National Research, Development and Innovation Office General Data Protection Policy
Part I
Introduction
The National Research, Development and Innovation Office as the data controller (hereinafter: NRDI Office or Controller) attaches great importance to the widest possible disclosure of data of public interest, to protecting the personal data of the data subjects, and to respecting the right of data subjects to information self-determination. The NRDI Office treats personal data confidentially and takes all security, technical and organisational measures to guarantee the security of the data.
The NRDI Office processes personal data and data of public interest in accordance with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.) and the resolutions issued by the President of the National Authority for Data Protection and Freedom of Information, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR).
The purpose of this Data Protection Policy is to harmonise the requirements of the other internal rules of the organisation with regard to data management activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the adequate processing of personal data. Another important purpose of issuing a Data Protection Policy is to ensure that the staff of the organisation and the heads of the individual departments are able to handle the data of natural persons lawfully.
This Data Protection Policy sets out the rules on the protection of natural persons with regard to the processing of personal data and on the free flow of personal data. The provisions of this Data Protection Policy shall be applied in the specific processing activities and when issuing instructions and notices governing the processing.
1. The controller:
The National Research, Development and Innovation Office (NRDI Office)
Seat: 1077 Budapest, Kéthly Anna tér 1.
Mailing address: 1438 Budapest POB: 438
Central phone number: (+36 1) 795 9500
Central e-mail addresses: nkfihivatal@nkfih.gov.hu, kommunikacio@nkfih.gov.hu
Internet: http://www.nkfih.gov.hu
Representative: Ádám Kiss, President
The NRDI Office will endeavour to ensure that all data processing in relation to its activities is in accordance with the requirements set out in this Data Protection Policy, its internal rules and applicable law.
2. Name and contact details of the Data Protection Officer
Data protection officer of the NRDI Office: dr. Gyula Csaba Gór
Direct contact details:
Email address: adatvedelmitisztviselo@nkfih.gov.hu
Phone number: +36 20 480 4365
3. Processor:
The NRDI Office also uses data processors in the course of its personal data processing activities.
Processors contracted by the Controller are as follows:
- Nemzeti Infokommunikációs Szolgáltató Zártkörűen Működő Részvénytársaság (1081 Budapest, Csokonai utca 3.)
- Express Innovation Agency VMV Nonprofit Zártkörűen Működő Részvénytársaság (1133 Budapest, Pozsonyi út 56.)
4. Disclosure
This Data Protection Policy of the NRDI Office is permanently available at: http://nkfih.gov.hu/ and http://h2020.gov.hu (hereinafter collectively as: website).
5. Amendment and scope of this Data Protection Policy
The NRDI Office reserves the right to unilaterally modify this Data Protection Policy without any time limitation and undertakes to notify the data subjects of any changes in a timely manner and in a suitable manner.
This Data Protection Policy is valid until revoked and applies to the officers, employees and data protection officer of the organisation; and to all data subjects whose personal data are processed by the NRDI Office.
Part II
Definitions
For the purposes of this Data Protection Policy:
- data subject shall mean any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;
- personal data shall mean data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn therefrom concerning the data subject;
- any information relating to an identified or identifiable natural person (“data subject”) shall mean information which makes it possible to determine, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, the identity of that person;
- special data shall mean
  - personal data revealing racial or ethnic origin, nationality, political opinions or opinions, religious or philosophical beliefs, membership of an interest group or membership of a representative body, sex life,
  - personal data concerning health, pathological addiction and personal data concerning criminal offences;
- data subject’s consent shall mean a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation;
- controller shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by EU or Member State law, the controller or specific criteria for the designation of the controller may also be determined by EU or Member State law;
- processing shall mean any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- processing shall mean the set of processing operations carried out by a processor acting on behalf of or under the instructions of the controller;
- data processor shall mean a natural or legal person or unincorporated body which, under a contract with a controller, including a contract concluded pursuant to a legal provision, processes personal data on behalf of or on the instructions of the controller;
- recipient shall mean the natural or legal person or unincorporated body to whom or which personal data are disclosed by the controller or processor;
- third party shall mean a natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations which are intended to process personal data;
- third country shall mean any state that is not an EEA state;
- data transfer shall mean making the data available to a specified third party;
- disclosure shall mean making the data available to anyone;
- erasure shall mean making data unrecognisable in such a way that it is no longer possible to recover it;
- data destruction shall mean the complete physical destruction of the data medium containing the data;
- restriction of processing shall mean blocking of stored data by marking it for the purpose of restricting its further processing;
- data breach shall mean a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- pseudonymisation shall mean the processing of personal data in a way which makes it impossible to determine, without further information, to which data subject the personal data relate, stored separately from the personal data, and technical and organisational measures to ensure that the personal data cannot be linked to an identified or identifiable natural person;
- profiling shall mean any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, health, personal preferences or interests, reliability, behaviour, location or movements.
