Public Foundation for the Research of Central and East European History and Society
Data processing Guidelines
on data processing implemented in connection with the Photo Gallery
Effective from: 25 May 2018
1./ Aim and scope of the Guidelines
1.1./ The aim of these Guidelines is to provide you with information required by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, henceforward: GDPR) and by the Hungarian Act 2011/112 on the Right of Informational Self-Determination and on the Freedom of Information concerning the use of and your rights regarding the personal information you provided via the Photo Gallery (Fotótár) on the www.terrorhazafoto.hu website operated by the Public Foundation for the Research of Central and East European History and Society.
1.2./ The scope of these Guidelines only covers the processing of personal information you provided via the Photo Gallery on the www.terrorhazafoto.hu website.
1.3./ These Guidelines and their amendments implemented from time to time shall be considered effective from the moment that they are published on the website www.terrorhazafoto.hu.
1.4./ Before you provide any data or information to us, please read the current version of the Guidelines, which shall always be accessible from www.terrorhazafoto.hu. Please note that you should only provide data or information to the Public Foundation at any time if you have read the current version of these Guidelines, and explicitly agree with their contents.
Data subject: natural persons who are explicitly defined or identified, or can explicitly or implicitly identified by the use of personal data.
User: data subjects who provide their personal data for the purpose of submitting an order through the Photo Gallery at www.terrorhazafoto.hu, operated by the Public Foundation (henceforward: the Photo Gallery).
Personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject.
Data controller: natural or legal persons or organisations not having legal personality that (independently or jointly with others) may determine the purpose of the data processing, make and execute decisions regarding the data processing (including the devices used), or have their decisions executed by the data processor. In the context of these Guidelines, the Public Foundation is the data controller.
Data processing: all activities or the sum of activities carried out by the Public Foundation on the data provided by the users, including especially collecting, recording, organizing, storing, modifying, using, querying, transmitting, publishing, harmonising or interconnecting, locking, deleting and destroying the data, as well as preventing further use of the data.
Data breach: unlawful processing or handling of personal data, especially unauthorized access to the data, modifying, transmitting, publishing, deleting or destroying the data, as well as incidents where data is destroyed or corrupted by accident.
3./ The description of the data controllers
Name: Public Foundation for the Research of Central and East European History and Society
Registered seat: H-1122 Budapest, Határőr út 35, Hungary
Registration No.: 01-01-0007526 (Company Registry Court of Budapest Capital-Regional Court)
VAT nr: 18237010-2-43
Phone number: +361/212-7140
Mailing address: H-1062 Budapest, Andrássy út 60, Hungary
NAIH ID of the Public Foundation: NAIH-97531/2016.
Data Protection Officer: Közép- és Kelet-európai Történelem és Társadalom Kutatásáért Közalapítvány, 1062 Budapest, Andrássy út 60., phone number: +361/212-7140, e-mail: firstname.lastname@example.org
4./ Legal basis for data processing
4.1./ The legal basis of the processing carried out by the Public Foundation regarding the Photo Gallery is, on the one hand, your consent [GDPR Art.6 par.1 section a)], on the other hand the fact that processing is necessary for entering into a contract and for the fulfilment of the existing contract regarding the Photo Gallery [GDPR Art.6 par.1 section b)], furthermore, regarding invoicing, it is because the Public Foundation as controller is bound by law to process data [GDPR Art.6 par.1 section c)].
4.2./ By giving your express consent to have your personal data processed when placing an order after or without registering on the www.terrorhazafoto.hu website, the legal basis of processing shall be considered fulfilled; by placing an order on the www.terrorhazafoto.hu website, then beside your consent the legal basis regarding the conclusion and performance of contracts is also fulfilled.
5./ Processing related to registration and placing orders
5.1./ A brief description of the data processing activities: If you wish to use the services of the Photo Gallery you may register on the www.terrorhazafoto.hu website prior to placing an order. In order to register you need to fill in the form found under the Registration tab. The personal data you provide while registering or placing an order without registration is handled by the software used for the www.terrorhazafoto.hu page on its proprietary server. The software transfers the data to the employee in charge of performing the contracts concluded with regard to the Photo Gallery.
5.2./ Legal basis for data processing: By completing the Registration process and providing their data, you accept the existing provisions of the current version of the Data Processing Guidelines, and explicitly consent to the Public Foundation processing your data regarding the Photo Gallery. Thus GDPR Art.6 par.1 section a) forms the legal basis for data processing. By placing an order in the Photo Gallery - whether as a registered User or as a client without registration - processing gains an additional legal basis: processing is required for concluding contracts and performing existing ones regarding the Photo Gallery [GDPR Art.6 par.1 section b)].
