Privacy Policy
I. Introduction
Data Controller:
The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
Data Controller’s Information:
- Company name: Budapest Zoo & Botanical Garden
- Address: 1146 Budapest, Állatkerti krt. 6-12
- Tax number: 15490658-2-42
- Phone number: +36 1 273 4901
Email address: info@zoobudapest.com
Purpose of the Privacy Policy
The purpose of this Privacy Policy is to provide visitors to the website operated by the Data Controller at https://zoobudapest.com (hereinafter: “Website”) with clear, concise, transparent, and understandable information regarding the processing of personal data on the Website. This is to ensure the protection of the visitors’ rights to informational self-determination and to promote their enforcement.
Scope of the Privacy and Data Security Policy
This Privacy Policy applies to visitors of the Website and to users browsing or using any service, as well as to the data processing related to the Data Controller’s activities. It also aims to promote the enforcement of the right to access and disseminate data and applies to data management on the social media platforms used by the Data Controller.
The Data Controller declares that it conducts its activities in compliance with the prescribed and defined internal regulations, technical, and organisational measures, ensuring that these meet the standards of “Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC” (hereinafter: General Data Protection Regulation – GDPR).
II. Legal Framework
The Data Controller declares that it conducts its activities in compliance with the prescribed and defined internal regulations, technical, and organisational measures, ensuring that these meet the requirements of the following legislation:
Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)
Act V of 2013 on the Civil Code (hereinafter: Ptk.)
Act C of 2016 on Electronic Communications (hereinafter: Eht.)
Act CLV of 1997 on Consumer Protection
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: Elker tv.)
Act C of 2000 on Accounting
Act CXC of 2011 on National Public Education
III. Terms and Definitions
“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Data Processing”: any operation or set of operations performed on Personal Data or on data sets, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Data Subject”: any identified or identifiable natural person based on personal data, either directly or indirectly.
“Consent of the Data Subject”: any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of Personal Data relating to them.
“Public Disclosure”: making the data accessible to anyone.
“Data Processing”: the performance of technical tasks related to Data Processing operations, regardless of the method and tools used for executing the operations and the location of their application, provided that the technical task is performed on the data.
“Data Processor”: a natural or legal person, or a legal entity without legal personality, who processes data based on a contract – including a contract based on legislative provisions.
“Recipient”: a natural or legal person, public authority, agency, or any other body to whom or with which the Personal Data is disclosed, whether or not a third party. Public authorities that may access Personal Data as part of a specific inquiry in accordance with European Union or Member State law are not considered recipients. The processing of such data by these public authorities must comply with applicable data protection rules according to the purposes of the processing.
“Restriction of Data Processing”: the marking of stored Personal Data with the aim of limiting their future processing.
“Filing System”: any structured set of Personal Data, whether centralised, decentralised, or dispersed based on functional or geographical criteria, that is accessible according to specific criteria.
“Data Erasure”: the act of rendering data unrecognizable in such a way that it cannot be restored.
“Data Transfer”: making data available to a specific third party.
“Third Party”: a natural or legal person, public authority, agency, or any other body other than the Data Subject, Data Controller, Data Processor, or persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process Personal Data.
“Personal Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
“Supervisory Authority”: an independent public authority established by a Member State. (Hungarian National Authority for Data Protection and Freedom of Information)
IV. Principles Relating to the Processing of Personal Data
Personal Data must be:
processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (“lawfulness, fairness, and transparency”);
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (“accuracy”);
kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject (“storage limitation”);
processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
The Data Controller shall be responsible for, and be able to demonstrate compliance with, these principles (“accountability”).
