You are here:
National Research, Development and Innovation Office Data Protection Policy
15 November 2017
Last modified: 25 June 2019
Reading time: 39 minute(s)

Part I
Introduction

 

The National Research, Development and Innovation Office (hereinafter as: NRDI Office) as controller considers it a key priority to disclose and publish the data of public interest to the widest audience possible. Furthermore, the NRDI Office is committed to protect the data subjects’ personal data, and highlights the importance of respecting the data subjects’ right to informational self-determination. The NRDI Office handles all personal information confidentially and makes all security, technical and organisational measures to guarantee the security of data.

The personal data and the data of public interest shall be processed by the NRDI Office in accordance with Act CXII of 2011 on informational self-determination and the freedom of information (hereinafter as: the Information Act) and the positions issued by the President of the Hungarian National Authority for Data Protection and Freedom of Information, in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (hereinafter as: GDPR).

The purpose of this Data Protection Policy is to harmonise the other internal policies of the organisation in respect of the processing activities, in order to protect the fundamental rights and freedoms of natural persons and to ensure the appropriate processing of personal data. The issuance of the Data Protection Policy serves another important purpose as well, namely that by becoming aware of the provisions of this Data Protection Policy, the associates of the organisation and the heads of the individual organizational units will be able to perform the processing of the data of natural persons in a lawful manner.

This Data Protection Policy lays down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data. The provisions of the Data Protection Policy shall be applied in the course of the specific data processing actions and upon issuance of the instructions and notifications aimed to regulate data processing.

The data subject hereby accepts the terms and conditions laid down in this Policy by providing their personal data.

1. The controller:

The National Research, Development and Innovation Office (registered seat: 1077 Budapest, Kéthly Anna tér 1.; hereinafter as: Controller), as Controller, accepts the contents of this Data Protection Policy as binding for itself. It undertakes to guarantee that all data processing related to its activity shall comply with the provisions and requirements of this Data Protection Policy, its other internal policies and the currently effective legislation.

The Processor:

The NRDI Office shall also engage Processors in the course of its activities related to personal data processing. Controller has a contract based relationship with the following processor:

  • Nemzeti Infokommunikációs Szolgáltató Zártkörűen Működő Részvénytársaság (1081 Budapest, Csokonai utca 3.)
2. Publication

The Data Protection Policy of the NRDI Office shall be available continuously on the following websites: http://nkfih.gov.hu/ and http://h2020.gov.hu (hereinafter collectively as: website or homepage).

 

3. Amendment and scope of this Data Protection Policy

The NRDI Office reserves its right to change this Data Protection Policy unilaterally, without limitation in time, subject to giving notice to the data subjects in due time, in the appropriate manner. Amendment of the Data Protection Policy may become necessary primarily to ensure compliance with legislation.

The contents of the website of the NRDI Office are copyright protected, hence its pictorial or textual elements can only be used with the prior written permission of the owner. The NRDI Office does not assume any liability for any possible damage arising from visiting the website.

This Data Protection Policy shall be valid until withdrawn, its scope shall include the officers, employees, data protection officers of the organisation; furthermore all the data subjects whose personal data are processed by the NRDI Office.

Part II
Definitions

  • data subject: any natural person who is or who can be identified directly or indirectly on the basis of any specific personal information;
  • personal data: the data relating to the data subject, in particular the name and identification number of the data subject, as well as one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity or conclusions drawn from the data with regard to the data subject;
  • any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • sensitive data:
    1. personal data relating to ethnic origin, nationality, political opinion or political affiliations, religious or other ideological convictions, membership in any interest groups, sexual life,
    2. personal data relating to health or pathological addictions and personal criminal data;

  • consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • data processing: shall mean the performance of the technical tasks related to the data handling operations, regardless of the method applied and the tools used for such operations, or the place of application, provided that the technical tasks are executed on the data;
  • processor: the natural person or legal entity or an organisation without legal personality that processes the data, based on its contract concluded with the controller (including if such contract is executed pursuant to law);
  • a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the course of its data processing related activities and in this Data Protection Policy, the NRDI Office shall use the terms and expressions used in the Information Act and the GDPR.

 

Part III
Processing of personal data

Cookies

Since natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as cookie identifiers, therefore these data, when combined with other information are suitable and may be used to create profiles of the natural persons and to identify them.

The websites operated by the NRDI Office use cookies to improve user experience. Visitors receive a session ID in an anonymous manner, through which the start and end times of the visit, as well as the visited pages are recorded for statistical purposes. Each new visitor is notified about this practice upon downloading of the first page. Cookies are used for statistical purposes.

