1.1 Name and contact details of Data Controller
Name of data controller: NEMZETI FILINTÉZET KÖZHASZNÚ NONPROFIT ZRT. (hereinafter the “Data Controller”)
Registered seat: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: nfi@nfi.hu
Phone no.: (+36 1) 461 1320
Website: nfi.hu
1.2 Data Protection Officer
The contact details of the Data Protection Officer are as follows:
Name: Dr. Bottyán Béla
Address: 1145 Budapest, Róna u. 174.; Pf: Budapest 1365 Pf. 748.
E-mail address: bottyan.bela@nfi.hu
Phone no.: +36 1 461 1403
1.3 Scope of processed personal data, purpose, legal basis of the data processing, the period for which the personal data are stored.
| Categories of personal data | Purpose of data processing | Legal basis of data processing | Period for which the personal data are stored |
|
Contact details of the data subject* for liaison (name, e-mail address, phone number) *Data subject in the context of this policy means all the natural person data subjects except for the employees of the Data Controller. |
Liaison with the data subjects in relation to the attendance of professional events (including festivals) and travel arrangement | The Data Controller’s legitimate interest arising from the high-quality performance of the tasks specified in Section 9/B of Act II of 2004 on Motion Picture | Subsequent to the end of the legal relationship, until the deadline for the enforcement of the claims arising from the contract expires |
| Data necessary for the travel arrangement and accommodation (personal identification numbers, passport number / ID card number, bank account number, nationality, tax identification number, if necessary) | Travel arrangement and /or reservation of accommodation for the data subject(s) | Consent of the data subject | Subsequent to the end of the legal relationship, until the deadline for the enforcement of the claims arising from the contract expires |
| If the travel arrangement and reservation of accommodation can only be performed via the Data Controller, the legal basis is the performance of the contract | |||
| Name of person making video and sound recordings (photos, video recordings) | Publication of happenings at the event on the Data Controller’s own websites and social media channels for marketing purposes | The Data Controller’s legitimate interest arising from the high-quality performance of the tasks specified in Section 9/B of Act II of 2004 on Motion Picture | Subsequent to the end of the legal relationship, until the deadline for the enforcement of the claims arising from the contract expires |
| Data required for registration at the event | Registration of data subject at the professional event | Consent of the data subject | Subsequent to the end of the legal relationship, until the deadline for the enforcement of the claims arising from the contract expires |
| If the registration of the data subject at the event can only be performed via the Data Controller, the legal basis is the performance of the contract | |||
| Professional CV of the data subject | Providing the event organizer with the professional CV of the data subject necessary for the attendance | Consent of the data subject | Subsequent to the end of the legal relationship, until the deadline for the enforcement of the claims arising from the contract expires |
| If the professional CV can only be submitted via the Data Controller, the legal basis is the performance of the contract |
In respect of the above instances of data processing, the Data Controller emphasizes that if the data subject does not provide all of the above information required for the attendance of an event or the arrangement of a trip, provided that both the registration and the travel arrangement can only be performed via the Data Controller, it is possible that in consequence of the lack of the necessary information, the data subject may not attend the event.
In the case of consent-based data processing, the data subject may refuse or withdraw his/her consent at any time, without any restriction or causes, without any charges through the Data Controller’s central e-mail address or phone number. The withdrawal of the consent has no impact on the lawfulness of the data processing performed prior to the withdrawal. The data subject may not suffer any detrimental legal consequences because of his/her refusal or withdrawal of consent.
In the case of data processing based on legitimate interest, the data subject is granted and may exercise the right to object (please see Point 1.7. E).