V. Possible Data Processing Activities on the Website
1. General Inquiries / Complaints
a) Purpose of data processing: Contact and complaint management.
b) Scope of processed data: Name, email address.
c) Legal basis for processing: Article 6(1)(a) of the European Parliament and Council’s Regulation (EU) 2016/679 (in the case of inquiries), Article 6(1)(c) (in the case of complaints), Section 17/A of the Act CLV of 1997 on Consumer Protection).
d) Retention period: Pursuant to Section 17/A(7) of the Act CLV of 1997 on Consumer Protection: The company shall be obliged to keep the Minutes – and its copy – recorded on the complaint for five years, and it shall present them to the supervising authorities on request. The Data Subject has the right to request erasure in accordance with Article 17 of the European Parliament and Council’s Regulation (EU) 2016/679, which the Data Controller is obliged to fulfil without undue delay upon receiving the request.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
2. Inquiries/Complaints Regarding Tickets and Passes
a) Purpose of data processing: Contact and complaint management.
b) Scope of processed data: Name, email address.
c) Legal basis for processing: Article 6(1)(a) of the European Parliament and Council’s Regulation (EU) 2016/679 (in the case of inquiries), Article 6(1)(c) (in the case of complaints), Section 17/A of the Act CLV of 1997 on Consumer Protection).
d) Retention period: Pursuant to Section 17/A(7) of the Act CLV of 1997 on Consumer Protection: The company shall be obliged to keep the Minutes – and its copy – recorded on the complaint for five years, and it shall present them to the supervising authorities on request. The Data Subject has the right to request erasure in accordance with Article 17 of the European Parliament and Council’s Regulation (EU) 2016/679, which the Data Controller is obliged to fulfil without undue delay upon receiving the request.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
3. Inquiries/Complaints Regarding Events
a) Purpose of data processing: Contact and complaint management.
b) Scope of processed data: Name, email address.
c) Legal basis for processing: Article 6(1)(a) of the European Parliament and Council’s Regulation (EU) 2016/679 (in the case of inquiries), Article 6(1)(c) (in the case of complaints), Section 17/A of the Act CLV of 1997 on Consumer Protection.
d) Retention period: Pursuant to Section 17/A(7) of the Act CLV of 1997 on Consumer Protection: The company shall be obliged to keep the Minutes – and its copy – recorded on the complaint for five years, and it shall present them to the supervising authorities on request. The Data Subject has the right to request erasure in accordance with Article 17 of the European Parliament and Council’s Regulation (EU) 2016/679, which the Data Controller is obliged to fulfil without undue delay upon receiving the request.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
4. Inquiries/Complaints Regarding Education
a) Purpose of data processing: Contact and complaint management.
b) Scope of processed data: Name, email address.
c) Legal basis for processing: Article 6(1)(a) of the European Parliament and Council’s Regulation (EU) 2016/679 (in the case of inquiries), Article 6(1)(c) (in the case of complaints), Section 17/A of the Act CLV of 1997 on Consumer Protection.
d) Retention period: Pursuant to Section 17/A(7) of the Act CLV of 1997 on Consumer Protection: The company shall be obliged to keep the Minutes – and its copy – recorded on the complaint for five years, and it shall present them to the supervising authorities on request. The Data Subject has the right to request erasure in accordance with Article 17 of the European Parliament and Council’s Regulation (EU) 2016/679, which the Data Controller is obliged to fulfil without undue delay upon receiving the request.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
5. Ticket Purchase
a) Purpose of data processing: Online ticket purchase
b) Scope of processed data: Last name, first name, email address, phone number, country, city, street, postal code, bank/SZÉP card number
c) Legal basis for processing: Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council; Section 169(2) of Act C of 2000 on Accounting; and Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
d) Retention period: 8 years as defined in Section 169 of Act C of 2000 on Accounting
e) Data storage location: On the Data Controller’s IT system, protected by login password, and on the Website’s hosting server.
f) Authorised personnel: Authorised staff of the Data Controller for online invoicing (KBoss.hu Kft.: 1031 Budapest, Záhonyi u. 7.) and for ticket sales service (Banktech Safe Kft.: 1124 Budapest, Hegyalja út 154).
