Who processes your data (Data Controller)?

Name of data controller: One step further Hajós István Foundation

Seats: 1036 Budapest, Bécsi út 81.

represents: István Hajós, Chairman of the Board of Trustees

registration number: 01-01-0013418

tax number: 19353825-1-41

website contact details: www.egylepesseltobb.hu

e-mail address: info@egylepesseltobb.hu

telephone contact: +36703198303

(hereinafter referred to as the “Data Controller”)

The Data Controller respects your personal data and your personal rights, therefore it has prepared the following Data Protection Notice, which is available electronically on the Data Controller's official website.

Our principles and laws that bind us when processing data:

2.1. During Data Management, we are bound by the following laws:

GDPR (General Data Protection Regulation) – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
Data Protection Act – Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information and the legislation issued for its implementation
Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society;
Act V of 2013 on the Civil Code;
Act CL of 2017 on the Taxation System and the legislation issued for its implementation;
Act C of 2000 on Accounting and the legislation issued for its implementation;
Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities;
Act CXXXIII of 2005 on the rules of personal and property protection and private detective activities.

2.2. We follow the following principles when processing data:

a) Personal data shall be processed by the Controller only for the purposes and for the period specified herein. The Controller shall process only personal data that is necessary for the purpose of the processing and is adequate for the purpose.

b) Personal data that come to the knowledge of the Data Controller in the course of processing may only be disclosed to persons acting on behalf of the Data Controller or in an employment relationship with the Data Controller who have a task in connection with the processing.

Explanation of terms used in the Data Protection Notice:

„personal data” means any information relating to a natural person (data subject); a natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

„data subject” means a natural person who is or may be identified on the basis of any information.

„processing” means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

„controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

„processing” means the performance of technical tasks related to data processing operations;

„data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (on the controller's behalf, on the controller's instructions and at the controller's choice);

„profiling” means any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

„third party”: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

„the data subject's consent” means a freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;

What personal data do we process? (The individual data processing operations):

4.1. Processing of personal data necessary for the performance of the contract:

Legal basis for processing: your consent; performance of a legal obligation and performance of a contract

Purpose of processing: to enable the Data Controller, as the Grantor, to fulfil its obligations to you under the Donation Agreement (to make a financial donation).

Data processed: surname, first name, place and date of birth, mother's name, address.

Duration of processing: 10 years from the date of performance of the contract, after which the personal data will be destroyed.

Data transfer: the hosting provider is Websupport Magyarország Kft. (registered office: 1132 Budapest, Victor Hugo utca 18-22.).

4.2. Appearance on the website (www.egylepesseltobb.hu), as well as on Instagram, Facebook, Tik-tok platforms:

For the purpose of fulfilling the Donation Agreement, the Data Controller, as a Support Provider, publishes personal data on its website and on Instagram, Facebook, and TikTok, thereby seeking additional supporters with whose help it can provide you with a fixed monthly monetary donation.

Legal basis for processing: your consent; performance of a legal obligation and performance of a contract

Purpose of processing: to enable the Data Controller, as the Grantor, to fulfil its obligations to you under the Donation Agreement (to make a financial donation).

Data processed: name, surname, first name, place and date of birth, mother's name, medical data (name of illness, status), photograph.

Duration of processing: 10 years from the date of performance of the contract, after which the personal data will be destroyed.

Data transfer: the hosting provider is Websupport Magyarország Kft. (registered office: 1132 Budapest, Victor Hugo utca 18-22.).

4.3. Assistance in healthcare:

The Data Controller also provides assistance in healthcare, in cases agreed with you, by helping you find the appropriate healthcare institution, treating physician and/or treatment. To this end, the Data Controller may process your personal data as defined below.

Legal basis for processing: your consent.

Purpose of the processing: to assist in the provision of healthcare.

Data processed: surname, first name, place and date of birth, mother's name, medical data (name of illness, status, treating doctors, treating institution, name of treatments carried out).

Duration of processing: 3 years from the date of consent.

Transfers of data: the Data Controller may, on a case-by-case basis and subject to your agreement, transfer the personal data specified in this section to the potential treatment institution and/or the treatment physician.

Your rights

In relation to data processing, you have the rights detailed in points 5.1.-5.7. If you would like to exercise any of them, please write to us at one of the following contact details:

address: 1036 Budapest, Bécsi út 81.

e-mail address: info@egylepesseltobb.hu

Conditions for the child's consent

The processing of personal data in relation to information society services offered directly to children is lawful if the child has reached the age of 16. In the case of a child under the age of 16, the processing of children's personal data is lawful only if and to the extent that the consent has been given or authorised by a person exercising parental responsibility over the child. In such cases, the Data Controller shall verify whether the consent has been given by a person exercising parental responsibility over the child.

Identification

We will always need to verify your identity before we can fulfill your request. If we are unable to identify you, we will unfortunately not be able to fulfill your request.

Responding to the request

After identification, we will provide information about the request in writing or electronically. Please note that if you submitted the request electronically, we will respond electronically. Of course, in this case, you also have the option to request another method.

Processing deadline

We will inform you of the action taken on your request no later than 1 (one) month from the date of receipt of your request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further 2 (two) months, of which we will inform you within the 1-month administrative deadline.

We are also obliged to inform you of the failure to take action within the one-month administrative deadline. You may file a complaint against this with the National Data Protection and Freedom of Information Authority (section 6.1) and exercise your right to judicial remedy (section 6.2).

Administration fee

The requested information and action will be provided free of charge. An exception is made if the request is clearly unfounded or excessive, in particular due to its repetitive nature. In such cases, we may charge a fee or refuse to comply with the request.

5.1. You can withdraw your consent

In the case of data processing based on your consent, you may withdraw your consent at any time. In such a case, we will delete your personal data related to the given data processing within 5 working days of receiving your notification.

