PRIVACY AND DATA MANAGEMENT POLICY


1. Purpose of the Policy

The purpose of the present Policy is to lay down, the principles of data protection and data management applied by Századvég Foundation and its institutional units, Századvég Publisher, Századvég Alumni Club and Civil Society Information Centre of Budapest (hereinafter referred together as: Foundation), furthermore the data protection and data management policy of the Foundation which is acknowledged by the Foundation as obligatory and self-binding.

At the drafting of the present document the Foundation has taken into consideration in particular the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.), furthermore the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and the Act V. of 2013. on the Civil Code.

2. Definitions

Personal data: data that might be related to a determined natural person (hereinafter: Data Subject) – especially the Data Subject’s name, tax number, one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject -, furthermore a conclusion which is deducted from the data concerning to the Data Subject. In the course of data processing, the data in question shall be treated as Personal as long as the Data Subject remains identifiable through it;

Data Subject: a natural person who grants its Personal data to the Foundation – such as especially: a participant of  any research, a registered user of the Századvég Publisher’s webshop (hereinafter: webshop), the user of the Civil Society Information Centre of Budapest’s service sor a person who can be related to it, or a member of Századvég Alumni Club (hereinafter: Alumni);

Data Set: shall mean all data contained in a filing system;

Processing of data: shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);

Controller: the Foundation, as it follows:

Name:                             Századvég Foundation

registered seat:                   1037 Budapest, Hidegkuti Nándor street 8-10.

registration number:  Fővárosi Törvényszék, 01-01-0004243

tax number:                  18052411-2-41

Destruction of data: shall mean the complete physical destruction of the medium containing data;

Disclosure by transmission: shall mean making Personal data available to a specific third party;

Public disclosure: shall mean making Personal data available to the general public;

Erasure of data: shall mean the destruction or elimination of data sufficient to make them irretrievable;

Data processing: shall mean the fulfillment of technical tasks related to data processing operations, irrespectively of the method and tools used for the operation, and of the place of application, provided that the technical tasks will be fulfilled on the data;

Data processor: shall mean a natural or legal person or unincorporated institutional unit of the Foundation, who or that is engaged by the Controller to do processing operations on Personal data (contact);

Automated data set: shall mean stream of data that will be the subject of automated data processing;

Mechanical processing: contains the following operations, in case of these are done partially of fully by automated tools: storage of data, logical or arithmetical operations with the data, alteration, cancellation, retrieval and distribution of data;

Pseudonymization: shall mean the processing of Personal data in such a manner that without the use of additional information it can not be determined anymore towhich concrete natural person the Personal data is concerned, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that these Personal data are not attributed to identified or identifiable natural persons;

Consent: any freely given and unambiguous expression of the Data subject’s wills which are based on adequate information, and by which the data subject gives its consent in no uncertain terms to the processing of its Personal data– fully or concerning to certain operations-;

Objection: the declaration of the Data Subject bywhich the Data Subject protests against the processing of its Personal data and requires the termination of data processing, or the cancellation of the data being processed;

Personal data breach: shall mean unlawful processing of Personal data or Personal data processing, especially such as unlawful access, alteration, transmission, disclosure to the public, erasure or destruction, destruction by accident and defect.

3. Scope of managed personal data

3.1. The Data Subject may disclose based upon its decision the following data:

3.1.1. During the research: during the research the data determined in the declaration signed by the Data Subject. The Controller processes the Personal data handed over to it relating to the research activity merely for the purpose of facilitating the research activity and the Controller is entitled to disclose these data to third persons only in case of the approval of the Data Subject is granted. The answers given by the Data Subject in course of the research will be processed and as a result of this they loose their personal aspects hence they might not be related to the Data Subject anymore.

Personal data fixed for the purpose of scientific research shall be used only for the purpose of scientific research. The verifiability of the relation between the personal data and the Data Subject – as soon as the purpose of research makes it possible – shall be made impossible irrecoverably. In the interim those data, which are suitable for the identification of a determined or possibly determinable natural person, shall be kept separately. These data may be associated with further data only in case of it is necessary for the purpose of the research.

The Foundation may disclose personal data to the public only in the event of

a)    the Data Subject gave its consent to it, or

b)    it is necessary for the presentation of research results concerning to historical events.

