You are here:
National Research, Development and Innovation Office Data Protection Policy
15 November 2017
Last modified: 06 October 2021
Reading time: 39 minute(s)

Part I
Introduction

 

The National Research, Development and Innovation Office (hereinafter as: NRDI Office or Controller) as controller considers it a key priority to disclose and publish the data of public interest to the widest audience possible. Furthermore, the NRDI Office is committed to protect the data subjects’ personal data, and highlights the importance of respecting the data subjects’ right to informational self-determination. The NRDI Office handles all personal information confidentially and makes all security, technical and organisational measures to guarantee the security of data.

The personal data and the data of public interest shall be processed by the NRDI Office in accordance with Act CXII of 2011 on informational self-determination and the freedom of information (hereinafter as: the Information Act) and the positions issued by the President of the Hungarian National Authority for Data Protection and Freedom of Information, in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter as: general data protection regulation or GDPR).

The purpose of this Data Protection Policy is to harmonise the other internal policies of the organisation in respect of the processing activities, in order to protect the fundamental rights and freedoms of natural persons and to ensure the appropriate processing of personal data. The issuance of the Data Protection Policy serves another important purpose as well, namely that by becoming aware of the provisions of this Data Protection Policy, the associates of the organisation and the heads of the individual organizational units will be able to perform the processing of the data of natural persons in a lawful manner.

This Data Protection Policy lays down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data. The provisions of the Data Protection Policy shall be applied in the course of the specific data processing actions and upon issuance of the instructions and notifications aimed to regulate data processing.

1. The controller:

The National Research, Development and Innovation Office (NRDI Ofiice)

Registered seat: 1077 Budapest, Kéthly Anna tér 1.
Postal address: 1438 Budapest Pf. 438.
Tax registry number: 15831000-1-42
Treasury account: 10032000-00334820-00000000
Central telephone: (+36-1) 795 9500
Central e-mail addresses: nkfihivatal@nkfih.gov.hu. kommunikacio@nkfih.gov.hu
Website: http://www.nkfih.gov.hu

The NRDI Office undertakes to guarantee that all data processing related to its activity shall comply with the provisions and requirements of this Data Protection Policy, its other internal policies and the currently effective legislation.

2. Name and contact of the data protection officer:
Data protection officer at the NRDI Office: dr. Gyula Fonyó
Direct contact: e-mail address: adatvedelmitisztviselo@nkfih.gov.hu
telephone: +36 20 932 9144
3. The Processor:

The NRDI Office shall also engage Processors in the course of its activities related to personal data processing. Controller has a contract based relationship with the following processor:

  • Nemzeti Infokommunikációs Szolgáltató Zártkörűen Működő Részvénytársaság (1081 Budapest, Csokonai utca 3.)
4. Publication

The Data Protection Policy of the NRDI Office shall be available continuously on the following websites: http://nkfih.gov.hu/ and http://h2020.gov.hu (hereinafter collectively as: website or homepage).

 

5. Amendment and scope of this Data Protection Policy

The NRDI Office reserves its right to change this Data Protection Policy unilaterally, without limitation in time, and binds itself to give notice to the data subjects in due time, in the appropriate manner.

This Data Protection Policy shall be valid until withdrawn, its scope shall include the officers, employees, data protection officers of the organisation; furthermore all the data subjects whose personal data are processed by the NRDI Office.

Part II
Definitions

For the purpose of this Policy:

