The purpose of this Data Management Statement is to define the principles and rules related to the processing of personal data and other data provided by users of the website during its use and managed by the website operators (Jakab János).
This data management policy pertains to data voluntarily provided by visitors on the http://birs.hu website, through the contact form and comments related to blog posts. The handling of personal data is conducted with the following principles in mind:
i) Personal data can be managed solely for a specified purpose, to exercise rights and fulfill obligations. In every phase of data management, it should align with the purpose of data management; the collection and processing of data should be fair and lawful.
ii) Only such personal data can be managed that is indispensable for realizing the purpose of data management and suitable for achieving the goal. Personal data can be processed only to the extent and duration necessary for achieving the purpose.
iii) Personal data retains its quality throughout data management as long as its relation to the subject can be restored. The relation with the subject can be restored if the data controller has the technical conditions necessary for restoration.
iv) During data management, the accuracy, completeness of data – and, if necessary for the purpose of data management, its up-to-date nature – must be ensured. The subject can only be identified for as long as it’s necessary for the purpose of data management.
- GENERAL PROVISIONS
Data Controller’s Name: Jakab János (hereinafter: Data Controller)
Address of the Data Controller: 3400 Mezőkövesd, Fecske utca 25.
Contact details of the Data Controller:
Legal basis for data management: Consent of the subject, based on Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Section 5 (1) a).
Scope of those affected by data management: Those who fill out the contact form.
Consent to data management: By registering, users expressly consent to their personal data being processed by the Data Controller in the manner described in this policy.
Purpose of data management: Sending information via email, initiating contact, and sending newsletters (with consent).
Method of data management: Automated data processing.
- THE RANGE OF PROCESSED PERSONAL DATA:
During voluntary data provision by the user, the following data can be provided (on a voluntary basis, but indispensable for the use of the service) on the http://birs.hu site using the contact form:
- User’s name “Name” – who writes the message – purpose: making contact, identification
- Email address “E-mail” – purpose: making contact, sending notifications, sending newsletters
- Phone number “Phone number” – not mandatory for using the service – purpose: making contact by phone
When submitting a comment, in addition to the details given in the comment form, the commenter’s IP address and browser identifier string are also collected to filter out unwanted content.
An anonymized string created from the e-mail address (often called a hash) will be sent to the Gravatar service if it is used on the site. The Gravatar service terms can be viewed at the following address: https://automattic.com/privacy/. After the acceptance of the comment, our comment content and profile picture will also be publicly displayed.
- DURATION OF DATA MANAGEMENT:
The provided data is managed by the Data Controller indefinitely or until the consent of the affected person is withdrawn.
- DATA TRANSFER ABROAD:
No data transfer occurs.
- RIGHTS OF THE AFFECTED:
The affected person can request from the Data Controller: a) information about the processing of their personal data, b) correction of their personal data, and c) deletion or blocking of their personal data, except in the case of mandatory data processing. Upon the request of the affected person, the Data Controller provides information about the data processed by or for him, their sources, the purpose, legal basis, duration of data processing, the name and address of the data processor, and the related activities, the circumstances and effects of data protection incidents and measures taken to remedy them, and – in case of data transfer – the legal basis and recipient of the data transfer.
The Data Controller, if they have an internal data protection officer, keeps a record for the purpose of checking measures related to data protection incidents and informing the affected person. This includes the range of personal data affected, the scope and number of those affected by the data protection incident, its date, circumstances, effects, measures taken to remedy it, and other data specified in the legislation that requires data processing. The Data Controller is obligated to provide this information in a comprehensible form, in writing, within the shortest possible time from the submission of the request, but no later than 25 days. Information is free of charge if the person requesting the information has not submitted a similar request to the Data Controller in the current year. In other cases, the Data Controller may charge a fee.
The Data Controller will delete personal data if: i) its processing is illegal; ii) it is requested by the affected person; iii) it is incomplete or incorrect – and this condition cannot be legally corrected – unless the deletion is prohibited by law; iv) the purpose of data processing has ceased, or the legal deadline for data storage has expired; v) it is ordered by the court or the Authority.
The affected person and all those to whom the data was previously forwarded for processing purposes must be notified of the correction, blocking, marking, and deletion. Notification can be omitted if it does not harm the affected person’s legitimate interest considering the purpose of data processing.