3.1.2. In case of the webshop (concerning to a natural person): Delivery and invoice data: name; postal code; settlement; street; house number. Contacts of the orderer: name; phone number; e-mail address; product cathegory purchased by the orders of the User, the type of payment and takeover applied by the User, the item amount of the purchases made by the User.

3.1.3. In case of the Alumni: name, address and e-mail address of the proposant.

3.1.4. In case of the Civil Society Information Centre of Budapest: names of Data Subjects listed as participants on the attendance registers of events (in case of a legal person the name of the legal person and its representative), and their e-mail address; by application for a newsletter the e-mail address of the Data Subject; furthermore the contacts required for the fulfillment of legal duties of the Centre, which contacts stam, from authority registrars that are available for the public or, from the result of the perfomance of services (name, phone number, e-mail address).

3.2. Data to be recorded technically during the operation of Controller’s website: those login data of the Data Subject’s computer, which are generated during the use of service and which are recorded as the authomatic result of technical courses by the Controller’s system. The data to be recorded authomatically are logged by the system authomatically at entry and exit without the additional declaration or action of the Data Subject. These data may not be related – except for mandatory cases ordered by the law – to further Personal user data. Exclusively the Controller has access to the data (requirement of Data safety).

3.3. Controller places through its website for the purpose of individualised service a small data package (so-called ’cookie’) on the computer of the Data Subject. The purpose of the cookie is to ensure the utmost high quality operation to improve user experience. The Data Subject is able to cancel the cookie from its own computer, and it is also possible for the Data Subject to fix settings regarding the browser so the cookies will be prohibited. By prohibiting the use of cookies Data Subject aknowledges and accepts that the website does not operate on highest possible level without cookies.

3.4. During the events of the Foundation – accordig to the regulations of crowd scene and public performance – video and audio records are made of the participants. The Foundation informs about this also specifically the participants of its events.

4. Legal basis, purpose and method of data management

4.1. Data management takes place based upon a voluntary, specific and definite expression based upon sufficient information ensured to the Data Subject individually or for the users of the internet website www.szazadveg.hu available on the website, whereby they give their consent to the use of their Personal data disclosed, while in exceptional cases it is based upon statutory regulation. The legal basis of Processing of data is accordingly the voluntary consent of the Data Subject based upon Infotv. 5. § (1) point a), or in certain cases a mandatory data management based upon Infotv. 5. § (1) point b).

4.2. The purpose of the Processing of data is to ensure the above activities of the Controller, furthermore to fulfill the legal duties related to these.

4.3. The purpose of authomatically recorded data (see article 3.2.) is to ensure the providing of services available though the internet site of the Controller, to view the customized contents and advertisements, to make statistics, to technically develop the informatical system, and to protect the rights of users. The data made available by the Data subject during the use of services may be used by the Controller to form user groups and to display purposeful contents and/or advertisements on the websites of the Controller towards the user groups.

4.4. The Controller is not entitled to use the disclosed Personal data to purposes other than determined in the present articles. The handover of Personal data to any third person or authority – except any Act orders distinctly with mandatory force – is only possible by the preliminary and expressed consent of the Data Subject.

4.5. Controller does not verify the Personal data disclosed to it. Exclusively the Data Subject is liable for the appropriacy of the data disclosed by the Data Subject. By diclosing its e-mail address any Data Subject undertakes simultanously a liability that exclusively the former Data Subject uses the services under the given e-mail address. Considering this liability undertaking all liability in relationship with the entries under a given e-mail address burdens that Data Subject who registered the e-mail address.

4.6. Provided the Processing of data is made by another person on behalf of the Controller, then the Controller may exclusively hire such Data processors who or which grant adequate guaranties to keep the legal regulations of data management and to implement the sufficient technical and management measures that ensures the protection of Data Subject’s rights.

5. Principles for the Processing of data

5.1. The processing of Personal data may happen only lawfully and fair, furthermore in a way that is transparent for the Data Subject (’lawfullness, fair process and transparency’).

