Privacy Notice on data processing related to participation in the exhibition
MNB-Ingatlan Kft. (‘MNB-Ingatlan’ or ‘MNB Arts and Culture’) hereby informs its visitors and other participants of its events (the ‘Data Subjects’) about its practice regarding the processing of personal data, about the organisational and technical measures it has taken to protect the data, as well as about the related rights of the Data Subjects and the possibilities of their enforcement.
- Actors involved in data processing
1.1 Data Controller
Name: MNB-Ingatlan Kft. (MNB-INGATLAN),
Contact: info@mnbarts.hu
1.2 Data processor
In the course of data processing, the Data Controller uses a data processor:
Name: Várkapitányság Integrált Területfejlesztési Központ Nonprofit Zártkörűen Működő Részvénytársaság
Contact: onder.peter@onder.hu
- Data processing activities
2.1 Registration
Purpose of processing
| If registration is required for participation in the exhibition (event), the purpose of data processing is to identify the registrants, to confirm the registration and to provide access control to the persons registered for the event. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR): Conducting the event in a transparent and administered manner. |
Scope of the data processed | • Name • Email address • age (children’s programmes) • food sensitivities (catering) • licence plate number (parking registration) |
Term of processing | Until the given exhibition (event) is held. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.2 Access control
Purpose of processing
| To identify and to control access by exhibition participants and safe and smooth conducting of the event. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR) |
Scope of the data processed | • Name • Email address |
Term of processing | Until the Data Subject requests the erasure of their data or withdraws their consent. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.3 Signing the attendance sheet
Purpose of processing
| To document and verify the attendance of the of the exhibition by the participants through the signing of the attendance sheet. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR) |
Scope of the data processed | • Name • Email address |
Term of processing | Until the Data Subject requests the erasure of their data or withdraws their consent. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.4 Data processing related to the issue of invoices
Purpose of processing
| To invoice the fees for services related to participation in the exhibition and to provide financial settlement in accordance with the law. |
Legal grounds for processing | The data are processed on the basis of compliance with the statutory obligation under Article 6(1)(c) GDPR. |
Scope of the data processed | • Name • Address • Email address • Tax number • Telephone number |
Term of processing | The data are retained until the end of the eight-year retention period specified in Section 169 of Act C of 2000 on accounting. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.5 Processing of data of contracted partners
Purpose of processing
| To fulfil contractual obligations related to participation in the exhibition and to ensure effective contact with contracted partners. |
Legal grounds for processing | The legitimate interest of the Data Controllers (Article 6(1)(f) GDPR). |
Scope of the data processed | • Contact person name • Email address of contact person • Contact person telephone number |
Term of processing | The Data Controller processes personal data for the duration of the purpose of data processing, thus primarily during the term of the contract concluded between the parties or until the Data Subject requests the erasure of their data. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.6 Subscribing to the newsletter
Purpose of processing
| Electronic newsletters about current and future exhibitions, events and other news are sent out from time to time. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR) |
Scope of the data processed | • Name • Email address |
Term of processing | Until the Data Subject requests the erasure of their data or withdraws their consent. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.7 Processing the data of event speakers
Purpose of processing
| To liaise with the speakers of the event, to organise and conduct the presentations, and to document the speakers’ activities. |
Legal grounds for processing | The data are processed pursuant to Article 6(1)(b) GDPR, for the purpose of fulfilling the rights and obligations set out in the contract, on grounds of the performance of the contract. |
Scope of the data processed | • Name • Email address • Tax number • Telephone number • Bank account details |
Term of processing | The Data Controller processes personal data for the duration of the purpose of data processing, thus primarily during the term of the contract concluded between the parties or until the Data Subject requests the erasure of their data. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.8 Complaints management
Purpose of processing
| To effectively handle and investigate complaints related to the exhibition and to take appropriate action to remedy any problems, as well as to effectively liaise with the complainant. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR) |
