PRIVACY POLICY
Date of publication: 20th May 2021
Updated on: 20th May 2021
1. Introduction
The purpose of this Privacy Policy (hereinafter “the Policy”) is to set out the data protection and data management principles applied by Hungary Helps Ügynökség Nonprofit Zrt. (hereinafter “the Agency”) (registered office: H-1016 Budapest, Naphegy tér 1., company registration number: 01-10-041633, as the owner of the Website www.hungaryhelps.gov.hu) and the Agency’s data protection and data management policy, which the Agency as the data controller acknowledges as binding. This Policy sets out the principles for the processing of personal data provided by users on the Website and provides information to data subjects about the processing of their personal data. The purpose of this Policy is also to provide the data subjects with information on the data management of the financial support provided to the Agency, which can be partly provided through the Website and partly through other means.
In drafting the provisions of the Privacy Policy, the Agency has taken into particular account the provisions of Regulation 2016/679 (“GDPR”) of the European Parliament and of the Council, Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (“Civil Code”), Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (“Advertising Act”) and Act CXX of 2018 on the Hungary Helps Program.
2. Data of the data controller
The Agency is the controller of your personal data, which means that the Agency is responsible for the lawful processing of your personal data.
You can contact us using the contact details below:
I. Data management for the website
3. Brief description of data management at the level of each data management process
On the Website, the Agency provides users with the possibility of sending a message under the “Contact” menu for general contact and to answer any questions that may arise, during which the data subject is required to provide the personal data necessary for contacting the Agency.
4. Legal basis for data processing
The legal basis for the processing of personal data collected and published via the Website is always your consent as the data subject, as defined in Article 6(1)(a) of the GDPR. The data processing is in any case voluntary. You may withdraw your consent at any time by sending a request to this effect to gdpr@hungaryhelps.gov.hu. 5. The personal data we collect, indicating the legal basis and purpose
| | |
---|
| Purpose of data processing | Legal basis for data processing |
| | In accordance with Article 6(1)(a) of the GDPR, the legal basis for data processing is your consent |
6. Duration of data processing
The Agency will process your personal data in this context until your consent is withdrawn or until it receives your request to delete your data, but at the latest 1 year after the end of the exchange of messages.
_II. Da_ta processing for donations
7. Brief description of data management at the level of each data management process
You can pay by card using the GP webpay online payment system operated by Global Payments Europe, a subsidiary of Global Payments Inc. However, in order to proceed to gpwebpay.com, the donor must first provide the Agency with certain personal information via the Website. The purpose of the data processing is to ensure the proper functioning of the Website, including the sending of control system messages, to help to solve any problems as soon as possible in case of errors, and to contact the donor directly. The Agency has included its bank account number on its Website so that those who wish to help can support the Agency’s work by making a one-time or regular transfer.
Storage of personal data of potential donors and inactive donors
The names and contact details (phone number, email address) of potential sponsors (individuals and companies) are stored electronically by the Agency. The Agency is allowed to do this under Article 6(1)(f) of the GDPR.
8. The personal data we collect, indicating the legal basis and purpose
In accordance with Article 9(3) of the HHP Act, in order to fulfil its statutory obligations, the Agency shall record the following data on the donors and donations (i.e. voluntary contributions, donations, grants, endowments and other receipts from international organisations, institutions and other sources made by natural persons, legal entities and unincorporated organisations, whether domestic or foreign) referred to in Article 7(3)(a), © and (e) of the HHP Act, in order to ensure the verifiability of payments and transfers and their possible reimbursement, as well as the possible repayment thereof, which come to its knowledge or are communicated by the donor:
a) the name of the donor,
b) the address or registered office of the donor,
c) the donor’s phone number and email address,
e) the bank details of the payment or transfer, in particular the name of the financial institution holding the account, the name of the payer or account holder, the amount of the donation, the donor’s communication,
f) the donor instructions for the use of the donation, and
g) additional information that the Agency deems necessary, other than personal data.