A személyes adatok kezelése jogszerű, amennyiben legalább az alábbiak egyike teljesül:

The processing of personal data is lawful provided at least one of the below conditions is fulfilled:

a)    the Data Subject gave its consent to the processing of its personal data for one or more concrete purposes;

b)    the processing of data is requires for the performance of such an agreement inwhich the Data Subject is one of the contraing parties or it is needed to make steps required by the Data Subject before concluding the contract;

c)     the processing of data is required for the fulfillment of a legal duty concerning to the Data Subject;

d)    the processing of data is needed to protect the essential interests of the Data Subject or of another natural person;

e)    the processing of data is of public interest or it is required for the fulfillment of a task within the frames of exercising the power of the state delegated to the Controller;

f)     the processing of data is needed for the enforcement of the Controller’s or a third person’s lawful interests, except for the case when the Controller’s such interests of fundamental rights and freedoms have priority which require the protection of Personal data, especially if the Data Subject is a child.

5.2. Personal data shall be stored merely for determined, unambiguous, and legal purposes, and may not be used for an alternate purpose. The further processing of data for the purpose of research or statistics (’assignment of purpose’) shall not be considered as inconsistent with the original purpose.

5.3. The Personal data shall be adequate and relevant considering the purposes of data processing and shall be limited to the necessary minimum (’data sparing’).

5.4. The Personal data shall be accurate and up to date in case of necessary; all reasonable measures shall be done for the purpose of the cancellation or correction of those Personal data which are inaccurate considering the purposes of processing of data (’accuracy’).

5.5. The method through Personal data are kept shall enable the identification of the Data Subject merely until the period which is necessary for the purpose of storage (’limited possibility of storage’).

5.6. Adequate security measures shall be taken for the protection of Personal data kept in automated data sets to hinder accidental or illegal destruction, accidental loss, furthoremore the illegal access, change or distribution (’integrity and privacy’).

5.7. The Controller is liable for the compliance of the above furthermore it shall be able to verify the compliance (’accountability’).

5.8. Processing of Personal data for the purpose of research or statistics shall be made under the adequate guarantee of protecting the rights and freedoms of the Data Subject. These guarantees shall ensure technical and organizational measures being in force which secure especially to keep the principle of data sparing. To such measures may belong the Pseudonymization, provided the mentioned purposes can be fulfilled in such a way. In case of these purposes are reachable through such further processing of data which does not or already does not make possible the identification of the data subjects, then the purposes shall be achieved in such a way.

6. Data protection directives applied by the Foundation (Controller)

6.1. The Controller uses the Personal data which are indispensably required to perform the Controller’s activities based upon the consent of the Data Subjects and exclusively for the concrete purpose.

6.2. Controller undertakes to manage the Personal data possessed considering the regulations of Infotv. and GDPR according to the data protection principles determined in the present document, and does not hand over these to a third party without the approval of the Data Subject or without the permission of the law.

6.3. Controller undertakes obligation to disclose a clear, attention calling and unambiguous notification before recording, fixing, processing any of the Data Subjects’ Personal data, inwhich they are informed about the method, purpose and priciples of the data recording. Beyond these, all in those cases when the recording, processing and fixing is not mandatory by the law, the Contoller attracts the Data Subject’s attention to the voluntary nature of data supplying. In case of a mandatory data supplying the law which orders it shall be determined as well. The Data Subject shall be informed about the purpose and the persons who will manage and process the Personal data. The notification about data management is fulfilled also in case of the law regulates the data recording through transmission or connecting arising from an already existing data management.

6.4. Considering the state of science and technology and the costs of implementation, futhermore the type, scope, circumstances and purposes of data management, furthermore the variable probability and severity of risk meant regarding the rights and freedoms of natural persons the Controller implements by determining the type of data management and during data management such technical and organizational measures – e.g. pseudonymization -, and the aim of these measures is on one hand the effective implementation of data protection principles such as data sparing, on the other hand to set in guarantees into the course of data management which are necessary to fulfill the legal requirements and to protect the Data Subjects’ rights.

The Controller carries out adequate technical and organizational mesures to ensure that in terms of default interpretation merely such Personal data are to be processed which are necessary for the current concrete purpose of data management. This duty is concerned to the amount of collected Personal data, to the extent of their processing, to the period of storage and to availability.

6.5. In all such cases, when the Controller intends to use the Personal data provided to an alternate purpose which is different from the original purpose of data recording, then the controller shall inform the Data Subject about this and acquires its preliminary and expressed consent, furthermore ensures the possibility to the Data Subject to prohibit the use.

