Data Protection Policy
RING Series
EFFECTIVE: February 24, 2025
Introduction
The Hungarian Cycling Tourism Association operates the website (hereinafter: Website) of the Ring series of cycling performance tours (hereinafter: Program) and manages the registration interface of the tour series (www.sportnaptar.hu) for the purpose of implementing the Program, in connection with which it also processes information that qualifies as “personal data” according to Article 4, point 1, of the EU General Data Protection Regulation 2016/679 (hereinafter: GDPR). The purpose of this information is to provide information to data subjects and interested parties regarding the processing of personal data, to record the legal basis for data processing, and its other circumstances. The Hungarian Cycling Tourism Association acts as the organizer of the Program and, at the same time, as the data controller for the implementation of all data processing purposes (hereinafter: Data Controller).
In order to fully comply with the provisions of the GDPR and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), the Data Controller has created this Data Protection Notice (hereinafter: Notice) in order to ensure the right to prior information, which the Data Controller makes available to everyone on the www.ringsorozat.hu website and on the Ring series events registration interface (www.sportnaptar.hu), by navigating to the www.ringsorozat.hu website.
This Notice provides information on the processing of personal data and the rights of data subjects in relation to data processing. In our Notice, you will find information on the purposes for which, on what legal basis and for how long we process your personal data, and to whom we transfer them. We also inform you of the rights you have in relation to our data processing activities.
On the websites operated by the Hungarian Cycling Tourism Association, in order to provide a customized and efficient use of the websites and to ensure the best possible user experience, we may place a small data package, so-called cookie, on your computer. Cookies are identifiers that our website or the server of the partner collecting the cookie can send to the computer you are using to identify the computer used during your visit to our website and to store technical data regarding the use of the website. The Hungarian Cycling Tourism Association does not use cookies on its websites that store users’ personal data.
Please read our Notice carefully, and if you have any questions or requests regarding the Data Controller’s data processing, please contact us at the contact details below.
Data controller contact information:
Hungarian Cycling Tourism Association
Headquarters: 9700 Szombathely, Berzsenyi Dániel tér
Registration number: 18-02-020069101
Tax number: 18877410-1-18
E-mail: info@maketusz.hu
Representative: President Erzsébet Pénzes
E-mail: info@maketusz.hu
Data security
What do we do to protect your data?
The Data Controller is committed to the protection of personal data, therefore we do everything possible to ensure that your personal data is processed in accordance with the law. The Data Controller follows the following principles in its data processing:
- We only process personal data lawfully
- We only process personal data for a limited period of time, for a limited purpose
- We take care of your personal data and take the necessary technical and organizational measures to ensure data security
- We help you to enforce your rights regarding data processing In addition, we apply the following measures and approaches:
Through the contact details above and on the Website, we ensure that users (participants) can request information about the processing of their personal data, modify or delete their personal data, and exercise their other data protection rights.
We only transfer personal data to organizations that store or otherwise process data in a third country (outside the European Union) if an appropriate level of data protection is ensured (including, for example: a guiding decision of the European Commission, application of the so-called “Standard Contractual Clauses” contract model, compliance with the Privacy Shield agreement).
I. REGISTRATION FOR PERFORMANCE TOURS
The Data Controller organizes 12 one-day tours, for which you can register online on the website www.sportnaptár.hu. During registration, the personal data specified in this section will be provided. With regard to the data processing specified in this section, the Data Controller and the company operating the website www.sportnaptar.hu are considered joint data controllers.
The sportnaptár.hu website is operated by:
InfoScope Kft.
registered office: Budapest, Dália utca 13. tax number: 12796539-2-43
e-mail address: info@sportnaptar.hu
During registration on the www.sportnaptar.hu website, the sportnaptar.hu data processing information is also available.
However, given that the personal data provided during registration is also known to the Data Controller, the Data Controller carries out the data processing related to the registration as follows.
1. The scope of data subjects, i.e. who are the data subjects whose personal data we process?
The data controller processes the personal data of natural persons participating in the tours – including minor children – (hereinafter referred to as data subjects).
2. The scope of personal data affected by data processing, i.e. which personal data do we process?
The natural person registering for the tour
– last name and first name,
– email address,
– address,
– date of birth,
– gender,
– telephone number
– five-digit ID (who has it and provides it).