1.2 Recipients of personal data, categories of recipients
| Category/name of recipients | Category of personal data transferred to recipients | Category of the recipient (if any) | Activity of the recipients |
| Event organizer | Data necessary for the registration; professional CV (if required for attending the event) | Individual data controller | Registration on behalf of and of the data subject |
| Travel arranger (currently Blaguss Travel Agency) | Data necessary for travel arrangement and the reservation of accommodation | Individual data controller | Travel arrangement, reservation and verification of plane tickets, hotel accommodation |
| AW-DEV Computer Korlátolt Felelősségű Társaság; Care All Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság, IT-PNG-SYSTEM Kft., PROGEN Mérnöki Fejlesztő és Szolgáltató Korlátolt Felelősségű Társaság, MICROWARE HUNGARY Informatikai Korlátolt Felelősségű Társaság, SZÁMORG-Invest Számítástechnikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság | Personal data stored on the IT systems of the Data Controller; personal data relating to IT store services | Data processor | The data processors provide IT services to the Data Controller and thus performs operations that are specified by the Data Controller and that are related to the technical operation of the IT system. |
For data transfer to foreign even organizers:
(i) As regards event organizers operating within the European Economic Area, no additional guarantees are required for data transfers;
(ii) Data transfers to the following third countries are based on the compliance decisions specified in Article 45 of the GDPR as the legal systems of these countries comply with the standards the European Union prescribes for the protection of personal data: Canada, Switzerland, Argentina. The respective decisions may be accessed at the flowing links:
Canada: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002
Switzerland: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518
Argentina: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32003D0490
(iii) Data transfers to other third countries, because of the activity of the Data Controller, including among others the USA, China, Russia, India, Japan and Egypt are performed on the basis of Article 49 Section (1) c) of the GDPR.
1.5 Processing of special categories of personal data
The Data Controller will not process any special categories of personal data in the course of processing data for the purposes of event organization and travel arrangement.
1.6 Personal data of data subjects obtained from other sources
| Categories of personal data | Sources of processed personal data |
| Data related to the verification of the registration | Event organizer |
| Data related to the verification of travel and accommodation arrangement | Travel arranger |
| Video and sound recordings | Event organizer, service providers providing photography and video recording services |
1.7 Rights of data subjects
The data subject may request the Data Controller to grant access to his/her personal data, the rectification of inaccurate personal data, the erasure of personal data, and in certain cases, the restriction of the processing, and may object to the processing of his/her personal data. The data subject is also granted the right to file a complaint with the supervisory authority and the right to an effective judicial remedy.
During the course of the consent-based data processing, the data subject is also entitled to withdraw his/her consent at any time, however the withdrawal has no impact on the lawfulness of the data processing performed prior to the withdrawal.
A) Right to access
The data subject is entitled to request information at any time about whether and how the Data Controller processes his/her personal data, including the purposes of the data processing, the recipients to whom the data have been disclosed or the period for which the personal data will be stored, any right of the data subject, in addition, information on automated decision-making, profiling, and in the case of transferring personal data to any third countries or any international organization, information on the related guarantees. During the exercise of the right to access, the data subject is also entitled to request copies of the personal data; in the case of requests submitted electronically, the Data Controller, in lieu of a request from the data subject that says otherwise, provides the requested information electronically (in pdf format). If the right to access of the data subject has detrimental effects on the rights and freedoms of other persons, especially the business secrets or intellectual property of others, the Data Controller is entitled to refuse to comply with the request to the necessary and proportionate extent. If the data subject requests several copies of the personal data, the Data Controller charges HUF 200 per copy/page as a reasonable amount of fee that is proportionate to the administrative costs of preparing the additional copies.
B) Right to rectification
At the request of the data subject, the Data Controller corrects or completes the personal data of the data subject. If any doubt arises from the corrected data, the Data Controller may request the data subject to certify the corrected data to the Data Controller appropriately, primarily by documents. If the Data Controller has disclosed such personal data of the data subject that are subject to this right to other persons (e.g. the recipient as data processor), the Data Controller shall immediately inform the affected persons after correcting the data, provided that such notification is possible or it does not require a disproportionate amount of effort from the Data Controller. At the request of the data subject, the Data Controller informs him/her about these recipients.
