right of access for the data subject
Data subject shall have the right to be informed by the Foundation if any of his/her personal data are being processed, and if so, (s)he shall have the right to access such personal data and information related to the data management.

 

Right to rectification
Data subject is entitled to have the Data Controller rectify his/her incorrect personal data without delay. Taking into account the purpose of the data processing, data subject is also entitled to request that his/her incomplete personal data are completed.

 

Right of erasure (right to be forgotten)
Data subject shall have the right to obtain from the Foundation the erasure of personal data concerning him/her without undue delay if

  a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  b) data subject has withdrawn his/her consent on which the data processing is based, and there is no other legal ground for the processing;
  c) the data subject objects to the processing of his/her data, and there is no priority legitimate reason for the data processing;
  d) the personal data have been unlawfully processed;
  e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Foundation is subject;
  f) the personal data have been collected in relation to the offer of information society services.

 

Right to restriction of processing
Data subject is entitled to have the Data Controller rectify his/her incorrect personal data if

  a) data subject contests the accuracy of the personal data; such restriction shall be valid for a period enabling the Foundation to verify the accuracy of the personal data;
  b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  c) the Foundation no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  d) data subject has objected to processing; in this case such restriction shall be valid for the period until it is determined whether the legitimate grounds of the Foundation override those of the data subject.

The Data Controller shall inform each recipient of any rectification, erasure or restriction, whom or which the personal data have been disclosed to, unless this proves impossible or involves a disproportionate effort. The Foundation shall inform data subject about these recipients if requested by data subject.

 

The right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her for public interest or for implementing tasks within the frameworks of exercising public authority, or if processing is necessary against data control based on the purposes of the legitimate interests pursued by the Data Controller or by a third party. In such case the Foundation is no longer entitled to control personal data unless it demonstrates that there are compelling legitimate grounds for the data processing which override the interests, rights and freedoms of the data subject or the establishment, exercise or defence of legal claims.

Where personal data are processed for scientific or historical research purposes or statistical purposes, on grounds relating to the data subject’s particular situation, (s)he shall have the right to object to the processing of his/her personal data unless the data control is implemented for the sake of completing duties of public interest.

 

Restrictions
EU or national laws applicable to the Foundation or to a data controller in a contractual relationship with the Foundation can restrict, by legislative measures, the effect of certain rights and obligations stipulated in the GDPR, for the purpose indicated therein.

 

Information to the data subject about the data protection incident
If the data protection incident most probably involves a high level of risk to the rights and freedoms of natural persons, then the Foundation shall inform data subject about the data protection incident without delay.

In this information it is necessary to describe in an explicit and easy-to-understand manner the nature of the incident, its possible consequences and the measures (planned) to be taken in order to tackle the data protection incident, including measures aiming at mitigating the potential detrimental consequences deriving from the data protection incident.

 

Providing information to data subject may be omitted if:

  a) the Foundation has taken appropriate technical and organizational protective measures, and these measures have been applied regarding the data affected by the data protection incident, especially the measures – such as applying encryption – which make data incomprehensible for persons not authorized to access the personal data;
  b) following the data protection incident, the Foundation took such additional measures, which ensure that the high risk to the rights and freedoms of data subject will most probably not materialize hereafter;
  c) providing the information would necessitate disproportionate efforts; in such cases data subjects shall be informed by using publicly disclosed information, or such measures shall be taken, which ensure the similarly efficient information of data subjects.

 

The right to submit complaint to the regulatory body (right to regulatory remedy)
Data subject shall be entitled to submit complaint to a regulatory body if, in his/her view, the control of personal data related to him/her infringes the rules stipulated by the GDPR.

Data subject shall be entitled to get efficient judiciary remedy against the legally binding decision of the regulatory body related to him/her or if the regulatory body fails to deal with his/her complaint, or if it fails to inform data subject about the procedural development of the complaint submitted or the results thereof within three months.

Data of the supervisory authority:

National Authority for Data Protection and Freedom of Information

http://naih.hu

Postal address: 1530 Budapest, Pf.: 5.

E-mail: ugyfelszolgalat@naih.hu

Phone: +36 (1) 391-1400

 

Right to efficient judicial remedy against data controller or data processor
Every data subject shall have the right to an effective judicial remedy where (s)he considers that his/her rights have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR.