6.6. The Controller keeps the restrictions determined by the law in any and all cases during the recording, fixing and processing of the data, and informs about its activity the Data Subject on demand of the latter via electronic correspondence. The Controller undertakes obligation not to impose any sanctions towards those Data Subjects who denies ti fulfill the non-mandatory providing of data.

6.7. Controller undertakes obligation to provide the safety of Personal data, furthermore makes those technical and organizational measures and develops those procedural rules which ensure that the Personal data recorded, stored or processed are protected, and prevents their distruction, illegal use and illegal amendment. Controller undertakes also obligation that all third party to whom the Controller occurrently forwards or hands over the Personal data, are requested to fulfill the above obligations.

6.8. Provided the Personal data does not comply with the truth and the true and valid Personal data are in possession of the Controller, then the Personal data shall be corrected by the Controller or by the Data processor based upon the order of the former one. 

7. Period for Processing of data

7.1. The Personal data provided by the Data Subject remain under procession until the Data Subject (especially in case of the newsletter of Alumni and Civil Society Information Centre) unsubscribes itself – under the concrete user name -, or until it does not apply for the termination of Personal data procession in a written form, or until the purpose of the Personal data processing is exists. In the event of an illegal or misleading Personal data use or in case of a crime committed by the Data Subject or in case of an attack against the system the Controller is entitled to cancel immediately the data of the Data Subject simultaneously with the termination of its regisration, and in case of a suspicion of a crime or civil law liability it is entitled also to keep the Personal data for the period of the procedure to be conducted.

7.2. The data, fixed automatically and technically during the operation of the website, will be stored in the system from their generation until the period of time which is reasonable to ensure the operation of the website. The Controller ensures that these, automatically fixed data can not be associated with further Personal user data – except for the cases which are mandatory by the law-. In case of the Data Subject has terminated its consent to the processing of its Personal data, or it unsubscribed itself from the service, so after these its identity will not be determinable anymore based upon the technical data.

8. Data processing

The Controller does not use a third party data processor. The Personal data processed by the Controller are processed by the Controller or its employees in charge of the data processing. The processed data are managed relating to each activity by the Data processors determined in the information chard concerning to it.

9. Registry, safety

9.1. Provided the processing of data is not occasional, then the Controller keeps a registry about the data management activities belonging to its responsibility. This registry contains the following information:

  1. Name and contact of the Controller, furthermore the name and contact of the Controller’s representative;
  2. the purposes of data processing;
  3. review of the Data Subject cathegories, and the Personal data cathegories;
  4. cathegories of such addressed persons or entities towhom the Personal data are or will be disclosed, including also the third country addressed persons or entities or international organizations;
  5. in particular cases information concerning to the transmission of Personal data to third countries or to international organizations, including also the identification of a third country or international organiztation, or in case of a transmission according to GDPR section 49. (1) second chapter the description of the adequate guarantees;
  6. if applicable, the planned deadlines for the cancellation of different data cathegories;
  7. if applicable, the general description of technical and organizational measures implemented as the guarantee of data safety.

The Controller grants access to the registry according to the law exclusively for the supervising authority based upon its request.

9.2. Considering the state of science and technology and the costs of implementation, futhermore the type, scope, circumstances and purposes of data management, furthermore the variable probability and severity of risk meant regarding the rights and freedoms of natural persons the Controller and the Data Processor implements adequate technical and organizational measures for the purpose of data safety to be guaranteed on a level complying with the extent of the risk, including also, among others, in particular cases:

  1. the pseudonymization and encryption of Personal data;
  2. the ensurance of the continual privacy, integrity, availability and the capability of resistance for the systems and services used for Personal data management;
  3. in the event of a physical or technical incident the capability of Personal data access and availability restoration in adequate time;
  4. a process for systematical testing, examining and evaluating the effectiveness of technical and organizational measures ordered to guarantee the safety of data processing.

By determining the adequate safety level those risks arising from data management shall be expressly taken into consideration, which may occur by the accidental or illegal destruction, loss, alteration, or by illegal disclosure to public, or by illegal access to the Personal data especially when transmitted, stored or managed in any other ways.

The Controller and the Data processor take measures to ensure that the natural persons having access to the Personal data acting according to the directions of the Controller or Data processor have the possibility to manage the above menioned data merely according to the instruction of the Controller, except these persons are obligated to alter from such instruction by force of the law.