C) Right to erasure (“right to be forgotten”)
If the data subject requests the erasure of any or all of his/her personal data, the Data Controller shall erase such data without unjustified delay if
- the Data Controller does not need the personal data in question any more for the purpose for which the data were collected or otherwise processed;
- the request affects data processing that was based on the consent of the data subject, but the data subject has withdrawn the consent and the data processing has no other legal basis;
- the request affects data processing that had been based on the legitimate interests of the Data Controller or any third party but the data subject has objected to the data processing and, with the exception of objection to data processing for direct marketing purposes, there are no legitimate grounds for the data processing that would take priority;
- the Data Controller processed the personal data unlawfully, or
- the erasure of personal data is necessary for the fulfillment of legal obligations.
If the personal data under this right have been disclosed by the Data Controller to another party (e.g. the recipient as, for example, the data processor), the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients. The Data Controller is not required to delete personal data in all the cases, especially if, for example, the data processing is necessary for the establishment, exercise or defense of legal claims.
D) Right to restriction of data processing
The data subject may request the restriction of the processing of his/her personal data in the following cases:
- the data subject contests the accuracy of the personal data – in this case, the restriction affects the period during which the data controller is able to check the accuracy of personal data;
- the data processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the data controller no longer needs the personal data for the purposes of the processing, but the personal data are needed for the establishment, exercise or defense of legal claims; or
- the data subject has objected to the data processing – in this case, the restriction affects the period until which it is verified whether the legitimate grounds of the Data Controller override those of the data subject.
The restriction of data processing means that the Data Controller will not process the personal data subject to the restriction except for storage, or such data are only processed to the extent to which the data subject consented, or even if without such consent, the Data Controller may process those personal data that are necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of other natural persons or legal entities, or that are necessary for the important public interests of the European Union or any European Union member state. The Data Controller informs the data subject in advance about releasing the restriction on the data processing. If personal data under this right have been disclosed to other persons (e.g. the recipient, for example, as the data processor), the Data Controller shall immediately inform such persons about the restriction of data processing, the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients.
E) Right to object
If the legal basis for the data processing related to the data subject is the legitimate interest of the Data Controller or any third party, the data subject is entitled to object to the data processing. The Data Controller is not required to accept the objection if the Data Controller can evidence that
- the data processing is justified by legitimate and compelling causes that take precedence over the interests, rights and freedoms of the data subject, or
- the data processing relates to the data for the establishment, enforcement or defense of Data Controller’s legal claims.
F) Right to lodge a complaint, right to an effective judicial remedy
If the data subject comes to the conclusion that the processing of his/her personal data by the Data Controller infringes the applicable data protection regulations, especially the General Data Protection Regulation, the data subject has the right to file a complaint with the competent data protection supervisory authority in the Member State of his/her habitual residence, place of work or the place of the alleged infringement. In Hungary, this authority is the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”). The contact details of NAIH are as follows:
Website: http://naih.hu/
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mail address: 1530 Budapest, PO Box: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The data subject, regardless of his/her right to file a complaint, may also bring proceedings before a court for such infringement. The data subject is entitled to bring proceedings against the binding decision of the supervisory authority concerning the data subject. The data subject is also entitled to an effective judicial remedy if the supervisory authority fails to address the complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged
1.8 AUTOMATED DECISION-MAKING, PROFILING
No automated individual decision-making or profiling is performed in the course of the data processing of the Data Controller concerning the data subjects.
1.9 DEADLINE FOR RESPONDING TO THE REQUEST OF THE DATA SUBJECT
The Data Controller ensures that if the data subjects whose personal data are processed by the Data Controller exercise any of their rights, and therefore contact the Data Controller, the Data Controller must respond to such requests without unjustified delay but within one month at the latest, not including the withdrawal of the consent in which case the personal data processed on the basis of the data subject’s consent must be deleted immediately. If necessary, in view of the complexity and the number of the requests, the aforementioned deadline may be extended by two months. In respect of extended deadlines, the Data Controller informs the data subject about the extension of the deadline within one month from the receipt of the request, and also specifies the reasons of the delay. If the data subject has submitted the request electronically, the information, if possible, must be provide electronically too.
* * *
Effective from 9 January 2020