1. The aim and scope of the document/statement
1.1. The general purpose of this Privacy Notice (hereinafter referred to as the “Notice”) is to disclose the data protection and processing policies, principles and provisions applied by the Central European Service for Cross-Border Initiatives (hereinafter referred to as the “Data Controller”).
1.2. Main data of the Data Controller:
Title: Central European Service for Cross-Border Initiatives (officially abbreviated as CESCI) (hereinafter referred to as the “Data Controller”)
Classification: non-profit association
Headquarters: 1067 Budapest, Teréz krt. 13.
Office: Budapest, 1137 Budapest XIII., Újpesti rkp. 5. III./12A
Registration number: 01-02-0010819 (Metropolitan Court of Budapest)
Tax Identifiation Number: 18188071-2-42
1.3. Main objective of the activity: to promote socio-economic cooperation between Hungarian communities, territorial units beyond the borders and Hungary in order to ensure the continuous and adequate performance of the state public tasks arising from the responsibility felt for Hungarians living beyond the borders, as stipulated in Article D) of the Foundation of the Fundamental Law of Hungary, and to facilitate the creation of European unity as stipulated in Article E) of the Fundamental Law of Hungary, and to assist in the performance of the state public tasks arising from institutional relations the status of a member state of the European Union;
1.4. The scope of this Policy covers the processing of personal data of Users by the Data Controller in connection with the operation of the Data Controller.
1.5. The scope of this Policy does not cover the data processing activities of other organisations and service providers whose data protection rules are not considered binding by the Data Controller, but whose websites are directly accessible via links on the Data Controller’s website. The activities of such organisations are governed by the provisions of their own privacy policy, and the Data Controller shall not be liable for the compliance of these organizations’ data processing activities.
1.6. Before using the services of the Data Controller, the User shall ensure that he/she is informed electronically or in person of the content of this Policy, accepts it and can exercise his/her rights in accordance with point 13.
1.7. The legislation taken into account when elaborating this Policy, in particular:
2. Definition of terms frequently used in the Guide/policy/document
Pursuant to Article 4 of the Regulation
2.1. personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.2. data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.3. data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by the European Union or Member State law; the controller or the specific criteria for the controller’s designation may also be determined by the European Union or Member State law;
2.4. data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
2.5. third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the data controller or processor, are authorised to process personal data;
2.6. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Pursuant to § 3 of the Privacy Act
2.7. data subject: any natural person identified or identifiable based on specific personal data – directly or indirectly – User;
2.8. dataset: the set of data managed in a single register;
2.9. disclosure of data: making the data accessible to anyone;
2.10. data transfer: making data available to a specified third party;
2.11. data erasure: making data unrecognisable in such a way that restoration is no longer possible
2.12. data destruction: the complete physical destruction of the data-storage medium that contains the data;
Other related terms
2.13. social media platforms: media tools used or operated by the Data Controller (website, Facebook page, etc.);
2.14. publication: any online or offline publication created by or related to the Data Controller in the course of its activities;
2.15. service: a set of service activities provided by the Data Controller in accordance with its purposes, in particular.
• professional services and (excluding legal activities operating independently under legal conditions) legal services (in particular in relation to strategy development, situation analysis, project development, tenders);
• organised events (workshop, training, event, conference, community discussion, community forums, etc.);
• online questionnaire surveys related to professional activities;
• job advertisements and related recruitment, interviewing and, where applicable, employer activities.
2.16. user: the natural person who uses or registers for the services outlined in point 2.15 and, in doing so, provides one or more of the personal data listed in point 3;
2.17. employee: a natural person who has an employment or other employment relationship with the Data Controller;
2.18. potential employee: a natural person who applies for one of the job advertisements published by the Data Controller (in the framework of a work, scholarship or voluntary relationship);
2.19. automated dataset: a set of data to be processed automatically;
2.20. system: the set of technical solutions that operate the services of the Data Controller available on the Internet.