In the activities related to data processing and in this Data Protection Policy, the NRDI Office uses the terms as used in the Infotv. and the GDPR.
Part III
Processing of personal data
1. Purpose, legal basis and duration of processing
A. Cookie management
Since natural persons can be associated with online identifiers provided by the devices, applications, tools and protocols they use, this data, combined with other information, can be used to profile and identify natural persons.
The websites operated by the NRDI Office, including the website of the NRDI Office (www.nkfih.gov.hu, hereinafter: Website), use cookies to ensure proper functioning and to enhance the user experience. When visiting the Website, a small block of data (a cookie) is automatically placed on the computer, notebook or other mobile device (hereinafter: device) of the user.
There are two types of cookies: session cookies and persistent cookies.
- A session cookie is stored only temporarily on the device of the data subject to prevent data loss. This cookie helps the system to remember information so that users do not have to enter or fill in the information again. The session cookie’s validity is limited to the user’s current session only, and this type of cookie is automatically deleted from the user’s device when the session ends or the browser is closed.
- Persistent cookies are stored on the user’s device even after leaving the Website. These cookies allow the Website to recognise users as returning visitors. Persistent cookies can be used to identify the data subject by associating the server-side identifier with the data subject (user), so in all cases where the authentication of the data subject is essential, this is a necessary condition for correct operation. Persistent cookies do not carry any personal data on their own and can only be used to identify the data subject (user) in combination with the assemblage stored in the server’s database. The risk of such cookies is that they do not actually identify the user, but the browser.
B. Newsletter service
Visitors to the NRDI Office’s website can subscribe to the NRDI Office’s newsletter service to stay up to date on the latest research, development and innovation calls, news and events. To this end, their names and email addresses are recorded.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name | Consent of the data subject (Article 6(1)(a) of the GDPR) | Information on the latest research, development and innovation tenders, news and events. | Until request to unsubscribe from the newsletter service |
| Email address | Consent of the data subject (Article 6(1)(a) of the GDPR) | Information on the latest research, development and innovation tenders, news and events. | Until request to unsubscribe from the newsletter service |
Subscribers to the newsletter service accept the terms of this Data Protection Policy at the time of registration. After submitting the registration request, the data subject receives a confirmation email to the email address provided by them, which will activate the registration. If confirmation is not received within 24 hours, the registration process will be restarted.
The NRDI Office will communicate the unsubscription from the newsletter service in an easily accessible and clear way to the data subjects. To unsubscribe, click the “Unsubscribe (Leiratkozás)” button at the bottom of the newsletter or contact the NRDI Office at the address indicated in this Data Protection Policy (kommunikacio@nkfih.gov.hu, 1077 Budapest, Kéthly Anna tér 1.). To unsubscribe, you can also click the “Unsubscribe (Leiratkozás)” button on the NRDI Office’s website and provide the email address at which you do not wish to receive future newsletters. If you unsubscribe this way, you will receive a confirmation message at the email address provided.
The provision of the personal data indicated is necessary for the processing for the purposes described in this subsection, because in the absence of such provision, the data subject will not be able to use the service.
C. Register to access closed libraries on nkfih.gov.hu
The NRDI Office’s website nkfih.gov.hu also contains password-protected content, which is available to authorised users after registration.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name | Consent of the data subject (Article 6(1)(a) of the GDPR) | Access to password protected content. | Until the registration is cancelled |
| Email address | Consent of the data subject (Article 6(1)(a) of the GDPR) | Access to password protected content. | Until the registration is cancelled |
| Proof of eligibility | Legislation or contractual relationship with the NRDI Office (Article 6(1)(b) and/or (c) GDPR) | Access to password protected content. | During the legal relationship, in accordance with the scope of the relevant laws |
The consequence of not providing the data is that the data subject cannot use the service.