Scope of the data processed | • Name • Email address • Telephone number |
Term of processing | Until the Data Subject requests the erasure of their data or withdraws their consent. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.9 Prize game
Purpose of processing
| To administer the prize game, to identify and notify the winners, and to issue or send out the prizes. |
Legal grounds for processing | Consent of the Data Subject (Article 6(1)(a) GDPR) |
Scope of the data processed | • Name • Email address • Telephone number |
Term of processing | Until the Data Subject requests the erasure of their data or withdraws their consent. |
Place of storage | MNB-INGATLAN stores the data on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.10 Taking photos and making video recordings
Purpose of processing
| To make recordings, to capture the elements of the event, to promote future events on the Data Controller’s own and its media partners’ websites and social media platforms, and to document the event, which requires the processing and use of images of the event. |
Legal grounds for processing | The legitimate interest of the Data Controllers (Article 6(1)(f) GDPR). |
Scope of the data processed | • Likeness of recorded people • Recorded events: behaviour of Data Subjects • Recorded audio (video recording only) • Place and time of recording (video recording only) |
Term of processing | Until the data subject requests the erasure of their data. |
Place of storage | The Data Controller stores the recordings on its own internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed in an employment relationship or engaged in other ways for work, for whom this is absolutely necessary to achieve the above purpose. |
2.11 Security camera footage
Purpose of processing
| To ensure the security and order of the exhibition, and to document incidents occurring on site and to use them for investigative purposes. |
Legal grounds for processing | The legitimate interest of the Data Controllers (Article 6(1)(f) GDPR). |
Scope of the data processed | • Likeness of recorded people • Recorded events: behaviour of Data Subjects • Recorded audio (video recording only) • Place and time of recording (video recording only) |
Term of processing | For a maximum of 30 days from the date of recording and for three days in the case of cameras that can also see public places unless some kind of violation is recorded in the footage, in which case until the violation is investigated. |
Place of storage | The data processor stores the data on its own, internal server exclusively in Hungary. |
Who can access the data | Access is strictly limited to designated employees of the Data Controller employed exclusively in an employment relationship or engaged in other ways for work (including an employment relationship or agency relationship with the Data Controller) for whom this is absolutely necessary to achieve the above purpose. |
- Transfer of data:
3.1 Domestic data transfer
- The personal data specified in Section 2.10 will be transmitted by our Company to the founder of the Company (Central Bank of Hungary, 1013 Budapest, Krisztina körút 55., info@mnb.hu) on a case-by-case basis for the purpose of enabling the founder to oversee the exhibitions and events of the Company and for the Central Bank of Hungary to be able to use them for illustration purposes in its publications.
- Our Company disclose personal data to courts, prosecutors, other authorities and official bodies in the context of our legal obligations or in the case of enforcement of claims, in the scope and manner appropriate to our legitimate interest.
3.2 Data transfer abroad
The data will not be transferred outside Hungary.
- Data processing methods and data security
As Data Controller, MNB-Ingatlan takes all reasonable measures to ensure that the data collected, stored and processed by it are accurate and, if necessary, up-to-date, and inaccurate personal data are erased or corrected.
The appropriate security of the personal data is ensured by appropriate technical and organisational measures against the unauthorised or unlawful processing, accidental loss, destruction or alteration of, or damage to, data. However, please note that data transfer via the internet cannot be considered a form of fully secure data transfer. The Data Controller will make every effort to ensure that the processes are made as secure as possible, but we cannot take full responsibility for data transfer via our website. However, regarding the data received by the Data Controller, we comply with strict regulations in order to ensure the safety of the Data Subject’s data and to prevent any illegal access.
The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or erased by unauthorised persons. The processed data may only be accessed by the Data Controller, its employees and the data processors used by it.
The Data Controller uses a data processor in connection with its offers sent by email and other mass email inquiries, information and data cleaning. The Data Controller and the data processors used by it are entitled to access the personal data in accordance with the applicable legislation.