3. Purpose and legal basis of data processing
3.1. The purpose of data processing:
a) to provide a high level of online and offline services related to the operation of the Data Controller in relation to the activities set out in point 2.15., tailored to the needs of users;
b) to identify the User and the services he/she can use, and to provide hosting for the publication of the content generated by the User (e.g. comments, forums);
c) providing information related to the protection of the rights and legitimate interests of the Data Controller, the User and third parties;
d) implementation of project activities by the Data Controller based on the required data provision;
e) keeping regular records of the Data Controller’s employees, and recruiting and selecting potential employees;
f) other statistics and analyses related to the activities of the Data Controller;
g) marketing enquiries;
h) sending newsletters;
i) technical development of the Data Controller’s IT system;
j) facilitate the conclusion and performance of contracts within the scope of the Data Controller’s activities;
k) maintaining contact in connection with the activities of the Data Controller;
l) the processing of personal data provided during registration for events and conferences organised by the Data Controller;
m) processing of personal data provided in the course of professional interviews, voluntary public questionnaires.
n) other legitimate interests of the controller based on law.
4. Principles of data processing
4.1. The Data Controller shall process the User’s personal data in accordance with the applicable law and, based on the User’s explicit con sent, in accordance with the purposes set out in the Policy, to the extent proportionate to the purpose of the processing.
4.2. If the Data Controller intends to use the personal data processed for purposes other than those for which they were originally collected, it may do so only with the prior explicit consent of the User, unless otherwise provided by law.
4.3. The User shall be given the opportunity to make a personal statement, either in person or in writing, regarding the processing of his/her personal data, taking into account the provisions outlined in point 11.
4.4. The Data Controller shall process personal data in accordance with the principles of good faith, fairness and transparency, as well as in accordance with the applicable laws and the provisions of this Policy.
4.5. The Data Controller is not obliged to verify the accuracy and veracity of the personal data provided by the data subject. The User providing the personal data is responsible for the authenticity of the personal data provided.
4.6. The Data Controller may process the personal data of a natural person who is a minor under the Civil Code only with the consent of the legal representative. In the absence of a declaration of consent, the Controller shall not process such data, with the exception of personal data automatically recorded when using the website service.
4.7. The Data Controller shall notify the User concerned and all those to whom it has previously transmitted the personal data for processing purposes of the rectification, restriction or deletion of the personal data processed by it. The notification may be omitted if, having regard to the purposes of the processing, this is unlikely to be prejudicial to the legitimate interests of the data subjects.
4.8. In order to ensure an adequate level of security of the personal data processed, the Data Controller shall take technical and organisational measures appropriate to the level of risk posed by the processing in order to safeguard the fundamental rights of data subjects. In designing and implementing the security measures, the Data Controller shall take into account all the circumstances of the processing, in particular the state of the art, the cost of implementing the measures, the nature, scope and purposes of the processing, and the varying degrees of risk to the rights of data subjects posed by the processing.
4.9. No automated decision-making (in individual cases, including profiling) is carried out in relation to the Data Controller.
5. The activities of each controller and related personal data
5.1. The Data Controller may process the following personal data of the User in the course of the use of its services: name, place of residence, place of stay, landline and mobile telephone numbers, e-mail address, facial image, voice recording, workplace, position/title, language spoken, education, age, as well as other personal data provided by the User.
5.2. The Data Controller may also process sensitive/special personal data of speakers and participants of events organised by the Data Controller, newsletter services and questionnaire activities, in addition to those described in point 5.1, on the basis of the explicit written consent of the users.
5.3. In the context of its contracts, the Data Controller may, in addition to the processing provided for in Sections 5.1 and 5.2, process the following data of the contracting User.
5.4. The Data Controller’s data processing at the workplace is governed by point 9.
5.5. The possible scope of the personal data processed in relation to the representatives of the natural person members and legal person members of the Data Controller is the same as the scope of data set out in point 5.1.
5.6. The Data Controller may process demographic data by using a cookie (data packet) based on any of the personal data in 5.1 and/or 5.2, as well as browsing habits and preferences.
A cookie provides personalised services on a website and enhances the user experience. The Data Controller will inform the User in advance of its use, and the User will allow or restrict the use of the cookie by deleting it from his/her computer or disabling it in his/her browser.
5.7. During the use of the services of the Data Controller, as a result of the technical processes of the system, certain personal data of the User may be automatically recorded. Such data may include, for example, the User’s IP address, the type of operating system and browser program, the data of the websites from which the User has accessed or visited the Controller’s website, as well as the time and duration of the visits. The data recorded may be logged in the system, without the User’s specific declaration or action, when logging in or out of the system. Only the Data Controller has access to the recorded data.
5.8. In contrast to the provisions outlined in point 5.6, the Data Controller may record the IP address of the User, without the User’s separate consent based on its legitimate interest or in order to ensure the lawful provision of the service (e.g. to filter out illegal content).