D. Customer relationship management
D.1. Inquiries to Customer Service
The NRDI Office operates a helpdesk primarily for the performance of its public tasks related to the management of calls for proposals, the primary channel for client requests being email at nkfialap@nkfih.gov.hu, nkfihivatal@gov.hu.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Email address and personal data provided by the client in the electronic request | Consent of the data subject (Article 6(1)(a) of the GDPR) | Handling of client requests and proof that the request has been fulfilled | Emails sent to client contact email addresses will be deleted on 31 December of the year following the year of receipt. |
For the purposes described in this subsection, the email address of the client is automatically included in the data management of the NRDI Office; the scope of other personal data provided by the client is determined by the client, with the understanding that in certain cases, which are adapted to the subject of the request, defined by law or contractual obligation, the client request cannot be fulfilled without the provision of personal data.
D.2. Appointment to inspect documents
The NRDI Office makes it possible for applicants to inspect documents. Inspection of documents can be arranged by appointment with the NRDI Office. You can book your appointment in advance at nkfih.gov.hu.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name of applicant (if a natural person) | Consent of the data subject (Article 6(1)(a) of the GDPR) | Book an appointment to inspect documents | The personal data will be deleted within 30 days of the date of access. |
| Name of inspecting person | Consent of the data subject (Article 6(1)(a) of the GDPR) | Book an appointment to inspect documents | The personal data will be deleted within 30 days of the date of access. |
| Email address of inspecting person | Consent of the data subject (Article 6(1)(a) of the GDPR) | Book an appointment to inspect documents | The personal data will be deleted within 30 days of the date of access. |
The consequence of not providing the data is that the data subject cannot use the service.
D.3. Record as a proof of inspection of documents
The NRDI Office makes it possible for applicants to inspect documents. During the inspection of documents, a record is made of the fact that the documents have been inspected.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name, date and place of birth, mother’s name of the inspecting person | Consent of the data subject (Article 6(1)(a) of the GDPR) | Proof of inspection of documents | The time limit foreseen for the deletion of the personal data provided is the same as the retention period of the record of the inspection, which is 6 months from the date of inspection. Once the deadline has expired, the record is destroyed. |
The consequence of not providing the data is that the person concerned cannot use the document inspection service.
E. Publication and monitoring of calls for proposals, and relevant news
On its website, the NRDI Office publishes current calls for proposals and information from its predecessor organisations, national and international RDI news, and national calls for proposals and relevant news.
Stakeholders have the possibility to follow a call for proposals and get updated on the news, changes and events related to it.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name | Consent of the data subject (Article 6(1)(a) of the GDPR) | Informing data subjects about the specific calls for proposals they wish to monitor and follow, any changes to them, events and news related to them. | Until closure of the relevant call. Prior to this, personal data will be deleted if the data subject so requests. |
| Email address | Consent of the data subject (Article 6(1)(a) of the GDPR) | Informing data subjects about the specific calls for proposals they wish to monitor and follow, any changes to them, events and news related to them. | Until closure of the relevant call. Prior to this, personal data will be deleted if the data subject so requests. |
Data subjects will be kept informed by email about the calls for proposals they wish to monitor and follow until the call for proposals closes, at which point the personal data provided will be automatically deleted. Prior to this, if the person concerned no longer wishes to be informed about news, events or changes to the call, he or she may unsubscribe.
The consequence of not providing the data is that the data subject cannot use the service.
F. Publication of call results
In compliance with its legal obligation, the NRDI Office publishes on its website the details of the winning project proposals. By submitting a proposal, applicants (data subjects) consent to this type of processing, disclosure and publication of personal data.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name, project title, place of implementation, amount of funding | Fulfilling a legal obligation (Article 6(1)(c) of the GDPR and the general publication list of the Infotv. (point III.3)) | Fulfilling the legal obligation of the NRDI Office | In accordance with the provisions of the NRDI Office’s archiving rules, the period for which the results of the call for proposals may be archived is 15 years |
The provision of the personal data indicated is mandatory for the purposes described in this section.
G. Event management
G.1. Registration for an event
The NRDI Office organises side events related to events in its field of activity to inform the public about the main processes and events related to the NRDI Office’s activities, the experience of the calls for proposals and other news related to the calls for proposals. Public events are subject to pre-registration.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name, e-mail | Consent of the data subject (Article 6(1)(a) of the GDPR) | Checking eligibility to participate in the event, pre-assessing the number of participants, preparing to meet demand | After the end of the event, the personal data provided will be deleted. |
| Represented field of specialisation (organisation) | Consent of the data subject (Article 6(1)(a) of the GDPR) | The NRDI Office will assess the fields of specialisation that are targeted by the event it organises, with a view to organising specialised events in the future. | After the end of the event, the personal data provided will be aggregated, processed and anonymised for statistical purposes, so that no conclusions can be drawn about the identity of the data subjects. |
The consequence of not providing the data is that the data subject cannot use the service.
