Privacy Policy

AIESEC Magyar Közgazdászhallgatók Egyesülete (hereinafter referred to as „Association”) is an association created to complement the training and skills development of students at higher education institutions in Hungary, with the aim of actively participating in the training of professionals with a wide range of viewpoints and thereby contributing to the development of the Hungarian economy and society.

The Association is committed to protecting the personal data of the persons who are in contact with it and considers respect for their right to informational self-determination to be of utmost importance.

The Delegates’ Meeting of the Association therefore adopts the following rules on the protection of personal data, in accordance with the data protection regulation of the European Union and in compliance with the requirements of national data protection legislation:

I. Subject of the Policy

1. The purpose of this Policy is to regulate the personal data processing practices of the Association as data controller within the meaning of Article 4 point (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as „GDPR”) (the Association is hereinafter also referred to as „data controller”).

II. Scope of the Policy

2. The scope of this Policy shall apply to all members of the Association, its executive officers, corporate bodies, employees and the trustees of its staffing organizations, and to all data registered by the Association and the Local Committees of the Association for the purpose of attaining the Association’s objectives and performing its activities.

III. Interpretative provisions

3. Subject to the regulation of GDPR, for the purposes of this Policy: 

(a) personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4, point 1);

(b) processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (GDPR Article 4, point 2);

(c) controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (GDPR Article 4, point 7);

(d) processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (GDPR Article 4, point 8);

(e) consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR Article 4, point 11);

(f) personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed (GDPR Article 4, point 12);

(g) information society service means a service provided electronically, at a distance and normally for consideration, which the recipient of the service accesses individually (Section 2 (f) of Act CVIII of 2001).

The full set of definitions applicable to the protection of personal data and the free movement of personal data under the GDPR is set out in Article 4, points 1 to 26 of the GDPR.

IV. Data controller and contact information

1. Data controller’s data and contact details:

– Name: AIESEC Magyar Közgazdászhallgatók Egyesülete

– Headquarters: 1094 Budapest, Ferenc körút 23 4/3

– Registration Number: 01-02-0000680

– Name of the registration court: General Court of Budapest

– Tax number: 19001834-2-43

– Phone number: +36705318515

– E-mail: hungary@aiesec.net

2. The Data Protection Officer is appointed by the Presidency.

V. Principles relating to processing of personal data

The principles for processing personal data are the following:

– lawfulness, fairness, and transparency: personal data shall be processed lawfully, fairly and in a manner that is transparent to the data subject;

– purpose limitation: personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes;

– data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

– accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay;

– storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of the data subjects;

– integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;

– accountability: The Association is responsible for compliance with the above principles and must be able to verify this compliance.

VI. The scope of the data processed, the purpose, legal basis, and duration of the data management

Data processing in the course of the Association’s activities is based either on the voluntary consent of the data subject or on a statutory mandate. Where processing is based on voluntary consent, the data subject may withdraw that consent at any stage of the processing. In some cases, the processing, storage or transmission of the data, or of part of the data, is made mandatory by law; in such cases the Association is obliged to act in accordance with the applicable laws.

1. Data concerning the membership registration of the Association

The Association is a legal person established with a registered membership on the basis of Act V of 2013 on the Civil Code (hereinafter: CC) for the continuous pursuit of the common objectives of its members set out in its Bylaws. The Association processes the data of its members specified in the Civil Code and in Act CLXXV of 2011 governing NGOs. Membership of the Association is voluntary, and the legal basis for processing the data submitted in the application for membership is the consent of the data subject. Once membership has been established, the legal basis for processing the members’ data is Section 3:67 and Section 3:80 i of the CC, on the basis of which the Association keeps records of its members. Data about the members are not public; therefore, in the course of processing, the Association ensures the confidentiality of personal data by appropriate organisational and technical means.

The scope of data processed: name, address.

Deletion date of processed data: If the request for the establishment of membership is rejected, the data will be deleted immediately by the Association. In the event of termination of the membership, the member’s data will be deleted within 5 years after the termination.

2. Data on the records of the Association’s executive officers

The management tasks of the Association are carried out by an executive body, the Presidency, which consists of 10 members under the Bylaws of the Association. The members of the Presidency are executive officers of the Association. The Association processes the data of its executive officers on the basis of point a) of Subsection 5 and points e) and f) of Subsection 1 of Section 20 of Act CLXXXI of 2011 and Subsection 2 of Sections 3:26 and 3:22 of the Civil Code.

