Data controller name: Budapest Festival Orchestra
Headquarter: 1033 Budapest, Polgár utca 8-10.
2. Data management rules
The Budapest Festival Orchestra (hereinafter: BFZ) It handles personal data in connection with this interface and the website in accordance with its data protection and data security regulations. The material scope of the Regulations extends to all processes carried out in all departments of the BFZ during which the processing of personal data specified in Article 4 of the * GDPR takes place.
Personal data may only be processed for the purpose of exercising a right or fulfilling an obligation. The use of personal data processed by BFZ for private purposes is prohibited. Data management must always comply with the purpose limitation principle.
BFZ processes personal data only for the purpose specified in Article 6 (1) of the GDPR.
The BFZ shall, before recording the data, in all cases – if the data come from the data subject in accordance with Article 13 (1) of the GDPR. – or – if the data do not come directly from the data subject in accordance with Article 14 (1) of the GDPR. communicate the required obligations to the data subject in accordance with
Employees performing data management at BFZ’s organizational units and employees of organizations participating in data management on behalf of BFZ and performing one of its operations are obliged to keep the personal data they know confidential. Persons handling personal data and having access to it are obliged to make a Privacy Statement.
If a person covered by the Regulations becomes aware that the personal data processed by the BFZ is incorrect, incomplete or out of date, he / she is obliged to correct it or initiate the correction with the employee responsible for recording the data.
The data protection obligations of natural or legal persons or organizations without legal personality performing data processing activities on behalf of BFZ shall be enforced in the contract concluded with the data processor.
The director of the BFZ defines the organization of data protection, the tasks and powers related to data protection and related activities, and appoints the person in charge of data management, taking into account the specifics of the BFZ.
In the course of their work, the employees of BFZ ensure that unauthorized persons cannot access personal data, and that the storage and placement of personal data is designed in such a way that it cannot be accessed, learned, changed or destroyed by unauthorized persons.
The BFZ’s data protection system is supervised by the Executive Director through a data protection officer appointed by him.
3. Enforcing the rights of data subjects
The data subject may request information on the handling of his / her personal data, as well as request the correction of his / her personal data, or – with the exception of the data processing ordered by law – the deletion or restriction of the contact details indicated in the BFZ.
The data subject has the right to receive the personal data concerning him / her made available to the Data Controller in a structured, widely used, machine – readable form, and he / she has the right to transfer this data to another data controller.
The BFZ is obliged to forward the received application or protest to the head of the organizational unit responsible for data management within three days of receipt.
The head of the organizational unit with tasks and competencies shall respond to the request related to the processing of the personal data of the data subject in writing, in a comprehensible form, no later than within one month from the date of his / her arrival.
At the request of the data subject, the Data Controller shall provide information on the data processed by the data subject or processed by the data controller by him or her, their source, purpose, legal basis, duration, name, address and activities related to data processing, circumstances of the data protection incident. , its effects and the measures taken to remedy it, and, in the case of transfers of personal data of the data subject, the legal basis and the recipient of the transfer.
As a general rule, the information is free of charge if the person requesting the information has not yet submitted an information request to the Data Controller for the same data set in the current year. In other cases, reimbursement may be established. The amount of the reimbursement may also be fixed by the contract concluded between the parties. Reimbursement of costs already paid shall be reimbursed if the data have been processed unlawfully or if a request for information has led to a correction.
Inaccurate data shall be corrected by the head of the department handling the data, if the necessary data and the official documents proving them are available, the GDPR. If the reasons set out in Article 17 exist, it shall take measures to delete the personal data processed.
Personal data must be deleted if
(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
(b) the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing and there is no overriding legitimate reason for the processing;
(d) personal data have been processed unlawfully;
(e) personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the controller;
(f) personal data have been collected in connection with the provision of information society services to children under the age of 18;
(g) if the controller has disclosed the personal data and the personal data are no longer needed for the purpose for which they were collected or otherwise processed, it shall delete them and take reasonable steps, including technical measures, taking into account available technology and implementation costs. measures to inform the controllers that the data subject has requested the deletion of links to the personal data in question or of a copy or duplicate of such personal data.
The data subject may object to the processing of his or her personal data;
– if the processing or transfer of personal data is necessary only for the fulfillment of a legal obligation to the Data Controller or for the enforcement of the legitimate interests of the Data Controller, the data recipient or a third party, except in the case of mandatory data processing;
– if the use or transfer of personal data is for the purpose of direct business acquisition, public opinion polling or scientific research; and
– in other cases specified by law.
The Data Controller shall examine the protest as soon as possible, but not later than within one month from the submission of the request, make a decision on the merits of the request and inform the applicant in writing of its decision.
