Data Processing Policy of Nemzeti Filmintézet Közhasznú Nonprofit Zrt. on the Data Processing Related to Newsletters

 

1.1 Name and contact details of Data Controller

Name of data controller: NEMZETI FILMINTÉZET KÖZHASZNÚ NONPROFIT ZRT. (hereinafter the “Data Controller”)
Registered seat: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: nfi@nfi.hu
Phone no.: (+36 1) 461 1320
Website: http://nfi.hu

1.2 Data Protection Officer

The contact details of the Data Protection Officer are as follows:

Name: Dr. Bottyán Béla
Address: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: bottyan.bela@nfi.hu
Phone no.: +36 1 461 1403

1.3 Scope of processed personal data, purpose, legal basis of the data processing, the period for which the personal data are stored

Categories of personal data Purpose of data processing Legal basis of data processing Period for which the personal data are stored
Name and e-mail address of the data subject; if the data subject is a minor (under the age of 18), the date and place of birth Subscription to newsletters on Data Controller’s websites: http://nfi.hu Consent of the data subject Until the data subject’s consent is withdrawn or until the purpose of the data processing terminates
Sending newsletters about professional events, special occasions, invitations these special occasions, planned films, upcoming premiers, any other topics relating to the activities of the Data Controller The processing of the place and date of birth related personal data is performed in accordance with Section 6 (2) of Act XLVIII of 2008 (legal obligation)

In respect of the above instances of data processing, the Data Controller emphasizes that the consent to the data processing is voluntary and informed. If the data subject does not provide all of the above information, it is possible that in consequence of the lack of the necessary information, the Data Controller may not send the data subject the newsletters, thus the data subject can get information about the professional events of the motion picture industry on the Data Controller’s websites. 

In the case of consent-based data processing, the data subject may refuse or withdraw his/her consent at any time, without any restriction or causes, without any charges through the Data Controller’s central e-mail address or phone number or by unsubscribing from the newsletter. The withdrawal of the consent has no impact on the lawfulness of the data processing performed prior to the withdrawal. The data subject may not suffer any detrimental legal consequences because of his/her refusal or withdrawal of consent. 

Name of recipients Categories of personal data transferred to recipients Category of the recipient (if any) Activity of the recipient
Care All Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság; AW-DEV Computer Korlátolt Felelősségű Társaság; IT-PNG-SYSTEM Korlátolt Felelősségű Társaság; Blueray Digital Korlátolt Felelősségű Társaság.; Daazo Film- és Médiaszolgáltató Korlátolt Felelősségű Társaság; MICROWARE HUNGARY Informatikai Korlátolt Felelősségű Társaság Personal data stored on the IT systems of the Data Controller Data processor The data processors provide full scope IT services to the Data Controller and thus performs operations that are specified by the Data Controller and that are related to the technical operation of the IT system.

The Data Controller will not transfer any personal data of the data subject transferred to the data processor to any third country outside of the European Economic Area. 

The Data Controller will not transfer the personal data to any recipient other than the above-mentioned, unless the data transfer is mandatory by law or is prescribed by any authority or court. 

1.5 Processing of special categories of personal data

The Data Controller will not process any special categories of personal data in the course of processing data for the purposes of sending newsletters.

1.6 Rights of data subjects

The data subject may request the Data Controller to grant access to his/her personal data, the rectification of inaccurate personal data, the erasure of personal data, and in certain cases, the restriction of the processing. The data subject is also granted the right to file a complaint with the supervisory authority and the right to an effective judicial remedy.

During the course of the consent-based data processing, the data subject is also entitled to withdraw his/her consent at any time, however the withdrawal has no impact on the lawfulness of the data processing performed prior to the withdrawal.

A) Right to access

The data subject is entitled to request information at any time about whether and how the Data Controller processes his/her personal data, including the purposes of the data processing, the recipients to whom the data have been disclosed or the period for which the personal data will be stored, any right of the data subject. During the exercise of the right to access, the data subject is also entitled to request copies of the personal data; in the case of requests submitted electronically, the Data Controller, in lieu of a request from the data subject that says otherwise, provides the requested information electronically (in pdf format). If the right to access of the data subject has detrimental effects on the rights and freedoms of other persons, especially the business secrets or intellectual property of others, the Data Controller is entitled to refuse to comply with the request to the necessary and proportionate extent. If the data subject requests several copies of the personal data, the Data Controller charges HUF 200 per copy/page as a reasonable amount of fee that is proportionate to the administrative costs of preparing the additional copies.