The scope of data processed: name, place and time of birth, mother’s name, address, tax number.

Deletion date of processed data: The Association deletes the data of a former executive officer 5 years after the termination of the mandate, in accordance with Sections 3:24 and 3:86 of the Civil Code.

3. Data concerning employees of the Association

The Association processes the personal data of persons in an employment relationship with it in order to achieve its goals and carry out its activities. The legal basis for the processing is Section 10 of Act I of 2012. The scope of processed data: name, place and date of birth, mother’s name, address, educational qualification, tax number, Hungarian social security number, the employee’s basic salary and job description, the duration of employment, the place of work and working time, as well as other data specified in Section 26 of Act I of 2012.

Deletion date of processed data: The Association deletes the data of employees 5 years after termination of the employment relationship.

4. Data of the Association’s Volunteers

In order to carry out its activities and accomplish its goals, the Association is assisted by Volunteers in organising programs, conferences, camps and internships. Volunteers are persons who voluntarily apply for the various tasks connected with the above events and, for this purpose, enter into a contract with the Association. The legal basis for processing the data submitted by Volunteers during the application and the conclusion of the contract is the consent of the Volunteers (points (a) and (b) of Article 6(1) of the GDPR).

The scope of processed data: name, place and date of birth, mother’s name, address.

Deletion date of processed data: If the Volunteer’s application is refused or withdrawn by the Volunteer, the data will be deleted immediately by the Association. Where a contract exists between the Association and the Volunteer, the Volunteer’s data will be deleted within 5 years of termination of the contract.

5. Personal data of persons benefiting from the services of the Association

● The purpose of data management:

The Association does not exclude persons other than its members from benefiting from its public-benefit services. The principal means of this is the public announcement of its programs on its website, through which users can access the services by submitting the relevant applications. When compiling the application forms for each program and service, the Association requests only the data necessary for the given program and service, taking into account the principles of data processing.

● Lawfulness of processing, conditions for consent and legal effect:

The legal basis for data processing is in all cases the consent of the data subject (points (a) and (b) of Article 6(1) of the GDPR), and the Association must be able to demonstrate that the data subject has consented to the processing of his/her personal data. If the data subject gives his/her consent in a written declaration which also concerns other programs or services, the request for consent must be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the GDPR is not binding.

The data subject has the right to withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of consent-based processing carried out before the withdrawal. The data subject must be informed of this before giving consent. It must be as easy to withdraw consent as to give it. In assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

● Scope of data processing:

The Association processes the following data when organising various camps, conferences and multi-day programs, at the application stage: name and nickname, place and date of birth, telephone number, email address, address, parent/guardian’s name, parent/guardian’s phone number, email address and address, Hungarian social security number, tax number, name of educational institution, medication sensitivity and other allergies, language skills, student ID.

The Association processes the following data when organising various camps, conferences and multi-day programs, for participation in them: name, place and date of birth, mother’s name, address, the name of the institution in which the applicant studies/studied, telephone number, email address or other electronic contact, identity card or passport number, parent’s name and contact details, medication sensitivity and other allergies, Hungarian social security number, tax number and student ID.

The Association processes the following data in connection with the various internship and volunteer programs, for participation in them: name, place and date of birth, mother’s name, address, the name of the institution in which the applicant studies/studied, telephone number, email address or other electronic contact, identity card or passport number, parent’s name and contact details, CV (voluntary content, in particular: name, place and date of birth, qualifications, language skills, previous professional experience, ongoing studies), professional information, bank account number, basic salary and job description of the participant in the internship program, place of work and working time, and other data specified in Section 26 of Act I of 2012.

The Association processes the following data of the participating companies and institutions when organising the various internship and volunteer programs: name, registered office, tax number, registration number, name and position of the representative, name and position of the contact person, bank account number, positions opened by the company/institution, and job descriptions with voluntary content provided by the company/institution, in particular: description of the job, working hours and pay, expected experience.

● Erasure of processed data

The information provided by the data subject will be deleted immediately if the application is refused or the application is withdrawn.

