data

spirit

health

Privacy Notice

In general

We collect and process personal data only in accordance with the applicable laws in force.

To protect your data, we store it as securely as possible.

You can request the deletion of your personal data by sending an email to info@azadateletetment.org, or we will send you a written request to this address to clarify the information we hold about you.

Introduction

My Health Data and Care Foundation (registered office/postal address: H-1088 Budapest, Vas street 17., registration number: 01-01-0012350 tax number: 18870619-1-43) (hereinafter referred to as the “Service Provider”, “Data Controller”) is subject to the following information.

According to Article 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, the data subject (in this case the user of the website, hereinafter referred to as the “user”) must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.

The data subject must be informed clearly and in detail of all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and processor and the duration of the processing, before the processing begins.

The data subject shall also be informed, pursuant to Article 6(1) of the Info Act, that personal data may also be processed if obtaining the data subject’s consent would be impossible or would involve disproportionate costs and the processing of the personal data would

– necessary for compliance with a legal obligation to which the controller is subject, or

– it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.

The information should also cover the rights and remedies of the data subject in relation to the processing.

Where it would be impossible or disproportionate to provide personal information to data subjects (such as in the present case on the website), the information may be provided by disclosing the following information:

(a) the fact of collection,

(b) the identity of the data subjects,

(c) the purpose of the data collection,

(d) the duration of the data processing,

(e) the identity of the potential controllers who have access to the data,

(f) the rights and remedies of the data subjects with regard to the processing; and

(g) where the processing is subject to registration, the registration number of the processing.

This privacy notice governs the processing of the website http://www.azadateletetment.org,és and is based on the content of the privacy notice described above. The privacy notice is available at: http://www.azadateletetment.org/adatvedelem.php

Amendments to this notice will enter into force upon publication at the above address.

Interpretative provisions (based on § 3 of the Info law)

  1. Data Subject/User (Article 3.1. of the Info Act): any specific natural person identified or identifiable, directly or indirectly, on the basis of personal data;
  2. personal data (Info Act, Article 3.2.): data which can be associated with the data subject, in particular the name, the identification mark and one or more physical, physiological, mental, economic, cultural or social identifiers of the data subject, and the inference which can be drawn from the data concerning the data subject;
  3. consent (Article 3.7. of the Info law): a voluntary and explicit expression of the data subject’s wishes, based on adequate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in respect of specific operations;
  4. objection (Article 3.8. of the Info Law): a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;
  5. data controller (Art. 3.9. of the Info Act): a natural or legal person or an unincorporated body which, alone or jointly with others, determines the purposes for which the data are processed, takes and implements decisions concerning the processing (including the means used) or implements them through a processor on its behalf;
  1. data processing (Art. 3.10. of the Info Act): irrespective of the procedure used, any operation or set of operations which is performed upon the data, in particular collection, recording, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure or destruction, as well as the prevention of further use of the data, the taking of photographs, audio or video recordings, as well as physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
  2. data transmission (Info Act, Article 3.11): making data available to a specified third party;
  3. disclosure (Art.3.12. of the Info Act): making data accessible to anyone;
  4. data erasure (Info Act, Art. 3.13.): rendering data unrecognisable in such a way that their recovery is no longer possible;
  5. data marking (Info Act, Art. 3.14): the marking of data with an identification mark in order to distinguish it;
  6. data storage (Info Act, Article 3.15.): the marking of data with an identification mark for the purpose of limiting their further processing permanently or for a limited period of time;
  7. data destruction (Info Act, Article 3.16): the complete physical destruction of the data carrier containing the data;
  8. data processing (Info Act, Article 3.18.): the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
  9. data processor (Article 3.18. of the Info law): a natural or legal person or an organisation without legal personality, who or which, on the basis of a contract with the controller, including a contract concluded on the basis of a statutory provision, carries out processing of data;
  10. data controller (Article 3.19. of the Info Act): the body performing public tasks which has produced the data of public interest which must be published by electronic means or in the course of whose operation the data were generated;
  11. data communicator (Article 3.20. of the Info Act): the body performing public tasks which, if the data controller does not publish the data itself, publishes the data submitted to it by the data controller on a website;
  12. data file (Info Act, Article 3.21.): the totality of the data managed in a register;
  13. third party (Article 3.22. of the Info Act): a natural or legal person or an organisation without legal personality, which is not the same as the data subject, the controller or the processor.