The servers of the NRDI Office automatically log the IP addresses of the users at each access level of the website, and also the type of the operating system and browser program used, the URL address of the visited pages, as well as the time of the visit. These data are used by the NRDI Office only and exclusively in an aggregated, anonymous and processed manner, for purposes of eliminating any possible errors in the website, and to improve the quality of service and for statistical purposes.

The data subject has to be notified in advance about the cookies storing the data recorded by the user, the authentication session cookies, the user-centric cookies, the multimedia session cookies, the load balancing session cookies, and the session cookies facilitating the customisation of the user interface, however, the data subject’s consent is not required for these.

 

Sending of newsletters

Visitors of the website operated by the NRDI Office has the chance to subscribe to the NRDI Office newsletter service so that they get notices about the latest research, development and invitation calls, news and events. For that purpose the name and e-mail address of the data subjects are recorded.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
consent of the data subject
Information about the latest research, development and invitation calls, news and events.
until requesting the unsubscription from the newsletter service
E-mail
consent of the data subject
Information about the latest research, development and invitation calls, news and events.
until requesting the unsubscription from the newsletter service

The data subjects subscribing to the newsletter service accept the terms and conditions of this Data Protection Policy by starting the registration process. After the registration request is sent, the data subject receives a confirmation e-mail to the e-mail provided by them, and by clicking on this message, the registration becomes active. In the event the confirmation is not made within 24 hours, the registration process must be started again.

The method of unsubscription from the newsletter service is notified by the NRDI Office to the data subjects in an easily accessible and clear manner. One can unsubscribe by clicking on the „Unsubscribe” link displayed at the bottom of the newsletters, or by sending a request to the address of the NRDI Office indicated in this Data Protection Policy (kommunikacio@nkfih.gov.hu, 1077 Budapest, Kéthly Anna tér 1.).
One can also unsubscribe by clicking on the “Unsubscribe” button placed at the bottom of the NRDI Office website, and then the data subject is required to enter the e-mail regarding which they intend to unsubscribe. In this latter case, the data subject receives a confirmation message to the e-mail provided by them.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service.
The NRDI Office shall be responsible for the data processing specified in this subsection.

 

Registration to access closed libraries on the nkfih.gov.hu website

There are password protected contents on the website of the NRDI Office at nkfih.gov.hu which can only be accessed by authorised persons, following registration.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
consent of the data subject
Access to password protected content.
until termination of the registration
E-mail
consent of the data subject
Access to password protected content.
until termination of the registration

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

Making an appointment for accessing/inspecting files

The NRDI Office provides the option to the applicants to access certain files and documents, based on its policies created in conformity with the provisions of Act CXII of 2011 on informational self-determination and the freedom of information. This access to the files and documents is ensured by the associates of the NRDI Office at times agreed in advance. These appointments can be agreed in advance through the website at nkfih.gov.hu.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Applicant’s name (if the applicant is a natural person)
consent of the data subject
making an appointment for accessing files
personal data will be erased 30 days following the access to the files.
Name of the person accessing/inspecting the files or documents
consent of the data subject
making an appointment for accessing files
personal data will be erased 30 days following the access to the files.
E-mail of the person accessing/inspecting the files or documents
consent of the data subject
making an appointment for accessing files
personal data will be erased 30 days following the access to the files.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

Publication of calls for proposals, monitoring of the calls, related news

The NRDI Office displays on its website the calls for proposals and other information about calls taken over from the current and legal predecessor organisations, the Hungarian and international news related to research and development and innovation, and the Hungarian calls for proposals and news related to calls.

Data subjects have the option to keep track of any specific call for proposals, and the data subjects will receive continuous information about the related news, changes and events.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
consent of the data subject
Information to the data subjects about the specific calls for proposals they wish to monitor and keep track of, any changes to these calls, and also the related events and news.
until the given call is closed. Prior to this, the personal data are erased if this is requested by the respective data subject.
E-mail
consent of the data subject
Information to the data subjects about the specific calls for proposals they wish to monitor and keep track of, any changes to these calls, and also the related events and news.
until the given call is closed. Prior to this, the personal data are erased if this is requested by the respective data subject.