The data provided by the data subject will be deleted immediately by the Association if the data subject withdraws his/her consent to the processing of data. Prior to granting consent, the data subject must be specifically informed of this right and shall be informed of the legal consequences of the withdrawal of the consent for the given service or contract.

The data provided by the data subject will be deleted by the Association 5 years after the service has been provided or the performance of the contract.

VII. Technical details of data management

The Association selects and operates the IT tools used for processing personal data in the course of providing its services so that the processed data are accessible to authorised persons, their authenticity and validity are ensured, their integrity can be verified, and they are protected against unauthorised access.

The Association protects the data by appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction or damage and against becoming inaccessible as a result of changes in the technology used.

The Association ensures, by means of an appropriate technical solution, that data stored in its various registers cannot be directly linked and attributed to the data subject, unless permitted by law.

The Association implements technical, organisational and institutional measures to protect the security of data processing, having regard to the current state of the art, and provides a level of protection appropriate to the risks associated with the processing.

In the course of data processing the Association maintains confidentiality, that is, it protects the information so that it can be accessed only by those entitled to it. It ensures integrity by protecting the accuracy and completeness of the information and of the processing method, and it ensures availability, meaning that when an authorised user needs the information, he/she can actually access it and the tools related to it.

VIII. Rights of the data subject

1. Procedural rules for the exercise of the rights of the data subject

The Association shall take appropriate measures to provide the data subject with all information required by the GDPR relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Oral information may be provided at the request of the data subject, provided that the identity of the data subject has been verified by other means.

The Association facilitates the exercise of the data subject’s rights under the GDPR. The data subject has the right to request information on the processing of his/her personal data, to request the rectification of his/her personal data or, except in the case of mandatory processing, to request their erasure or to withdraw consent, and may exercise his/her right to restriction of processing and right to object via the contact details of the Association given above.

The Association shall inform the data subject of the measures taken on the application without delay, but in any case, within one month from the receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by two additional months. The Association shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the application. If the data subject submits the application electronically, the information should be provided electronically, if possible, unless otherwise requested by the data subject.

If the Association fails to take action on the request of the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

The Association provides the requested information free of charge. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, the Association may either charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested, or refuse to act on the request.

The burden of demonstrating that the request is manifestly unfounded or excessive lies with the Association.

If the Association has reasonable doubts about the identity of the natural person who submits the application, it may request additional information to confirm the identity of the data subject.

2. Special rules for the protection of children

Where processing is based on the consent of the data subject, the processing of the personal data of a child in relation to information society services is lawful if the child is at least 16 years old. Where the child is below the age of 16, the processing of the child’s personal data is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

The Association, taking into consideration available technology, makes reasonable efforts to verify in such cases that consent has been given or authorised by the holder of parental responsibility.

The above rules do not affect Sections 2:10-2:18 of the CC in force, which regulate the validity of minors’ legal declarations, such as the rules on the validity, formation or effect of a contract in relation to a child.

3. Processing of special categories of personal data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, other than exceptions in Sections (2) and (3) of Article 9 of the GDPR, shall be prohibited.

Accordingly, special categories of personal data may be processed, in particular, where:

– the data subject has given explicit consent, except where Union or Member State law provides that the prohibition may not be lifted by the data subject’s consent;

– the processing is necessary for carrying out the obligations and exercising the specific rights of the Association or of the data subject in the field of employment, social security and social protection law;

– the processing relates to personal data which are manifestly made public by the data subject;

– the processing is necessary for the purposes of preventive or occupational medicine.

4. Rights of the data subjects and the means of their exercise

a) Information to be provided where personal data have been obtained from the data subject

Where personal data relating to the data subject are collected from the data subject, the Association shall provide the data subject, at the time the personal data are obtained, with the information set out in Article 13(1) to (4) of the GDPR.

Where personal data have not been obtained from the data subject, the information to be provided to the data subject by the Association is set out in Article 14(1) to (5) of the GDPR.

The right to information can be exercised in writing through the given contact details of the Association. At the request of the data subject, information may be given orally, after verifying his/her identity.

b) Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The Association shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

c) Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

d) Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– the data subject withdraws consent and where there is no other legal ground for the processing;

– the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;

– the personal data have been unlawfully processed;

– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

– the personal data have been collected in relation to the offer of information society services.

