Privacy Policy
Preamble
Thank you for visiting Veszprém-Balaton 2023 JSC’s website. Data protection and data security are especially important for us.
Below you can find information about how we process personal data to reach the aims of our organization and Veszprém-Balaton 2023 European Capital of Culture, what we use them for and what data we collect when you visit our website.
The data you provide to us will at all times be treated in accordance with all legal requirements and with utmost care.
Information on data controller (hereinafter: VEB2023) and data processors:
Veszprém-Balaton 2023 Joint-stock Company
Registered office: 8 Cserhát ltp., Veszprém, H-8200
Company registration No.: 19-10-500277
E-mail: [email protected]
Phone: +36 88 794 028
Public Foundation for the Culture of the Veszprém-Balaton Region
Registered office: 9 Óváros tér, Veszprém, H-8200
E-mail: [email protected]
Phone: +36 88 794 028
Measureland Ltd
Registered office: 13 (2 ground floor, Bdg A, Staircase B) Béla király út, Budapest, H-1125
Email: [email protected]
Tel:
Data protection officer contact: [email protected]
Data management principles
Personal data is any information about an identified or identifiable natural person, such as your name, age, address, telephone number, date of birth, e-mail address, IP address or user behaviour. Information that is not (or only with a disproportionate effort) personally identifiable, such as anonymised data, is not considered as personal data. Data processing (e.g. the collection, retrieval, use, storage or transfer of data) always requires a legal basis or your consent.
The personal data processed will be deleted as soon as the purpose of the processing is fulfilled and there is no data retention obligation to be complied with.
Principles for the processing of personal data
Legality, fair procedures, and transparency: personal data may only be processed on the basis of a specific legal basis (consent or other legal basis). Personal data must be processed fairly and in a way that is transparent to the data subject. Information on the processing must be provided in an accurate, transparent, intelligible and easily accessible form, in plain and intelligible language.
Purpose limitation: Personal data may only be collected for specified, explicit and legitimate purposes. Further processing of personal data may only be carried out in accordance with these purposes. The balancing of the interests of the data controller and the data subject, directly linked to purpose limitation, will in many cases provide the legal basis for processing. Therefore, the specific purpose of the processing must be specified in each case.
Data minimisation: According to the principle of data minimisation, data collection and processing should be limited to the data that are actually necessary for the purpose for which they are collected.
Accuracy: Data must be processed in such a way as to ensure that they are accurate, complete and up-to-date, and that inaccurate data are promptly deleted or rectified. To ensure that this Principle is implemented by the Controller or within the Controller's organization, the Controller shall implement routine procedures for updating the personal data processed.
Storage limitation: Personal data may be stored in a form which permits the identification of data subjects for the time necessary to achieve the purposes for which the data are processed, subject to the time limits provided for by law.
Integrity and confidentiality: Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organizational measures. Appropriate measures should therefore be taken, in particular in IT and organizational aspects (e.g. access and authorisation procedures, encryption), taking into account in particular the provisions of Articles 32 (security of processing) and 35 (data protection impact assessment) of the GDPR.
Accountability: The basic principle of accountability under Article 5(2) of the GDPR requires the Company to be able to document compliance with the principles set out above.
Legal basis for processing personal data
According to Article 6 of the GDPR, the processing of personal data is lawful only if and insofar as at least one of the following conditions is met:
• the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
• data processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into the contract;
• data processing is necessary for compliance with a legal obligation to which the controller is subject;
• data processing is necessary for the protection of the vital interests of the data subject or of another natural person;
• data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
VEB2023 shall carry out its activities in accordance with the following legislation:
• The Fundamental Law of Hungary
• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (InfoAct)
• Act LXVI of 1992 on Keeping Records on the Personal Data and Address of citizens
• Act CXXXIII of 2005 on Personal and Property Protection and the Private Detective Activities (Security Services Act)
• Act VI of 1998 on the Proclamation of the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data of 28th January 1981
• Act V of 2013 on the Civil Code (Civil Code)
• Act CLV of 1997 on Consumer Protection
Data controlling
Data control relating to social media
Data Controller maintains websites involving the following data processors: Facebook, Instagram, LinkedIn, and Twitter in order to present the activities, structure, job opportunities and novelties related to the company.
By clicking on the “Like” link on the social media sites of VEB2023, the Data Subject automatically accepts the publication of the news and offers of VEB2023 on their social media platforms. Data Controller shares photos/videos of certain events etc. on these sites. Data Controller always asks for the written consent of the Data Subject before publishing the photos and ensures that they cannot be tagged in the pictures if it is not a crowd scene.
Information about the data control of the mentioned social media sites can be found in their related Privacy Policy.
Purpose of data controlling: presenting and promoting the activities, structure, job opportunities and novelties related to VEB2023.
Scope of Controlled Data: According to the Privacy Policy of the related social media site.
Lawfulness of processing: the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes [Art. 6 GDPR par (1) point a)]
Storage limitation: According to the Privacy Policy of the related social media site.
Data storage method: electronic
Data control relating to marketing activities and contact details
VEB2023 operates a newsletter through a data processor to keep in touch with its guests and to promote its services.
Purpose of data processing: liaising with potential partners, guests and visitors.
Lawfulness of processing: the Data Subject has given consent to the processing of his or her personal data; legitimate interest of Data Controller to maintain and develop relations with business partners [Art. 6 GDPR par (1) point a) resp f)]
Scope of Controlled Data: name, e-mail address
Storage limitation: unsubscribing from newsletter – via e-mail to the Data Controller or clicking on the unsubscribe button in the newsletter.