3. Scope of recipients – Who can access personal data at the Data Controller’s organization?
The Data Controller declares that it processes the personal data provided by you in compliance with the currently valid data protection regulations, as a data controller. Within the Data Controller’s organizational system, the data may be accessed by persons holding the following positions:
- Data Controller President;
- Ring Series Project Manager;
- Chief Operating Officer;
- Chief Financial Officer and Chief Financial Officer
4. Purpose of data processing – For what purpose do we process your data?
For the purpose of conducting performance tours.
In order to register for performance tours and to allocate starting numbers, it is necessary to provide personal data, and it may be necessary for us to contact you in this regard, including if the contact is made at your initiative.
5. Legal basis for data processing – On what legal basis do we process your data?
The Data Controller’s legal basis for data processing is provided by Section 3, Section 7, GDPR, Section 4, Section 11, GDPR, Section 6
(1) para. a), GDPR, Section 7 (voluntary consent of the data subject). The data subject – the person nominating the data subject on behalf of a minor child – provides his/her consent electronically (during the nomination, by checking the box). It is prohibited to check the box in advance!
6. Are you required to provide your data?
You are free to decide whether to use the services of the Data Controller, i.e. whether to apply for the performance tour. However, it should be emphasized that without providing/processing personal data, it is not possible to participate in the performance tours.
7. How long do we store your data?
Until the consent is withdrawn. If your data is necessary for the fulfillment of tax obligations applicable to the Data Controller: 5 years from the last day of the calendar year in which a tax return, data report, or notification should have been filed, or in the absence of a return, data report, or notification, the tax should have been paid (Art. 78. § (3), 202. § (1) paragraph).
If your data is necessary for the fulfillment of accounting obligations applicable to the Data Controller: 8 years (Szvtv. § 169). Such a case is if the data is part of the documents supporting the accounting, for example, in the documents related to the conclusion of a contract between the Data Controller and its contractual partner or on the invoice issued.
8. To whom do we transfer your personal data?
Among the personal data, the last name, first name and date of birth will be forwarded to the data processor specified in point VI. that organizes and conducts the given tour. The purpose of the data transfer is to distribute the starting package and starting number to the participants on site.
Among the personal data provided during the registration, the last name, first name, e-mail address and starting number will also be forwarded to the data processor (timekeeper) specified in point VI. The purpose of the data transfer is to ensure chip timing for the participants. The five-trial identifiers of those completing the tour will be forwarded to Nagy Sportágvászállót, BBU Nonprofit Kft. (1106 Budapest, Maglódi út 12/b, +36706471652, segitseg@otprobaparizsba.hu) for the purpose of crediting the five-trial points.
The last name and first name of those arriving at the finish line of the tour will be forwarded to VI. to the insurer specified in point 1 for the purpose of accident and liability insurance for tour participants.
II. DISCOUNTED REGISTRATION
You can register at a discount on the Ring series registration page (www.sportnaptar.hu):
· large families,
· students,
· pensioners,
· the disabled,
· the disadvantaged and
· teachers.
The exact list of those eligible for the discount and the method of proving eligibility will be published on the website www.ringsorozat.hu.
1. The scope of data subjects, i.e. who are the data subjects whose personal data we process?
The data controller processes the personal data of natural persons participating in the tours.
2. What is the scope of personal data subject to data processing, i.e. which personal data do we process?
The discount is applied for by filling out a Google form (hereinafter referred to as the form). When filling out the form, the applicant’s (natural person participating in the tour) name and email address must be provided and a document proving eligibility for the discount must be attached.
3. Scope of recipients – Who can access personal data at the Data Controller’s organization?
The Data Controller declares that it processes the personal data and information provided by you in compliance with the currently valid data protection regulations, as a data controller. Within the Data Controller’s organizational system, the data may be accessed by persons holding the following positions:
- Data Controller President;
- Project Manager of the Ring Series;
- Chief Operating Officer;
- Chief Financial Officer and Financial Assistant;
4. Purpose of data processing – For what purpose do we process your data?
For the purpose of sending a coupon code entitling the natural person requesting the discount to a discounted registration.