The Agency will keep the personal data listed above for 5 years.
In addition to the above, the Agency processes personal data as follows:
| | |
---|
| Purpose of data processing | Legal basis for data processing |
DATA PROCESSED BY THE AGENCY: sex, name, email address, phone number, mailing address, birth date; INPUT DATA: personal data on the credit card (name, credit card type, number, expiry date, CVC/CVV code), address | Donation by credit card payment | In accordance with Article 6(1)(a) of the GDPR, the legal basis for data processing is your consent. |
Name, bank account number | Bank transfer from a private individual | In accordance with Article 6(1)(a) of the GDPR, the legal basis for data processing is your consent. |
Name, email address, phone number, amount of aid | Storage of personal data of potential donors and inactive donors | According to Article 6(1)(f) of the GDPR, the legal basis for data processing is the legitimate interest of the Agency. An interest assessment test has been carried out. |
9. Duration of data processing
In this context, the Agency will keep your personal data for 8 years.
In this context, the Agency will keep your personal data for 8 years.
Storage of personal data of potential donors and inactive donors
In this context, the Agency will keep your personal data for 8 years.
III. Common provisions
10. Data processors
The following personal data of donors who choose to donate by credit card will be transferred to Hungary Helps Ügynökség Nonprofit Zrt. (registered office: H-1016 Budapest, Naphegy tér 1.) as the data controller. The data transmitted are: user name, surname, first name, country, phone number, email address. Purpose of the data transfer: customer service assistance to users, confirmation of transactions and freud monitoring for the protection of users.
11. IT tasks related to the Website
The Agency shall take appropriate technical and other measures to protect the personal data of the data subject, to ensure the security and availability of the data and to protect it against unauthorised access, alteration, damage or disclosure and any other unauthorised use. The Agency shall use password protection and anti-virus software as part of its technical measures.
12. Your rights and remedies
What rights do you have as a data subject in relation to your data?
Right to information and access
You have the right to receive, at the Agency’s request, feedback on whether your personal data are being processed and, if such data processing is ongoing, the right to access your personal data and the following information:
purposes of data processing;
categories of personal data concerned;
the recipients to whom the personal data are or will be disclosed (including in particular data processors);
the envisaged storage period of the personal data;
your rights regarding the processing of your personal data;
the source of the data, if not collected from you;
information on automated decision-making.
We will provide you with information about your personal data free of charge in accordance with applicable law. We will respond to your request in writing within one month. However, where the request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Agency may, having regard to the administrative costs entailed in providing the information or information requested or in taking the action requested:
charge you a reasonable fee, or
may refuse to act on the request.
If you have already paid a fee but your data has been processed unlawfully or we need to correct your data as a result of your request, we will refund this fee to you.
If, despite our efforts to protect your personal information through our advanced data security measures, anyone unauthorisedly accesses, changes, transfers, discloses, deletes, destroys, causes accidental destruction or damage to, or otherwise unlawfully interferes with your personal information, we will, upon your request, inform you of the circumstances of such an incident, including when it occurred, what the effects may be, and what we have done to prevent or mitigate the consequences.
If the personal data we process is inaccurate, we will correct it without undue delay at your request. You also have the right to ask us to complete your incomplete personal data by means of a declaration to that effect.
The Agency will delete your personal data without delay where:
the personal data are no longer necessary for the purposes of carrying out the specific data processing operations;
the processing of personal data is unlawful;
deletion is necessary to comply with a legal obligation to which the Agency is subject;
consent to the processing of the data of a child under the age of 16 has not been given or authorised by the person having parental authority over the child;
the Agency has disclosed the personal data.
You can also ask us to delete your personal data by withdrawing the consent you have previously given to us. In this case, however, we may refuse to continue to provide our services to you or certain services may no longer be available to you.
We will block your personal data instead of deleting it if you request it or if we have reason to believe that deletion may affect your legitimate interests.