  • data subject: any natural person who is or who can be identified directly or indirectly on the basis of any specific personal information;
  • personal data: the data relating to the data subject, in particular the name and identification number of the data subject, as well as one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity or conclusions drawn from the data with regard to the data subject;
  • any information relating to an identified or identifiable natural person (‘data subject’); piece of information that enables, directly or indirectly, the personal identification of the data subject, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity;
  • sensitive data:
    1. personal data relating to ethnic origin, nationality, political opinion or political affiliations, religious or other ideological convictions, membership in any interest groups, sexual life,
    2. personal data relating to health or pathological addictions and personal criminal data;
  • data subject’s consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • data processing: any and all data processing operations performed by a processor upon the assignment or provision of the controller;
  • processor: a natural person or legal entity or an organisation without legal personality that processes personal data, based on its contract concluded with the controller (including if such contract is executed pursuant to law) upon the assignment or provision of the controller;
  • recipient: a natural person or legal entity or an organisation without legal personality to whom or which personal data are disclosed by the controller or processor;
  • third party: a natural person or legal entity or an organisation without legal personality other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations which are intended to process personal data;
  • third country: any state that is not an EEA state;
  • data transfer: making the data available to a specified third party;
  • disclosure: making the data available to anyone;
  • erasure: making data unrecognisable in such a way that it is no longer possible to recover it;
  • data destruction: the complete physical destruction of the data medium containing the data;
  • restriction of processing: blocking of stored data by marking it for the purpose of restricting its further processing;
  • personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • pseudonymisation: processing of personal data in a way that makes it impossible to determine to which data subject the personal data relate, without further information being stored separately from the personal data, and by technical and organisational measures to ensure that the personal data cannot be linked to an identified or identifiable natural person;
  • profiling: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, state of health, personal preferences or interests, reliability, behaviour, location or movements.

In the course of its data processing related activities and in this Data Protection Policy, the NRDI Office otherwise shall use the terms and expressions used in the Information Act and the GDPR.

 

Part III
Processing of personal data

1. Purpose, legal basis and duration of processing

A. Cookies

Since natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as cookie identifiers, therefore these data, when combined with other information are suitable and may be used to create profiles of the natural persons and to identify them.

The websites operated by the NRDI Office use cookies to improve user experience. Visitors receive a session ID in an anonymous manner, through which the start and end times of the visit, as well as the visited pages are recorded for statistical purposes. Each new visitor is notified about this practice upon downloading of the first page. Cookies are used for statistical purposes.

The servers of the NRDI Office automatically log the IP addresses of the users at each access level of the website, and also the type of the operating system and browser program used, the URL address of the visited pages, as well as the time of the visit. These data are used by the NRDI Office only and exclusively in an aggregated, anonymous and processed manner, for purposes of eliminating any possible errors in the website, and to improve the quality of service and for statistical purposes.

The data subject has to be notified in advance about the cookies storing the data recorded by the user, the authentication session cookies, the user-centric cookies, the multimedia session cookies, the load balancing session cookies, and the session cookies facilitating the customisation of the user interface, however, the data subject’s consent is not required for these.

 

B. Sending of newsletters

Visitors of the website operated by the NRDI Office has the chance to subscribe to the NRDI Office newsletter service so that they get notices about the latest research, development and invitation calls, news and events. For that purpose the name and e-mail address of the data subjects are recorded.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
Consent of the data subject
Information about the latest research, development and invitation calls, news and events.
Until requesting the unsubscription from the newsletter service
E-mail
Consent of the data subject
Information about the latest research, development and invitation calls, news and events.
Until requesting the unsubscription from the newsletter service

The data subjects subscribing to the newsletter service accept the terms and conditions of this Data Protection Policy by starting the registration process. After the registration request is sent, the data subject receives a confirmation e-mail to the e-mail provided by them, and by clicking on this message, the registration becomes active. In the event the confirmation is not made within 24 hours, the registration process must be started again.

The method of unsubscription from the newsletter service is notified by the NRDI Office to the data subjects in an easily accessible and clear manner. One can unsubscribe by clicking on the „Unsubscribe” link displayed at the bottom of the newsletters, or by sending a request to the address of the NRDI Office indicated in this Data Protection Policy (kommunikacio@nkfih.gov.hu, 1077 Budapest, Kéthly Anna tér 1.).
One can also unsubscribe by clicking on the “Unsubscribe” button placed at the bottom of the NRDI Office website, and then the data subject is required to enter the e-mail regarding which they intend to unsubscribe. In this latter case, the data subject receives a confirmation message to the e-mail provided by them.

It is necessary to provide the indicated personal data for the purpose of data processing specified in this subsection; if these data are not provided, the data subject will not be allowed to use the service.

 

C. Registration to access closed libraries on the nkfih.gov.hu website

There are password protected contents on the website of the NRDI Office at nkfih.gov.hu which can only be accessed by authorised persons, following registration.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
Consent of the data subject
Access to password protected content.
Until termination of the registration
E-mail
Consent of the data subject
Access to password protected content.
Until termination of the registration
Verification of entitlement Law or any contractual relationship with the NRDI Office
Access to password protected content.
For the duration of the legal relationship, in accordance with the effective law

If the data are not provided, the data subject will not be allowed to use the service.

