Terms and conditions

Concerning data control related to the PATHWAY OF LIGHT tender of the Zsolnay Light Festival

Introduction

This data control information is a supplement to the Privacy Policy of Zsolnay Heritage management Non-profit Ltd. dated May 16, 2018, and specifically applies to the control of the personal data of natural persons managed by related to the Pathway of Light tender.

1. GENERAL PROVISIONS1.1. Name of data controller: Zsolnay Heritage management Non-profit Ltd. (hereinafter ZSÖK NLtd.)Represented by:Registered office:Email:

2. LEGISLATION THE DATA CONTROL IS BASED ON

2.1. In accordance with the Fundamental Law of Hungary, Zsolnay Heritage management Non-profit Ltd. (hereinafter ZSÖK) ensures the protection of personal data in particular, but not exclusively, subject to the following legislation: a) Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the control of personal data and the free flow of such data, as well as the repeal of Directive 95/46/EC (hereinafter: GDPR); b) Government decree 272/2014 (XI. 5.) on the procedure for using subsidies from individual European Union funds in the 2014-2020 programming period (hereinafter, Government decree 272/2014) c) Act CXCV of 2011 on public finances, as well as Government Decree No. 368/2011 on the implementation of the Act on Public Finances. (XII.31.) (Decree on IAPF) d) Government decree 136/2018 (VII. 25.) on the technical deregulation of certain government decrees.2.2. When developing the regulations of its privacy policy, ZSÖK also takes into account the guidelines of the EU Data Protection Working Group established based on Article 29 of Directive 95/46/EC, as well as the guidelines of the EDPB (European Data Protection Board).

3. DATA CONTROL RELATED TO APPLICATIONS AND GRANTS – SCOPE OF DATA CONTROLLED

3.1. ZSÖK controls personal data in the following cases:

3.2. Legal grounds for data control Pursuant to item e) of Article 6 (1) of the GDPR, public duties related to the management and administration of grants by the data controller. 3.3. Duration of data controlZSÖK controls personal data in accordance with the provisions of the relevant legislation for ten years from the date of approval of the beneficiary’s report by the sponsor. After the sponsor’s decision, the data of applicants who not receiving sponsorship are stored based on their consent for a maximum of three years after registration. 3.4 Other data

The collection, storage, and publication of photographs, video and audio recordings taken during individual events on the website of the ZSÖK or the sponsor, or in the case of a child under the age of 16, takes place with the prior written consent of the legal representative (custodial parent) concerned.3.5. The legal grounds for data control is the consent of the data subject (or its legal representative) based on item a) of Article 6 (1) of the GDPR.3.6. Duration of data control: ZSÖK controls the personal data provided to it in accordance with the relevant legislation for ten years from the date of approval of the beneficiary’s report by the sponsor. Consent for the control of photographs, video and audio recordings can be withdrawn at any time for the future.

4. ACCESS TO PERSONAL DATA, RECIPIENTS OF DATA CONTROL

4.1. The personal data provided can be accessed by those who have a subsidiary or other employment relationship with ZSÖK for the purpose of performing their duties.4.2. ZSÖK forwards the personal data of the data subjects to other state bodies in the cases specified by law, in order to fulfil reporting obligations.4.3. In addition to employees, the following persons can access the data managed by ZSÖK in the application systems:a) developers of tender systems;b) the experts participating in the evaluation of tenders, members of the evaluation committee, in relation to the tenders they have evaluated, according to the provisions of their respective appointment and commission contract.

5. DATA SECURITY

5.1. ZSÖK stores the personal provided data on servers located at ZSÖK’s headquarters and premises. It does not use the services of other companies to store personal data. The data controller uses the appropriate IT, technical and personal measures to protect the personal data it manages, among other things, against unauthorized access or unauthorized changes. Thus, for example, it logs access to data stored in the IT system, meaning that it is always possible to check who and when and had access to personal data and what were accessed.5.2. When defining and applying data security measures, the current state of technology must be taken into account. Among several possible data control solutions, the one ensuring the highest level of protection of personal data must be chosen, unless it would cause a disproportionate difficulty for the ZSÖK.

6. RIGHTS OF DATA SUBJECTS

6.1. Right of accessData subjects have the right to request information from the data controller via the contact details provided in section 1 as to whether their personal data are being controlled, and if such data control is in progress, they are entitled to find out– what personal data;– on what legal grounds;– for what purpose of data control;– for how long

• the data controller controls; furthermore,
• to whom, when, based on which legislation, access to their personal data were provided and what personal data were involved, or to whom their personal data were forwarded;
• the source of their personal data (if they were not provided by the data subjects);
• whether the data controller uses automated decision-making and its logic, including profiling.