5.3./ The purpose of data processing: In order to create a user account for the person registering to simplify the process of ordering on the www.terrorhazafoto.hu website, which is a legitimate purpose for data processing. The purpose of the data processing is the operation of the Photo Gallery, the provision of the services available from the Photo Gallery, operation of the related databases, fulfilment of orders placed by the users, collection of the payments related to the orders, and especially:
a) Processing the orders and financial transactions initiated by the user.
b) Sending order confirmations to the user.
c) Documenting eligibility for possible benefits to registered Users.
d) Responding to user requests, queries and complaints.
e) Administering the user accounts.
5.4./ Scope of the data processed with regard to the Photo Gallery:
a) last name and first name/company name,
b) e-mail address,
c) phone number,
d) postal address/registered office (country, municipality, postal code, street name, house number, floor, door number),
e) for individuals, date of birth (year, month, day)
f) for legal persons, VAT number.
5.5./ Duration of data processing: The data you provided while registering or placing an order without registration is stored until you withdraw your consent; in case of registration until you delete your personal account. The Public Foundation shall only process the personal data provided by the user as long as the user has an active account, until the user requests the deletion of their data, or withdraws their consent to the processing of their personal data. You may send your requests via e-mail to email@example.com.
5.6./ Relevant IT systems : the software of www.terrorhazafoto.hu and the server owned by the Public Foundation.
6./ Processing related to invoicing
6.1./ A brief description of the data processing activities: Once you place an order in the Photo Gallery the Public Foundation shall issue an invoice for the sum of the order.
6.2./ The legal basis for data processing: According to Section c) of Paragraph (1) of Article 6 of the GDPR, Controller is legally bound to processing data. Governing regulations: Act 2007/127 on Value Added Tax (hereinafter referred to as: VAT Act) par.159 (obligation to issue invoices), par.169 (the obligatory contents of invoices), Act 2000/100 (Accounting Act) par.166-169 (accounting documents, documents subject to strict accounting, obligation to keep documents).
6.3./ Purpose of processing: to confirm and certify financial transactions (orders and their performance), which is a legal data processing
6.4./ Scope of the processed data If the customer is a natural person, their name, address, date of order. If the customer is a legal or other type of entity, its name, registered seat, VAT no., date of order.
6.5./ Duration of data processing: 8 years
6.6./ Relevant IT systems: Novitax
7./ The rights and obligations of Users
7.1./ By providing their e-mail address and other personal data, the User assumes responsibility for ensuring that only the User shall provide data and submit orders from that e-mail address, and that the data provided shall always be correct. In light of this assumption of responsibility, the User who registered the specific e-mail address shall bear all liability related to the logins that were performed with that e-mail address. Please note that if you do not provide your own personal data, it is your responsibility as User to obtain the consent of the relevant data subject.
7.2./ The minimum age for consenting to the personal data processing at the Photo Gallery is 18 years. If you are not yet 18 years of age, please do not provide your data on this website, and do not use our services.
8./ Data processing related to webpage visitors
8.2./ Legal basis for data processing: Thus the GDPR Art.6 par.1 section a) forms the legal basis for data processing. By clicking the “Accept” button on the webpage you accept the processing. The consent of the data subject is not necessary if the sole purpose of using cookies is the transmission of a communication over an electronic communications network, or strictly necessary in order to provide a service related to an information society, expressly requested by the subscriber or user.
8.3./ The purpose of data processing: For registered users, to identify the user; for unregistered users, to prepare statistics, track visitors; in case of customers, to administer the “shopping cart”.
8.4./ Scope of the processed data: unique ID’s, dates, times.
8.5./ Duration of data processing: Session cookie: to identify users logging in, PHP session id: is deleted on closing the browser.
8.6./ Relevant IT systems : the software of www.terrorhazafoto.hu and the server owned by the Public Foundation.
8.7./ Controllers eligible to view the data: personal data may be processed by employees of the Public Foundation in line with the above principles.
8.8./ Informing data subjects about their rights regarding processing: data subjects may delete cookies from the appropriate menu of their browser.
9./ Controllers, processors, data transfer
9.1./ The Public Foundation does not employ a separate data processor.
9.2./ The personal data submitted by users during the course of using the Photo Gallery are processed by the accounting firm employed to carry out the accounting obligations of the Public Foundation, as well as those employees of the Public Foundation in charge of performing orders placed via the Photo Gallery and monitoring the related payments. The personal data provided upon registration is stored by the software of the www.terrorhazafoto.hu website on the server owned by the Public Foundation, and shall not be disclosed to any third parties.
9.3./ By completing the Registration process and placing an order, the user consents to the employees of the Public Foundation defined by Section 9.2. handling and processing their data.
9.4./ We shall not transfer your personal data to any third parties unless we are obliged by law or a binding court or authority decision to do so.
9.5./ We do not provide personal data to other natural or legal persons for the purpose of carrying out marketing activities related to their products or services.
