hu
en
Joined the Community:1134
About Us Campaigns Services OPEN
Survey
OPEN
Backstage
OPEN
Conference
Supporting
Circle
Resources
Joined the Community:1134

Privacy Policy

Privacy Notice

(“Notice”)

Last amended: 6th March 2019

1. General information

The We Are Open Nonprofit Limited Liability Company (H-1056 Budapest, Belgrád rakpart 26, Hungary; “Data Controller”) is an organisation that is convinced that everyone should be judged solely on the basis of their achievements and actions. Companies, organisations, and communities that also consider this kind of openness to be their core value (“Adherents”) may join the initiative of the Data Controller and, through their representatives, make a statement to that effect on the Data Controller’s website at www.nyitottakvagyunk.hu (“Website”). The Data Controller organises conferences, other events and campaigns on a regular basis. Upon request, the Data Controller shall send newsletters and other information related to its activities to the representatives of adherents and to other interested parties (“Data Subjects”). In relation to these activities, the Data Controller shall also process information that is considered “personal data” according to Article 4(1) of Regulation (EU) 2016/679, the EU General Data Protection Regulation (“GDPR”).

The Data Controller hereby informs the Data Subjects of the scope of personal data processed in connection with its activities, the identity and contact details of the Data Controller and the processors, the practices of data processing, the organisational and technical measures applied to protect personal data, the way and opportunities of exercising the rights of Data subjects, and other circumstances related to data processing.

2. The Data Controller and its contact details

The Data Controller’s registered address: H-1056 Budapest, Belgrád rakpart 26, Hungary

The Data Controller’s company registration number: 01-09-275170, registered by the Company Registry Court of the Budapest-Capital Regional Court (Fővárosi Törvényszék Cégbírósága)

The Data Controller’s email address: [email protected]

The Data Controller’s website: www.nyitottakvagyunk.hu

The Data Controller’s representative: Melinda Miklós managing director.

3. Acknowledgement and acceptance of the Notice, and the right to amend its provisions

By visiting the Website, the Data Subject declares that he or she has read the current version of this Notice effective at the time of the visit and expressly accepts it. However, the Data Controller reserves the right to unilaterally amend this Notice. Any amendments shall take effect regarding the Data Subject upon his or her first visit following the publication of the amendments. In order to be informed of any amendments, it is recommended that the Data Subject reviews the Notice at the time of each visit.

4. The scope of data processed and the purposes of data processing

In each case, Data Subjects shall provide personal data concerning themselves and any other person to the Data Controller in accordance with the applicable legislation. The Data Subject warrants that when he or she discloses the personal data of someone else to the Data Controller, he or she has an appropriate and informed consent or another legal ground to do so at all times. The Data Controller shall not be liable for any damage, loss or injury resulting from any breach of the above obligations or of the statement of the Data Subject.

The table below shows the scope of data processed, the purpose of data processing, the legal ground for data processing, as well as the period of data processing and the persons who have the right to access the data.

Description and purpose of data processing

Legal ground for data processing

The scope of data processed

Duration of data processing

Who has the right to access the personal data within the Data Controller’s organisation?

Accession and registration of Adherents

Article 6(1)(f) of the GDPR (the legitimate interest of the Data Controller and of the Adherents in relation to joining the Data Controller’s initiative, the publication thereof on the Website and maintaining contact in this regard)

  1. The name, title, telephone number, e-mail address of the Adherent’s representative and the name, address and website of the Adherent; in addition, the data concerning the Adherent’s contributors provided by the Adherent’s representative to the Data Controller either at the time of joining or later (e.g. the e-mail addresses of the Adherent’s Chief Executive Officer, HR Director, Communications Director, Marketing Director).

  2. The Data Controller stores the above data on its hosting system that is also used for the operation of the open source WordPress content management system and on the so called Mailchimp system of The Rocket Science Group LLC.



As long as the Adherent remains signed up

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT and hosting provider of the Data Controller as data processor, the operator of the Mailchimp system.