5. Legal basis for data processing – On what legal basis do we process your data?
The Data Controller’s legal basis for data processing is provided by Section 3, Section 7 of the Information Act, Section 4, Section 11 of the GDPR, Section 6, Section
(1) para. a), Section 7 of the GDPR (voluntary consent of the data subject). The data subject – on behalf of a minor child, the person nominating him/her – provides his/her consent electronically (by ticking a box when filling out the form). It is prohibited to tick the box in advance.
6. Are you required to provide your data?
You may refuse to consent, but in this case we cannot provide a coupon for a discounted entry.
7. How long do we store your data?
Until consent is withdrawn, but no later than December 31, 2025.
8. To whom do we transfer your personal data?
No data transfer takes place.
III. DATA PROCESSING RELATED TO IMAGE, AUDIO AND VIDEO RECORDINGS DURING PERFORMANCE TOURS
During the performance tours, images, audio, and video recordings of the participants may be made, which are considered personal data.
1. The scope of data subjects, i.e. who are the data subjects whose personal data we process?
The data controller processes the personal data of natural persons participating in the tours.
2. What is the scope of personal data subject to data processing, i.e. which personal data do we process?
The natural person participating in the tour
– image;
– voice;
– a moving image of the person concerned.
3. Scope of recipients – Who can access personal data at the Data Controller’s organization?
The Data Controller declares that it processes the personal data and information provided by you in compliance with the currently valid data protection regulations, as a data controller. Within the Data Controller’s organizational structure, the data may be accessed by persons holding the following positions:
1. President of the Data Controller;
2. Project Manager of the Ring series;
3. Operational Manager;
4. Financial Manager and Financial Assistant;
4. Purpose of data processing – For what purpose do we process your data?
For advertising purposes.
5. Legal basis for data processing – On what legal basis do we process your data?
The Data Controller’s legal basis for data processing is provided by Section 3, Section 7 of the Information Act, Section 4, Section 11 of the GDPR, Section 6, Section
(1) para. a), Section 7 of the GDPR (voluntary consent of the data subject). The data subject – the person nominating the data subject on behalf of a minor child – provides his/her consent electronically (during the nomination, by checking a box). It is prohibited to check the box in advance.
6. Are you required to provide your data?
You may refuse to consent.
7. How long do we store your data?
Until the consent is withdrawn.
If your data is necessary for the fulfillment of tax obligations applicable to the Data Controller: 5 years from the last day of the calendar year in which a tax return, data report, or notification should have been filed, or in the absence of a return, data report, or notification, the tax should have been paid (Art. 78. § (3), 202. § (1) paragraph).
If your data is necessary for the fulfillment of accounting obligations applicable to the Data Controller: 8 years (Szvtv. § 169). Such a case is if the data is part of the documents supporting the accounting, for example, in the documents related to the conclusion of a contract between the Data Controller and its contractual partner or on the invoice issued.
8. To whom do we transfer your personal data?
Given that the Ring series is partly supported by the central budget, during the settlement of the support, it may be forwarded to the sponsor (State Secretariat for Active Hungary of the Prime Minister’s Office) and the Active and Ecotourism Development Center Nonprofit Ltd., acting on behalf of the sponsor under a management agreement.
IV. DATA PROCESSING RELATED TO THE DELIVERY OF MARKETING CONTENT AND REFERENCES
- The scope of data subjects, i.e. who are the data subjects whose personal data we process?
The data controller processes the personal data of natural persons participating in the tours.
2. What is the scope of personal data subject to data processing, i.e. which personal data do we process?
The data subject’s
– name,
– email address
– telephone number,
– and – in connection with the delivery of marketing content – data related to possible interests,
– and in connection with data processing for reference purposes, a reference to the contact details of the data subject or the partner represented by him, previous business relations and opinions.
3. Scope of recipients (Who can access personal data at the Data Controller?):
The Data Controller declares that it processes the personal data and information provided by you in compliance with the currently valid data protection regulations, as a data controller. Within the Data Controller’s organizational structure, the data may be accessed by persons holding the following positions:
– President of the Data Controller;
– Project Manager of the Ring series;
– Operational Manager;
– Financial Manager and Financial Assistant;
4. Purpose of data processing – For what purpose do we process your data?
We may also process your data for the purpose of sending marketing content (newsletter) and providing references. The newsletter is sent exclusively for the purpose of informing you about the Data Controller’s projects, events and programs. The Data Controller processes the data of the data subjects for the purpose of sending marketing content related to the organization of the possible next year’s bicycle tour.
