Privacy Policy

Introduction

The operator of this website, the Tom Lantos Institute (registered office: H-1016 Budapest, Bérc u. 13-15, tax registration number: 18212251-1-41) (hereinafter: Service Provider or Controller) submits to the provisions of the following Privacy Policy.

In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), please be advised of the following.

This Privacy Policy regulates the processing of personal data by the controller on its website at www.minorityforum.info and elsewhere.

This Privacy Policy is accessible at: www.minorityforum.info/adatvedelem
Any amendments to this Privacy Policy shall enter into force on publication at the above address.

The controller and its contact details:

Name: Tom Lantos Institute
Registered office: H-1016 Budapest, Bérc u. 13-15.
By post: H-1016 Budapest, Bérc u. 13-15.
Email: info@tomlantosinstitute.hu
Telephone: +36 1 209 0024

Definitions

(1) ‘Personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) ‘controller’: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(4) ‘processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(5) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(6) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

(7) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, the above (‘accountability’).

Data processing

Messages, orders and contact

1 Data collection, the scope of the processed personal data and the purpose of data processing:
Personal data: The purpose of processing personal data
Name, email address, phone number and postal address: Contact details and identification
Date and time of the message: Performing a technical procedure
Sender’s IP address: Performing a technical procedure

2 Data subjects include: Anyone who sends a message, places an order or requests a quotation through the website.

3 Period of data storage, and deadline for the erasure of personal data: Data are stored until the data subject requests their erasure.

4 Potential data controllers entitled to have access to personal data and the recipients of the personal data: The controller may process personal data in compliance with the above outlined principles.

5 Description of data subjects’ rights regarding data processing:
- A data subject may request the controller to provide access to their personal data, rectify or erase them, or restrict their processing, and
- may object to the processing of such personal data, and
- has the right of data portability and may withdraw his or her consent at any time.

6 A data subject may request access to his or her personal data, the erasure, rectification, or restricting the processing of such personal data; may request data portability, or may object to data processing in the following ways:
- by post at the address H-1016 Budapest, Bérc u. 13-15;
- by email sent to info@tomlantosinstitute.hu;
- by phone at (+36) 1 209 0024;
- if contact was established using a form, through a data modification link embedded in the confirmation email.

7 Legal basis of data processing: the data subject’s consent, Article 6 (1) a) of Regulation (EU) 2016/679, Article 5 (1) of Act CXII of 2001 on Informational Self-Determination and the Freedom of Information (hereinafter: Info tv.), and Article 13/A (3) of Act CVIII of 2001 on Specific Issues Related to Electronic Commerce and on Information Society Services (hereinafter referred to as “Elker tv.”):
In order to provide the service, the service provider may process the personal data that are technically indispensable for providing the service. Ceteris paribus, the service provider must, at all times, select and operate the means used for the provision of services related to the information society in a way to only process personal data if they are indispensable for providing the service or for achieving the other objectives set out in the Info tv., and even then, only to the required extent and for the required period of time.

8 Please be advised that
- data processing is based on your consent;
- you are required to specify the personal data that enable us to respond to your request;
- should you fail to specify the required data, we will be unable to fulfil your request.

Data processors used

1 Activity performed by the data processor, and the data processor’s name and contact details:

Hosting service provider
IntroWeb Kft.
Tax no.: 13037176-2-06
Company registration number: 06-09-008564
Registered office: H-6724 Szeged, Gelei József u. 5
Tel: (+36) 20 414 2574

The provision of technical support
IntroWeb Kft.
Tax no.: 13037176-2-06
Company registration number: 06-09-008564
Registered office: H-6724 Szeged, Gelei József u. 5.
Tel: (+36) 20 414 2574

2 Data processing and the scope of the processed personal data: All the personal data specified by the data subject.

3 Data subjects include: Any data subject who uses the website or whose personal data are processed by the data processor.

4 The purpose of processing personal data: The provision of access to the website and of technical support

5 Period of data storage, and deadline for the erasure of personal data: The personal data are processed up to the day when the contract concluded by the data processor and the service provider is terminated, or when the data subject requests the service provider to erase the personal data.

6 Legal basis of data processing: the user’s consent, Article 5 (1) of the Info tv., Article 6 (1) a) of Regulation (EU) 2016/679, and Article 13/A (3) of Act CVIII of 2001 on Specific Issues Related to Electronic Commerce and on Information Society Services.