Data subjects will receive continuous information in e-mail about the calls for proposals they wish to monitor and keep track of right until the given call for proposals is closed. At that point the provided personal data will be erased automatically. Prior to this, if the data subject does not intend to receive further information about the given call, the related news, events, and changes, he/she may request to unsubscribe.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

Publication of the results of the calls

In order to meet its obligations required under law, the NRDI Office shall publish on its website the data related to the winning calls. This type of data processing and the publication of personal data are acknowledged by the applicants (data subjects) as of submission of their applications.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
project title
place of implementation
date of decision
amount of the funding total costs of the project
general disclosure list of Act CXII of 2012 (Section III.3)
compliance with a legal obligation to which the NRDI Office is subject
in accordance with the provisions of the specific records management policy issued by the NRDI Office, the results of the calls are stored in the archives for 15 years

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

Event management

G.1. Registering to the event

The NRDI Office organizes events related to its activities, where it informs the general public about the experiences learned from the calls and other events related to the calls. Those data subjects can participate at the public events who have registered in advance.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, e-mail
consent of the data subject
Verifying the right to participate at the event, preliminary calculation concerning the number of participants, preparations for satisfying the needs
Once the given event is completed, the provided personal data will be erased.
The field (organisation) from where the data subject is coming
consent of the data subject
The NRDI Office assesses which fields are drawn by the event organised by it, so that it can organise events specialised to these fields in the future.
Once the given event is completed, the provided personal data are recorded in an aggregated, anonymous and processed manner, for statistical purposes. Following this, no individuals can be identified in the case of the data subjects participating at the event.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

G.2. Photo materials made at the events

The NRDI Office may take pictures of the lecturers, the venue, and also the participating data subjects at the events organised by it, and may publish these photos on its website and possibly in its publications. Pursuant to Article 2:48 (1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may take photos of them and publish these on its website or possibly in its publications. No publication of these photos is allowed outside the website and/or publications of the NRDI Office, except if the explicit consent of the given data subject has been obtained by the NRDI Office prior to the publication.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
The data subject’s image
consent of the data subject
Publication on the website of the things happening at the event.
The photo material will be made public to the visitors of the website following the event, right until they are withdrawn. Prior to this, if the data subject so requests, the Controller shall pixelate the concerned data subject on the objected picture, thereby disguising the identity of the concerned data subject, or shall delete the objected picture from the website.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

G.3. Audio recordings made at the events

The NRDI Office may make audio recordings of the words spoken at the events organised by it, and may transcribe these audio recordings into a written form after the event and may publish such written documents on its website. Data subjects may ask questions from the lecturers during the events and hence these questions are recorded as well.

Pursuant to Article 2:48(1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may make audio recordings at its events and publish the transcripts on its website. No publication is allowed outside the website of the NRDI Office, except if the explicit consent of the data subjects has been obtained by the Controller prior to the publication.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Audio recordings from the data subject
consent of the data subject
Professional recording of the words spoken at the events, making a transcript about the audio recordings and publication thereof on the website.
The transcript about the audio recording will be made within 30 days following the event, and afterwards the NRDI Office shall delete the audio recording and shall publish only and exclusively the written documentation on its website.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

G.4. Video footage and online broadcasting

The NRDI Office shall use technical (video) solutions – recording images and sounds simultaneously – about the events organised by it, and in the course of this, video recordings shall be made of the events. The video recordings shall be published on the website of the Controller.

The video recording shall also be broadcast live on the Youtube channel operated by the NRDI Office.
Pursuant to Article 2:48(1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may make recordings which are recording images and sounds simultaneously at its events and broadcast this live on its Youtube channel, and publish it on its website, either in full, or in an edited form.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Images and audio contained in the video recording
consent of the data subject
Publication on the website, production of short videos to provide posterior information to the general public.
The video recording, as well as all of its versions, will be made public to the visitors of the website, right until these are withdrawn. Prior to this, if the data subject so requests, the NRDI Office shall pixelate and/or distort the concerned data subject in the objected video sections, thereby disguising the identity of the concerned data subject, or shall alter (edit) the objected video so that the images and audio about the data subject shall not be accessible.
Images and audio contained in the video recording
consent of the data subject
Live broadcasting on the Youtube channel in order to provide simultaneous information to the general public; then publication of (leaving) these on the Youtube channel to ensure posterior retrieval.
The video recording will be available for the public on the Youtube channel of the NRDI Office right until withdrawn.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

H. Liaising with the media

The NRDI Office shall keep press conferences on a regular basis and answer any possible questions of the press. In order to coordinate the media relations and organise the press events, the personal data of the media workers, being data subjects, must be processed.

