DATA PROCESSING NOTICE
1. Name and Contact Details of the Controller
Controller: Nemzeti Színház Nonprofit Zrt. (hereafter referred to as: Company)
Registered office: 1095 Budapest, Bajor Gizi park 1.
Phone number: (1) 476-68-00
2. Data Processing Regulations
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
3. Processing of Data Provided at Registration
3.1. Sending Newsletters, Electronic Communication, and Press Communications
The name of the user registering for newsletters is needed in the database for identification purposes, as the newsletter service is only provided to the Company’s customers. It also serves the purpose of communication between the Company and the person registering.
The e-mail address of the user registering for newsletters is needed in the database for identification purposes. It also serves the purpose of communication between the Company and the person registering.
Represented press/media organizations
This serves the purpose of identifying the representatives of the press and the media, as the Company, in its press communication, wishes to specifically address press and media players and intermediaries.
Please note that the provision of the above-mentioned data is mandatory. However, it is not necessary for the e-mail address to contain the name of the data subject. For example, addresses like firstname.lastname@example.org can also be provided. The data subject is free to decide whether they wish to register an e-mail address that includes information on their identity.
3.1.1. Legal Basis of Data Processing
The legal basis of the processing in the context of the above-named data provided in the e-mail is the consent of the data subject.
3.1.2. Period of Data Processing
Contact details provided in messages sent to the Company are retained until the consent of the data subject has been withdrawn. Cancelling of the registration may be initiated in the system by clicking on the “send e-mail” icon and sending a message to our colleagues.
3.2. Data Processing on the Company’s Facebook Page
The Company maintains a Facebook page to provide information and to promote its products and services.
3.2.1. Legal Basis of the Data Processing
The voluntary registration of the data subject serves as the legal basis of the data processing in terms of the above-mentioned data.
3.2.2. Information on Data Processing
Visitors should abide by Facebook’s Terms of Service for Data Privacy.
In the event that illegal or offensive content is published, the membership of the data subject may be suspended without any prior notice, or the post may be deleted.
The Company does not assume liability for any unlawful data content or comments posted by users.
The Company does not assume liability for any technical faults or breakdowns resulting from a malfunctioning of Facebook nor for problems caused by a change in the operation of the system.
4. Other Personal Data Logged in the System
4.1. Categories of Data and Purpose of Data Processing
Purpose of data processing
A record is kept of which newsletter was sent to which e-mail address and at what time it was sent. The system can trace whether the person with the given e-mail address has opened the newsletter or any of the links in it.
4.2. The Legal Basis of the Data Processing
The legal basis of the data processing is the legitimate interest of the Company in protecting the security of the processed data and the IT infrastructure that ensures the functioning of the system. In order to detect any potentially malicious use or abuse and to adopt appropriate data- and information security measures (e.g. vulnerability and workload assessment) and for internal auditing purposes, it is essential to keep a record of the above-mentioned data in the system. The legitimate interest in ensuring the safe operation of the system is in proportion to the processing of the above-mentioned personal data logged at the time of registration.
4.3. Period of Data Processing
The system stores the data indicated for 6 months after they are generated, after which period they are automatically deleted.
5. Access to Data and Data Security Measures
5.1. Access to Data and Data Transfer
The Company, as Controller, is entitled and obliged to transfer all available and correctly stored data to the competent authorities if so required by a statutory instrument or a final court order. The Controller cannot be held responsible for such data transfer and for the consequences thereof.
Access to personal data is granted to designated employees only, in order to fulfil their duties.
The Company shall transfer data to a third party only as indicated in relevant legislation and for the purposes expressed therein.
5.2. Data Security Measures
Personal data provided at registration shall be stored at the Company’s headquarters (1095 Budapest, Bajor Gizi Park 1.). In order to process the personal data, the Company shall employ the services of the following data processing companies:
Name of the processor: nGROUP Kft.