Organising and managing conferences and other events

Article 6(1)(b) of the GDPR (conclusion and performance of a contract), or if a special diet or sign language interpreter is requested, Article 9(2)(a) of the GDPR (consent)

  1. Name, surname, position, field of expertise, e-mail address and mobile phone number of the Adherent, name and activity of his or her employer, billing details. The Data Controller stores these data on the Eventbrite system developed and operated by Eventbrite, Inc., from which the Data Controller transfers data to the Mailchimp system.

  2. If participation is subject to fee payment, the invoice issued in this regard, which shall be stored at closed premises by the Data Controller’s accountant.

With respect to the enforcement of civil law claims and the fulfilment of obligations related to the conference and other events, the period for which the personal data shall be stored is 5 years following the termination of the civil legal relationship with the person concerned, pursuant to Article 6:22 (1) of Act V of 2013 on the Civil Code (“Civil Code”).


The period for which the accounting documents shall be stored is 5 + 1 years in accordance with the tax return deadline as set out in Articles 78 (3) and 202 (1) of Act CL of 2017 on the Rules of Taxation (“Taxation Act”) and a period of 8 years following the date of issue as set out in Articles 168-169 of Act C of 2000 on Accounting (“Accounting Act”).

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT provider of the Data Controller as data processor, the accountant of the Data Controller, the operators of the Eventbrite and Mailchimp systems.

.

.

.

.

.

Photos and other personal contents published on the Website

Article 6(1)(a) of the GDPR (consent) on the proviso that, according to Article 2:48 (2) of the Civil Code, the consent of the Data Subject shall not be required for recording his/her image or voice and for the use of such a recording if the recording was made of a crowd or of an appearance in public life.

The photo or video taken of the Data Subject (e.g. at a conference, other event, etc.), and the intention of the Data Subject to participate in the conference, as well as any other personal content transferred such purpose by the Data Subject to the Data Controller and published on the website. These data will be stored on the server used for the WordPress system. The Data Controller may publish photos and videos taken of the Data Subject on the Data Controller’s Facebook, LinkedIn, Instagram and Twitter pages.

Until withdrawal of the Data Subject’s consent.

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT and hosting provider of the Data Controller as data processor.

Sending newsletters and other information, maintaining contact with the representatives of Adherents

Article 6(1)(f) of GDPR (the legitimate interest of the Data Controller to inform the representatives of the Adherents of news and events related to the Data Controller’s activities).

  1. The name, title, telephone number, e-mail address of the Adherent’s representative and the name, address and website of the Adherent represented, which data will be stored in the Mailchimp system.

  2. To monitor contacts, the Data Controller uses the HubSpot system developed by HubSpot, Inc., where the Data Controller records the above data and information relating to contacts.

Until the Adherent’s representative objects to processing under Article 21(2) of the GDPR.

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT provider of the Data Controller as data processor, the marketing agency of the Data Controller, the operators of the Mailchimp and HubSpot systems as data processors.

Assessing the scopes of interest of the Adherents’ representatives and other interested parties

Article 6(1)(a) of the GDPR, Article 6 (1) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising, Article 14 (5) of the Electronic Commerce Act (consent)

The name, e-mail address and telephone number of the Data Subject subscribed, his or her title in case of Adherents’ representatives, the name, address and website of the Adherent represented; the scope(s) of interest indicated and the contact channel(s) chosen, which data will be recorded by the Data Controller in the Mailchimp system operated its newsletter service provider. The Data Controller mostly uses the indicated scopes of interest and contact channels to assess demands. At the same time, the lack of indication of certain possible topics or communication channels has the consequence that the Data Controller will not provide information to the Data Subject on topics outside the scope(s) of interest indicated and on the channels not designated by the Data Subject.

Until the settings regarding scopes of interest and communication channels are changed, or until the withdrawal of consent.

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT and hosting provider of the Data Controller as data processor, the marketing agency of the Data Controller, the operators of the Mailchimp and HubSpot systems as data processors.

Data processing related to cookies

Article 6(1)(a) of the GDPR (consent)

The fact of visiting the website and its duration.

Until the end of the visit.

The managing director of the Data Controller and contributors authorised by the managing director to the extent necessary for the performance of their duties, the IT provider of the Data Controller as data processor.