g) Data transfers: for online payment purposes: OTP Mobil Szolgáltató Kft. (1143 Budapest, Hungária Krt. 17-19, email address: ugyfelszolgalat@simple.hu, phone number: +36 1 776 6901)
6. Gift Voucher Purchase
a) purpose of data processing: Online gift voucher purchase
b) scope of the processed data: Last name, first name, email address, phone number, country, city, street, postal code, bank/SZÉP card number
c) legal basis of data processing: Article 6(1)(c) of the European Parliament and Council Regulation (EU) 2016/679 Section 169(2) of the Act C of 2000 on Accounting, Section 13/A(3) of the Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
d) Retention period: 8 years as defined in Section 169 of Act C of 2000 on Accounting
e) place of data storage: On the Data Controller’s IT system, protected by login password, and on the Website’s hosting server.
f) Authorised personnel: authorised staff of the Data Controller for online invoicing (KBoss.hu Kft.: 1031 Budapest, Záhonyi u. 7.) and for ticket sales service (Banktech Safe Kft.: 1124 Budapest, Hegyalja út 154).
g) Data transfers: for online payment purposes: OTP Mobil Szolgáltató Kft. (1143 Budapest, Hungária Krt. 17-19, email address: ugyfelszolgalat@simple.hu, phone number: +36 1 776 6901)
7. Volunteering
a) Purpose of data processing: Registration for voluntary work.
b) Scope of processed data: Name, place of residence, age, education, foreign language proficiency, email address.
c) Legal basis for processing: Article 6(1)(a) of the European Parliament and Council Regulation (EU) 2016/679
d) Retention period: for the duration of the voluntary work. The Data Subject has the right to request erasure in accordance with Article 17 of the European Parliament and Council’s Regulation (EU) 2016/679, which the Data Controller is obliged to fulfil without undue delay upon receiving the request.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
8. School Community Service
a) Purpose of data processing: registration for school community service.
b) Scope of processed data: Name, place of residence, age, education, foreign language proficiency, email address.
c) Legal basis for processing: Article 6(1)(b)-(c) of the European Parliament and Council Regulation (EU) 2016/679 Section 6(4) of the Act CXC of 2011 on National Public Education
d) Retention period: until the completion of the school community service.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
9. Registration for Educational Activities
a) Purpose of data processing: registration for participation in educational activities.
b) Scope of processed data: institution name, full institution address with postal code, name of accompanying teacher, phone number of accompanying teacher, email address of accompanying teacher, number of participating students, age group of participating students.
c) Legal basis for processing: Article 6(1)(b)-(c) of the European Parliament and Council Regulation (EU) 2016/679
d) Retention period: until the completion of participation in the educational activities.
e) Data storage location: On the Data Controller’s IT system, email system, and on the Website’s hosting server, protected by login passwords.
f) Authorised personnel: authorised staff of the Data Controller.
g) Data transfers: The Personal Data provided will not be transferred.
10. Newsletter
a) Purpose of data processing: subscription and unsubscription to the newsletter.
b) Scope of processed data: Name, email address.
c) legal basis of data processing: Article 6(1)(a) of the European Parliament and Council Regulation (EU) 2016/679
d) Retention period: until the date of unsubscription from the newsletter.
e) place of data storage: Webgalamb newsletter software.
f) Authorised personnel: authorised staff of the Data Controller.
g) transmission of data: The Personal Data provided will not be transferred.
VI. Data Security
Access to the website is determined based on individual authorization. Only individuals who are not restricted for security or other reasons (e.g., conflict of interest) and have the necessary professional and information security knowledge to ensure safe usage are granted access rights.
The IT devices storing the data are equipped with multi-level, active, complex antivirus protection against external attacks. Unauthorised persons cannot access Personal Data stored on the web server.