Management of cookies

1 Data processing and the scope of the processed personal data: Unique identifiers, dates and times

2 Data subjects include: All data subjects who visit the website.

3 The purpose of processing personal data: User identification and visitor tracking.

4 The period of data storage, and deadline for the erasure of personal data:

Cookie type: Session cookies
Processed personal data: These cookies are required for enabling users to browse our website and use its functions, e.g. for remembering your actions on particular websites during your visit.
Legal basis of data processing: Article 13/A (3) of Act CVIII of 2001 on Specific Issues Related to Electronic Commerce and on Information Society Services (“Elker tv.”).
The purpose of processing personal data: Ensuring the proper functioning of the website
Period of data storage: Up to the end of the visitor’s session

Cookie type: Functional cookies
Personal data processed: These enable us to remember your preferences related to our website or the fact that you visit our websites made for blind and partially-sighted persons.
Legal basis of data processing: Your consent.
The purpose of processing personal data: Improving user experience and the convenience of website use
Period of data storage: 5 months

Cookie type: Targeting and advertising cookies
Personal data processed: These cookies are used on the websites to deliver advertisements that better suit your interests or are more relevant to you. These cookies are also unable to determine who you are; they collect information on the pages viewed by our visitor or the part of a website the user has clicked on.
Legal basis of data processing: Your consent.
The purpose of processing personal data: To collect information on the way visitors use our website.
Period of data storage: Session or 5 months


5 Potential data controllers entitled to have access to personal data: The controller does not process personal data by using cookies.

6 Description of data subjects’ rights regarding data processing: Data subjects have the opportunity to delete cookies from the browsers.

For further information on cookie setting on the most popular browsers, visit the following links:
- Google Chrome
- Firefox
- Microsoft Internet Explorer 11
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 8
- Safari

7 Legal basis of data processing: The data subject’s consent is not required if the sole purpose of using cookies is the transmission of communication through the electronic communication network, or if the cookies are indispensable for the service provider to provide the information society service explicitly requested by the subscriber or user.

Using Google AdWords conversion tracking

1 The controller uses the online advertising program Google AdWords, and more specifically, Google’s conversion tracking service. Google conversion tracking is a service provided by the analysing company Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

2 When a user lands on a website through a Google advertisement, a cookie required for conversion tracking is transferred to his or her computer. As such cookies have a limited validity, and they do not contain any personal data, the user is unidentifiable by them.

3 While the user is browsing certain pages of the website, and the cookie has not expired yet, both Google and the controller can see that the User has clicked on the advertisement.

4 As every Google AdWords client is assigned a different cookie, they cannot be tracked through AdWords clients’ websites.

5 The information obtained with the help of conversion tracking cookies serves the purpose of compiling conversion statistics for AdWords clients who choose to track conversions. Thus clients are informed of the number of users who have clicked on their advertisements and have been transferred to the website tagged for conversion tracking. However, they cannot have access to any information that enables user identification.

6 If you wish not to participate in conversion tracking, you may refuse it by disabling cookie installation in your browser. Then you will not be included in conversion tracking statistics.

7 For further information and for Google’s Privacy Policy, visit the following website: https://policies.google.com/privacy/

Google Analytics application

1 This website uses the application Google Analytics, a service provided by the web analysing company Google Inc. (“Google”). Google Analytics uses certain text files called “cookies”, saved on your computer to facilitate the analysis of using the website visited by the user.

2 The information generated by the cookies in relation to the website used by the user is generally transferred to and stored on one of Google’s servers located in the USA. By enabling IP anonymization on the website, Google cuts the user’s IP address short before transfer, already in the Member States of the European Union or any other state that is a party to the treaty on the European Economic Area.

3 The full IP address is only transferred to and cut short in the Google server located in the USA in exceptional cases. Mandated by the operator of this website, Google will use such information to evaluate the user’s website use, to compile reports on website activities for the website operator, and to provide further services related to website and Internet use.

4 Within the framework of Google Analytics, the IP address transferred by the user’s browser is not compared to other Google data. The user may prevent the storage of cookies by appropriately setting his or her browser. Note, however, that in this case not every function of this website can be fully used. In addition, the user may also prevent Google from collecting and processing personal data obtained through cookies about his or her use of the website (including the IP address) by downloading and installing the browser plugin accessible at the following URL:
https://tools.google.com/dlpage/gaoptout

Complaints management

1 Data collection, the scope of the processed personal data and the purpose of data processing:
Personal data: The purpose of processing personal data
Surname and last name: Identification and contact
Email address: Contact
Phone number: Contact
Invoicing name and address: Identification, management of complaints, questions and problems related to the quality of the services ordered

2 Data subjects include: All data subjects who use the service and object to its quality or make a complaint.

3 Period of data storage, and deadline for the erasure of personal data: Pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection, copies of the record made of the complaint, its transcript, and the response must be retained for a period of 5 years.