The Data Controller emphasizes that, from the point of view of its data processing practices, the up-to-date processing of personal data is of paramount importance, and cooperation by the Data Subjects is also essential for this. In view of this, Data Subjects can notify the Data Controller of any change in their personal data through the contact details provided in Section 2 herein, and the representatives of Adherents and other interested subscribers can use the Website to modify their previously provided personal data. If the Data Subject fails to report any changes in their personal data or their contact details in due time, they shall be liable for any consequences thereof.

5. Persons authorised to process data

The Data Controller uses the data processors listed in the table below to perform the technical tasks related to the data processing operations. The Data Controller shall determine the rights and obligations of data processors in connection with the processing of personal data within the limitations set by the specific legislation applicable to data processing. The Data Controller is responsible for the legality of its instructions. The data processor shall not take any substantive decision concerning the data processing, and it shall process the personal data obtained only in accordance with the instructions of the Data Controller, it shall not process data for its own purposes, and shall keep and store the personal data in accordance with the instructions of the Data Controller.

Data processor

What kind of personal data can be accessed by the processor, how can it use such data?

For how long can it store the data?

  1. András Vincenzo Angiulli sole proprietor

IT and hosting services

H-1134 Budapest, Bulcsú u. 21/b. III/4, Hungary

The scope of personal data: data referred to in Section 4.1.2, 4.3 and 4.5 above for the purpose of storage and the data listed in Section 4 above for the purpose of IT maintenance.

For the period specified in Section 4.1.2, 2.3 and 4.5 herein and in Section 4 herein

  1. KON-TITRÁK Tanácsadó, Ügyviteli, Szolgáltató Betéti Társaság

Accountancy

H-1085 Budapest,

Baross u. 44. IV. 10, Hungary

The scope of personal data: data referred to in Section 4.2.2 for the purpose of accounting, tax returns and archiving

For the period specified in Section 4.2.2 above

  1. Shaw + Scott Kft.

marketing agency

H-1065 Budapest, Révay köz 4, Hungary

www.showscott.com

 

The scope of personal data: data referred to in Section 4.4 above, for the purpose of online marketing

 

For the period specified in Section 4.4 herein

 The Rocket Science Group LLC

newsletter service

Atlanta, Georgia 30308, 675 Ponce De Lean Ave NE, Suite 5000, USA

+ 1 404 806 5843

www.mailchimp.com

The scope of personal data: data referred to in Section 4.1, 4.2, 4.4 and 4.5 herein

For the period specified in Section 4.1, 4.2, 4.4 and 4.5 herein

Eventbrite, Inc

organisation of events

155 5th St, 7th Floor, San Francisco, CA 94103, USA

www.eventbrite.com

The scope of personal data: data referred to in Section 4.2 herein

For the period specified in Section 4.2 herein

HubSpot, Inc

monitoring of contacts

25 First Street, 2nd Floor
Cambridge, MA 02141 USA

www.hubspot.com

The scope of personal data: data referred to in Section 4.4 herein

For the periods specified in Section 4.4 herein

Google LLC

cloud hosting service

1600 Amphitheatre Parkway, Mountain View California 94043, USA

www.google.com

The scope of personal data: data referred to in Section 4.1 and 4.2 herein

Although personal data may receive a different level of protection in some non-EU countries, The Rocket Science Group LLC, Eventbrite, Inc, HubSpot, Inc, and Google LLC ensure an adequate level of protection of personal data by submitting to the EU-US Privacy Shield measures in accordance with Commission Implementing Decision (EU) 2016/1250 in connection with the services used by the Data Controller.

6. Payment services

The Data Controller provides the opportunity to the Data Subjects to settle the invoices of the services offered by it and which are subject to payment of a fee by using the PayPal payment service provided by PayPal (Europe) S.à r.l. et Cie, S.C.A. (L-2449 Luxembourg, 22-24 Boulevard Royal 22-24;
“Payment Service Provider”) as an external service provider. If the Data Subject expresses his or her intention to settle the fee by using the Payment Service Provider, he or she may do so on the Payment Service Provider’s interface. On the Payment Service Provider’s interface, the payment transaction shall be executed between the Data Subject and the Payment Service Provider without the Data Controller’s the involvement. The scope of the data processed by the Data Controller in relation to the payment transaction is limited to the name, e-mail address, the amount of the fee to be paid and the success or failure of the payment transaction.