Address: 1146 Budapest, Thököly út 162.
Company registration number: 01 09 999285
Purpose of data processing: Web development, web programming, website maintenance (and other related services)
Name of the processor: YPSYLON Média Kft.
Address: 1053 Budapest, Királyi Pál utca 18. 4/1.
Company registration number: 01 09 951284
Purpose of data processing: Press communication and marketing
Name of the processor: DARIDA ISTVÁN e.v.
Address: 1145 Budapest, Bácskai u. 35
Registration number: 50631562
Purpose of data processing: System administration
The Company shall protect the personal data it is managing from unauthorized access and unlawful alteration by adopting appropriate IT, technical and staff measures. These shall include logging access to data stored in the IT system, i.e. it shall always be verifiable what kind of data has been accessed, by whom and when.
6. Rights of the Data Subject
6.1. Right to Information
Using the contact details provided in point 1. the data subject can make a written request to the Company for information about the type of the personal data concerning him or her, the legal basis and the purpose of the processing, the source of the personal data, and the period of time the data will be stored. Information can also be requested concerning when, on what grounds, to whom and to what kind of personal data the Company has granted access, and also who the Company has transferred the personal data concerning the data subject to. The Company shall fulfil the data subject’s request within a maximum of one month and the reply shall be sent by e-mail to the address provided.
6.2. Right to Rectification
Using the contact details provided in point 1. the data subject can make a written request to the Company to alter the personal data concerning him or her (for example e-mail addresses and postal addresses can be altered at any time). The Company shall fulfil the data subject’s request within a maximum of one month and shall notify them about the rectification by email sent to the address provided.
6.3. Right to Erasure
Using the contact details provided in point 1. the data subject can make a written request to the Company and ask to erase the personal data concerning him or her. The request for erasure shall be rejected if the Company is under legal obligation to continue to store personal data. An example of such obligation is if the time limit prescribed in general accounting law has not yet expired. If, however, there is no such obligation, then the Company shall fulfil the request within no longer than one month, and shall notify the data subject about the erasure by mail sent to the address provided for this purpose.
6.4. Right to restriction of processing
Using the contact details provided in point 1. the data subject can make a written request to the Company to restrict the personal data concerning him or her (by clearly marking the restriction of processing and by ensuring processing separate from other data). Restriction will prevail as long as the reason provided by the data subject makes storing of the data necessary. The data subject can request restriction for example when he or she believes that the data provided have been unlawfully processed, but it is necessary for the data not to be deleted due to administrative or court procedures initiated by the data subject. In this case the Company shall store the personal data (for example submission) until the authority or the court issues a petition. Thereafter the data will be deleted.
6.5. Right to object to processing
Using the contact details provided in point 1. the data subject can object in writing to data processing if the Company transfers or uses the personal data for opinion polling or academic research.
7. Enforcement Actions Linked to Data Processing
7.1. Initiation of Legal Proceedings
If the data subject experiences unlawful processing of personal data that concerns him or her, he or she may initiate a civil procedure against the Company. The case shall fall within the jurisdiction of the Regional Court. Legal proceedings – at the option of the data subject – may also be initiated at the Regional Court of the data subject’s place of residence. (The list and contact details of the Regional Courts can be found here: http://birosag.hu/torvenyszekek.)
7.2. Proceedings of the NAIH (Hungarian National Authority for Data Protection and Freedom of Information)
If the data subject experiences unlawful processing of personal data that concerns him or her, he or she can file an online complaint to the NAIH through the following link: https://www.naih.hu/online-uegyinditas.html.
Appointments may be arranged for personal visits on Tuesdays and Thursdays between 9:00 and 12:00 and between 13:00 and 16:00 by telephoning: +36 (1) 391-1400.
Please note that the Authority shall examine the complaint only in the event that the data subject has already contacted the controller (the Company) about the complaint but the issue could not be resolved.
Budapest, October 15th 2018.