4 Potential data controllers entitled to have access to personal data and the recipients of the personal data: The controller may process personal data in compliance with the above outlined principles.

5 Description of data subjects’ rights regarding data processing:
- A data subject may request the controller to provide access to, or rectify, erase or restrict the processing of the personal data concerning him or her, and
- may object to the processing of such personal data, and
- the data subject has the right to data portability and is entitled to withdraw his or her consent at any time.

6 A data subject may request access to his or her personal data, the erasure, rectification or restricting the processing of such personal data; may request data portability, or may object to data processing in the following ways:
- by post at the address H-1016 Budapest, Bérc u. 13-15;
- by email sent to info@tomlantosinstitute.hu;
- by phone at (+36) 1 209 0024.

7 Legal basis of data processing: the data subject’s consent, Article 6 (1) a) of Regulation (EU) 2016/679, Article 5 (1) of the Info tv., and Article 17/A (7) of Act CLV of 1997 on Consumer Protection.

8 Please be advised that
- the specification of personal data is based on a contractual obligation;
- the processing of personal data is a precondition of contract conclusion;
- you are required to specify personal data to enable us to manage your complaint;
- failure to specify the required data will prevent us from managing your complaint received by us.

Social network sites

1 Data collection and the personal data processed: The user’s name registered on the social network sites Facebook / Google+ / Twitter / Pinterest / Youtube / Instagram etc. and his or her public profile picture.

2 Data subjects include: All data subjects who have registered on the social network sites Facebook / Google+ / Twitter / Pinterest / Youtube / Instagram etc. and have “liked” the website.

3 Purpose of data collection: Sharing, liking and popularising the website and its individual content elements, products and actions on various social network sites.

4 Period of data storage, deadline for the erasure of personal data, potential data controllers entitled to have access to the personal data, and a description of data subjects’ rights regarding data processing: The data subject may obtain information on the source and processing of personal data and on the method and legal basis of data transfer on the relevant social network site. As personal data are processed on social network sites, the period and method of processing personal data and the erasure and amendment of personal data are subject to the regulation of the relevant social network site.

5 Legal basis of data processing: The data subject’s voluntary consent to the processing of his or her personal data on social network sites.

Contact by phone

1 Data collection, the scope of the processed personal data and the purpose of data processing:
Personal data: The purpose of processing personal data
Name, phone number, address of the property: Contact, identification, business purpose, placing an order for a service.

2 Data subjects include: All the data subjects liaising with the controller by phone.

3 Period of data storage, and deadline for the erasure of personal data: Data are stored until the data subject requests their erasure.

4 Potential data controllers entitled to have access to personal data and the recipients of the personal data: The controller may process personal data in compliance with the above outlined principles.

5 Description of data subjects’ rights regarding data processing:
- A data subject may request the controller to provide access to, or rectify, erase or restrict the processing of the personal data concerning him or her, and
- may object to the processing of such personal data, and
- the data subject has the right to data portability and is entitled to withdraw his or her consent at any time.

6 A data subject may request access to his or her personal data, the erasure, rectification or restricting the processing of such personal data; may request data portability, or may object to data processing in the following ways:
- by post at the address H-1016 Budapest, Bérc u. 13-15;
- by email sent to info@tomlantosinstitute.hu;
- by phone at (+36) 1 209 0024.

7 Legal basis of data processing: the data subject’s consent, Article 6 (1) a) of Regulation (EU) 2016/679, Article 5 (1) of the Info tv.

8 Please be advised that
- data processing is based on your consent;
- you are required to specify the personal data that enable us to respond to your request;
- failure to specify the required data will prevent us from fulfilling your request, performing the job etc.

Customer relations and other cases of processing personal data

1 Should any question arise in the course of using the controller’s services or if the data subject has any problem, he or she may contact the controller at the addresses (phone number, email address, social network site etc.) specified on the website.

2 The controller shall erase the email and other messages received and the data specified by phone or via Facebook etc., including the inquirer’s name and email address as well as any voluntarily specified other personal data on expiry of 2 years after data reporting.

3 Information on any cases of personal data processing not listed in this Privacy Policy will be provided upon data collection.

4 On an exceptional request from a regulatory authority or from other organizations under statutory mandate, the service provider must make a report, share personal data and/or provide access to documents.

5 In such cases the service provider may share personal data with the requesting party, provided that the latter has accurately specified the purpose and the required personal data, only to the extent indispensable for achieving the purpose of the particular request.