 

D. A. Customer Service Related Data Processing

D.1. Requests Received by the Customer Service

The NRDI Office is operating a customer service, primarily to perform its public service duties related to the management of calls for proposals. E-mail is used as the primary channel for liaising with clients via the nkfialap@nkfih.gov.hu and nkfihivatal@gov.hu e-mail addresses.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Client’s e-mail address and the personal data provided by the client in the electronic request/communication
Consent of the data subject
To handle client requests/communications and to verify performance of the request
The mails received to the customer service e-mail addresses shall be deleted on 31 December of the year following the year of receipt.

For the purposes described in this subsection, the e-mail addresses of customers are automatically managed by NRDI Office, the scope of other personal data provided by the customers is determined by the customers themselves, with the understanding that in certain cases – adapted to the subject of the request, defined by law or contractual obligation – the customer request cannot be fulfilled without the provision of personal data.

D.2. Making an appointment for accessing/inspecting files

The NRDI Office provides the option to the applicants to access files and documents. This is ensured by the staff members of the NRDI Office at times agreed in advance. Appointments can be pre-arranged through the website at nkfih.gov.hu.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Applicant’s name (if the applicant is a natural person)
Consent of the data subject
Making an appointment for accessing files
Personal data will be erased 30 days following the access to the files.
Name of the person accessing/inspecting the files or documents
Consent of the data subject
Making an appointment for accessing files
Personal data will be erased 30 days following the access to the files.
E-mail of the person accessing/inspecting the files or documents
Consent of the data subject
Making an appointment for accessing files
Personal data will be erased 30 days following the access to the files.

If the customer knows the file number and the subject of the documents, the NRDI Office will ask for them in the electronic form so that the customer can be received and informed by a competent administrative staff member.

If the data are not provided, the data subject will not be allowed to use the service.

D.3. Drawing up a record verifying the fact of access to the files

The NRDI Office will provide applicants with an opportunity to consult the files. When consulting the file, a record is made of the fact that the file has been accessed.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, place and date of birth, mother's name of the person accessing the files
Consent of the data subject
Verification of the fact of access to the files
The deadline scheduled for erasing the provided personal data is the same as the period of retention of the record drawn up upon access to the files, that is 6 months from the day when the files were accessed. The record shall be destroyed after expiry of the deadline.

If the data are not provided, the data subject will not be allowed to use the service i.e. access files and documents.


E. Publication of calls for proposals, monitoring of the calls, related news

The NRDI Office displays on its website the calls for proposals and other information about calls taken over from the current and legal predecessor organisations, the Hungarian and international news related to research and development and innovation, and the Hungarian calls for proposals and news related to calls.

Data subjects have the option to keep track of any specific call for proposals, and the data subjects will receive continuous information about the related news, changes and events.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name
Consent of the data subject
Information to the data subjects about the specific calls for proposals they wish to monitor and keep track of, any changes to these calls, and also the related events and news.
Until the given call is closed. Prior to this, the personal data are erased if this is requested by the respective data subject.
E-mail
Consent of the data subject
Information to the data subjects about the specific calls for proposals they wish to monitor and keep track of, any changes to these calls, and also the related events and news.
Until the given call is closed. Prior to this, the personal data are erased if this is requested by the respective data subject.

Data subjects will receive continuous information in e-mail about the calls for proposals they wish to monitor and keep track of right until the given call for proposals is closed. At that point the provided personal data will be erased automatically. Prior to this, if the data subject does not intend to receive further information about the given call, the related news, events, and changes, he/she may request to unsubscribe.

If these data are not provided, the data subject will not be allowed to use the service.

 

F. Publication of the results of the calls

In order to meet its obligations required under law, the NRDI Office shall publish on its website the data related to the winning calls. This type of data processing and the publication of personal data are acknowledged by the applicants (data subjects) as of submission of their applications.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time

Name,
project title,
place of implementation,
amount of the funding

General disclosure list of the Information Act (Section III.3)
Compliance with a legal obligation to which the NRDI Office is subject
In accordance with the provisions of the records management policy applied by the NRDI Office, the results of the calls are stored in the archives for 15 years

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection.