10./ Data security measures
10.1./ The Public Foundation provides protection to the data by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique. In determining the measures to ensure security of processing, the Public Foundation shall proceed by taking into account the latest technological developments. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable difficulties for him.
10.2./ Personal data provided by the user is protected during their transfer and after their arrival to the databases of the data controller. However, there are no completely safe methods for transferring data online and storing data electronically. We implement industry-standard solutions for the protection of personal data; however, their absolute safety cannot be guaranteed.
10.3./ The IT system of the Public Foundation is hosted on a server stored in a secure, custom-designed server room by Invitech Megoldások Zrt.
10.4./ The operator has put into service several safety and security procedures to safeguard the IT systems and networks of the Public Foundation, among them the following:
a) The useris only able to access their user profile with the password and user ID that they provided. The password is encrypted. The use of a strong, alphanumeric password (one that contains both letters and numbers) is required, and the user should not share the password with others.
b) Your personal data are stored on a secure server. The servers are only accessible to certain employees of the Public Foundation, and are password-protected.
c) to prevent data loss we make backup copies,
d) Physical protection: The server is located in a facility protected by a fence, CCTV surveillance, armed guards and a multi-stage entry system.
c) Software protection: On one hand, Invitech continuously monitors whether there are any external threats against the computers they use, on the other hand, they provide a so-called “firewall” for their users. On top of this, they also protect their server with a dedicated “firewall”. Access to the server is only allowed with system administrator rights, and only from certain external locations (IP addresses).
11./ Rights and their enforcement available to data subjects
11.1./ According to the wording of the GDPR, data subjects are natural persons who can directly or indirectly identified based on information or personal data pertaining to him.
11.2./ Please note that before complying with their requests regarding the exercise of their rights, the Public Foundation is obliged to identify the person submitting the request. Where the Public Foundation has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the applicant.
11.3./ You may contact the Public Foundation or the Data Protection Officer in order to exercise your rights listed below:
a) You have the right to request information about processing, as well as to request a copy of your stored and processed data (right to information, right of access - GDPR art.15, Info Act par.15)
b) You have the right to request the correction of incorrect or incomplete data (right to correction, GDPR art.16, Info Act par.17).
c) You have the right to request the deletion of your personal data; moreover, if your personal data have been published, you are entitled to request that the Public Foundation forward your request for deletion to other Controllers as well (right to deletion, GDPR art.17, Info Act par.17)
d) You have the right to request the restriction of some processing activities (right to restriction of processing, GDPR art.18).
e) You have the right to obtain your personal data in a generally used and computer-readable form, and to request that these data be handed over to another Controller (right to data portability, GDPR art.20).
f) You have the right to object to data processing activities (right to object, GDPR art.21, Info Act par.21).
g) You have the right to withdraw your consent at any time in case of processing based on consent. The withdrawal of consent does not affect the legality of the processing performed in the period prior to withdrawal (right to withdrawal, GDPR art.7 par.3).
h) You have the right to file a complaint with the supervisory authority if you judge that the processing violates any regulations (right to file a complaint with a supervisory authority, GDPR art.77).
11.4./ Requests pertaining to the rights listed in Section 11.3 shall be sent via e-mail to the following address: firstname.lastname@example.org or by mail to the following address: 1062 Budapest, Andrássy út 60. of the Public Foundation.
11.4./ The Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) shall provide legal remedies, and receives the complaints of the users:
Name: National Authority for Data Protection and Freedom of Information (NAIH)
Registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
Mailing address: 1530 Budapest, Pf.: 5.
11.5./ If the Public Foundation refuses to comply with your request as a data subject, the factual or legal reasons for refusing the request shall be communicated to you electronically within 25 (twenty-five) days of receipt of the request. Should your request be refused, the Public Foundation shall inform you of the possibilities for seeking judicial remedy or filing a complaint with an Authority.
11.6./ If you disagree with the decision taken by the Public Foundation, or if the Public Foundation fails to meet the deadline, you shall have the right to turn to court within 30 (thirty) days of the date of delivery of the decision or from the last day of the time limit. A lawsuit may take place at the tribunal of your choice: either the one that has jurisdiction where the Public Foundation has its registered seat, or where you are domiciled. The tribunal with jurisdiction where the Public Foundation has its registered seat is the Budapest Capital-Regional Court.
12./ Records of the Public Foundation
12.1./ The Public Foundation as the data controller, with a view to controlling measures relating to data breaches and to inform data subjects, shall keep records containing the personal data involved, the scope of those affected by the data breach, the time, circumstances and effects of the data breach and measures taken to eliminate further breaches, as well as other information stipulated by law.
In matters not regulated by these Data Processing Guidelines, the provisions of Act 112 of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act 5 of 2013 on the Civil Code as well as other relevant acts shall apply.
Dated Budapest, 25 May 2018