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Erasure may not be requested where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims.

e) Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

– the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

– the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;

– the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted as above mentioned, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing on the grounds set out above shall be informed by the controller before the restriction of processing is lifted.

f) Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Association shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

g) Right to data portability 

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The right to data portability shall not adversely affect the rights and freedoms of others.

h) Right to object and automated individual decision-making cases

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the purposes of the legitimate interests pursued by the Association or by a third party, including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.

At the latest at the time of the first communication with the data subject, the right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. 

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

i) Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The data subject is not entitled to the abovementioned rights if the decision:

– is necessary for entering into, or performance of, a contract between the data subject and a data controller;

– is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

– is based on the data subject’s explicit consent.

j) Right to withdraw consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

IX. Processor

Where processing is to be carried out on behalf of the Association, the Association shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.

The processor shall not engage another processor without prior specific or general written authorisation of the Association. In the case of general written authorisation, the processor shall inform the Association of any intended changes concerning the addition or replacement of other processors, thereby giving the Association the opportunity to object to such changes. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, which is binding on the processor with regard to the Association and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the Association. That contract or other legal act shall stipulate, in particular, that the processor:

Where a processor engages another processor for carrying out specific processing activities on behalf of the Association, the same data protection obligations as set out in the contract or other legal act between the Association and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the Association for the performance of that other processor’s obligations.

Any person acting under the authority of the Association or of the processor who has access to personal data shall process such data only on instructions from the Association, unless required to do so by Union or Member State law.

X. Records of processing activities

The Association and its executive officers shall maintain a record of processing activities under its responsibility.

Where processing is carried out by others on behalf of the Association, the processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of the Association, in accordance with GDPR.

The records shall be in writing, including in electronic form. 

The Association and, where applicable, its processors shall cooperate, on request, with the supervisory authority in the performance of its tasks.

XI. Privacy incident

1. Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The Association shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with GDPR.

2. Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points XI/1/b)-c) of this Policy.

The communication to the data subject shall not be required if any of the following conditions are met:

– the Association has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

– the Association has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

– it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the Association has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions are met.

XIII. Designation, position, and tasks of the data protection officer

1. Designation of the data protection officer

The Association and the processor shall designate a data protection officer in any case where:

– the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

– the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

– the core activities of the controller or the processor consist of processing on a large scale of special categories of data.

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks.

The Association shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

2. Position of the data protection officer

The duties of the data protection officer are performed by a member of the Association designated for that purpose.

The Association and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The Association and processor shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. The Association and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.

He or she shall not be dismissed or penalised by the Association or the processor for performing his or her tasks. The data protection officer shall directly report to the highest management level of the Association or the processor.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.

3. Tasks of the data protection officer

The data protection officer shall have at least the following tasks:

– to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and to other Union or Member State data protection provisions;

– to monitor compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the Association or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

– to provide advice where requested as regards the data protection impact assessment and monitor its performance;

– to cooperate with the supervisory authority;

– to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.


XIV. Judicial remedies available to data subject

1. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including that the data subject is entitled to a judicial remedy.

Name and contact details of the supervisory authority:

– Name: Hungarian National Authority for Data Protection and Freedom of Information

– Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

– Postal address: 1530 Budapest, Pf.: 5.

– Phone: 06/1-391-1400

– Email: ugyfelszolgalat@naih.hu

– Website: http://www.naih.hu

2. Right to an effective judicial remedy against a supervisory authority

The data subject and the Association shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

Each data subject shall have the right to an effective judicial remedy where the supervisory authority, which is competent, does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

3. Right to an effective judicial remedy against the Association

Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

Proceedings against the Association shall be brought before the courts of the Member State where the controller has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

4. Right to compensation and liability

Any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the Association for the damage suffered.

Any controller involved in processing shall be liable for the damage caused by processing which infringes GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Association.

The Association shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. 

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State. If a data subject is not habitually resident in Hungary, such proceedings may, at the data subject’s choice, be brought before the courts of the Member State in which he or she is habitually resident.


XV. Transfers of personal data to third countries or international organisations

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of GDPR, the conditions laid down in Chapter V are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in Chapter V shall be applied in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined.


XVI. Final provisions

In the cases not covered by this Policy, GDPR and the provisions of the prevailing national law on information self-determination right and freedom of information shall prevail.