 

G. Event management

G.1. Registering to the event

The NRDI Office organizes events related to its activities, where it informs the general public about the experiences learned from the calls and other events related to the calls. Those data subjects can participate at the public events who have registered in advance.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, e-mail
Consent of the data subject
Verifying the right to participate at the event, preliminary calculation concerning the number of participants, preparations for satisfying the needs
Once the given event is completed, the provided personal data will be erased.
Represented field (organisation) Consent of the data subject
The NRDI Office assesses which fields are drawn by the event organised by it, so that it can organise specialised events in the future.
Once the given event is completed, the provided personal data are recorded in an aggregated, processed and anonymous manner, so that no individuals can be identified.

If the data are not provided, the data subject will not be allowed to use the service.

G.2. Photo materials made at the events

The NRDI Office may take pictures of the lecturers, the venue, and also the participating data subjects at the events organised by it, and may publish these photos on its website and possibly in its publications. Pursuant to Article 2:48 (1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may take photos of them and publish these on its website or possibly in its publications. No publication of these photos is allowed outside the website and/or publications of the NRDI Office, except if the explicit consent of the given data subject has been obtained by the Controller prior to the publication.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
The data subject’s image
Consent of the data subject
Publication on the website of the things happening at the event.
The photo material will be made public to the visitors of the website following the event, right until they are withdrawn. Prior to this, if the data subject so requests, the Controller shall pixelate (mask) the concerned data subject on the objected picture, thereby disguising the identity of the concerned data subject, or shall delete the objected picture from the website.

If the data are not provided, the data subject will not be allowed to use the service.

G.3. Audio recordings made at the events

The NRDI Office may make audio recordings of the words spoken at the events organised by it, and may transcribe these audio recordings into a written form after the event and may publish such written documents on its website. Data subjects may ask questions from the lecturers during the events and hence these questions are recorded as well.

Pursuant to Article 2:48(1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may make audio recordings at its events and publish the transcripts on its website. No publication is allowed outside the website of the NRDI Office, except if the explicit consent of the data subjects has been obtained by the Controller prior to the publication.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Audio recordings from the data subject
Consent of the data subject
Professional recording of the words spoken at the events, making a transcript about the audio recordings and publication thereof on the website.
The transcript about the audio recording will be made within 30 days following the event, and afterwards the NRDI Office shall delete the audio recording and shall publish only and exclusively the written documentation on its website.

It is compulsory to provide the indicated personal data for the purpose of data processing specified in this subsection. If these data are not provided, the data subject will not be allowed to use the service. The NRDI Office shall be responsible for the data processing specified in this subsection.

G.4. Video footage and online broadcasting

The NRDI Office shall use technical (video) solutions – recording images and sounds simultaneously – about the events organised by it, and in the course of this, video recordings shall be made of the events. The video recordings shall be published on the website of the Controller.

The video recording shall also be broadcast live on the Youtube channel operated by the NRDI Office.
Pursuant to Article 2:48(1) of Act V of 2013 on the Civil Code, the data subjects, by participating at the event, give their consent so that the NRDI Office may make recordings which are recording images and sounds simultaneously at its events and broadcast this live on its Youtube channel, and publish it on its website, either in full, or in an edited form.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Images and audio contained in the video recording
Consent of the data subject
Publication on the website, production of short videos to provide posterior information to the general public.
The video recordings are public to the visitors of the website.
Prior to publication, if the data subject so requests, the NRDI Office shall pixelate and/or distort (mask) the concerned data subject in the objected video sections, thereby disguising the identity of the concerned data subject, or shall alter (edit) the objected video so that the images and audio about the data subject shall not be accessible.
Images and audio contained in the video recording
Consent of the data subject
Live broadcasting on the Youtube channel in order to provide simultaneous information to the general public; then publication of (leaving) these on the Youtube channel to ensure posterior retrieval.
The video recording will be available for the public on the Youtube channel of the NRDI Office until it is withdrawn.

If the data are not provided, the data subject will not be allowed to use the service.

 

H. Liaising with the media

The NRDI Office shall keep press conferences on a regular basis and answer any possible questions of the press. In order to coordinate the media relations and organise the press events, the personal data of the media workers, being data subjects, must be processed.