7. Data security measures

The Data Controller processes data related to its activities on password-protected cloud-based computer systems, to which the contributors of the Data Controller have access to the extent necessary to perform their tasks in accordance with their authorisation levels.

The Data Controller places the documents and archive materials related to its activities at its accountant, who stores them at closed premises.

8. The rights and legal remedies available for Data Subjects

8.1 Data protection rights and legal remedies

Data protection rights and legal remedies available for data subjects are contained in detail in the relevant provisions of GDPR (in particular, Articles 15-22, 77-79, 80 and 82 of GDPR). The summary below contains the most important provisions and the Data Controller accordingly informs Employees and other persons concerned of their rights and legal remedies regarding data processing.

The Data Controller shall, without undue delay, but in any case within one month from the receipt of the data subject’s request regarding the exercise of its rights (see Articles 15 to 22 of GDPR), inform the data subject concerned of the measures taken in response to his or her request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by two additional months. The Data Controller shall, within one month of the receipt of the request, inform the data subject of the extension of the deadline by indicating the reasons for the delay.

The Data Controller shall provide the information requested by the data subject in writing or, in case the data subject has submitted its request by electronic means or if it is otherwise requested by the data subject, provide it electronically. The information may be provided orally if the data subject verifies its identity to the Data Controller.

8.2 Right of access by the data subject

  1. The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed. If such data processing is in progress, the data subject has the right to access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
  2. where the personal data are not collected from the data subject, any available information as to their source;
  3. the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  1. Where personal data are transferred to a third country, the data subject shall have the right to be informed of the appropriate safeguard relating to the transfer.
  2. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. Where the data subject made the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

8.3 Right to rectification

The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Furthermore, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

8.4 Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller
    2. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
    3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
    4. the personal data have been unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in the Union or Member State law to which the Data Controller is subject or;
    6. the personal data have been collected in relation to the offer of information society services.
  2. Where the Data Controller has made the personal data public, and are obliged pursuant to the above to erase the personal data, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that the data subject requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary, amongst others:
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by the Union or Member State law to which the Data Controller is subject;
    3. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    4. for the establishment, exercise or defence of legal claims.

8.5 Right to restriction of processing

  1. The data subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
    1. the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    3. the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    4. the data subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. The data subject who has obtained restriction of processing shall be informed by the Data Controller before the restriction of processing is lifted.

8.6 Notification obligation regarding rectification or erasure of personal data or restriction of processing

The data subject shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients if the data subject request it.

8.7 Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Company, where:
    1. the processing is based on consent or on a contract; and
    2. the processing is carried out by automated means.
    3. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one data controller to another (such as the Company and other data controllers) where technically feasible.
    4. The exercise of the above right shall be without prejudice to the right of erasure (“the right to be forgotten”) and the rights and freedoms of others shall not be adversely affected by this right.

8.8 Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for scientific or historical research purposes or statistical purposes the data subject, the data subject, on grounds relating to the data subjects particular situation, shall have the right to object to processing of personal data concerning to him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.9 Right to lodge a complaint with a supervisory authority

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing personal data relating to the data subject infringes the GDPR. In Hungary, the competent supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (website: http://naih.hu/; address: 1125 Budapest, Szilagyi Erzsébet fasor 22/c., 1530 Budapest, Pf.: 5.; phone: +36-1-391-1410; fax: +36-1-391-1410; e-mail: [email protected]).

8.10. Right to an effective judicial remedy against a supervisory authority

  1. The data subject shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning the subject.
  2. The data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
  3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established

8.11 Right to an effective judicial remedy against the Data Controller or the processor

  1. The data subject, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.
  2. Proceedings against the Data Controller or the processor shall be brought before the courts of the Member State where the Data Controller or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.