The rights of data subjects

1 Right to access
You have the right to obtain confirmation from the controller as to whether or not personal data concerning you is being processed, and, if that is the case, to have access to the personal data and to the information listed in the Regulation.

2 Right to rectification
You are entitled to the rectification of your inaccurate personal data by the controller upon your request without undue delay. Taking into account the purpose of processing, you are entitled to request the completion of any incomplete personal data, including by means of a supplementary statement.

3 Right to erasure
You are entitled to the erasure of your personal data by the controller upon your request without undue delay, and the controller must erase your personal data without undue delay if the statutory conditions apply.

4 Right to be forgotten
If the controller has disclosed the personal data to the public and it is required to erase the personal data, the controller, taking account of the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform the controllers processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.

5 Right to the restriction of processing
You are entitled to obtain restriction of processing by the controller if any of the following conditions applies:
- You contest the accuracy of the personal data, in which case processing must be restricted for a period that enables the controller to verify the accuracy of the personal data;
- Processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- The controller no longer needs the personal data for processing, but you request them for the establishment, exercise or defence of legal claims;
- You have objected to processing; in this case processing must be restricted until it is verified whether the legitimate grounds of the controller override those of yours.

6 Right to data portability
You are entitled to receive, in a structured, commonly used and machine-readable format, the personal data concerning you and provided by yourself to a controller, and you are also entitled to transmit such data to another controller without hindrance from the controller to which the personal data have been provided (...)

7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling based on the above-mentioned regulations.

8 Objection to processing for direct marketing purposes
If personal data are processed for direct marketing purposes, you are entitled to object at any time to the processing of your personal data for such purposes, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

9 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects concerning you or affects you similarly significantly. The previous paragraph does not apply if such a decision:
- is necessary for the conclusion or performance of a contract between you and the data controller;
- is authorised by any statutory regulation of the European Union or any of its Member States to which the controller is subject and which also lays down measures for safeguarding your rights, freedoms and legitimate interests; or
- is based on your explicit consent.

10 Legal basis of data processing pursuant to the Regulation:
a) the data subject’s consent;
b) performance of a contract,
c) compliance with a legal obligation to which the controller is subject;
d) protection of the vital interests of the data subject;
e) the personal data are processed in the framework of a task in public interest or the exercise of official authority vested in the controller;
f) processing the personal data is required for the enforcement of the legitimate interests of the controller or of a third party.

Deadline for action

The controller must inform you of any action taken on the above-specified requests, without undue delay but in any case no later than within one month following receipt of the request.
This period may be extended by two months, if necessary. The controller must inform the data subject of any such extension within one month following receipt of the request, and specify the reasons for the delay.
If the controller fails to take any action on your request, it must inform you without delay, but in any case no later than within one month following receipt of the request, of the reasons for its failure to take action, and you may submit a complaint to any supervisory authority and exercise your right to a judicial remedy.

The security of processing personal data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Communication of a personal data breach to the data subject

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.
The communication to the data subject must include a description, in clear and plain language, of the nature of the personal data breach, and specify the name and contact details of the data protection officer or another contact point where more information can be obtained; a description of the likely consequences of the personal data breach; a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication to the data subject may not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those actions that render the personal data unintelligible to any person not authorised to access it, such as encryption;
- after the personal data breach the controller has taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- communication would involve disproportionate efforts. In such a case, the data subjects must be informed by a public notice or a similar measure that ensures equally effective information for the data subjects concerned.
If the controller has not yet informed the data subject of the personal data breach, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Reporting a personal data breach to the supervisory authority

The controller must report a personal data breach without undue delay and, where feasible, no later than within 72 hours after having become aware of it, to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If it is not reported to the supervisory authority within 72 hours, the reasons justifying the delay must also be enclosed with the report.

Complaints procedures

Complaints against any possible infringement by the controller may be made to the Hungarian National Authority for Data Protection and Freedom of Information at:
Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: H-1530 Budapest, Post office box: 5
Phone: +36 (1) 391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Epilogue

During the compilation of this Privacy Policy, the following statutory regulations were taken into consideration:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (hereinafter: Info tv.)
- Act CVIII of 2001 on Certain Issues Related to Electronic Commercial Services and on Services Related to the Information Society (with special regard to Article 13/A)
- Act XLVII of 2008 on the Prohibition of Unfair Business-to-Consumer Commercial Practices;
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Article 6);
- Act XC of 2005 on the Freedom of Information by Electronic Means
- Act C of 2003 on Electronic Communication (particularly Article 155);
- Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;
- Recommendation by the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information