Anyone informed of the completely public press conferences via the MTI Tükör or the website of the NRDI Office may participate at these events. However, only the invited media workers may participate at the press events organised specifically for a predefined circle of journalists. For that purpose the NRDI Office shall keep a grouped register about the individual media workers. In order to receive invitations, the media workers may subscribe to this register by sending a letter to kommunikacio@nkfih.gov.hu. Similarly, media workers may initiate their deletion from the register by sending a letter to the same e-mail address specified in this Section.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, e-mail, phone number, name of the concerned media outlet
consent of the data subject
Prior notice about press events affecting a special field, in order to ensure that the data subject, as media worker, may participate at the press conference. Certain press conferences are not relevant to certain types of journalists, therefore the name of the given media outlet may be required as well. Failure to provide this information may result that the concerned data subject will be notified of every press event, even of those that are outside his/her special field. The aim of the processing is the legitimate interest of the NRDI Office, to ensure that the general public is informed of the activities of the NRDI Office through the media workers, as widely as possible.
Until the concerned media worker requests his/her deletion from the register.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

 

I. Requests for data of public interest

The NRDI Office, meeting its statutory obligation, keeps a register about the requests made for provision of data of public interest processed by it, regardless of the way these requests were made (in writing, orally or electronically). The data subject sending a request for provision of data of public interest acknowledge, by sending the given request, that his/her personal data are recorded.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, address for service (postal address, e-mail address)
Article 28(2) of Act CXII of 2011
fulfilment of the request for data of public interest performance of the test based on the criteria specified under Article 29(1a) of the Information Act payment of the defined expense reimbursement due for fulfilment of the request
in accordance with the provisions of the specific records management policy issued by the NRDI Office, the requests filed for provision of data of public interest are stored for 10 years.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

The data subject’s consent, conditions

Only the legal representative of the data subject with a lack of capacity, under the age of 14 shall have the right to provide personal data on behalf of the concerned data subject. The statement of the legal representative shall be required for provision of the personal data of a data subject with a lack of capacity. The signed statement shall be sent to the NRDI Office by personal delivery or by post or in e-mail, and the statement can also be made via any other verifiable manner (e.g. image and/or audio recording).

The declaration of consent of the legal representative of the minor with diminished capacity, under the age of 16 shall be required for the processing of the personal data of such minor.

No consent or subsequent approval of the legal representative shall be required for the validity of the legal statement containing the consent given by the minor over the age of 16 given regarding the processing of his/her data (i.e. to registration or the provision of his/her personal data in any other manner). Such a data subject may give his/her consent to the processing depending on the way of data provision.

Processing based on consent can only take place if the consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of data, such as by a written statement, including by electronic means, or an oral statement (or by being present at the event of the NRDI Office, in case of participation at the event of the NRDI Office). If the data subject ticks the checkbox regarding the consent to processing in the course of visiting the website, it shall qualify as a consent given to the processing as well. Silence (with the exception of participation at the event of the NRDI Office), pre-ticked boxes or inactivity shall not constitute consent. Consent could also include the choosing of technical settings for electronic services by the user or making a statement or conduct which clearly indicates in this context the data subject's consent to the processing of his or her personal data.

If processing is based on consent, the controller must be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Where the child is below the age of 16 years, the processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited, except if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

The data subject’s consent must clearly indicate (without doubt) that the data subject consents to the processing. Where processing is based on the data subject's consent, if there is any doubt, it shall be the controller’s liability to demonstrate that the data subject has given consent to the processing operation.

 

Part IV
Security of processing

By applying appropriate technical and organisational measures, corresponding to the given risk, the NRDI Office shall ensure the security of the data subjects’ data, and also the protection against unauthorised or unlawful processing or accidental loss, destruction or damage, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the IT systems and equipment used for the processing of personal data. For that purpose, the NRDI Office is using IT tools in its systems, in particular firewalls, encryption, physical protection devices, furthermore it installs physical protection in all the premises where the data are accessible. The NRDI Office, when defining and applying data protection measures, takes into account the current state of the art technology. In the event several possible data processing methods are available, the one ensuring the highest level of personal data protection shall be selected, unless it poses disproportionate difficulties to the NRDI Office.

Personal data breach

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud.

In the event of unlawful processing of personal data, the given breach must be reported to the Hungarian National Authority for Data Protection and Freedom of Information, acting as the supervisory authority. In the case of a personal data breach, the NRDI Office shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in any risk to the rights of natural persons. The personal data breach must be reported to the supervisory authority without undue delay, but within 72 hours at the latest, unless it can be demonstrated, in accordance with the accountability principle, that the personal data breach is unlikely to result in any risk to the rights and freedoms of natural persons. The data subject must be notified, without delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions.