Any journalists informed of public press conferences via the MTI Tükör or the website of the NRDI Office may participate at these events. However, press events dedicated for a limited circle of journalists will be offered to participate only for media workers with special fields of interest who have previously requested to be registered for the purpose of sending information and invitation according to their fields of interest. To do so, the media workers may request to be registered by sending a letter to kommunikacio@nkfih.gov.hu. Similarly, media workers may initiate their deletion from the register by sending a letter to the same e-mail address specified in this Section.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, e-mail, phone number, name of the concerned media outlet
Consent of the data subject
Prior notice about press events affecting a special field, in order to ensure that the data subject, as media worker, may participate at the press conference.
Until the concerned media worker requests his/her deletion from the register.

If the data are not provided, the data subject will not be allowed to use the service.

 

I. Requests for data of public interest

The NRDI Office, meeting its statutory obligation, keeps a register about the requests made for provision of data of public interest processed by it, regardless of the way these requests were made (in writing, orally or electronically). The data subject sending a request for provision of data of public interest acknowledge, by sending the given request, that his/her personal data are recorded.

Scope of processed personal data
Legal Basis (legal title)
Purpose
Data retention time
Name, address for service (postal address, e-mail address)
Article 28(2) of the Information Act
Fulfilment of the request for data of public interest performance of the test based on the criteria specified under Article 29(1a) of the Information Act payment of the defined expense reimbursement due for fulfilment of the request
In accordance with the provisions of the specific records management policy issued by the NRDI Office, the requests filed for provision of data of public interest are stored for 10 years.

It is compulsory by the law to provide the indicated personal data for the purpose of data processing specified in this subsection. If the data are not provided, the data subject will not be allowed to use the service

2. The data subject’s consent, conditions

Processing based on consent can only take place if the consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of data, such as by a written statement, including by electronic means, or an oral statement. The data subject’s consent must clearly indicate that the person agrees to the processing.  In case of participation at the event of the NRDI Office, being intentionally present at the event while aware of prior information, can be considered as consent. Similarly, it shall also qualify as a consent given to the processing, if the data subject ticks a related checkbox when visiting the website.

Silence, pre-ticked boxes or inactivity shall not constitute consent. Consent could also include the choosing of technical settings for electronic services by the user or making a statement or conduct which clearly indicates in this context the data subject's consent to the processing of his or her personal data.

If processing is based on consent, the controller must be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Where the child is below the age of 16 years, the processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

3. The source of the personal data and the scope of the data processed, if not provided by the data subject to the NRDI Office

The NRDI Office does not process personal data collected from other source than the data subjects.

4. Data transfers

Upon description of the specific data processing operations, the NRDI Office shall list – if and when necessary – the recipients of data transfers and the categories of recipients.

The NRDI Office uses the services of Nemzeti Infokommunikációs Szolgáltató Zrt. (1081 Budapest, Csokonai utca 3.) as processor and for this purpose it forwards the personal data processed by it as controller to the processor.

The NRDI Office shall be obliged and entitled to transfer any personal data available to it and stored by it lawfully, to the competent authorities, if it is required to do so based on any piece of legislation or final and enforceable regulatory obligation. The NRDI Office shall not be liable for these data transfers or the consequences thereof.

The NRDI Office shall transfer personal data to controllers seated in third countries (i.e. not an EEA Member State) only in conformity with the provisions of the GDPR and the currently effective legislation.

Part IV
Security of processing

1. General data security requirements

By applying appropriate technical and organisational measures, corresponding to the given risk, the NRDI Office shall ensure the security of the data subjects’ data, and also the protection against unauthorised or unlawful processing or accidental loss, destruction or damage, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the IT systems and equipment used for the processing of personal data.

For that purpose, the NRDI Office is using IT tools in its systems, in particular firewalls, encryption, physical protection devices, furthermore it installs physical protection in all the premises where the data are accessible. The NRDI Office, when defining and applying data protection measures, takes into account the current state of the art technology. In the event several possible data processing methods are available, the one ensuring the highest level of personal data protection shall be selected, unless it poses disproportionate difficulties to the NRDI Office.

2. Personal data breach

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud.

