Privacy notice

Pursuant to Article 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.) and Article 12 (1) of the European General Data Protection Regulation (hereinafter GDPR), the Institute of Business Administration of Eötvös Loránd University informs you about the processing of your data in the context of this registration.

SCOPE, PURPOSES AND LEGAL BASIS OF DATA PROCESSING

The personal data provided during the registration for ELTE GTI events is collected and used exclusively for the purpose of informing applicants about the events and the training opportunities provided by ELTE GTI, in accordance with the provisions of the applicable data protection legislation, in particular the General Data Protection Regulation (GDPR) of the European Parliament and of the Council (EU) 2016/679, Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, and the Data Protection, Data Security and Data Management Policy of Eötvös Loránd University.

The provision of data is voluntary on the part of the Applicants: it is based on their knowledge and acceptance of this Information.

The personal data processed on the basis of the registration: name, e-mail address and age of the applicant, and, if he/she requests a postal delivery, his/her postal address.

The purpose of the data request is: to notify in advance your intention to participate in an event, to contact you, to inform you about our events, our training courses, information about the admission procedure, information about university life.

Privacy Notice

The data provided by you in the above form will be processed exclusively by the administrative staff of the Institute of Business Administration of Eötvös Loránd University of Applied Sciences in accordance with the applicable legislation and will be kept for 24 months after registration. Your personal data [GDPR Article 4, 1. Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person] will not be shared with third parties in any form, nor used for automated decision-making, and in this context you have the following rights under the applicable legislation:

1. the right to transparent information,
2. the right of access to your personal data,
3. the right to access to your personal data, the right to rectification or erasure of your data upon request ("right to be forgotten") and the right to restriction of processing,
4. information about the identity of recipients,
5. the right to data portability: only in relation to data processed on the basis of consent or on the basis of a contract, in the case of automated processing;
6. right to object: in the case of processing based on legitimate interest or in the public interest/when carrying out a task carried out in the exercise of official authority vested in the controller,
7. in the case of automated decision-making, the right not to be subject to the decision;
8. the right to a remedy: the data subject may refer any breach of his or her rights to the Data Protection Officer or to the National Authority for Data Protection and Freedom of Information or to a court.

BELOW IS AN EXPLANATION OF EACH OF THE RIGHTS OF THE DATA SUBJECT

1. Right to transparent information (Articles 12-14 GDPR)

The controller hereby fulfils its obligation to inform the data controller, the data protection officer, the purposes and legal basis of the processing, the duration of the processing, the source of the data, the data subject's rights and remedies.

Oral information may be provided at the request of the data subject, provided that he or she proves his or her identity.

2. Data subject's right of access (Article 15 GDPR)

The data subject may request the controller to provide access to personal data relating to him or her, including a copy of the personal data which are the subject of the processing.

The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:

1. the purposes of the processing;
2. the purposes for which the personal data are being processed; the categories of personal data concerned;
3. the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
4. where applicable, the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
5. the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
6. the right to lodge a complaint with a supervisory authority;
7. where the data have not been collected from the data subject, any available information concerning their source;
8. the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.

3. Rectification, erasure and restriction of processing of the data subject's data (Article 16 GDPR)

3.1 Right to rectification (Article 16 GDPR)

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification by the controller of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

3.2 Right to erasure - "right to be forgotten" (Article 17 GDPR)

Personal data must be erased if

1. the purpose of the processing has ceased;
2. the data subject has withdrawn his or her consent and there is no other legal basis for the processing;
3. the processing is based on a legitimate interest or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and the data subject objects to the processing;
4. the processing is unlawful;
5. the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
6. the data have been erased in relation to information society services offered directly to children.

3.3 Right to restriction of processing (Article 18 GDPR)

The controller shall restrict processing at the request of the data subject where

1. the data subject contests the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the data;
3. the controller no longer needs the personal data but the data subject requests them for the establishment, exercise or defence of legal claims;
4. the processing is based on a legitimate interest or is necessary for the performance of a task carried out in the public interest/ in the exercise of official authority vested in the controller and the data subject objects to the processing.

The controller shall inform the data subject of the action taken on the request without undue delay and at the latest within one month of receipt of the request . If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request. Where the data subject has made the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise.

4. Obligation to notify rectification or erasure of personal data or restriction of processing (Article 19 GDPR)

The controller shall inform any recipient to whom or with whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of those recipients.

5. Right to data portability (Article 20 GDPR)

The data subject shall have the right to obtain the personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, where the processing is based on consent or a contract and the processing is carried out by automated means.

In exercising the right to data portability, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.

The exercise of this right shall be without prejudice to the right to be forgotten.

6. Right to object (Article 21 GDPR)

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on grounds of legitimate interest or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on those legal grounds. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

7. Data subject's right in the event of automated decision-making (Article 22 GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This provision shall not apply in the following cases:

(a) necessary for the conclusion or performance of a contract between the data subject and the controller;

(b) permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or

(c) based on the explicit consent of the data subject.

The controller shall ensure that the data subject has at least the right to obtain human intervention by the controller, to express his or her views and to object to the decision.

8. Access to legal remedies - alternatives available

8.1.

If the controller fails to act on a request from the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right to judicial remedy (Article 12(4) GDPR).

Data Protection Officer of the ELTE:
Dr. Klára Csibra
ELTE Data and Strategic Information Management Office
HU-1053 Budapest, Szerb utca 21-23.
Email: adatvedelem@elte.hu

8.2.

Anyone (i.e. not only the data subject) may lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), in order to initiate an investigation on the grounds that a personal data processing incident has occurred or is likely to occur.
It is important that the notification is not anonymous, otherwise the Authority may reject the notification without any substantive investigation. Further grounds for refusal are set out in the Infotv. Article 53 of the Infotag.
The Authority's investigation is free of charge and the costs of the investigation are advanced and borne by the Authority. Detailed rules on the conduct of the procedure are laid down in the Infotv. Sections 54-58 of the Infotov.
As a rule, a decision is taken within two months of receipt of the notification.

Contact details of the National Authority for Data Protection and Freedom of Information:
1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1374 Budapest, Pf. 603.
Website: www.naih.hu
Tel: +36-1-391-1400

8.3.

The data subject may take the controller to court in the event of a breach of his/her rights, as all data subjects have an effective judicial remedy if they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in a way that does not comply with the GDPR (see above).

The action against the controller or processor must be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought in the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.

In Hungary, the action may also be brought, at the option of the data subject, before the courts for the place where he or she resides or is domiciled.

In the action, the data subject may claim compensation/damages from the controller:

• if the controller causes damage to another person by unlawful processing of the data subject's data or by breaching the requirements of data security, the controller must compensate the damage;
• if the controller has infringed the data subject's right to privacy by unlawfully processing his or her data or by breaching data security requirements (e.g. by disclosing or communicating personal data to an unauthorised person), the data subject may claim damages from the controller.