Data transfers

Upon description of the specific data processing operations, the NRDI Office shall list – if and when necessary – the recipients of data transfers and the categories of recipients. The NRDI Office may transfer the personal data to bodies under its supervision, based on its legitimate interest (such as the creation of uniform, group level records for administrative purposes).

The NRDI Office shall be obliged and entitled to transfer any personal data available to it and stored by it lawfully, to the competent authorities, if it is required to do so based on any piece of legislation or final and enforceable regulatory obligation. The NRDI Office shall not be liable for these data transfers or the consequences thereof.

The NRDI Office shall transfer personal data to controllers seated in third countries (i.e. not in a EEA Member State) only in conformity with the provisions of the GDPR and the currently effective legislation.

 

Part V
Rights of the data subjects, legal remedies

The data subject can exercise any of his/her rights guaranteed under this Policy and/or under law via any of the contact channels of the NRDI Office specified in this Policy.

Rights of the data subject

1 .Right to request information (right to access)

Any data subject may request information from the NRDI Office whether any processing of their personal data is under way, and also concerning which personal data the NRDI Office processes regarding him or her, the legal basis and purpose of processing, the source of the data, and the period of processing; to whom, when, under what legislation was access provided regarding their personal data, which personal data were involved, to whom these data were transmitted, including in particular any recipients from third countries or international organisations.

Upon his/her request, the information must be sent to the provided contact channel, without delay, but in no event later than within 30 days.

2. Right to rectification

Any data subject may request the modification or supplementation of any of their data. Upon his/her request, measures shall be taken without delay, but not later than within 30 days, and a notice is to be sent to the provided contact point.

3. Right to erasure (right to be forgotten)

Any data subject can request the erasure of their data if

  1. their personal data are no longer necessary in relation to the purposes for which the NRDI Office processed them;
  2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  3. the data subject objected to the processing and there is no other legitimate reason for the processing;
  4. their personal data were processed by the NRDI Office unlawfully;
  5. their personal data have to be erased for compliance with a legal obligation to which the NRDI Office is subject;
  6. the personal data have been collected in relation to the offer of information society services to children.

Upon his/her request, this has to be performed without delay, but no later than within 30 days, and a notice is to be sent to the provided contact channel.

4. Right to blocking, restriction

Any data subject can request the blocking of their data if

  1. the accuracy of the personal data is contested by the data subject, in which case the restriction/blocking shall be for a period enabling the verification of the accuracy of the personal data by the NRDI Office;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the NRDI Office no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing; in this event the restriction is pending the verification whether the legitimate grounds of the NRDI Office override those of the data subject.

The data shall be blocked as long as necessitated by the reasons stated. Upon request, this has to be performed without delay, but not later than within 30 days, and a notice is to be sent to the provided contact channel.

5. The right to objection

Any person can object to the processing based on legitimate interest through the specified contact channels. In this case, the NRDI Office shall no longer process the personal data unless it demonstrates legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The objection must be reviewed and a decision about its justification is to be made as soon as possible, but not later than within 15 days, and a notice is to be sent about the decision to the provided contact channel.

6. Right to data portability:

The data subject shall have the right to request from the NRDI Office to receive the personal data concerning him or her, which he or she has provided to the NRDI Office, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, if processing is based on the data subject’s consent or a contract and the processing is carried out by automated means. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The NRDI Office shall fulfil the data subject’s request within 30 days at the latest, and shall notify the data subject in a letter sent to the contact channel provided by the data subject.

7. Withdrawal of consent:

The data subject has the right to withdraw his/her consent at any time, free of charge, if the processing was based on consent. For more details on the terms and conditions of withdrawal of consent, see the last Section (titled “The data subject’s consent, conditions”) of Part III titled “Processing of personal data”.

Legal remedies related to the data processing:

Supervisory Authority:

Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c 
Phone: +36 (1) 391-1400 
Fax: +36 (1) 391-1410 
E-mail: ugyfelszolgalat (at) naih.hu 
URL: https://naih.hu 
coordinates: N 47°30'56''; E 18°59'57'' 

The data subject, if his/her rights are violated, and the data importer may take legal action against the controller and bring the case to court. The court shall hear the case in an accelerated procedure. At the data subject’s discretion, the legal action can also be started at the regional court having competence according to the data subject’s domicile or habitual residence as well.

The NRDI Office shall provide information to the data subject without undue delay and in any event within one month of receipt of the request at the latest. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The obligation to provide information can be fulfilled via the operation of such a secure online system through which the data subject can easily and rapidly access the necessary information.

Updated: 25 June 2019
Feedback
Was this page helpful?