6. Duration of data processing
6.1. Unless otherwise specified by legal regulations, the processing of personal data provided by the User in connection with the services provided by the Data Controller shall continue until the User unsubscribes from the service, otherwise requests the deletion of his/her personal data or their retention, or until the Data Controller has a legitimate interest in the processing of the personal data.
6.2. The User’s right to use the service is not affected by the User’s request to terminate data processing without unsubscribing from the service, however, the User may not be able to use certain services provided by the Data Controller or fully utilize certain services without his/her personal data.
6.3. The processing period for data automatically recorded by the service provider is determined by the data protection provisions of the service provider and the relevant legislation. In this case, the Data Controller shall also endeavour to ensure that the recorded data cannot be linked to other personal data of the User, apart from the exceptions referred to by law.
6.4. The Data Controller periodically backs up the data stored in its IT system during the period of data processing in order to prepare for emergency situations (security purpose) and to guarantee the integrity of the data (evidence purpose), which may also affect the personal data of individual Users and may affect the period of processing.
7. Data processing
7.1. The Data Controller reserves the right to engage a data processor on a permanent or ad hoc basis in the course of its activities on the basis of a written contract of engagement. Permanent data processing may be carried out primarily for the purposes of customer relations; the provision of services; the administration of employment records, legal data supply; and the maintenance of the IT system.
7.2. The Data Controller shall, upon request, inform the data subjects about the identity of the data processor and the details of his or her processing activities.
7.3. The rights and obligations of the data processor in relation to the processing of personal data shall be determined by the Data Controller within the frameworks of the applicable law.
7.4. The IT system of the Data Controller allows for the processing of data and statistical aggregation of the activity of Users, but this cannot be linked in a way that can be used for personal identification with other personal data provided by Users, nor with user data generated during the use of other data processing services.
8. Transfer of data
8.1. The Data Controller is entitled and obliged to send any personal data stored by them to the competent authority or partner and central bodies involved in the project implementation, which it is obliged to transmit by law, by a final decision of a public authority or by a subsidy contract or by an agreement between the parties cooperating in the framework of the above. The Controller shall not be held liable for such transfers or for the consequences thereof.
8.2. The Data Controller is entitled to transfer the personal data to a designated third party on the basis of the User’s prior consent or on the basis of a legal authorisation. Personal data may be transferred, including indirectly, to a controller or processor in a third country outside the European Union or to a controller or processor operating within an international organisation (hereinafter together referred to as “international transfers”), if the data subject has given his or her explicit consent to the international transfer; or the international transfer is necessary for the purposes of the processing and an adequate level of protection of the personal data transferred is ensured in relation to the Data Controller or processor operating in the third country or within the international organisation.
8.3. The Data Controller shall keep records (logs) for the purpose of monitoring the lawfulness of the transfer of data and providing information to the User, which shall include the date, legal basis and recipient of the transfer of personal data processed by the Data Controller, the scope of the personal data transferred and other data specified in the legislation requiring the processing.
9. Data processing in relation to the Controller’s employees and potential employees and its office audit
9.1. The Data Controller may process the following personal data regarding its employees:
9.2. The purpose of the processing of data related to the employees of the Data Controller is to fulfil the legal obligations of the Data Controller.
9.3. The duration of the processing of data concerning the employees of the Data Controller is determined by the applicable legislation and the legitimate interest of the Data Controller applied in accordance therewith.
9.4. By submitting the documents required for his/her application to the Data Controller, the potential employee consents to the Data Controller processing his/her personal data provided during the application process for the purposes of recruitment, selection and, in the case of a successful application, employment.
10. Contract-related data processing
10.1. This Policy is considered as a contractual term of the contract of the Data Controller, which is part of the contract but can be physically handled separately from it.
10.2. The processing of personal data arising from the contracts of scholarship holders and trainees assisting the Controller’s work, the scope of the data processed is determined by the applicable legislation, the rules of the sending higher education institution and the legitimate interest of the controller applied in accordance with them.
10.3. By signing the contract with the Data Controller, the party entering into the contract acknowledges that it has carefully read and understood the content of the Policy, has accepted it as the Data Controller’s legally required data protection measures and has expressly consented to the processing of its personal data by the Data Controller.
10.4. With regard to the duration of data processing, the provisions of the Civil Code in force shall apply to the enforcement of legal claims arising from contracts.
