1.1 Name and contact details of Data Controller
Name of data controller: MAGYAR NEMZETI FILMALAP KÖZHASZNÚ NONPROFIT ZRT. (hereinafter the “Data Controller”)
Registered seat: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: email@example.com
Phone no.: (+36 1) 461 1320
1.2 Data Protection Officer
The contact details of the Data Protection Officer are as follows:
Name: Dr. Bottyán Béla
Address: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: firstname.lastname@example.org
Phone no.: +36 1 461 1365
1.3 Scope of processed personal data, purpose, legal basis of the data processing, the period for which the personal data are stored
|Categories of personal data||Purpose of data processing||Legal basis of data processing||Period for which the personal data are stored|
|Name and e-mail address of the data subject||Sending newsletters about professional events, special occasions, invitations these special occasions, planned films, upcoming premiers, any other topics relating to the activities of the Data Controller||The legitimate interest of the Data Controller on the basis of which the Data Controller can send the newsletters to those persons who have already subscribed to the newsletters during the period for which the personal data are stored, until the data subjects gives his/her express consent to the data processing related to the newsletters.||Until 30 September 2018 at the latest|
In respect of the above instances of data processing, the Data Controller emphasizes that if the data subject does not provide all of the above information, it is possible that in consequence of the lack of the necessary information, the Data Controller cannot send the data subject the newsletters, thus the data subject can get information about the professional events of the motion picture industry on the Data Controller’s websites.
The Data Controller hereby informs the data subject of his/her right to object (please see Point 1.6 E) hereinunder), which right may be exercised in the case of data processing based on legitimate interest.
1.4 Recipients of personal data, categories of recipients
|Name of recipients||Categories of personal data transferred to recipients||Category of the recipient (if any)||Activity of the recipient|
|Care All Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság; AW-DEV Computer Korlátolt Felelősségű Társaság; IT-PNG-SYSTEM Korlátolt Felelősségű Társaság; Blueray Digital Korlátolt Felelősségű Társaság.; Daazo Film- és Médiaszolgáltató Korlátolt Felelősségű Társaság; MICROWARE HUNGARY Informatikai Korlátolt Felelősségű Társaság||Personal data stored on the IT systems of the Data Controller||Data processor||The data processors provide full scope IT services to the Data Controller and thus performs operations that are specified by the Data Controller and that are related to the technical operation of the IT system.|
1.5 Processing of special categories of personal data
The Data Controller will not process any special categories of personal data in the course of processing data for the purposes of sending newsletters.
1.6 Rights of data subjects
The data subject may request the Data Controller to grant access to his/her personal data, the rectification of inaccurate personal data, the erasure of personal data, and in certain cases, the restriction of the processing. The data subject is also granted the right to data portability and the right to file a complaint with the supervisory authority and the right to an effective judicial remedy. In the case of automated-decision-making (including profiling) applied to individual cases, the data subject is granted the right to contest the decision, as well as the right to request human intervention.
During the course of the consent-based data processing, the data subject is also entitled to withdraw his/her consent at any time, however the withdrawal has no impact on the lawfulness of the data processing performed prior to the withdrawal.
A) Right to access
The data subject is entitled to request information at any time about whether and how the Data Controller processes his/her personal data, including the purposes of the data processing, the recipients to whom the data have been disclosed or the period for which the personal data will be stored, any right of the data subject, in addition, information on automated decision-making, profiling, and in the case of transferring personal data to any third countries or any international organization, information on the related guarantees. During the exercise of the right to access, the data subject is also entitled to request copies of the personal data; in the case of requests submitted electronically, the Data Controller, in lieu of a request from the data subject that says otherwise, provides the requested information electronically (in pdf format). If the right to access of the data subject has detrimental effects on the rights and freedoms of other persons, especially the business secrets or intellectual property of others, the Data Controller is entitled to refuse to comply with the request to the necessary and proportionate extent. If the data subject requests several copies of the personal data, the Data Controller charges HUF 200 per copy/page as a reasonable amount of fee that is proportionate to the administrative costs of preparing the additional copies.