Legal basis for data processing (Info tv. 5-6.§)

  1. Personal data may be processed if

– the data subject consents, or

– it is ordered by law or – on the basis of the authorisation of the law and within the scope specified therein – by a decree of a local government for a purpose in the public interest (mandatory data processing).

  1. Personal data may also be processed if obtaining the consent of the data subject would involve an impossible or disproportionate effort and the processing of the personal data would

(a) necessary for compliance with a legal obligation to which the controller is subject; or

(b) necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.

  1. Where the data subject is unable to give his or her consent because of incapacity or for other reasons beyond his or her control, the personal data of the data subject may be processed to the extent necessary to protect his or her vital interests or those of another person or to prevent or protect against an imminent danger to the life, physical integrity or property of a person, as long as the obstacles to consent persist.
  2. The consent or subsequent approval of the legal representative is not required for the validity of a statement of consent by a minor data subject over the age of 16.
  3. Where the processing based on consent is intended to implement a contract concluded in writing with the controller, the contract must contain all the information which the data subject needs to know in order to process the personal data, in particular the specification of the data to be processed, the duration of the processing, the purposes for which the data are to be used, the fact of the transfer of the data, the recipients of the data, the use of a processor. The contract must unambiguously state that the data subject, by signing it, consents to the processing of his or her data as provided for in the contract.
  4. If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,

– for the purpose of complying with a legal obligation to which he is subject, or

– for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data without further specific consent and after the withdrawal of the data subject’s consent.

Purpose limitation of data processing (Info tv. § 4 (1)-(2))

  1. Personal data may only be processed for a specific purpose, for the exercise of a right or the performance of an obligation. At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of data must be fair and lawful.
  2. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

Other principles of data processing (Info tv. § 4 (3)-(4))

  1. Personal data shall retain this quality during processing for as long as the relationship with the data subject can be re-established. The link with the data subject may be re-established if the controller has the technical conditions necessary for such re-establishment.
  2. The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.

Functional processing

  1. Pursuant to Article 20 (4) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following must be defined in the scope of the functionality (ordering) of the website:
  2. a) the fact of data collection,
  1. b) the scope of the data subjects,
  2. c) the purpose of the data collection,
  3. d) the duration of the data processing,
  4. e) the identity of the potential controllers entitled to access the data,
  5. f) a description of the data subjects’ rights in relation to the processing,
  6. g) where the processing is subject to registration, the registration number of the processing.
  1. The fact of data collection, the scope of the data processed.
  2. Data subjects: users of any of the services indicated on the website (including contacting for a quote) and all data subjects.
  3. Purpose of the data collection: the Service Provider processes the personal data of the users as defined above for the purposes of creating a contract for the provision of any service indicated on the website, fulfilling a request for a quote, determining the content of any contract for the provision of any service, amending it, monitoring its performance, billing the resulting fees and enforcing claims in relation to it.
  4. Duration of processing, deadline for deletion of data. Accounting records (including general ledger accounts, analytical and detailed accounts) which directly and indirectly support the accounting accounts must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.
  5. The personal data will be processed by the controller/service provider, in compliance with the principles set out above.
  6. Description of data subjects’ rights in relation to data processing: at the address of the office of the person in charge of the processing of the request,

– By post at the address at H-1088 Budapest, Vas street 8.,

– by e-mail at info@azadateletetment.org.

  1. The legal basis for the processing of data is the consent of the User, in accordance with the Info tv. Article 5(1) of the Info Act and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter referred to as “Elker Act”):

The Service Provider may process personal data that are technically necessary for the provision of the service. The service provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for the provision of the service and for the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.

