Privacy Policy
1. The purpose of the Privacy Policy
The purpose of this Privacy Policy (hereinafter: Policy) is to set out the data protection and data processing principles applied by Biggeorge Alapítvány az Esélyekért (In English: Biggeorge Foundation for Opportunities; registered seat: 1023 Budapest, Lajos u. 28-32.; registration number: 01-01-0013384, hereinafter: Foundation or Controller), as the owner of the website www.biggeorgealapitvany.hu, as the provider of the Foundation's newsletter, fundraiser and grant provider, which the Foundation, as data controller, acknowledges as binding on itself in connection with the operation of the website, the provision of its newsletter, fundraising and grant-making activities.
In drafting the provisions of this Policy, the Foundation has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (Freedom of Information Act) and Act V of 2013 on the Civil Code (Civil Code).
With regard to the processing of personal data, the Foundation is the controller, i.e. it is the Foundation that is responsible for the lawful processing of personal data. Data subjects can contact the Foundation using the contact details below:
Name of the Controller: Biggeorge Alapítvány az Esélyekért
Postal address: 1023 Budapest, Lajos u. 28-32
Registration number: 01-01-0013384
E-mail address: alapitvany(at)biggeorge(dot)hu
Website: www.biggeorgealapitvany.hu
The Controller does not have a Data Protection Officer.
2. Definitions
personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
transfer: making the data available to a specified third party;
processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
data subject: any natural person identified or identifiable, directly or indirectly, by reference to specific personal data;
consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
3. Principles governing the processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the law subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Controller shall be responsible for, and be able to demonstrate compliance with, the above (‘accountability’).
4. Data subjects, scope of the data processed, legal basis, purposes and duration of the processing in relation to each processing activity
4.1. Newsletters
Data subjects: natural persons who subscribe to the newsletter and the contact persons of legal persons who subscribe to the newsletter.
Data processed: the data indicated in the panels for subscribing to the newsletter.
Legal basis for processing: the consent of the data subject.
The purpose of processing: sending a newsletter with news about the Foundation, events and programmes organised by the Foundation, sending invitations to these events, inviting people to participate in fundraising campaigns.
Duration of the processing: until the date of unsubscribing from the newsletter.
4.2. Donations, fundraising
Data subjects: donors, natural persons joining the Foundation and contact persons of legal persons joining the Foundation.
Data processed: the name, bank account number, home address, e-mail address, telephone number, photographs and videos taken by the Foundation or at its events.
Legal basis for processing: the consent of the data subject.
The purpose of processing: collecting donations, in the course of this, keeping contact with the donor, managing and administering the donation.
Duration of the processing: until the consent is withdrawn by the data subject or for the period specified in the applicable accounting and tax legislation.
If the data subject gives his or her consent, his or her data may be displayed on the Foundation's website.
4.3. Granting of aid
Data subjects: beneficiaries of aid granted by the Foundation and applicants for aid (natural persons and contact persons of legal persons).
Data processed: any data indicated on the application form, in the contract concluded for the aid and any additional data requested by the Foundation when awarding and granting the aid, photographs and videos taken by the Foundation or at its events.
Legal basis for processing: the consent of the data subject.
The purpose of processing: decision-making on the award of the aid, sending the aid to the beneficiaries, monitoring the use of the aid.
Duration of the processing: for applicants who have not received aid, until the withdrawal of their consent or, failing this, until 5 years after the end of the decision-making procedure. In the case of beneficiaries of aid, until the consent is withdrawn or for the period laid down in the relevant accounting and tax legislation.
5. Recipient of the data, access to the data, transfer of data and data security measures applied
Personal data may be processed by the founders, members of the Board of Trustees, employees and agents of the Foundation in the performance of their duties, in compliance with the above principles.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller (and, where applicable, the processor) shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
No profiling or automated decision-making takes place during the processing of the data.
The Controller does not transfer the data it processes to third countries or international organisations.
6. Assistance of a processor
The processor involved: Linemedia Kft (registered seat: 1141 Budapest, Komócsy utca 29-31. C. ép. 1. em. 1., company registration number: 01-09-940357)
7. Description of Data subjects' rights in relation to Processing
- Right of access: the data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information specified in the regulation;
- Right to rectification: the data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure: the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data concerning the data subject without undue delay under certain conditions;
- Right to be forgotten: where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Right to restriction of processing: the data subject shall have the right to obtain from the
Controller restriction of processing where one of the following conditions applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- Right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided;
- Right to object: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions;
- Right to object in case of direct marketing purposes: Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes;
-
Automated individual decision-making, including profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her;
The above paragraph shall not apply if the decision:- is necessary for entering into, or performance of, a contract between the data subject and the Controller;
- is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the Data subject's explicit consent.
8. Time limit for action
The Controller shall provide information on action taken on a request specified above to the data subject without undue delay and in any event within 1 month of receipt of the request.
That period may be extended by 2 further months where necessary. The controller shall inform the data subject of any extension within 1 month of receipt of the request, together with the reasons for the delay.
If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
9. Personal data breaches
When the Personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the Personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the Controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The communication to the Data subject shall not be required if any of the following conditions are met:
- the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the Controller has not already communicated the Personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that the communication to the data subject is required.
The Controller shall notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification is not achieved within 72 hours, the reasons for the delay should accompany the notification.
10. Possibilities for Data subjects to assert their rights
Complaints against possible infringements by the Controller may be lodged with Nemzeti Adatvédelmi és Információszabadság Hatóság (in English: National Authority for Data Protection and Freedom of Information):
Nemzeti Adatvédelmi és Információszabadság Hatóság (in English: National Authority for Data
Protection and Freedom of Information)
Postal address: 1363 Budapest, Pf.: 9.
Address: 1055 Budapest, Falk Miksa u. 9-11.
Phone number: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat(at)naih(dot)hu
Furthermore, the data subject has the right to seek judicial remedy before a court if his or her rights are infringed.