G.2. Taking photos at events and using them
The NRDI Office may take photographs of the speakers, the venue and the participants of the events it organises, which will be published on its website and occasionally in its publications and reference materials.
The processing is necessary for the performance of a public task carried out by the NRDI Office. The NRDI Office also seeks to improve the efficiency of R&D, to support the innovation activities of micro, small and medium-sized enterprises, to promote R&D and innovation and the environment in which they take place, and to raise awareness of their importance by publicising the results of its events.
The NRDI Office will draw your attention in advance to the fact that photographs will be taken at the event and such photographs will be used in accordance with the provisions of this Data Protection Policy.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Image of the person concerned | Performance of a task carried out by the Controller in the public interest (Article 6(1)(e) of the GDPR) | Coverage of the events through publication of information on the website and in publications and reference materials. | The photos will be made available to visitors to the website and readers of publications and reference material after the event. The Controller will delete the photographs of the events from its website only upon the express request of the data subject or in case of objection to the processing, if the Controller considers the data subject’s request to be reasonable on the basis of a balancing test. |
The consequence of not providing the data is that the data subject cannot use the service.
G.3. Capturing audio recordings at events and using such recordings
The NRDI Office may make audio recordings of the events organised by the NRDI Office, which will be transcribed after the event and made available on its website. Participants may ask questions from the speakers during the event and these questions will also be recorded.
The processing is necessary for the performance of a public task carried out by the NRDI Office. The NRDI Office also seeks to improve the efficiency of R&D, to support the innovation activities of micro, small and medium-sized enterprises, to promote R&D and innovation and the environment in which they take place, and to raise awareness of their importance by publicising the results of its events.
The NRDI Office will draw your attention in advance to the fact that audio recordings will be captured at the event and such recordings will be used in accordance with the provisions of this Data Protection Policy.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Voice recording of the data subject | Performance of a task carried out by the Controller in the public interest (Article 6(1)(e) of the GDPR) | Professional recording of the event, transcription of the audio material and publication on the website. | The audio material will be transcribed within 30 days of the event, after which the NRDI Office will delete the audio recording and publish only the written transcript on its website. |
The consequence of not providing the data is that the data subject cannot use the service.
G.4. Recording and use of video recordings, and on-line broadcasting
The events of the NRDI Office are video recorded.
The processing is necessary for the performance of a public task carried out by the NRDI Office. The NRDI Office also seeks to improve the efficiency of R&D, to support the innovation activities of micro, small and medium-sized enterprises, to promote R&D and innovation and the environment in which they take place, and to raise awareness of their importance by publicising the results of its events.
The NRDI Office will draw your attention in advance to the fact that video recordings will be captured at the event and such recordings will be used in accordance with the provisions of this Data Protection Policy.
The video recording will be published on the website of the Controller and on the YouTube channel operated by the NRDI Office, where it may also be broadcast live.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Video recorded image and voice | Performance of a task carried out by the Controller in the public interest (Article 6(1)(e) of the GDPR) | Publication on a website, making short videos to inform the public afterwards. | Until the video is taken down, it is public for visitors to the website. The Controller shall not delete from the website video recordings of events or the part thereof relating to the data subject, except at the express request of the data subject or in the event of an objection to the processing, if the Controller considers the data subject’s request to this effect to be reasonable on the basis of a balance of interests. In the case of an event supported by a grant, the Controller shall process the personal data after the event until the end of the retention period applicable to the grant. |
| Video recorded image and voice | Performance of a task carried out by the Controller in the public interest (Article 6(1)(e) of the GDPR) | Live streaming on YouTube channel to inform the public in real time; then publishing (maintaining) the video on YouTube channel for later viewing. | The video is available on the NRDI Office’s YouTube channel until it is taken down. The Controller may delete from the YouTube channel the part of the video recordings of the events relating to the data subject, only upon the express request of the data subject or in case of objection to the processing, if the Data Controller considers the data subject’s request in this regard to be reasonable on the basis of a balance of interests. |
The consequence of not providing the data is that the data subject cannot use the service.
H. Relations with the media
The NRDI Office holds regular press conferences and responds to press enquiries. In order to coordinate media relations and organise press events, it is necessary to process the personal data of press staff as data subjects.