5. On what legal basis do we process your data?
The Data Controller’s legal basis for data processing is provided by Section 3, Section 7, GDPR, Section 4, Section 11, GDPR, Section 6
(1) para. a), GDPR, Section 7 (voluntary consent of the data subject). The data subject – the person nominating the data subject on behalf of a minor child – provides his/her consent electronically (during the nomination, by checking a box). It is prohibited to check the box in advance.
6. Are you required to provide your data?
Data subjects may object to the data processing contained in this section, in which case the Data Controller is not entitled to send marketing content to data subjects.
7. How long do we store your data?
Until consent is withdrawn (in the case of newsletters, until the newsletter is terminated).
8. To whom do we transfer your personal data?
No data transfer takes place.
V. DATA PROCESSING ON THE COMPANY’S FACEBOOK PAGE
The Data Controller maintains a Facebook page for the purpose of introducing and promoting its activities. A question asked on the Facebook page does not constitute an officially submitted complaint.
The Company does not process personal data published by visitors on the Data Controller’s Facebook page. Visitors are subject to Facebook’s Privacy and Service Terms.
In the event of the publication of illegal or offensive content, the Data Controller may exclude the Data Subject from membership or delete their comments without prior notice.
The Data Controller is not liable for any data content or comments published by Facebook users that violate the law. The Data Controller is not liable for any errors, malfunctions or problems arising from changes to the operation of the system.
In connection with the above Facebook page, Facebook Ireland Limited (address: 4 Grand Canal Square Dublin, Dublin 2, Ireland) also has access to the data, which acts as a joint data controller in relation to the Data Controller’s Facebook page and as an independent data controller in relation to its own data processing. More information on the data processing carried out by Facebook can be found below: https://www.facebook.com/privacy/explanation.
VI. DATA PROCESSORS
Data processors involved in the organization of the tours and their contact details:
Mátra Biker Sport Club
registered office: 3200 Gyöngyös, Dobó István utca 12.
tax number: 18024502-1-10
represented by: Dr. László Záray, president
data processing activity personal data processing related to the organization of an event
Zengő Sportegyesület
registered office: 7694 Hosszúhetény, Ormándi u. 8.
tax number: 18326828-1-02
represented by: Zsolt Keszericze, president
data processing activity: personal data processing related to the organization of an event
Kisvárda és Környéke Bringások Kerékpáros Sportegyesület
registered office: 4600 Kisvárda, Akácfa utca 13
tax number: 18870808-1-15
data processing activity: personal data processing related to the organization of an event
SDR-SurfCamping Sportegyesület
registered office: 2475 Kápolnásnyék, Szent László utca 27.
tax number: 19318738-1-07
representative: Bertold Beregnyei, president
data processing activity: personal data processing related to the organization of an event
Dunakanyari Védegylet Alapítvány
registered office: 2627 Zebegény, Jánoshegy u. 12.
tax number: 18942714-2-13
represented by: Gergő Bajor, chairman of the board of trustees
data processing activity: personal data processing related to the organization of an event
Újbuda Mountain Bike és Szabadidő Sportegyesület
Registered office: 1118 Budapest, Törökugrató utca 3. VII./27. Tax number: 18734218-1-43
Representative: Rita Bertóti
data processing activity: personal data processing related to the organization of an event
Attidas Kft.