The Data Controller implements appropriate technical and organisational measures, considering the nature, scope, context, and purposes of the data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure and demonstrate that Personal Data processing is conducted in accordance with the European Parliament and Council Regulation (EU) 2016/679.
VII. Cookie Policy
Cookie files
Cookies are small data files placed by the browser on the user’s computer or device. Among other things, they collect information, remember the visitor’s individual settings, and generally make the Website easier to use for users. Cookies themselves do not collect data stored on the computer or in files.
Types of cookie files
Session cookies: These cookies are temporarily activated during browsing, i.e., from the moment the user opens the browser window until the moment they close it. Once the browser is closed, all session cookies are deleted.
Persistent cookies: These cookies remain on the user’s device for the period specified in the cookie. They are activated each time the user visits the Website.
Third-party cookies: When a user visits a page, another party activates the cookie through the Website.
Use of cookie files
Strictly necessary cookies:
These assist with Website navigation and remember actions taken by the user on certain pages. Without these cookies, services would not function, but they do not store any data about the user that indicates what other websites they have visited.
Strictly necessary cookie files:
Remember entered information in the case of contact options
Recognize the user when they visit the Website again
Accepting these cookies ensures the proper use of the website; if the user disables them, the proper functioning and security of the Website during use cannot be guaranteed.
Performance cookies:
These cookies collect information about the user’s activities on the Website. They do not collect any information that could identify the user, but their role is important in improving the functionality of the Website, measuring its effectiveness based on visitor interest.
The purposes of using performance cookie files:
Web analytics (Analytics): Provide statistics on Website usage
Error management: Assist in the development of the Website by measuring errors that occur
Design testing: Necessary for testing different versions of our Website
By using the Website, the visitor accepts the use of performance cookies. Acceptance of these cookies is a condition for the proper use of the Website. If the user disables them, the proper functioning and security of the Website cannot be guaranteed during use.
Usage-assisting cookies:
The use of these cookie files is important for providing various services and remembering the user’s settings, making it easier to visit the Website and navigate it.
Importance of consent to the use of cookie files:
By using the Website, you consent to the placement of cookie files on your computer to analyse Website usage. If you do not agree to the use of cookie files while browsing our Website, the latter may not function fully.
Deleting and disabling cookie files:
Cookies are designed to make the Website more user-friendly and enhance its processes. If cookies are disabled or deleted, users may not be able to fully use the Website’s features.
Google Analytics cookies:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
http://www.google.com/intl/en/policies/privacy/
Google Chrome cookie:
https://support.google.com/chrome/answer/95647?hl=en
Internet Explorer cookie:
https://support.microsoft.com/hu-hu/help/17442/windowsinternet-explorer-delete-manage-cookies)
Firefox cookie:
https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer)
Safari cookie:
https://support.apple.com/kb/PH21411?locale=hu_HU
VIII. Community Guidelines
The purpose of activities on social media platforms used by the Data Controller (Facebook, Instagram, YouTube, TikTok) is to share, follow, and promote certain content elements, products, promotions, or the accessibility of the Website.
Visitors to the social media platforms are subject to the data protection and service conditions of the respective site.
In the event of publishing illegal or offensive content on social media platforms, the Data Controller may block the individual from the list of followers without prior notice and immediately delete their comment.
The Data Controller is not responsible for any unlawful data content or comments posted by visitors on social media platforms. The Data Controller is not responsible for any errors, malfunctions, or problems arising from changes in the operation of social media platforms.
The Data Controller takes all necessary measures to ensure the security of the data uploaded and processed on the social media platforms it uses.
Purpose of data processing:
The upload and display of images and video recordings of the Data Subject by the Data Controller.
Scope of processed data:
The image of the Data Subject visible in the photo, and Personal Data recorded in the video (subject’s image, inferred actions of the subject).