The public press conference is open to all journalists who can obtain information about it via the MTI’s services or the NRDI website. However, press events for a limited number of journalists are only open to members of the press with a specific interest who have requested to be registered in advance so that the NRDI Office can inform them about and invite them to events in line with their interests. To receive an invitation, a member of the press can request registration by sending an email to kommunikacio@nkfih.gov.hu. To request to be removed from the register, send an email to the email address provided in this section.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name, email address, telephone number, press name | Consent of the data subject (Article 6(1)(a) of the GDPR) | Prior information about a specific press event in the field in order to enable the person concerned, as a member of the press, to attend the press conference if required. | Until the request for removal from the register by the press officer concerned. |
The consequence of not providing the data is that the data subject cannot use the service.
I. Data requests of public interest
In compliance with its legal obligations, the NRDI Office keeps a register of requests for access to data of public interest which it handles, regardless of the means of submission (written, oral, electronic). By sending a request for access to data of public interest, the data subject acknowledges that his or her personal data will be recorded.
| Scope of personal data processed | Legal Basis | Purpose | Duration of data processing |
| --- | --- | --- | --- |
| Name, notification address (postal address, email address) | Fulfilling a legal obligation (Article 6(1)(c) of the GDPR and Section 28 (2) of the Infotv.) | The fulfilment of a request for data of public interest is the examination on the basis of the criterion set out in Section 29 (1a) of the Infotv. | In accordance with the provisions of the specific document management rules issued by the NRDI Office, the retention period for requests for public interest data is 10 years. |
For the purposes of the processing described in this subsection, the provision of the personal data indicated is mandatory by law. The consequence of not providing the data is that the data subject cannot use the service.
2. Consent of the person concerned, conditions
Processing based on consent can only take place if the data subject gives his or her freely given, specific, informed and unambiguous consent to the processing of the data by means of a clear affirmative action, such as a written, including electronic, or oral statement. The data subject’s consent must unambiguously indicate that the data subject consents to the processing. In the case of participation in an event organised by the NRDI Office, consent shall be deemed to be given if the data subject, having been informed in advance, deliberately attends the event. Consent to processing is also deemed to be given if the person concerned ticks a box when viewing the website.
Silence, ticking a box or inaction does not constitute consent. Consent is also deemed to be given when a user, in the course of using electronic services, makes the relevant technical settings or makes a statement or takes an action which, in the relevant context, clearly indicates the consent of the person concerned to the processing of his or her personal data.
Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data. Where the data subject gives his or her consent in a written statement which also relates to other matters, the request for consent must be communicated in a manner clearly distinguishable from those other matters.
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed before consent is given. It should be possible to withdraw consent in the same simple way as it is given. In determining whether consent is voluntary, the utmost account should be taken of the fact, among other things, whether consent to the processing of personal data which are not necessary for the performance of the contract, including the provision of services, has been made a condition of the performance of the contract.
In the case of children under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person who has parental authority over the child.
3. The source of the personal data and the scope of the data processed, if not provided by the data subject to the NRDI Office
The NRDI Office does not process personal data that it does not collect from the data subject.
4. Data transfers
In the description of each processing operation, the NRDI Office will list the recipients of the transfers and the categories of recipients, where appropriate.
The NRDI Office uses the services of Nemzeti Infokommunikációs Szolgáltató Zrt. (1081 Budapest, Csokonai utca 3.) as a data processor for its electronic mail and for this purpose it transfers the personal data processed by it as a data controller to the data processor.
The NRDI Office shall be entitled and obliged to transmit to the competent authorities any personal data which it holds and which it has stored in accordance with the law and which it is required to transmit by law or by a final administrative decision. The NRDI Office shall not be held liable for such transfers and the consequences thereof.
The NRDI Office will only transfer personal data to a controller established in a third country (i.e. a non-EEA Member State) in accordance with the provisions of the GDPR and applicable law.
Part IV
Security of data processing
1. General data security requirements
The NRDI Office shall ensure the security of data subjects’ data, the protection against unauthorised or unlawful processing, accidental loss, destruction or damage, including the confidentiality, integrity, availability and resilience of the IT systems and tools used to process personal data, by applying technical and organisational measures appropriate to the level of risk. To this end, the NRDI Office uses IT tools, in particular firewalls, encryption, physical protection tools and physical protection at all locations where data is accessible.
The NRDI Office shall take into account the state of the art when defining and applying data security measures. It will choose among several possible data management solutions the one that ensures a higher level of protection of personal data, unless this would impose a disproportionate burden on the NRDI Office.