Data storage method: electronic
To send newsletters, VEB2023 resorts to another data controller. A data controller contract is in force with the Data Controller.
Data control relating to questionnaires
VEB2023 collects statistical data to measure its programmes. Data collection does not result in the identification of a natural person.
Purpose of data control: statistical indicators, social changes, and the measurement of programme effectiveness.
Scope of Controlled Data: appellation (not your own name), address, postcode, in case of residents of Veszprém: district, year of birth. In addition, cultural consumption and interest preferences, and lifestyle habits.
Storage limitation: The account clearance of VEB2023, at the latest 31st December 2024.
Data storage method: electronic
Data control relating to tenders
Our Company launches invitations to tender on its website in different subjects for which personal data are being processed.
Purpose of data control: Communication with applicants, coordination of implementation, and accounting in the course of the winning tenders.
Lawfulness of processing: the Data Subject has given consent to the processing of his or her personal data, which was done by the submission of the tender on the completed form. The application form contains the information relating to the processing of the data.
Lawfulness of processing, additional: the legitimate interest of Data Controller to maintain and develop relations with business partners [Art. 6 GDPR par (1) point a) resp f)]
Scope of Controlled Personal Data: The personal data of the applicants and the personal data of the applicant’s contact person
The tender dossier contains detailed information relating to the processing of the data.
Information on cookies
Cookies are text files with small pieces of data placed on the user's computer or other device by the user’s web browser. Among other things, they collect information, store the individual settings of the visitor, and generally facilitate the use of the website for users. A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie (i.e. how long the cookie will remain on your device), and a value, usually a randomly generated unique number. Cookies alone do not collect data stored on your computer or in the files. Please read the information below carefully to learn more about how cookies gather information while you use our website www.veszprembalaton2023.hu.
The legal basis of data processing is your freely given consent, which may be provided or revoked at any time by setting your internet browser appropriately.
The aim of data processing is user identification and distinction, and the identification of current user work activity, the storage of data acquired in this manner, and the prevention of loss of data.
The scope of data collection is individual identification numbers, dates, and times. The persons involved are website visitors and users.
Cookie designation: _ga
Cookie function: Specific measurement code generating statistical data connected to website
Expiry date: 2 years
Cookie designation: _gat
Cookie function: request rate throttler used by Google Analytics
Expiry date: 1 day
Cookie designation: _gid
Cookie function: Specific measurement code generating statistical data connected to website
Expiry date: 1 day
Cookie designation: collect
Cookie function: sends data to Google Analytics connected to visitor’s device
Expiry date: session
Cookie designation: _fbp
Cookie function: Facebook pixel
Expiry date: session
Data registered are processed by the employees of Veszprém-Balaton 2023 JSC and the entities partnered on a contractual basis. We do not make automated decisions with regard to data recorded by cookies, and we do not collect your personal data from third parties.
Google Adwords cookie: upon visiting our website, users’ cookie IDs will be put on a remarketing list. This allows for more precise targeting of subsequent ads. This way we can advertise what you are truly interested in. To track ad sales and other conversions, cookies are saved on the user's computer when they click on an ad. It is also by using cookies that we can make sure that advertisements that are no longer of interest to you will not appear.
Google Analytics cookie: this service may use cookies to collect information and compile records out of website use statistics data without identifying users on an individual basis. These data facilitate the better usability of our websites.
Facebook pixel (Facebook cookie): These are used for Facebook advertisement analytics, and for the creation of remarketing groups based on interest. The Facebook remarketing list is not suitable for personal identification. For further information on Facebook Pixel see: https://www.facebook.com/business/help/651294705016616
Personal Data Processing Policy for Persons Under 16 Years of Age
Personal data of individuals under 16 years of age may be processed with the consent of the adult exercising parental rights over the given young person. The data processor is not in a position to verify the consenting person’s authorisation or the content of their statement; thus it is the responsibility of the consenting person (the person exercising parental rights) to make the consent meet legal criteria. In the absence of a statement of consent, the data processor will collect no personal data pertaining to the person under 16 years of age. In the event we become aware of having collected personal data of a child under 16 years of age, the fastest possible steps will be taken to delete the data.
Claim compensation
The GDPR gives you a right to claim compensation in connection with our data protection policy:
Privacy Policy contact address: [email protected]
Our organization ensures and promotes the exercise of the rights of the Data Subject.
According to Art. 15 GDPR: The data subject shall have the right to obtain from the controller information on their personal data processed by us.
Particularly, the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved.
According to Art. 16 GDPR: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data or the completion of personal data concerning him or her.
According to Art. 17 GDPR: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her as long as processing is not necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest or for the establishment, exercise or defence of legal claims.
According to Art. 18 GDPR: The data subject shall have the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the data subject; the processing is unlawful; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. The data subject also has this right under Art. 18 GDPR if the data subject has objected to processing pursuant to Article 21.
According to Art. 20 GDPR: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
According to Art. 7 GDPR, par. 3: The data subject shall have the right to withdraw his or her consent at any time. Therefore, we will not have the right to process your personal data based on your consent in the future.
According to Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority. You can turn to the supervisory authority competent for your habitual residence, your place of work, our place of establishment or the competent court in your area.
Designation, address and contact details of the authority in charge of supervising:
Hungarian National Authority for Data Protection and Freedom of Information
Correspondence address: 1363 Budapest, P.O. Box No. 9.
Address: 9-11 Falk Miksa St., Budapest, H-1055
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: [email protected]
You can find detailed information on the exercise of the above rights in our Privacy Policy. The policy is available here.