Legal basis for data processing:
Article 6(1)(a) of the European Parliament and Council Regulation (EU) 2016/679, with the consent of the Data Subject;
Article 2:48(1) of Act V of 2013 on the [Hungarian] Civil Code
Source of data, duration of data processing:
The Data Controller processes Personal Data solely based on the consent of the Data Subject and does not collect data from other sources. The Data Controller does not process Personal Data of individuals under the age of 16, except with the consent of a legal guardian.
Data may only be processed to the extent and for the duration necessary to achieve the purpose or until the consent is withdrawn.
Once the recording is published, the Data Subject has the right to request deletion, which the Data Controller must fulfil without undue delay upon receipt of the request.
If consent is withdrawn, the Data Controller will delete the Personal Data from the social media platform; however, due to the nature of social media and website publication, the Data Controller cannot guarantee that no copies or shares have been made.
After the withdrawal of consent for the processing of Personal Data, the data will be deleted unless the data processing is based on fulfilling a legal obligation.
IX. Operation of Webcams
The Data Controller operates live webcams to allow visitors to the Website to view their favourite animals’ daily lives at any time in the following areas:
- Savanna enclosure,
- Elephant enclosure,
- Seal pool,
- South America enclosure,
- Orangutan outdoor enclosure,
- Shark School.
Purpose of data processing:
To observe the animals in the Zoo’s aforementioned areas via webcams.
Legal basis for data processing:
Article 6(1)(f) of the European Parliament and Council Regulation (EU) 2016/679.
Scope of processed Personal Data:
The image of any individual who enters and stays within the field of view of the webcam and their actions visible on the footage. The camera system does not record audio.
Storage location of the footage:
The Data Controller stores the recorded footage on a password-protected device within the camera recording unit.
The Data Controller has a data protection and data security policy regarding camera surveillance, which is made available to anyone upon request and can be forwarded to a provided contact.
X. Data Breach
“Personal Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed (Regulation Article 4(12)).
Commonly reported breaches may include the following: insecure storage of Personal Data, insecure transmission of data, unauthorised copying or transmission of databases containing Personal Data, server attacks, website hacking.
Handling of data breaches:
Preventing and managing data breaches and ensuring compliance with applicable legal regulations is the responsibility of the Data Controller. A data breach can be reported via the Data Controller’s email or phone number, where affected individuals can report underlying incidents or security vulnerabilities.
Upon detecting a data breach, the Data Controller will promptly address it. If a data breach is reported, the Data Controller must promptly investigate it to determine whether it is a genuine breach or a false alarm.
The following must be examined and established:
the time and place of the breach;
description, circumstances, and effects of the breach;
the scope and number of affected data;
the scope of individuals affected by compromised data,
measures taken to address the breach;
measures taken to prevent, mitigate, or reduce damage.
In the event of a data breach, the affected systems, individuals, and data must be isolated, and evidence supporting the occurrence of the breach must be collected and preserved. Only after this can the restoration of damages and resumption of lawful operation begin.
A record must be kept of data breaches, which includes:
the scope of affected Personal Data;
the scope and number of individuals affected by the data breach;
the time of the data breach;
the circumstances and effects of the data breach;
measures taken to remedy the data breach;
other data required by the data processing regulations.
Data concerning recorded data breaches must be retained for 5 years.
If a data breach is likely to result in a high risk to the rights and freedoms of individuals, the Data Controller must inform the affected individuals without undue delay. The notification to the affected individual must clearly and comprehensively describe the nature of the data breach and at least include the information and measures specified in Article 33(3) of the European Parliament and Council Regulation (EU) 2016/679.
The affected individual does not need to be notified if any of the following conditions are met:
the Data Controller has implemented appropriate technical and organisational protection measures, and these measures have been applied to the data affected by the breach, particularly those measures – such as encryption – that render the data unintelligible to unauthorised persons;
the Data Controller has taken further measures after the data breach to ensure that the high risk to the rights and freedoms of the affected individuals is no longer likely to materialise;
notification would involve disproportionate effort.