Restriction of data processing may take place if:
you contest the accuracy of your data; in this case, the Agency will restrict the processing of your personal data for a period of time until the accuracy of the data is established;
the data processing is unlawful and you request restriction of use instead of erasure;
the Agency no longer needs the data, but you need them to bring a legal claim;
you have objected to the processing of your personal data, until such time as the objection has been considered.
The Agency will suspend the processing of your personal data for the duration of its assessment of your objection to the processing of your personal data, but for a maximum of 5 days, and will examine the grounds for the objection and take a decision, which it will inform you of without delay.
If the objection is justified, the Agency will restrict the data, i.e. only storage as data management can take place as long as
you consent to the data processing;
the processing of your personal data is necessary to pursue legal claims;
processing of personal data becomes necessary in order to protect the rights of another natural or legal person; or
a law requires data processing in the public interest.
If you have requested the restriction of data processing, you will be informed in advance by the Agency of the lifting of the restriction.
Right to data portability
You have the right to receive personal data concerning you provided to the Agency in a structured, commonly used, machine-readable format (such as .doc or .pdf) and the right to transmit such data to another data controller without the Agency’s hindrance.
What happens and what can you do if your request is rejected?
If the Agency refuses your request for rectification, restriction or erasure, we will inform you in writing within one month of receipt of the request why we have been unable to comply with your request and inform you of your legal remedies and that you can lodge a complaint with the National Authority for Data Protection and Freedom of Information. Our response will be sent by email if you agree to this.
What are your rights if you consider the data processing unlawful?
If you have concerns about the lawfulness of the data processing, you have the right to object to the data processing. The objection must include a request that we stop processing your data and delete your data.
If you object to the processing of your personal data, the Agency will examine the grounds for your objection within one month, take a decision on the merits and notify you in writing of its decision.
What remedies are available to you?
If you believe that our Agency is processing your personal data in breach of the provisions of the GDPR, you as the data subject have the right to lodge a complaint with a supervisory authority (i.e. a public authority established by any EU Member State under Article 51 of the GDPR) – in particular in the Member State where you are habitually resident, employed or where the alleged breach occurred. In Hungary, the supervisory body established in accordance with the criteria set out in Article 51 of the GDPR is the National Authority for Data Protection and Freedom of Information (hereinafter “NAIH” or “the Authority”). Accordingly, the following section provides details of the possibility to lodge a complaint with the NAIH. Please note, however, that you are not only entitled to lodge a complaint with the Authority, as set out above, but also with any supervisory authority established in an EU Member State.
Notification to the National Authority for Data Protection and Freedom of Information
Compliance with data protection legislation is monitored by the National Authority for Data Protection and Freedom of Information. If you consider that our data processing does not comply with the relevant legislation, or if you consider that there is an imminent risk of non-compliance, you can notify the Authority using the following contact details.
Name of authority: National Authority for Data Protection and Freedom of Information
Address: **H-1055 Budapest, Falk Miksa utca 9-11.
**Mailing address: **H-1363 Budapest, Pf. 9.
**Email address: ugyfelszolgalat@naih.hu
Phone number: +36 1 391 1400
Fax number: +36 1 391 1410 More information on data protection issues can be found on the Authority’s website: http://naih.hu/ Please also note that the Agency is obliged to notify the Authority of any data breach (i.e. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data) relating to the Website without undue delay and, if possible, no later than 72 hours after the data breach has come to its attention. If the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Agency shall inform you, as the data subject, of the personal data breach without undue delay.
If you believe that we have violated your right to privacy, or if you believe that we have made an incorrect decision about your objection or have not responded to your objection, you may take legal action. You can also choose to bring your case in the courts in the place where you live or where you are resident.
In addition, under the conditions set out in the law, if we cause you damage as a result of unlawful data processing or a breach of data security requirements, you may bring a claim for damages against the Agency in court. If your privacy rights have been violated, you may be entitled to damages, which you may also claim in court.
We are responsible for our data processors in this context.