The data controller will provide a copy of the personal data that is the subject of data control at the data subjects’ request free of charge for the first time, after which it may charge a reasonable fee based on administrative costs.In order to meet the data security requirements and protect the rights of the data subjects, the data controller is obliged to make sure that there are 5 matches in identity of the data subject and the person wishing to exercise their right of access, and issuing a copy of them is also subject to the identification of the data subject.6.2. Right to adjustmentData subjects can request in writing that the data controller change some of their personal data via the contact details provided in point 1 (for example, they can change their e-mail addresses or mailing addresses at any time). The data controller shall fulfil the request within a maximum of one month and notify the data subject concerned of this in a letter sent to the contact address provided by you.6.3. Right to deletionData subjects can request the deletion of their personal data from the data controller in writing via the contact details provided in section 1, if the data control is carried out without authorization. The data controller will reject the deletion request if it has legal grounds for further storage and use of the data. Such a case is, for example, if the data controller has a legal obligation. However, if there is no such obligation, or if there are other legal grounds for processing the data concerned, the data controller will fulfil the request within up to one month and will notify the data subject about it in a letter sent to the contact address provided for this purpose.6.4. The right to blocking (restriction of data control)Data subjects can request in writing their personal data to be blocked by the data controller via the contact details provided in section 1 (by clearly indicating the limited nature of the data control and ensuring that it is handled separately from other data). The blocking lasts as long as the reason specified by the data subject concerned makes it necessary to store the data. Data subject may request blocking of the data, for example, if they believe that the data controller has handled their data illegally, however, for the sake of the official or court proceedings initiated by them, it is necessary that the data controller does not delete the data concerned. In this case, the data controller will continue to store the personal data (for example, the application submitted) until the authority or the court requests it, after which the data will be deleted.6.5. Right to objectionData subjects can object to the data control at any time for reasons related to their own situation via the contact details provided in section 1, if, in their opinion, the data controller would handle their personal data inappropriately with regard to the purpose indicated in this privacy policy. In this case, the data controller must prove that the processing of personal data is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subjects concerned, or that are related to the presentation, enforcement or defence of legal claims.6.6. Right to carrying on the dataWith regard to the automated data management based on the consent of the data subjects, using the contact details provided in section 1, they are entitled to receive the personal data concerning them, which were made available to a data controller by them, in a segmented, widely used, machine-readable format, and they are also entitled to forward these data to a data controller without being hindered by the data controller to which the personal data concerned were made available.

7. POSSIBILITY OF LEGAL ENFORCEMENT RELATED TO DATA MANAGEMENT

7.1. In order to ensure the priority protection of personal data, data subjects can contact ZSÖK directly with questions, complaints or comments related to the control of personal data at the email address info@zsokkft.hu.7.2. ZSÖK informs the data subjects of the measures taken following the request contained in section 7 without delay, but at the latest within one month from the receipt of the request concerned. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. ZSÖK informs the data subjects concerned about the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If data subjects submitted the request electronically, the information will be provided electronically, unless the data subjects concerned request otherwise.7.3. If ZSÖK does not take measures following the data subject’s request, it shall inform the data subject of the reasons for the failure to take action, as well as the fact that the data subject may file a complaint with the National Data Protection and Freedom of Information Authority and exercise his or her right to judicial redress.7.4. ZSÖK provides the requested information and information free of charge. If the data subject’s request is clearly unfounded or – especially due to its repeated nature – excessive, the ZSÖK – taking into account the administrative costs associated with providing the requested information or taking the requested measure – may charge a reasonable fee or refuse to take action to fulfil on the request concerned.7.5. ZSÖK informs all recipients of all corrections, deletions or data management restrictions made by it, to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, ZSÖK informs him or her about these recipients.7.6. ZSÖK provides a copy of the personal data that is the subject of data management to the data subjects. ZSÖK may charge a reasonable fee based on administrative costs for additional copies requested by data subjects. If the data subject submitted the request electronically, the information will be provided in electronic format, unless the data subject concerned requests otherwise.7.7. Any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation from the data controller or data processor for the damage suffered. The data processor is only liable for damages caused by data processing if it has not complied with the obligations specified in the law, which are specifically imposed on data processors, or if it has ignored or acted contrary to the legitimate instructions of the data controller.7.8. If both the data controller and the data processor are involved in the same data management and are liable for the damages caused by the data management, the data manager and the data processor are jointly and severally liable for the entire damage caused.7.9. The data controller or the data processor is exempted from liability if they prove that they are not responsible in any way for the event that causing the damage.7.10. If the data subject deems that the data controller has violated the applicable data protection requirements during the control of his personal data, they can either submit a complaint to the Authority (National Data Protection and Information Protection Authority, address: 22/c Szilágyi Erzsébet fasor 1125 Budapest, Hungary, mailing address: Pf.: 5. 1530 Budapest, Hungary, Email: ugyfelszolgalat@naih.hu, website: www.naih.hu), or, in order to protect their data, they have the option to go to court, which will act in the case with expedited trial. In this case, they can freely decide whether to file their claim with the competent court according to their place of residence (permanent address) or place of temporary residence (temporary address), or the one competent at the registered office the Authority. They can find the court according to their place of residence or temporary residence at http://birosag.hu/ugyfelkapcazzolati-portal/birosag-kereso. Taking the registered office of the Authority into consideration, the Metropolitan Court has jurisdiction over the lawsuit.