B) Right to rectification
At the request of the data subject, the Data Controller corrects or completes the personal data of the data subject. If any doubt arises from the corrected data, the Data Controller may request the data subject to certify the corrected data to the Data Controller appropriately, primarily by documents. If the Data Controller has disclosed such personal data of the data subject that are subject to this right to other persons (e.g. the recipient as data processor), the Data Controller shall immediately inform the affected persons after correcting the data, provided that such notification is possible or it does not require a disproportionate amount of effort from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients.
C) Right to erasure (“right to be forgotten”) If the data subject requests the erasure of any or all of his/her personal data, the Data Controller shall erase such data without unjustified delay if
- the Data Controller does not need the personal data in question any more for the purpose for which the data were collected or otherwise processed;
- the request affects data processing that was based on the consent of the data subject, but the data subject has withdrawn the consent and the data processing has no other legal basis;
- the request affects data processing that had been based on the legitimate interests of the Data Controller or any third party but the data subject has objected to the data processing and, with the exception of objection to data processing for direct marketing purposes, there are no legitimate grounds for the data processing that would take priority;
- the Data Controller processed the personal data unlawfully, or
- the erasure of personal data is necessary for the fulfillment of legal obligations.
If the personal data under this right have been disclosed by the Data Controller to another party (e.g. the recipient as, for example, the data processor), the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients. The Data Controller is not required to delete personal data in all the cases, especially if, for example, the data processing is necessary for the establishment, exercise or defense of legal claims.
D) Right to restriction of data processing
The data subject may request the restriction of the processing of his/her personal data in the following cases:
- the data subject contests the accuracy of the personal data – in this case, the restriction affects the period during which the data controller is able to check the accuracy of personal data;
- the data processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the data controller no longer needs the personal data for the purposes of the processing, but the personal data are needed for the establishment, exercise or defense of legal claims; or
- the data subject has objected to the data processing – in this case, the restriction affects the period until which it is verified whether the legitimate grounds of the Data Controller override those of the data subject.
The restriction of data processing means that the Data Controller will not process the personal data subject to the restriction except for storage, or such data are only processed to the extent to which the data subject consented, or even if without such consent, the Data Controller may process those personal data that are necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of other natural persons or legal entities, or that are necessary for the important public interests of the European Union or any European Union member state. The Data Controller informs the data subject in advance about releasing the restriction on the data processing. If personal data under this right have been disclosed to other persons (e.g. the recipient, for example, as the data processor), the Data Controller shall immediately inform such persons about the restriction of data processing, the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs him/her about these recipients.
E) Right to object
If the legal basis for the data processing related to the data subject is the legitimate interest of the Data Controller or any third party, the data subject is entitled to object to the data processing. The Data Controller is not required to accept the objection if the Data Controller can evidence that
- the data processing is justified by legitimate and compelling causes that take precedence over the interests, rights and freedoms of the data subject, or
- the data processing relates to the data for the establishment, enforcement or defense of Data Controller’s legal claims.
F) Right to lodge a complaint, right to an effective judicial remedy
If the data subject comes to the conclusion that the processing of his/her personal data by the Data Controller infringes the applicable data protection regulations, especially the General Data Protection Regulation, the data subject has the right to file a complaint with the competent data protection supervisory authority in the Member State of his/her habitual residence, place of work or the place of the alleged infringement. In Hungary, this authority is the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”). The contact details of NAIH are as follows:
The data subject, regardless of his/her right to file a complaint, may also bring proceedings before a court for such infringement. The data subject is entitled to bring proceedings against the binding decision of the supervisory authority concerning the data subject. The data subject is also entitled to an effective judicial remedy if the supervisory authority fails to address the complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
1.7 Automated decision-making, profiling
No automated individual decision-making or profiling is performed in the course of the data processing of the Data Controller concerning the data subjects.
* * *
Effective from 25 May 2018