Principles of the service provider for functional data management (based on § 13/A of the Elker Act)

  1. The Service Provider may process natural person identification data relating to the use of the information society service, address, as well as data relating to the time and duration of the use of the service, the place of provision of the service, for the purpose of invoicing the fees resulting from the contract for the provision of the information society service.
  2. The Service Provider may process personal data which are technically necessary for the provision of the service. The Service Provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in the Elker Act, but even in this case only to the extent and for the duration necessary.
  3. The Service Provider may process data relating to the use of the service for any other purposes, in particular to improve the efficiency of its service, to deliver electronic advertising or other targeted content to the recipient, to conduct market research, only with the prior specification of the purpose of the processing and with the consent of the recipient.
  4. The recipient must be given the possibility to object to the processing prior to and throughout the use of the information society service.
  5. The processed data must be erased after the non-conclusion of the contract, the termination of the contract and after invoicing. The data must be deleted when the purpose of the processing ceases to exist or when the user so requests. Unless otherwise provided by law, the deletion shall be carried out without delay.
  6. The Service Provider shall ensure that the recipient is informed, before and at any time during the use of the information society service, of the types of data processed by the Service Provider for which purposes, including the processing of data which cannot be directly linked to the recipient.

Data processing

  1. Pursuant to Section 20 (1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following shall be defined in the scope of the website’s data processing activities:
  1. a) the fact of data collection,
  2. b) the data subjects concerned,
  3. c) the purpose of the data collection,
  4. d) the duration of the processing,
  5. e) the identity of the potential controllers who have access to the data,
  6. f) a description of the data subjects’ rights in relation to the processing.
  1. The fact of processing, the scope of the data processed.
  2. Data subjects: all data subjects visiting the website.
  3. Purpose of the processing: to ensure the smooth functioning of the website.
  4. Duration of processing, time limit for deletion of data: until the end of the visit.
  5. The following hosting providers may process personal data, subject to the principles set out above:

Silihost Kft.

Phone 0-24: +36-1-788-4060 or +36-70-453-1923

FAX: +36-1-999-1885

Email: info@silihost.hu

Privacy Policy: http://silihost.hu/adatvedelem

  1. Description of the data subjects’ rights in relation to data processing: the data subject may request the controller to erase his or her personal data as soon as possible by contacting the above contact details.
  2. The legal basis for the transfer of data is the consent of the User, the consent of the Data Subject, the legal basis for the transfer of data is the consent of the Data Subject. The consent of the User shall be provided in accordance with Article 5(1) of the Act on Information Society Services and Certain Aspects of Electronic Commerce Services and Information Society Services of 2001 (CVIII of 2001), Article 13/A(3).

Data security

  1. The controller shall design and implement data processing operations in such a way as to ensure the protection of the privacy of data subjects.
  2. The data controller and the data processor in the scope of their activities shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the Info Act and other data protection and confidentiality rules.
  3. In particular, data must be protected by appropriate measures against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction or damage and against inaccessibility due to changes in the technology used.
  4. In order to protect the data files managed electronically in the different registers, appropriate technical arrangements should be in place to ensure that data stored in the registers cannot be directly linked and attributed to the data subject, except where permitted by law.
  5. The controller and the processor should take into account the state of the art when defining and applying data security measures. A choice should be made between several possible processing solutions which ensure a higher level of protection of personal data, unless this would impose a disproportionate burden on the controller.
  6. The controller should store the personal data in a locked room on a password-protected computer accessible only to the controller.