Registered office: 7400 Kaposvár, Orci út 20. b.,
tax number: 11486000-3-14,
representative: Attila Péter
data processing activity: personal data processing related to the organization of an event
Őrségi Kerékpáros és Természetbarát Egyesület
9941 Őriszentpéter, Városszer 55.
tax number: 18845590-1-18
representative: Zoltán Légrádi
data processing activity: personal data processing related to the organization of an event
Keszthelyi Kilométerek Egyesület
8360 Keszthely Deák F. u. 45. I.em. 1.
tax number: 19282879-1-20,
represented by: Beáta Bedő,
data processing activity: personal data processing related to the organization of an event
Szendrő Városi Sport és Szabadidő Klub Egyesület
3752 Szendrő, Fő út 19.
tax number: 18433883-1-05
representative: Ernő Bári
data processing activity: personal data processing related to the organization of an event
HOTE Sportegyesület
3534 Miskolc, Gagarin utca 10. 2/1.
tax number: 18445671-1-05
representative: Kalotai Norbert
data processing activity: personal data processing related to the organization of an event
BAKONY RACING TEAM Kerékpársport Egyesület
9025 Győr, Kispásztor utca 3.
tax number: 18878624-1-08
representative: László Pál Várallyai
data processing activity: personal data processing related to the organization of an event
Data processor providing hosting services:
BlazeArts Kft. (1096 Budapest, Thaly Kálmán u. 39., Company registration number: 01-09-389087, tax number: 12539833-2-43, phone: (+36) 1 610 5508), which has access to personal data to the extent necessary for the provision of hosting services.
data processing activity: personal data processing related to hosting services
Data processor providing timekeeping services:
Dóra Pintér (registered office: 2884 Bakonyszombathely, Dózsa u. 22., tax number: 59783862-1-31, e-mail: peter@fairtiming.hu)
data processing activity: providing timekeeping for event participants, for this purpose processing personal data (first and last name, date of birth)
Insurance
In order to insure the participants of the tour against accidents and liability, the Data Controller concludes an insurance contract with Magyar Posta Biztosító Zrt. (hereinafter referred to as the insurer). To determine the insurance premium, the Data Controller sends the list of participants (starters) of the given tour to the insurer on each day of the tour. No other personal data will be transmitted other than the last name and first name of the participants of the tour.
VII. RIGHTS OF THE DATA SUBJECT AND LEGAL REMEDIES
The data protection rights and legal remedies of the data subjects are set out in detail in the relevant provisions of the GDPR (in particular Articles 15, 16, 17, 18, 19, 21, 77, 78, 79, 80 and 82 of the GDPR). The following summary contains the most important provisions, and the Data Controller provides information to the data subjects on their rights and legal remedies in relation to data processing accordingly.
1. Procedure to be applied in case of a request from the data subject
The Data Controller shall facilitate the exercise of the Data Subject’s rights. The Data Controller may not refuse to comply with a request for the exercise of the Data Subject’s rights, unless it proves that it is unable to identify the Data Subject.
The Data Controller shall assess the request submitted by the Data Subject as soon as possible, but no later than 25 (twenty-five) days after its submission, and shall notify the Data Subject of its decision (in writing or, if the Data Subject submitted the request electronically, electronically).
If the Data Controller fails to take action following the Data Subject’s request, it shall inform the Data Subject, without delay, but no later than 25 (twenty-five) days after receipt of the request, of the reasons for the failure to take action, and of the fact that the Data Subject may lodge a complaint with the supervisory authority and exercise his or her right to a judicial remedy.
The Data Controller provides the Data Subject with information pursuant to Articles 13 and 14 of the GDPR and information and measures pursuant to Articles 15–22 and 34 of the GDPR (feedback on the processing of personal data, access to the processed data, correction, completion, deletion of data, restriction of data processing, data portability, objection to data processing, information about a data protection incident) free of charge.
If the Data Subject
a) submits a repeated request for the enforcement of his/her rights specified in Section 14, points b)-e) in the current year, regarding the same data scope, and
b) based on this request, the Data Controller or the data processor acting on its behalf or on its instructions, the Data Controller lawfully fails to correct, delete or restrict the data processing of his/her personal data, the Data Controller may demand reimbursement from the Data Subject of the costs directly incurred in connection with the repeated and unfounded enforcement of the Data Subject’s rights as set out in points a) and b).
If it can be reasonably assumed that the person submitting a request for the exercise of the rights specified in Section 14, Section b)-e) of the Infotv. is not the same person as the Data Subject, the Data Controller shall fulfill the request after providing credible proof of the identity of the person submitting it.
The request can be submitted as follows:
– By post: 1124 Budapest, Apor Vilmos tér 20.