11. Rights and obligations of the User
11.1. Within the scope of his/her rights, the User may request in a verifiable manner that the Data Controller inform him/her whether the Data Controller processes any of his/her personal data and, if so, provide access to the electronic and paper records and project documents of the Data Controller related to such data, if so requested.
11.2. In addition to the personal data processed by the Data Controller, the User’s request for information may include the source of the personal data, the purpose, legal basis and duration of the processing and transfer, the data of any data processors, service providers and other activities related to the processing.
11.3. The User may request the rectification of his/her personal data by the Data Controller in a verifiable manner. Once the request has been fulfilled, the amended data (except for data changes requiring further amendments) can no longer be restored.
11.4. The User may request the erasure of his/her personal data by the Data Controller in a verifiable manner. Deletion may be refused if
The Data Controller shall inform the Us er of the refusal of the deletion request, stating the reason. Once the request for erasure of personal data has been fulfilled, the previously erased data can no longer be restored.
The procedure for deleting personal data must be clear and verifiable.
11.5. The User may request in a verifiable manner that the Controller restricts the processing of his/her personal data if
11.6. The User may object to the processing of her/his personal data if
11.7. The Data Controller is obliged to assess the merits of the User’s request for restriction or the lawfulness of the User’s objection as soon as possible after the request is submitted, but within 30 days at the latest if the User is prevented from doing so.
11.8. If the User’s request or objection is justified, the Data Controller shall restrict or terminate the processing of the personal data and, if necessary, with the involvement of the User, take measures to ensure that the correct data are recorded; it shall then notify the persons to whom the personal data were previously disclosed of the measures taken.
11.9. The User warrants that the personal data provided or made available to the Data Controller about another natural person is accurate, that the consent of the natural person concerned has been obtained lawfully, or, where applicable, that the User is acting lawfully on behalf of the other natural person. If the User has unlawfully provided the personal data, the User shall be fully liable in this respect.
12. External providers
12.1. The Data Controller uses or may use external service providers (hereinafter referred to as the “Service Provider”) on a contractual basis in the provision of its services, in particular for the operation of its media sites.
12.2. The Data Controller distances itself from the activities of the contracted service providers, during which they access personal data (e.g. user IP addresses) processed by the Data Controller through their web applications (e.g. cookies, click meters) without the specific consent or knowledge of the User or the Data Controller, and use them to ensure the personalisation of their services and the preparation of their statistics.
12.3. The Data Controller also distances itself from service providers with which it does not have a contractual relationship, but whose technical solutions allow them to access its services and collect data that can identify the User.
12.4. Such service providers may include, but are not limited to, service providers that operate Google, Facebook, LinkedIn, YouTube.
12.5. The personal data stored and processed in the systems of the service provider is governed by the privacy policy of the service provider.
12.6. To find out the data management rules applied by such service providers, it is recommended to visit the website or customer service of the service provider concerned.
12.7. The web analytics and ad serving service provider currently cooperating with the Data Controller is Google Analytics.
13. Enforcement possibilities
13.1. The User may contact the following employee of the Data Controller with any questions or comments regarding the personal data processed by the Data Controller, who will facilitate the enforcement of the legal provisions on the processing of personal data and the rights of the data subjects: dr. Jankai Norbert.
Contact
13.2. The User may also directly contact the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11; phone: +36-30-683-5969; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).
13.3. The User may take legal action against the controller or the processor in connection with processing operations within the scope of the processor’s activities, if the User considers that the controller or the processor acting on his/her behalf or under his instructions is processing his personal data in breach of the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union. The action may also be brought, at the User’s choice, before the competent court in the place of residence or domicile.
14. Final provisions
14.1. The Data Controller reserves the right to unilaterally amend the text of the Policy in the light of changes in legislation, the content of new or amended guidelines and other interpretations in accordance with the law.
14.2. In the event of any dispute between the Data Controller and the User, the terms used in this Policy shall be interpreted in accordance with the purpose and content of the applicable data protection legislation.
14.3. The Policy is available for electronic consultation on the Data Controller’s website and in person at the offices of the Data Controller.
The privacy statement can be downloaded in English and in signed form here:
The project is financially supported by the European Union,
within the framework of the Interreg Hungary – Slovakia Programme.
For more information visit www.skhu.eu.
The project is financially supported by the European Union,
within the framework of the Interreg Hungary – Slovakia Programme.
For more information visit www.skhu.eu.