5.2. You can request information (access)

You may request information about whether your personal data is being processed and, if so, about:

What is its purpose?
What kind of data processing exactly is involved?
To whom do we transfer this data?
How long do we store this data?
What rights and remedies do you have in this regard?
Who did we receive your data from?
Do we make automated decisions about you using your personal data? In such cases, you can also request information about the logic (method) we use, the significance of such data processing, and the expected consequences.

You can request a copy of your processed personal data (We may charge a fee based on administrative costs for additional copies.)

5.3. You can request correction

You may request that we correct or complete your inaccurate or incomplete personal data.

5.4. You can request that your personal data be deleted (“forgotten”)

You can request that we delete your personal data.

We will fulfill your request within 5 business days of receiving it in the following cases:

a) The personal data are no longer necessary for the purposes for which they were processed;

b) For processing based solely on your consent;

c) If it is found that the personal data is unlawfully processed;

d) Required by EU or national law.

We inform you that in the cases specified in points a), c) and d), personal data will be deleted without request.

We cannot delete personal data if it is necessary:

a) for the exercise of the right to freedom of expression and information;

(b) to comply with an obligation under Union or Member State law that requires the controller to process personal data or in the public interest;

c) on the basis of public interest in the field of public health

(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where deletion would be likely to render impossible or seriously impair such processing; or

(e) for the presentation, exercise or defence of legal claims.

5.5. You can request that we restrict data processing

You may request that we restrict data processing if one of the following applies:

You dispute the accuracy of the personal data, in which case the restriction applies for a period that allows us to verify the accuracy of the personal data;
The processing is unlawful, but you oppose the erasure of the data and instead request the restriction of its use;
We no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims;
You have objected to the processing; in this case, the restriction applies for a period of time until it is determined whether the legitimate grounds of the Data Controller override your legitimate grounds.

In the event of restriction, personal data may only be processed, with the exception of storage, with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.

We will inform you in advance of any possible lifting of the restriction.

5.6. You can request that we transfer your personal data (right to data portability)

You have the right to receive your personal data processed by us in a machine-readable format and have the right to transmit these data to another data controller – or at your request – where the processing is based solely on your consent or on a contract concluded with you or in your interest and is carried out by automated means.

This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest. It shall not prejudice the right to erasure or adversely affect the rights and freedoms of others.

5.7. You can object to the processing of your personal data

You may object to the processing of your personal data if:

The processing is necessary for the performance of a task carried out in the public interest;

The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
The data is processed for direct marketing purposes (you can also object to profiling in this context);
Personal data is processed for scientific and historical research purposes or for statistical purposes;
If you object to the processing of your personal data, we will delete your personal data within 14 working days of receiving your objection. The exception is if the processing is justified by compelling legitimate grounds, including public interest or where the processing is necessary for the establishment, exercise or defence of legal claims.

Legal remedies

6.1. You can file a complaint with the National Data Protection and Freedom of Information Authority

If you believe that the processing of your personal data is contrary to the provisions of the General Data Protection Regulation, you have the right to file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH).

NAIH

President: Dr. Attila András Péterfalvi

mailing address: 1534 Budapest, PO Box: 834
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

phone number: +36 (1) 391-1400
fax: +36 (1) 391-1410

website contact details: http://naih.hu

e-mail: ugyfelszolgalat@naih.hu

6.2. You can go to court

If you believe that the processing of your personal data is contrary to the provisions of the Data Protection Regulation and that your rights under the Data Protection Regulation have been violated, you have the right to appeal to court.

The trial falls within the jurisdiction of the court. The Metropolitan Court (1055 Budapest, Markó utca 27.) is competent for the trial. The trial may also be initiated – at the choice of the data subject – before the court of the data subject’s place of residence or residence. A party to the trial may also be a person who otherwise does not have legal capacity to litigate. The Authority may intervene in the trial in the interest of the data subject’s success.

In addition to the provisions of the Data Protection Regulation, the provisions of Book Two, Part Three, Title XII (Sections 2:51 – 2:54) of Act V of 2013 on the Civil Code, as well as other legal provisions relating to court proceedings, apply to the court proceedings.

6.3. Compensation and damages

If the Data Controller causes damage or violates the personal rights of the data subject by unlawfully processing the data, compensation may be claimed from the Data Controller. The Data Controller shall be exempt from liability for the damage caused and from the obligation to pay compensation if it proves that the damage or violation of the personal rights of the data subject was caused by an unavoidable cause outside the scope of data processing.

Data security

We will do everything we can to ensure that, taking into account the current state of science and technology, the costs of implementation, the nature of the data processing, and the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the degree of risk.

We always treat personal data confidentially, with limited access, encryption and maximum possible resilience, ensuring restoreability in the event of a problem. We regularly test our systems to ensure security. When determining the appropriate level of security, we take into account the risks arising from data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

We will do everything we can to ensure that persons acting under our control who have access to personal data only process such data in accordance with our instructions, unless they are required to do otherwise by EU or Member State law.

The identity of potential data controllers authorized to view the data

The Data Controller's employees, for the time and to the extent necessary to perform their duties.

Data transmission

We will only transfer your personal data to the data processors and data controllers indicated in this Data Management Notice, solely in accordance with the provisions of this Data Management Notice. By consenting to the detailed data management, you also consent to the necessary transfer of data to the additional Data Controller or Data Processor indicated there, as well as to the persons indicated in points 8 and 9 of this Data Management Notice. The Data Controller may transfer your personal data to other data controllers only after your prior consent.

We reserve the right to transfer the processed personal data to the competent authorities and courts, in accordance with their request, even without the specific consent of the data subject, in cases specified by law.

Budapest, July 7, 2023.