– By electronic means: info@maketusz.hu
The data subject has the right to receive feedback from the Data Controller as to whether his/her personal data is being processed or whether his/her personal data is being processed by the Data Controller or, where applicable, by Data Processor(s). In addition to what is specified in this paragraph, the Data Controller shall provide the Data Subject with the personal data of the Data Subject processed by it and by the data processor acting on its behalf or on its instructions, and shall inform
a) the source of the processed personal data;
b) the purpose and legal basis of the data processing;
c) the scope of the processed personal data;
d) in the event of the transfer of the processed personal data, the scope of the recipients of the data transfer – including recipients in third countries and international organizations;
e) the period of retention of the processed personal data, the criteria for determining this period;
f) a description of the rights to which the Data Subject is entitled on the basis thereof and the method of exercising them;
g) the fact of profiling in the event of its application; and
h) the circumstances of the occurrence of data protection incidents arising in connection with the processing of the Data Subject’s personal data, their effects and the measures taken to address them.
The Data Controller may restrict or refuse the exercise of the Data Subject’s right of access in proportion to the purpose sought to be achieved, if such measure is indispensable for the protection of one of the interests specified in this Policy. The Data Controller shall provide the Data Subject with a copy of the personal data subject to the processing. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the Data Subject requests otherwise.
3. Rectification
In order to enforce the right to rectification, the Data Controller shall, if the personal data processed by it or by a data processor acting on its behalf or on its instructions are inaccurate, incorrect or incomplete, immediately clarify or rectify them – in particular at the request of the Data Subject – or, if this is compatible with the purpose of the data processing, supplement them with additional personal data provided by the Data Subject or with a statement made by the Data Subject to the processed personal data (hereinafter collectively: rectification). The Data Controller shall be exempt from the obligation specified above if
a) accurate, correct or complete personal data are not available and the Data Subject does not provide them, or
b) the authenticity of the personal data provided by the Data Subject cannot be established beyond doubt
4. Restriction
In order to exercise the right to restrict data processing, the Data Controller shall restrict data processing,
a) if the Data Subject disputes the accuracy, correctness or completeness of the personal data processed by the Data Controller or data processor, and the accuracy, correctness or completeness of the processed personal data cannot be established beyond doubt, for the duration of the clarification of the doubt,
b) if the data processing is unlawful and the data should be deleted, but based on the written statement of the Data Subject or the information available to the Data Controller, it can be reasonably assumed that the deletion of the data would harm the legitimate interests of the Data Subject, for the duration of the legitimate interest justifying the omission of deletion,
c) if the data should be deleted as specified in Section 20 a), but it is necessary to preserve the data as evidence in the course of investigations or procedures specified in law, including in particular criminal proceedings, carried out by or with the participation of the Data Controller or another body performing public tasks, until the final or legally binding conclusion of such investigation or procedure,
d) if the data should be deleted as specified in Section 20 a), but it is necessary to preserve the data in order to fulfill the documentation obligation set out in Section (2),
until the date specified in Section 25/F (4).
During the period of restriction of data processing, the Data Controller or the data processor acting on its behalf or on its instructions may perform other data processing operations with the personal data of the Data Subject other than storage solely for the purpose of enforcing the legitimate interests of the Data Subject or as specified in law, an international treaty or a binding legal act of the European Union.
5. Right to erasure (“right to be forgotten”)
In order to exercise the right to erasure, the Data Controller shall immediately erase the Data Subject’s personal data if
a) the processing is unlawful
b) the Data Subject withdraws his/her consent to the processing or requests the erasure of his/her personal data (unless the processing of the data is based on Article 5(1)(a) or (c) or Article 5(2)(b))
c) the erasure of the data has been ordered by law, a legal act of the European Union, the Authority or a court, or
d) the period specified in Article 19(1)(b)-d) has elapsed.
Notification obligation related to the rectification or erasure of personal data or the restriction of data processing
If the Data Subject’s request to rectify, erase or restrict the processing of personal data processed by the Data Controller or the Data Processor is rejected by the Data Controller, the Data Subject shall be informed in writing and without delay of
a) the fact of the rejection, the legal and factual reasons for it, and
b) the rights to which the Data Subject is entitled on the basis thereof and the manner of enforcing them, in particular that the Data Subject may exercise his right to rectify, erase or restrict the processing of personal data processed by the Data Controller or the Data Processor with the assistance of the Authority.