If the Data Controller does not fulfill the affected person’s request for correction, blocking, or deletion, they must inform the affected person in writing or electronically (with their consent) within 30 days of the reasons for the rejection. If the request for correction, deletion, or blocking is rejected, the Data Controller informs the affected person about the possibility of seeking judicial remedy and turning to the Authority.
- OBJECTION TO THE PROCESSING OF PERSONAL DATA:
The affected person can object to the processing of their personal data if: a) the processing or forwarding of personal data is exclusively for fulfilling the legal obligation of the Data Controller or for asserting the legitimate interests of the Data Controller, data recipient, or a third party, except in the case of mandatory data processing; b) personal data is used or forwarded for direct marketing, public opinion polling, or scientific research; and c) in other cases defined by law.
The Data Controller examines the objection within the shortest possible time from the submission of the request, but no later than 15 days, makes a decision on its validity, and informs the applicant in writing about the decision.
If the Data Controller establishes the validity of the objection, they cease data processing, including further data collection and data transfer, and block the data, and inform all those to whom the affected personal data had previously been forwarded about the objection and the measures taken based on it.
If the Data Controller does not fulfill the request of the data subject for correction, blocking, or deletion, within 30 days of receipt of the request, it shall inform the data subject in writing or electronically with the consent of the data subject about the factual and legal reasons for rejecting the request for correction, blocking, or deletion. In case of rejection of the request for correction, deletion, or blocking, the Data Controller informs the data subject about the possibility of judicial remedy and the option to turn to the Authority.
- OBJECTION TO THE PROCESSING OF PERSONAL DATA:
The data subject may object to the processing of his/her personal data if: a) the processing or transmission of personal data is solely for the purpose of fulfilling a legal obligation relating to the Data Controller or for enforcing the legitimate interests of the Data Controller, the data recipient, or a third party, except in the case of mandatory data processing; b) personal data is used or transmitted for direct business acquisition, public opinion polling, or scientific research; c) in other cases defined by law.
The Data Controller examines the objection as soon as possible, but within a maximum of 15 days, makes a decision on its merits, and informs the applicant in writing.
If the Data Controller establishes the legitimacy of the data subject’s objection, it terminates data processing – including further data collection and transmission – and blocks the data. It also notifies all those to whom it previously transmitted the personal data affected by the objection, and who must take measures to enforce the right to object.
If the data subject disagrees with the decision made by the Data Controller or if the Data Controller misses the above deadline, the data subject may go to court within 30 days of the announcement of the decision or the last day of the deadline.
If the data subject objects to the processing of his/her personal data, or exercises judicial remedy, or if a request for data communication from a third party not based on the data subject’s consent is received, then the data necessary for the legal assessment of these can also be issued to legal representatives appointed by the Data Controller.
- JUDICIAL REMEDY:
We kindly ask our Users, if they feel that the Data Controller has violated their rights related to the protection of personal data, to contact us so that we can remedy any potential legal violations.
Furthermore, we inform our Users that in the event of a violation of their rights, they can take legal action against the Data Controller. The court shall act urgently in the matter. The trial falls under the jurisdiction of the court. The lawsuit can also be initiated at the court of the Data Controller’s headquarters or, at the data subject’s choice, at the court of the data subject’s residence or place of stay. Even those who otherwise do not have the capacity to be a party can be a party in the lawsuit.
If the Data Controller causes damage to someone with the unlawful processing of the data subject’s data or by violating the requirements of data security, it is obliged to compensate for it. If the Data Controller violates the personality right of the data subject with the unlawful processing of his/her data or by violating the requirements of data security, the data subject can claim damages from the Data Controller. The Data Controller is exempt from liability for the damage caused and the obligation to pay damages if it proves that the damage or the violation of the data subject’s personality right was caused by an unavoidable reason outside the scope of data processing. No compensation for damage shall be paid and no damages can be claimed to the extent that the damage or the violation of the personality right was caused by the intentional or grossly negligent behavior of the injured party or the data subject.
- AUTHORITY PROCEDURE:
The data subject can file a complaint or request information from the Authority:
Name: National Data Protection and Freedom of Information Authority Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c. Mailing Address: 1530 Budapest, Pf.: 5. Phone: +36 (1) 391-1400 Fax: +36 (1) 391-1410 Website: http://naih.hu
II. DETAILED DATA MANAGEMENT PROVISIONS:
- HANDLING OF COOKIES:
On the gdpr.info.hu website, cookies used by Google Analytics are active, and their operation is governed by Google’s privacy policies (https://support.google.com/analytics/answer/6004245?hl=hu).