9.3. The Controller shall report a personal data breach without an unjustified delay and if possible, it shall report latest within 72 hours after the personal data breach came to its knowledge, to the competent supervising authority except the personal data breach probably does not mean a risk to the rights and freedoms of the natural persons.

In the report the nature of personal data breach including also – if possible – the cathegories of Data subjects and their estimated number, the cathegories and estimated number of data affected by the breach shall be descibed; the name and availability of the contact person providing further information shall be disclosed; the potential consequences arising from the data breach shall be listed; measures done or planned by the Controller as a remedy of the data breach, including also if necessary the measures to ease the occurrent detrimental consequences arising from the data breach. Provided the information can not be disclosed simultanously, then it can be disclosed without further unjustified delay later in parts.

The Controller keeps a record about the Personal data breaches, listing the fact, the consequences of it and the measures to remedy related to the data breach.

10. Possibility of data transmission

The Controller is entitled and obligated to transmit all such Personal data available and stored lawfully by the Controller to the competent authorities, towhich transmission the Controller is obligated by the law or by final and enforceable authority decision. Controller shall not be liable for such data transmission or for the consequences that stam from such transmission.

11. Data subjects’ rights relating to their Personal data managed by Controller

11.1. Data subjects are entitled to ask or inquire in a written form, via registered mail or with receipt required sent to the Controller’s address or to the e-mail address of the Data processor appointed in the concerning information chart about the following

  • to ask information about the management of their Personal data;
  • to ask correction of their data in case of a change in their Personal data or in case of the data are registered wrong;
  • to ask for cancellation or lockup of their Personal data
  • to ask for a restraint of the management of their Personal data; or
  • to ask for the sending of their Personal data in a proportioned, widely used, machine-readable format, furthermore to forward these data by the Controller – without interference – to another Controller (right to portability of data).

A request for information sent in e-mail can be considered as official only if – provided it is available for the Controller – it was sent from the registered e-mail address of the Data subject. The request for information may cover the Data subject’s data managed by the Controller, its source, the purpose of data management, its legal basis, the period of it, the names and addresses of the possible Data processors, the activities related to the data management, furthremore in case of the transmission of Personal data who and for what purpose received or will receive the data of the Data subject. 

After the fulfilment of a request concerning to the cancellation or amendment of a Personal data the former (cancelled) data can not be restored anymore.

11.2. Regarding a query on data management the Controller shall give the information in a written form upon the request of the Data subject, in a plain form, within the shortest period of time counted from the receipt but latest within 25 days. In case of an e-mail the first working day following the sending shall be considered as the date of receipt.

11.3. About the correction, lockup and cancellation of the Personal data the Data subject furthermore all those persons shall be notified to whom the data has been previously forwarded for the purpose of data management. The notification may be ignored if it does not violate the lawful rights of the Data subject considering the purpose of data management.

11.4. The Data subject is entitled to the cancellation of its Personal data by the Contoller without unjustified delay based upon the Data subjects request, and the Controller is obligated to cancel the Personal data concerning to the Data subject without unjustified delay – except for the alternate regulation of the law -, in case of any of the following reasons emerge:

  1. the Personal data are not needed anymore for the purpose they were collected or managed any other way, or the deadline for Personal data storage determined by the law has been expired;
  2. the Personal data is incomplete or wrong and this status can not be corrected in a lawful way, provided that the cancellation is not excluded by the law;
  3. the Data subject revokes its permissioin as the basis of data management, and the data management has not other legal basis;
  4. the Data subject objects against the data processing and there is no lawful reason having priority for the data processing;
  5. the Personal data has been processed illegally;
  6. the Personal data shall be cancelled to fulfill the regulations of the law (the cancellation of the Personal data has been ordered by the court or authority).

Provided the Controller has disclosed the Personal data to public and the Controller shall cancel such data as written above, then the Controller shall make the reasonably requestable steps considering the costs of the available technology and implementation – including also the technical measures – to inform the controllers who manage the data that the Data subject has requested the cancellation of the links referring to the Personal data in question or the copies or duplicates of such Personal data.

The terms and conditions determined in the present article are not applicable provided the data management is necessary:

  1. to exercise the right to freedom of opinion and expression, and the right to information;
  2. for the purpose of fulfilling the obligation of Personal data processing ordered by the law as the obligation of the Controller, or to execute a task which shall be done arising from public interest;
  3. for the purpose of making public interest archives, for scientific or historical research or statistical purposes provided the cancellation of the data would probably make impossible or would seriously jeopardize such data management; or
  4. to file legal claims, to enforce or protect such claims.