If the Data Controller corrects, erases or restricts the processing of personal data processed by it or by the data processor, the Data Controller shall notify the data controllers and data processors to whom the data was transmitted prior to this action of the fact and its content, in order for them to implement the correction, erasure or restriction of the processing of the data with regard to their own data processing.
6. Withdraw consent
If the legal basis for data processing is your consent, you have the right to withdraw your consent at any time. Please note that the fact that you have withdrawn your consent does not make the data processing activities previously carried out by the Data Controller unlawful.
You can find guidance on the cases in which the Data Controller bases data processing on your consent in the section “On what legal basis do we process your data” of the Notice.
7. Protest
The Data Subject shall have the right to object at any time to processing of personal data concerning him or her carried out in the public interest or in the exercise of official authority or to processing necessary for the purposes of the legitimate interests pursued by the Controller or by a third party (processing based on point (e) or (f) of Article 6(1) of the GDPR), including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
8. Data portability
The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 1(1) of the GDPR (the data subject’s consent to the processing of personal data) or point (a) of Article 9(2) of the GDPR (the data subject’s explicit consent to the processing), or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
In exercising the right to data portability, the data subject shall have the right to request the direct transmission of personal data between controllers, where technically feasible.
Right to be exempt from automated decision-making
The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning him or her or similarly significantly affect him or her.
9. Complaint
The Data Subject’s right to complain and seek legal redress
- Right to lodge a complaint with a supervisory authority
In order to enforce his/her rights, the Data Subject
a) may initiate an investigation by the Authority to examine the legality of the Data Controller’s action, if the Data Controller restricts the enforcement of his/her rights specified in or rejects his/her request to enforce these rights, and
b) may request the Authority to conduct a data protection authority procedure if, in his/her opinion, the Data Controller or the data processor acting on his/her behalf or on his/her instructions violates the provisions on the processing of personal data set out in law or in a binding legal act of the European Union.
The Data Subject may exercise his/her right to file a complaint at the following contact details:
National Data Protection and Freedom of Information Authority
address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36 (1) 391-1400
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
· Right to an effective judicial remedy against the supervisory authority
Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her. Every Data Subject has the right to a judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the Data Subject within three months of the progress of the procedure or the outcome of the complaint submitted.
Proceedings against the supervisory authority shall be brought before the court for the place of the seat of the supervisory authority.
The right to a judicial remedy
The Data Subject may take legal action against the Data Controller or the Data Processor if, in his/her opinion, the Data Controller or the Data Processor processes his/her personal data in violation of the provisions set out in the law on the processing of personal data (Infotv.) or in a binding legal act of the European Union. The Data Controller or the Data Processor shall be obliged to prove that the data processing complies with the provisions set out in the law on the processing of personal data or in a binding legal act of the European Union.
The Data Subject may, at his/her choice, initiate the lawsuit before the court competent for his/her place of residence or stay.
A party to the lawsuit may also be a person who does not otherwise have legal capacity to sue. The Authority may intervene in the lawsuit in the interest of the Data Subject.
If the court upholds the claim, it establishes the fact of the violation and obliges the Data Controller or the Data Processor
a) to terminate the unlawful data processing operation,
b) to restore the lawfulness of the data processing, and
c) to demonstrate precisely defined conduct to ensure the enforcement of the Data Subject’s rights
and, if necessary, it also decides on the claim for compensation or damages.
· Compensation and damages
If the Data Controller or the data processor violates the provisions of the law or a binding legal act of the European Union regarding the processing of personal data and thereby causes damage to another person, they are obliged to compensate for it. If the Data Controller or the data processor violates the provisions of the law or a binding legal act of the European Union regarding the processing of personal data and thereby violates the personal rights of another person, the person whose personal rights have been violated may claim damages from the Data Controller or the data processor.
We recommend that the Data Subjects contact our Company with their complaints, comments and questions in confidence, using any of the contact details specified in this section, before initiating the procedures specified in Section VII.9 of this Notice.
MAKETUSZ
Data controller