 

A) Information in cases of collection of data from the data subject
The Foundation must provide a data subject from whom data relating to himself are collected with the following information at the time when the information is acquired:

  a) the identity and contact details of the controller and of his representative, as per CHAPTER I;
  b) the nomination of the Foundation’s data control officer does not take place in accordance with Article 37 (1) of the GDPR;
  c) the purposes of the processing for which the data are intended, and the legal basis of data control as per this information document, including the indication of the legal interest if data control is based thereupon;
  e) the recipients or categories of recipients of the personal data, if any;
  f) the very fact that the Data Controller does not want to forward the personal data to any third country or for an international organization;
  g) the duration of storage of personal data, or the criteria for the definition of such period;
  h) data subject shall be entitled to request an access to the personal data related to him/her from the data controller, as well as the rectification, erasure or blocking of such data, and that (s)he can object to the processing of data relating to him/her, but data subject shall not have the right to data porting because the Foundation does not perform automated data control;
  i) in the case of data control based on the approval of data subject the approval may be withdrawn at any time, which, however, does not influence the legality of the data control performed based on the approval, before the withdrawal;
  k) data subject shall be entitled to submit complaint to the regulatory body;
  l) whether the provision of personal data is based on a piece of legislation or some contractual obligation, or whether it is a precondition of contracting, and furthermore, whether data subject is obliged to provide personal data, and what consequences there might be for the lack of data supply;
  m) the Foundation does not perform automated data control;
  n) the Foundation does not wish to implement further data control beyond the original purpose of the collection;

 

B) Information where the data have not been obtained from the data subject
Where the data have not been obtained from the data subject, the controller must provide the data subject with the following information:

  a) the identity and contact details of the controller and of his representative, as per CHAPTER I of this information document;
  b) the nomination of the Foundation’s data control officer does not take place in accordance with Article 37 (1) of the GDPR;
  c) the purposes of the processing for which the data are intended, and the legal basis of data control as per this information document, including the indication of the legal interest if data control is based thereupon;
  b) the categories of the personal data concerned;
  e) the recipients or categories of recipients of the personal data, if any;
  f) the very fact that the Data Controller does not want to forward the personal data to any third country or for an international organization;
  g) the duration of storage of personal data, or the criteria for the definition of such period;
  h) data subject shall be entitled to request an access to the personal data related to him/her from the data controller, as well as the rectification, erasure or blocking of such data, and can object to the processing of personal data, but data subject shall not have the right to data porting because the Foundation does not perform automated data control;
  i) in the case of data control based on the approval of data subject the approval may be withdrawn at any time, which, however, does not influence the legality of the data control performed based on the approval, before the withdrawal;
  j) data subject shall be entitled to submit complaint to the regulatory body;
  k) the source of personal data and in certain cases if the data derive from publicly accessible sources;
  l) that the Foundation does not perform automated data control;

 

The Foundation provides the information as per below:

  a) in consideration of the specific circumstances of the control of personal data within a realistic timeframe upon the acquisition thereof, but within a month at the latest;
  b) if the personal data are used for the purpose of contacting data subject, then at least on the occasion of the first contact with data subject; or
  c) if the data are most probably disclosed to other recipients, then on the occasion of the first such disclosure at the latest.

 

If the Foundation wishes to implement further data control beyond the original purpose of the acquisition of the personal data, then prior to such additional data control it shall inform data subject about the additional objective and all relevant additional information as referred to above.

 

The disclosure of the information above may be omitted if and to the extent:

  a) data subject has already received that information;
  b) the provision of such information proves impossible or would involve a disproportionate effort, but in such cases data controller shall take the necessary measures in order to protect the rights, freedoms and legal interests of data subject;
  c) recording or disclosure is expressly laid down by the applicable EU or national law, which stipulates the appropriate measures serving the protection of data subject’s legal interests; or
  d) in accordance with the duty of professional secrecy stipulated by some EU or national law, including any legislation-based obligation to exercise discretion, personal data shall remain confidential.

 

CHAPTER V

SUBMISSION OF THE DATA SUBJECT’S APPLICATION

 MEASURES OF THE DATA CONTROLLER

 

Measures based on the application of data subject
The Foundation as data controller shall, without undue delay, but in any event within 8 days following the receipt of the request, inform data subject about the measures determined in respect of his/her request to exercise his/her rights.

If data subject submitted the request electronically, the requested information shall be made available to him/her in electronic format, unless (s)he expressly requested otherwise.

If the Foundation has reasonable doubts concerning the identity of the natural person, it may request the provision of additional information necessary to confirm the identity of the data subject.

 

Pallas Athéné Domus Sapientiae Foundation