In the event of unlawful processing of personal data, the given breach must be reported to the Hungarian National Authority for Data Protection and Freedom of Information, acting as the supervisory authority. In the case of a personal data breach, the NRDI Office shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in any risk to the rights of natural persons. The personal data breach must be reported to the supervisory authority without undue delay, but within 72 hours at the latest, unless it can be demonstrated, in accordance with the accountability principle, that the personal data breach is unlikely to result in any risk to the rights and freedoms of natural persons. The data subject must be notified, without delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions.

 

Part V
Rights of the data subjects, legal remedies

The data subject can exercise any of his/her rights guaranteed under this Policy and/or under law via any of the contact channels of the NRDI Office specified in this Policy.

1. Deadline

The NRDI Office shall consider the data subject’s request to exercise his or her rights within a maximum of 25 days from the date of receipt of the request and shall notify the data subject of its decision in writing or, if the data subject has submitted the request by electronic means, by electronic means. The date of receipt of the request shall not be included in the time limit. The Controller may extend this time limit by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

2. Rights of the data subject

A .Right to request information (right to access)

Any data subject may request information from the NRDI Office whether any processing of their personal data is under way, and also concerning which personal data the NRDI Office processes regarding him or her, the legal basis and purpose of processing, the source of the data, and the period of processing; to whom, when, under what legislation was access provided regarding their personal data, which personal data were involved, to whom these data were transmitted, including in particular any recipients from third countries or international organisations.

B. Right to rectification

Any data subject may request the modification or supplementation of any of their data.

C. Right to erasure (right to be forgotten)

Any data subject can request the erasure of their data if

  1. their personal data are no longer necessary in relation to the purposes for which the NRDI Office processed them;
  2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  3. the data subject objected to the processing and there is no other legitimate reason for the processing;
  4. their personal data were processed by the NRDI Office unlawfully;
  5. their personal data have to be erased for compliance with a legal obligation to which the NRDI Office is subject;
  6. the personal data have been collected in relation to the offer of information society services to children.

D. Right to blocking, restriction

Any data subject can request the blocking of their data if

  1. the accuracy of the personal data is contested by the data subject, in which case the restriction/blocking shall be for a period enabling the verification of the accuracy of the personal data by the NRDI Office;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the NRDI Office no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing; in this event the restriction is pending the verification whether the legitimate grounds of the NRDI Office override those of the data subject.

The data shall be blocked as long as necessitated by the reasons stated. Upon request, this has to be performed without delay, but not later than within 25 days, and a notice is to be sent to the provided contact channel.

E. The right to objection

Any person can object to the processing based on legitimate interest through the specified contact channels. In this case, the NRDI Office shall no longer process the personal data unless it demonstrates legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The objection must be reviewed and a decision about its justification is to be made as soon as possible, but not later than within 15 days, and a notice is to be sent about the decision to the provided contact channel.

F. Right to data portability:

The data subject shall have the right to request from the NRDI Office to receive the personal data concerning him or her, which he or she has provided to the NRDI Office, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, if processing is based on the data subject’s consent or a contract and the processing is carried out by automated means. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Legal remedies related to the data processing:

The NRDI Office shall provide information to the data subject without undue delay and in any event within 25 days of receipt of the request at the latest. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The obligation to provide information can be fulfilled via the operation of such a secure online system through which the data subject can easily and rapidly access the necessary information.

If the data subject considers that the Authority has infringed the applicable data protection requirements in the processing of his or her personal data, he or she may lodge a complaint with the data protection supervisory authority (National Authority for Data Protection and Freedom of Information) at the following contact details:

Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1363 Budapest, Pf.: 9.
Address: 1055 Budapest, Falk Miksa u. 9-11.
Phone: +36 (1) 391 1400 
Fax: +36 (1) 391 1410 
E-mail: ugyfelszolgalat@naih.hu 
URL: https://naih.hu

The data subject, if his/her rights are violated, may take legal action against the controller and bring the case to court, where the case shall be heard in an accelerated procedure. At the data subject’s discretion, the legal action can also be started at the regional court having competence according to the data subject’s domicile or habitual residence as well. The tribunal of the place where you are domiciled or resident can be found at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso. According to the seat of the Controller, the Metropolitan Tribunal shall have jurisdiction over the lawsuit.

Updated: 06 October 2021
Feedback
Was this page helpful?