Rights of data subjects

  1. Data subjects may request the Service Provider to provide them with information about the processing of their personal data, request the rectification of their personal data, and request the erasure or blocking of their personal data, except for mandatory processing.
  2. At the request of the data subject, the controller shall provide information about the data of the data subject processed by the controller or by a processor to whom the controller has delegated the processing, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, and, in the case of the transfer of the data subject’s personal data, the legal basis and the recipient of the transfer.
  3. For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, including the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other information specified in the legislation providing for the processing.
  4. The controller shall provide the information in writing, in an intelligible form and at the request of the data subject, within the shortest possible time from the request, but not later than 30 days from the request. The information shall be provided free of charge.
  5. At the request of the User, the Service Provider shall provide information on the data processed by it, their source, the purpose, legal basis and duration of the processing, the name and address of any data processor and its activities related to the processing, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer. The service provider shall provide the information in writing and in an intelligible form within the shortest possible time from the date of the request, but not later than 30 days. The information shall be provided free of charge.
  6. If the personal data is not accurate and the accurate personal data is available to the controller, the Service Provider shall correct the personal data.
  7. Instead of deleting the personal data, the Service Provider shall block the personal data if the User requests this or if, on the basis of the information available to it, it can be assumed that deletion would harm the legitimate interests of the User. Blocked personal data may be processed only for as long as the processing purpose that precluded the deletion of the personal data persists.
  8. The Service Provider shall delete the personal data if its processing is unlawful, the User requests it, the processed data is incomplete or incorrect – and this situation cannot be lawfully remedied – provided that deletion is not excluded by law, the purpose of the processing has ceased to exist, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.
  9. The controller shall mark the personal data that it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
  10. Rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not undermine the legitimate interests of the data subject having regard to the purposes of the processing.
  11. If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.

Remedies

  1. You may object to the processing of your personal data if.
  2. a) the processing or transfer of the personal data is necessary solely for the performance of a legal obligation to which the Service Provider is subject or for the purposes of the legitimate interests pursued by the Service Provider, the data recipient or a third party, unless the processing is required by law;
  3. (b) the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes;
  4. (c) in other cases specified by law.
  5. The service provider shall examine the objection within the shortest possible period of time from the date of the request, but not later than 15 days, and shall decide whether the objection is justified and inform the applicant in writing of its decision. If the Service Provider establishes that the objection of the data subject is justified, it shall terminate the processing, including further recording and transmission of the data, and block the data, and shall notify the objection and the measures taken on the basis of the objection to all those to whom it has previously transmitted the personal data concerned by the objection and who are obliged to take action to enforce the right to object.
  6. If the User does not agree with the decision of the Service Provider, the User may appeal against it to a court within 30 days of its notification. The court shall act out of turn.
  7. Complaints against possible violations of the data controller may be lodged with the National Authority for Data Protection and Freedom of Information, whose contact details are:

National Authority for Data Protection and Freedom of Information

If you are interested in the protection of personal data and privacy, please contact the Hungarian Data Protection and Information Protection Authority (DPA) at 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, P.O. Box 5.

Phone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Judicial Enforcement

  1. It is the data controller’s responsibility to prove that the processing complies with the law. It is for the recipient to prove that the transfer is lawful.
  2. It is for the courts to decide on the lawsuit. The action may also be brought, at the option of the data subject, before the courts for the place where the data subject resides or is domiciled.
  3. A person who does not otherwise have legal capacity may be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.
  4. If the court upholds the application, the controller shall be ordered to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take account of the data subject’s right to object or disclose the data requested by the data subject.
  5. If the court rejects the data subject’s request, the controller shall erase the personal data of the data subject within 3 days of the notification of the judgment. The controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit.
  6. The court may order the publication of its judgment, with the publication of the controller’s identification data, if the interests of data protection and the protected rights of a larger number of data subjects so require.

Compensation and damages

  1. If the controller causes damage to another person by unlawfully processing the data subject’s data or by breaching data security requirements, the controller must compensate the damage.
  2. Where the controller infringes the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller.
  3. The controller shall be liable to the data subject for the damage caused by the processor and the controller shall also pay the data subject the damages due to the data subject in the event of a personal data breach caused by the processor. The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject’s personality rights was caused by an unavoidable cause outside the scope of the processing.
  4. No compensation shall be due and no damages shall be payable where the damage or injury to the personality rights of the data subject was caused by the intentional or grossly negligent conduct of the data subject.

Closing words

For matters not covered by this information notice, the following legislation shall apply:

  • Act CXII of 2006 – on the Right to Informational Self-Determination and Freedom of Information;
  • Act No CVIII of 22.12.2006 – on certain aspects of electronic commerce services and information society services;
  • Act XLVII of 2007 – on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2006 – on the basic conditions and certain restrictions on commercial advertising
  • Act XC of 2003 on freedom of electronic information
  • Act C of 2011 on electronic communications 16/2011 Opinion on the EASA/IAB Recommendation on best practices for behavioural online advertising