11.5. Instead of a cancellation the Controller locks up the Personal data in case of the Data subject requires it, or if it is presumable based upon the available information that the cancellation would violate the lawful rights of the Data subject. The Personal data locked up this way may be processed merely until the purpose of data processing, which excluded the cancellation of the Personal data, exists.

11.6. The Data subject, and all those to whom the Personal data was transmitted previously for the purpose of Processing of data, shall be notified about the correction, lock-up, marking and cancellation. The notification can be skipped by the Controller if it does not violate the lawful interest of the Data subject considering the purpose of Processing of data.

11.7. Provided the Controller does not perform the Data subject’s request for correction, lock-up or cancellation so the Controller shall inform the Data subject within 25 days counted from the receipt of request in a written form about the factual and legal justification why the application for correction, lock-up or cancellation has been rejected, furthermore notifies the Data subject that it may turn to the court or to the Hungarian National Authority for Data Protection and Freedom of Information over against the resolution of the Controller.

11.8. The Data subject is entitled to a restricted processing of data implemented by the Controller based upon the request of the Data Subject, provided any of the following conditions are fulfilled:

  1. the Data subject disputes the accuracy of the Personal data, inwhich case the restriction means a period of time which makes possible for the Controller to check the accuracy of the Personal data;
  2. the procession of data is illegal, and the Data subject objects the cancellation of data, instead of it requests the restriction of their use;
  3. the Controller does not need the Personal data anymore for processing of data, but the Data subject claims to get them for the filind, enforcement of protection of a legal claim; or
  4. the Data subject objected against the processing of data; in this event the restriction concerns to the period of time until it is determined whether the lawful reasons of the Controller have priority against the lawful reasons of the Data subject or not.

Provided the processing of data is under restrictions, then such Personal data – except for the storage- can be processed only with the approval of the Data subject, or for the filing, enforcement or protection of legal claims, or for the protection of rights of other natural persons or legal entities, or arising from an important public interest of the European Union or any member state.

The Controller preliminary informs the Data subject - who requested the restrictions of data processing - about the release of data processing restrictions.

11.9. The Data subject may object against the processing of its Personal data,

  1. if the procession or transmission of Personal data is necessary only for the fulfilment of the Controller’s legal obligation or for the enforcement of the Contoller’s, the Personal data recipient’s or third person’s lawful interests, except for a mandatory data processing;
  2. if the use or transmission of Personal data happens for the purpose of direct business acquisition, for a survey or for a scientific research; furthermore
  3. törvényben meghatározott egyéb esetben. in additional cases determined by staturory law.

The Controller examines the objection within the shortest period from its receipt but latest within 15 days, decides on its merits and informs the Data subject about its decision in a written form.

In case of the Controller determines the well-foundedness of the Data subject’s objection, so the Controller terminates the processing of data – including also the further data recording and transmission -, locks up the Personal data and informs about the objection and about the measures imposed based upon it to whom the Personal data affected by the objection previously has been transmitted, and who are obligated to take measures in favour of the enforcement of the objection right. If the Data subject does not agree with the decision of the Controller or if the Controller fails to keep the deadline referred in the present article, then it may to turn to the court within 30 days counted from the disclosure of the decision or from the last day of the deadline.

12. Possibilities for prosecution of rights

The Data subject may exercise its right of prosecution based upon Infotv. and the Act V. of 2013 (Ptk.) at the court, furthermore in any issue related to a Personal data may apply also for the support of the competent supervisory authority, the Hungarian National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: 1530 Budapest, Pf. 5.).

The Data subject may turn to the court in case of the violation of its rights, furthermore in cases determined in section 21. § of the Infotv. against the data recipient and Controller. The court proceeds in the case out of turn. The adjudication of the lawsuit belongs to the competency of the general court. 

Beyond these, the competent Data processors may be also contacted via e-mail as written in the concrete information charts concerning to questions or comments relating to processing of data.

13. Amendment of the Data Management Policy

13.1. The Controller is entitled to amend the present Policy unilaterally at any time. The Data subjects acknowledge and accept the amended data management rules by the continual use of the services, there is no need to ask for their further consent.