Privacy Policy

Privacy Policy

Foundation for the Research on Central and Eastern European History and Society

Data processing Guidelines

on data processing implemented in connection with the Photo Gallery

Effective from: 10/04/2024

1./ Aim and scope of the Guidelines

1.1./ The aim of these Guidelines is to provide you with information required by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, henceforward: GDPR) and by the Hungarian Act 2011/112 on the Right of Informational Self-Determination and on the Freedom of Information (henceforward: Data Protection Act) concerning the use of and your rights regarding the personal information you provided via the Photo Gallery (Fotótár) on the www.terrorhazafoto.hu website operated by the Foundation for Research on Central and Eastern European History and Society.

1.2./ The scope of these Guidelines only covers the processing of personal information you provided via the Photo Gallery on the www.terrorhazafoto.hu website.

1.3./ These Guidelines and their amendments implemented from time to time shall be considered effective from the moment that they are published on the website www.terrorhazafoto.hu.

1.4./ Before you provide any data or information to us, please read the current version of the Guidelines, which shall always be accessible from www.terrorhazafoto.hu. Please note that you should only provide data or information to the Public Foundation at any time if you have read the current version of these Guidelines, and explicitly agree with their contents.

2./ Definitions

Data subject: all natural persons identified or identifiable based on any given information.

User: data subjects who provide their personal data for the purpose of submitting an order through the Photo Gallery at www.terrorhazafoto.hu, operated by the Foundation (henceforward: the Photo Gallery).

Customer: any User that submits an order with a payment obligation in the Photo Library.

Personal data: all information that relates to the data subject.

Data controller: natural or legal persons or organisations not having legal personality that (independently or jointly with others) may determine the purpose of the data processing, make and execute decisions regarding the data processing (including the devices used), or have their decisions executed by the data processor. The Foundation is the controller of the personal data provided in the context of the Photo Library.

Data processing: all activities or the sum of activities carried out by the Foundation on the data provided by the users, including especially collecting, recording, organizing, storing, modifying, using, querying, transmitting, publishing, harmonising or interconnecting, locking, deleting and destroying the data, as well as preventing further use of the data.

Data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to any personal data transmitted, stored or otherwise processed.

3./ The description of the data controllers

Name: Foundation for Research on Central and Eastern European History and Society

Registered seat: H-1122 Budapest, Határőr út 35, Hungary

Registration No.: 01-01-0007526 (Company Registry Court of Budapest Capital-Regional Court)

VAT nr: 18237010-2-43

Phone number: +361/212-7140

E-mail: info@terrorhazafoto.hu

Mailing address: H-1062 Budapest, Andrássy út 60, Hungary

NAIH ID of the Public Foundation: NAIH-97531/2016.

Data Protection Officer: Közép- és Kelet-európai Történelem és Társadalom Kutatásáért Alapítvány, 1062 Budapest, Andrássy út 60., phone number: +361/212-7140, e-mail: info@terrorhazafoto.hu

4./ Legal basis for data processing

4.1./ The legal basis of the processing carried out by the Foundation regarding the Photo Gallery is, on the one hand, your consent [GDPR Art.6 par.1 section a)], on the other hand the fact that processing is necessary for entering into a contract and for the fulfilment of the existing contract regarding the Photo Gallery [GDPR Art.6 par.1 section b)], furthermore, regarding invoicing, it is because the Foundation as controller is bound by law to process data [GDPR Art.6 par.1 section c)].

4.2./ By giving your express consent to the processing of your personal information when registering and placing an order through the www.terrorhazafoto.hu website, the legal basis of processing shall be considered fulfilled; by placing an order on the www.terrorhazafoto.hu website, then beside your consent the legal basis regarding the conclusion and performance of contracts is also fulfilled.

5./ Processing related to registration and placing orders

5.1./ A brief description of the data processing activities: If you wish to use the services of the Photo Gallery you must register on the www.terrorhazafoto.hu website prior to placing an order. In order to register you need to fill in the form found under the Registration tab. The personal data you provide while registering or placing an order is handled by the software used for the www.terrorhazafoto.hu page on the proprietary server of the Foundation. The software transfers the data to the employee in charge of fulfilling the contracts concluded with regard to the Photo Gallery.

5.2./ Legal basis for data processing: By completing the Registration process and providing your data, you accept the existing provisions of the current version of the Data Processing Guidelines, and explicitly consent to the Foundation processing your data regarding the Photo Gallery. Thus GDPR Art.6 par.1 section a) forms the legal basis for data processing. By placing an order in the Photo Gallery,  an additional legal basis is established for the data processing: processing is required for concluding contracts and performing existing ones regarding the Photo Gallery [GDPR Art.6 par.1 section b)].