2. Data protection incident
A personal data breach may cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse of their identity, if not addressed in an appropriate and timely manner.
In the event of unlawful processing or processing of personal data, the National Authority for Data Protection and Information Security, as supervisory authority, must be notified. The NRDI Office must notify the supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights of the natural person. A data protection incident must be notified to the competent supervisory authority without undue delay and within 72 hours at the latest, unless it can be demonstrated, in accordance with the principle of accountability, that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
The data subject must be informed without delay if the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to enable him or her to take the necessary precautions.
Part V
Data subjects’ rights and legal remedies
Data Subjects may exercise their rights under this Data Protection Policy and the law by using any of the contact details of the NRDI Office indicated herein.
1. Deadline
The NRDI Office shall consider the data subject’s request to exercise his or her rights within a maximum of 25 days from the date of receipt of the request and shall notify the data subject of its decision in writing or, if the data subject has submitted the request by electronic means, by electronic means. The date of receipt of the request does not count towards the deadline. If necessary, the Controller may, taking into account the complexity of the request and the number of requests, extend this period by a further two months. The Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay.
2. Data subjects’ rights:
A. Right to request information (right of access)
Any data subject may request information from the NRDI Office as to whether or not his or her personal data are being processed, what data are being processed, on what legal basis, for what purpose, from what source, for how long, and to whom, when and on the basis of what law the personal data have been disclosed and which personal data this concerned, including in particular disclosure to third country recipients or international organisations.
B. Right to rectification
Any data subject may request that any of their data be amended or supplemented.
C. Right to erasure (forgetting):
Any data subject may request the erasure of their data if
- such personal data are no longer necessary for the purposes for which they were processed by the NRDI Office;
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no other legitimate grounds for the processing;
- such personal data have been unlawfully processed by the NRDI Office;
- such personal data must be erased in order to comply with a legal obligation applicable to the NRDI Office;
- the personal data were collected in connection with the provision of information society services to children.
D. Right to blocking and restriction
Any data subject may request the blocking of their data if
- the data subject contests the accuracy of the personal data, in which case the blocking/restriction shall apply for the period of time necessary to allow the NRDI Office to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
- the NRDI Office no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the NRDI Office prevail over the legitimate grounds of the data subject.
The blocking lasts as long as the reason stated makes it necessary to store the data. Upon request, this must be done without delay and within 25 days at the latest, and information must be sent to the contact details provided.
E. Right to object
Any person may object to processing based on legitimate interest using the contact details provided. In such a case, the NRDI Office may no longer process the personal data unless it can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which relate to the establishment, exercise or defence of legal claims. The objection shall be examined within the shortest possible time from the date of the request, but not later than 15 days; a decision shall be taken on the merits of the objection and communicated to the contact details provided.
F. Right to data portability
The data subject may request from the NRDI Office to receive personal data concerning them, which the data subject has provided to the NRDI Office, in a structured, commonly used, machine-readable format, and may also have the right to transmit such data to another controller, where the processing is based on the data subject’s consent or on a contract and the processing is carried out by automated means. In exercising their right to data portability, the data subject has the right to request, where technically feasible, the direct transfer of personal data between controllers.
Possibilities to enforce rights in relation to data processing:
The NRDI Office shall inform the person concerned without undue delay and at the latest within 25 days of receipt of the request. If necessary, and taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The information obligation can be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.
If the data subject considers that the Authority has infringed the applicable data protection requirements in the processing of his or her personal data, he or she may lodge a complaint with the data protection supervisory authority (National Authority for Data Protection and Freedom of Information) at the following contact details:
National Authority for Data Protection and Freedom of Information
Mailing address: 1363 Budapest, Pf. 9
Address: 1055 Budapest, Falk Miksa u. 9-11.
Phone: +36 (1) 391 1400
Fax: +36 (1) 391 1410
Email: ugyfelszolgalat@naih.hu
URL: https://naih.hu
In the event of a breach of their rights, the data subject has the right, in order to protect their data, to take the data controller to court, which will rule on the matter as a matter of priority. The lawsuit may also be brought before the competent court of the place of residence (permanent address) or domicile (temporary address) of the data subject or the competent court of the place where the Controller has its registered office. You can apply to the court competent in the place where you are domiciled or habitually resident at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso. According to the seat of the Controller, the Metropolitan Court of Budapest shall have jurisdiction over the lawsuit.