If the Data Controller finds that the data subject’s objection is justified, the data processing, including further data collection and data transfer, shall be terminated, the data shall be restricted and the protest and the measures taken on the basis thereof shall be notified to all persons to whom the data subject has previously transmitted and are obliged to take measures to enforce the right to protest.
If the data subject does not agree with the decision of the Data Controller, or if the Data Controller fails to meet the deadline, the data subject may apply to a court within thirty (30) days from the notification of the decision or the last day of the deadline.
If you do not receive the data necessary to enforce the data subject’s right due to the data subject’s protest, you may, within 30 days of the notification, apply to the court against the Data Controller for access to the data. The Data Controller may also sue the data subject.
If the Data Controller fails to notify, the Data Recipient may request information from the Data Controller regarding the circumstances related to the failure of the data transfer, which the Data Controller is obliged to provide within 8 days after the delivery of the Data Recipient’s request. In the event of a request for information, the data recipient may file a lawsuit against the Data Controller within 30 days of the provision of the information, but no later than within the open deadline. The Data Controller may also sue the data subject.
The Data Controller may not delete the data of the data subject if the data processing has been ordered by law. However, the data may not be transferred to the data recipient if the Data Controller has agreed to the protest or the court has established the legitimacy of the protest.
If the assessment of the case is unclear in the exercise of the data subject’s rights, the head of the data processing unit may request a resolution from the data protection officer by sending the case file and his / her position on the case, who shall comply with it within three days.
BFZ also indemnifies for the damage caused to others by the unlawful processing of the data subject’s data or the breach of data security requirements, as well as the damages for personal injury caused by him or her or the data processor used by him or her. The data controller shall be released from liability for the damage caused and the obligation to pay damages if he proves that the damage or the violation of the data subject’s right to privacy was caused by an unavoidable cause outside the scope of data processing. Likewise, it does not compensate for damage if it was caused by the intentional or grossly negligent conduct of the injured party.
The person concerned may appeal to the National Data Protection and Freedom of Information Authority (1125 Budapest, Szilágyi Erzsébet fasor 22 / C.) Or to the court competent according to his or her place of residence or stay.
4. Data management during the use of the BFZ website
Place of data management: the registered office of BFZ and the registered offices of the partners in the legal relationship.
4.1. Data management on the website
Anyone can access the BFZ’s own website without disclosing their identity and providing their personal data, and in the case of registration, by providing the related mandatory data. You have free and unrestricted access to information on the Website and related sites. However, the website collects non-personal information from visitors unrestrictedly and automatically, using so-called cookies. However, no personal data can be obtained from this data, so it does not implement data management under the GDPR.
4.2. Data management related to contact, registration, loyalty program (contact)
BFZ operates its own website with the involvement of an authorized third party (ies), where visitors have the opportunity to contact them as well as other ways of contacting them.
purpose of data management: liaising with the BFZ
legal basis for data management: the stakeholder contribution under Article 6 (1) (a) of the GDPR, and Act CVIII of 2001 on certain issues in electronic commerce services and information society services. Act 13 / A. § (3)
scope of data managed: name, e-mail address, as well as other personal data provided by the data subject in case of registration
deadline for deleting data: until the contact case is settled (until the goal is achieved)
data storage method: in electronic form
individual rights: under the GDPR; right of access, right of rectification, right of erasure or restriction, right of objection and right of data portability
5. DPO Contact Information
E-mail: adatvedelem@bfz.hu
6. Issues and intellectual property rights not covered in this prospectus
For matters not covered in this prospectus a GDPR and the BFZ Privacy and Data Security Policy apply.
As part of the consent, the user consents to the publication of the contents in accordance with this Prospectus in justified cases.
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR / General Data Protection Regulation)
ANNEX I
Sponsorship Club and Loyalty Program Data Management
The purpose of data management: payment to the Data Controller, registration of payers, differentiation from each other, documentation of the payment, fulfillment of the accounting obligation, contact of the payer, provision of discounts by the loyalty program
Legal basis for data management: the processing is necessary for the performance of the contract [Article 6 (1) (b) GDPR] and the Court of Auditors. tv.169. § (2)
Type of personal data processed: identification number, date, time, name, address, telephone number, name, address, telephone number of members of the community, additional data related to the Supporting Club Membership and the loyalty program
Duration of data management: the Accounting TV. In accordance with Section 169 (2), eight years.
In the case of card payment, the details of the bank card and the card payment transaction are handled by the bank of each store.
Data transmission:
In case of payment by credit card, the ID of the depositor, the amount, date and time of the transaction to the Bank.
Data processors:
Financial institution and other legal entities related to the Data Controller
Complaints can be lodged primarily with the Data Controller and the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet avenue 22 / C.