In such cases, the affected individuals must be informed via publicly available communication or similar measures that ensure effective notification.
If the Data Controller has not yet notified the affected individual of the data breach, the supervisory authority, after considering whether the data breach is likely to pose a high risk, may require the affected individual to be notified or determine that one of the conditions mentioned above is met (European Parliament and Council Regulation (EU) 2016/679, Article 34).
The Data Controller shall report the data breach to the supervisory authority competent under Article 55 of Regulation (EU) 2016/679 of the European Parliament and of the Council without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be provided.
XI. Rights of individuals involved in data processing
Right to information:
The Data Subject is entitled to transparent information about the processing of their data and to be informed about their data processing rights and the opportunities to exercise those rights. The Data Subject has the right to access the data collected about them and to exercise this right easily and at reasonable intervals, in order to assess and verify the lawfulness of the data processing.
Right of access for Data Subjects:
The Data Subject has the right to receive confirmation from the Data Controller on whether their Personal Data is being processed, and if so, to access the Personal Data and the following information.
Right to rectification:
The Data Subject has the right to request the Data Controller to correct inaccurate Personal Data concerning them without undue delay. Considering the purpose of the processing, the Data Subject has the right to request the completion of incomplete Personal Data, including through a supplementary statement.
Right to erasure (“right to be forgotten”):
The Data Subject has the right to request the Data Controller to delete Personal Data concerning them without undue delay, provided certain conditions are met. The right to erasure does not apply to mandatory data processing required by law or internal regulations. In some cases, the Data Controller has a legal obligation to process certain data, so a request for deletion cannot be fulfilled, particularly when the Personal Data is processed to comply with a legal obligation applicable to the Data Controller.
Right to restriction of processing:
The Data Subject has the right to request the Data Controller to restrict processing if one of the following conditions is met:
the accuracy of the Personal Data is contested by the Data Subject, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the Personal Data;
the processing is unlawful, and the Data Subject opposes the erasure of the data and requests the restriction of its use instead;
the Data Controller no longer needs the Personal Data for processing, but the Data Subject requires it for the establishment, exercise, or defence of legal claims;
the Data Subject has objected to processing, pending verification of whether the Data Controller’s legitimate grounds override those of the Data Subject.
Right to object:
The Data Subject has the right to object at any time to the processing of their Personal Data. In this case, the Data Controller may no longer process the Personal Data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims.
XII. Legal Remedies
If the Data Subject believes that their rights related to the processing of Personal Data have been violated, they may contact the Data Controller’s data protection officer for information and to exercise their rights.
Complaint to a supervisory authority:
Without prejudice to any other administrative or judicial remedies, every Data Subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their Personal Data violates this regulation.
Name: Hungarian National Authority for Data Protection and Freedom of Information
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf.: 9.
E-mail: ugyfelszolgalat@naih.hu
Phone: +36 1 391 1400
XIII. Final Provisions
If the duration of mandatory data processing or its periodic review is not specified by law, local government regulation, or a binding legal act of the European Union, the Data Controller shall review at least every three years from the start of data processing whether the Personal Data processed by them or by a Data Processor acting on their behalf or instruction is necessary for achieving the purpose of the data processing. The circumstances and results of this review shall be documented by the Data Controller, and this documentation shall be retained for ten years following the completion of the review and made available to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.
The Data Controller is entitled to establish and amend the Privacy Policy, with the Data Protection Officer (name: György Sárosi, phone number: +36 20 928 60 23, email: tvvideonet@tvvideonet.hu) authorised to do so on their behalf.
In the case of amendments, the validity date of the Policy must always be recorded.
The Data Controller reserves the right to unilaterally amend the Privacy Policy. Visitors to the Website accept the provisions of the current Privacy Policy. In addition to the Privacy Policy, the Data Controller has data protection and data security policies.
Version: 1.
Date: 1st July 2024
Changes: First issue