B) Right to rectification

At the request of the data subject, the Data Controller corrects or completes the personal data of the data subject. If any doubt arises from the corrected data, the Data Controller may request the data subject to certify the corrected data to the Data Controller appropriately, primarily by documents. If the Data Controller has disclosed such personal data of the data subject that are subject to this right to other persons (e.g. the recipient as data processor), the Data Controller shall immediately inform the affected persons after correcting the data, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs him/her about these recipients.

C) Right to erasure (“right to be forgotten”)

If the data subject requests the erasure of any or all of his/her personal data, the Data Controller shall erase such data without unjustified delay if

  • the Data Controller does not need the personal data in question any more for the purpose for which the data were collected or otherwise processed;
  • the request affects data processing that was based on the consent of the data subject, but the data subject has withdrawn the consent and the data processing has no other legal basis;
  • the Data Controller processed the personal data unlawfully, or
  • the erasure of personal data is necessary for the fulfillment of legal obligations.

If the personal data under this right have been disclosed by the Data Controller to another party (e.g. the recipient as, for example, the data processor), the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients. The Data Controller is not required to delete personal data in all the cases, especially if, for example, the data processing is necessary for the establishment, exercise or defense of legal claims.

D) Right to restriction of data processing

The data subject may request the restriction of the processing of his/her personal data in the following cases:

  • the data subject contests the accuracy of the personal data – in this case, the restriction affects the period during which the data controller is able to check the accuracy of personal data;
  • the data processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the data controller no longer needs the personal data for the purposes of the processing, but the personal data are needed for the establishment, exercise or defense of legal claims.

The restriction of data processing means that the Data Controller will not process the personal data subject to the restriction except for storage, or such data are only processed to the extent to which the data subject consented, or even if without such consent, the Data Controller may process those personal data that are necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of other natural persons or legal entities, or that are necessary for the important public interests of the European Union or any European Union member state. The Data Controller informs the data subject in advance about releasing the restriction on the data processing. If personal data under this right have been disclosed to other persons (e.g. the recipient, for example, as the data processor), the Data Controller shall immediately inform such persons about the restriction of data processing, the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients.

E) Right to lodge a complaint, right to an effective judicial remedy

If the data subject comes to the conclusion that the processing of his/her personal data by the Data Controller infringes the applicable data protection regulations, especially the General Data Protection Regulation, the data subject has the right to file a complaint with the competent data protection supervisory authority in the Member State of his/her habitual residence, place of work or the place of the alleged infringement. In Hungary, this authority is the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”). The contact details of NAIH are as follows:

Website: http://naih.hu/
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mail address: 1530 Budapest, PO Box: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The data subject, regardless of his/her right to file a complaint, may also bring proceedings before a court for such infringement. The data subject is entitled to bring proceedings against the binding decision of the supervisory authority concerning the data subject. The data subject is also entitled to an effective judicial remedy if the supervisory authority fails to address the complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

1.7 Automated decision-making, profiling

No automated individual decision-making or profiling is performed in the course of the data processing of the Data Controller concerning the data subjects.

1.8 Deadline for responding to the request of the data subject

The Data Controller ensures that if the data subjects whose personal data are processed by the Data Controller exercise any of their rights, and therefore contact the Data Controller, the Data Controller must respond to such requests without unjustified delay but within one month at the latest, not including the withdrawal of the consent in which case the personal data processed on the basis of the data subject’s consent must be deleted immediately. If necessary, in view of the complexity and the number of the requests, the aforementioned deadline may be extended by two months. In respect of extended deadlines, the Data Controller informs the data subject about the extension of the deadline within one month from the receipt of the request, and also specifies the reasons of the delay. If the data subject has submitted the request electronically, the information, if possible, must be provide electronically too.

* * *

Effective from 9 January 2020