A personal data breach is any event that results in the unlawful handling or processing of personal data processed, transferred or stored by the Data Controller, in particular, the unauthorised or accidental access, alteration, disclosure, erasure, loss or destruction, accidental destruction of, or damage to, personal data. Without undue delay, but not later than 72 hours after becoming aware of a personal data breach, the Data Controller shall report the personal data breach to the National Authority for Data Protection and Freedom of Information unless the Data Controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Data Controller keeps record of any personal data breach for the purpose of supervising the measures taken in connection with the personal data breach and for informing the Data Subjects.
- Participation in children’s programmes:
At the children’s programmes organised by MNB Arts and Culture, video and audio recordings may be made of the children participating in the events. These recordings will be used to document and promote the event and to appear on the websites and other forms of appearance of MNB Arts and Culture and its partner organisations.
If the parent or legal guardian does not want their child to appear on the recordings, they can indicate it:
- on site in person or
- later in writing, using the contact details provided on the mnbarts.hu website (e.g. by email).
The Data Controller ensures that, after receipt of the request, the recordings of the child will not be used in the public domain and, if possible, will remove any content already published.
- Rights of the Data Subject:
5.1 Right of information
You have the right to request information on whether MNB-INGATLAN processes your personal data and, if so, on the essential circumstances of data processing (e.g. the purpose, legal grounds, etc. of data processing).
5.2 Right of access
You have the right to access, actually receive or request a copy of your personal data.
5.3 Right to rectification
Within the framework of the right to rectification, you have the right to request:
- the rectification of inaccurate data,
- the completion of incomplete data.
5.4 Right to erasure
You have the right to have MNB-INGATLAN erase your personal data upon request if one of the conditions below is met:
- the personal data are no longer needed for the purpose for which they were originally collected or processed by MNB-INGATLAN;
- you object to the data processing and MNB-INGATLAN has no compelling legitimate interest in continued data processing;
- in the case of unlawful data processing;
- it is necessary to erase the data for compliance with a legal obligation.
In exceptional cases, your data may not be erased even if these conditions are met. For example, if they have to be retained for the submission, enforcement or defence of legal claims.
5.5 Right to restriction of processing
If you dispute the accuracy of your personal data, you have the right to request that MNB-INGATLAN restrict data processing as long as it controls them.
If the data processing is unlawful or the storage period has expired, but you request it in order to enforce your legal claim, you may also request the restriction of data processing instead of the erasure of the data.
The restriction of data processing means that MNB-INGATLAN only stores your data. It does not alter the data and does not perform any other operations on them.
MNB-INGATLAN may use your restricted data if you consent to it or it is necessary to:
- submit, enforce or defend legal claims,
- protect the rights of another person.
5.6 Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data.
However, MNB-INGATLAN may still process your personal data if it is necessary for:
- compelling legitimate interests or
- the submission, enforcement or defence of legal claims.
5.7 Fulfilment of the requests of Data Subjects
If you think that your personal data are not processed in accordance with data protection requirements in force, you may request that this be remedied. A response will be given within a maximum of 25 days of receipt of your request. If we are unable to fulfil your request, if it is complex or if multiple requests are made and we need more time due to their volume, you will also receive information within these 25 days. In such cases, the time limit may be extended once by a maximum of 25 days.
5.8 Right of appeal
You have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH). Website: https://naih.hu/.
Address | Email address / mailing address | Telephone number |
1055 Budapest, Falk Miksa utca 9-11., Hungary | ugyfelszolgalat@naih.hu;
| +36 (30) 683-5969 +36 (30) 549-6838 |
You have the right to go to court. In the event of unlawful data processing, you may initiate a civil action, the adjudication of which falls within the competence of the regional court. The action may also be brought before the regional court at your place of residence. For more information, please visit http://birosag.hu/torvenyszekek.