 5.3./ The purpose of data processing: In order to create a user account for the person registering to the www.terrorhazafoto.hu website, through which orders may be submitted. This is a legitimate purpose for data processing. The purpose of the data processing is the operation of the Photo Gallery, the provision of the services available from the Photo Gallery, the operation of the related databases, the fulfilment of orders placed by the users, the collection of the payments related to the orders, and especially:

a) Processing the orders and financial transactions initiated by the user.

b) Sending order confirmations to the user.

c) Responding to user requests, queries and complaints.

d) Administering the user accounts.

5.4./ Scope of the data processed with regard to the Photo Gallery (provided during the registration process):

a) last name and first name/company name,

b) e-mail address,

c) phone number,

d) postal address/registered office (country, municipality, postal code, street name, house number, floor, door number),

e) for legal persons, VAT number.

5.5./ Further processed data provided during the ordering process from the Photo Library:

a) billing address.

5.6./ Duration of data processing: The data you provided while registering or placing an order is stored until you withdraw your consent; or until you ask us to delete your personal account. The Foundation shall only process the personal data provided by the user as long as the user has an active account, until the user requests the deletion of their data, or withdraws their consent to the processing of their personal data. You may send your requests via e-mail to info@terrorhazafoto.hu.

5.6./ Relevant IT systems : the software of www.terrorhazafoto.hu and the server owned by the  Foundation.

6./ Processing related to invoicing and payments

6.1./ A brief description of the data processing activities: When you place an order through the Photo Gallery, the Foundation shall issue an invoice for the sum of the order.

6.2./ The legal basis for data processing: According to Section c) of Paragraph (1) of Article 6 of the GDPR, Controller has a legal obligation to processing the data. Governing regulations: Act 2007/127 on Value Added Tax (hereinafter referred to as: VAT Act) par.159 (obligation to issue invoices), par.169 (the obligatory contents of invoices), Act 2000/100 (Accounting Act) par.166-169 (accounting documents, documents subject to strict accounting, obligation to keep documents).

6.3./ Purpose of processing: to confirm and certify financial transactions (orders and their performance), which is a legal purpose for data processing.

6.4./ Scope of the processed data: name of the natural person; e-mail address, phone number, billing address. Name of legal person or other entity; address; tax number; e-mail address, phone number.

6.5./ Duration of data processing: 8 years

6.6./ Relevant IT systems: Novitax, SimplePay

7./ The rights and obligations of Users

7.1./ By providing their e-mail address and other personal data, the User assumes responsibility for ensuring that only the User shall provide data and submit orders from that e-mail address, and that the data provided shall always be correct. In light of this assumption of responsibility, the User registering the -mail address shall bear all liability related to the logins performed with that e-mail address. Please note that if you do not provide your own personal data, it is your responsibility as User to obtain the consent of the relevant data subject.

7.2./ The minimum age for consenting to the personal data processing carried out by the Photo Gallery is 18 years. If you are not yet 18 years of age, please do not provide your data on this website, and do not use our services.

8./ Data processing related to webpage visitors

8.1./ A brief description of the data processing activities: The Foundation uses cookies on the www.terrorhazafoto.hu website. Typical cookies include so-called “cookies related to password-protected sessions”, “cookies needed for shopping carts” and “security cookies”, the use of which does not require prior consent from the data subjects. The range of data subjects: all data subjects visiting the webpage.

8.2./ Legal basis for data processing: The GDPR Art.6 par.1 section a) forms the legal basis for data processing. By clicking the “Accept” button on the webpage you consent to the processing of your data. The consent of the data subject is not necessary if the sole purpose of using cookies is the transmission of a communication over an electronic communications network, or strictly necessary in order to provide an information society-related service, which was expressly requested by the subscriber or the user.

8.3./ The purpose of data processing: For registered users, to identify the user, to prepare statistics, to track visitors; in case of customers, to administer the “shopping cart”.

8.4./ Scope of the processed data: unique IDs, dates, times.

8.5./ Duration of data processing: Session cookie: to identify users logging in, PHP session id: is deleted on closing the browser.

8.6./ Relevant IT systems: the software of www.terrorhazafoto.hu and the server owned by the Foundation.

8.7./ Controllers eligible to view the data: personal data may be processed by employees of the Foundation in line with the above principles.

8.8./ Informing data subjects about their rights regarding processing: data subjects may delete cookies from the appropriate menu of their browser.

9./ Controllers, processors, data transfer

9.1./ In the context of card payment (Simplepay) in the Photo Library, the Foundation transfers the personal data of the Customer listed in Section 9.3 to OTP Mobil Kft. (acting as the data processor), and for every order, the Foundation transmits this information to the accounting firm tasked with fulfilling the accounting obligations of the Foundation. Except for these cases, the Foundation does not use a separate data processor.

9.2./ The personal data submitted by Customers during the course of using the Photo Gallery are processed by the accounting firm employed to carry out the accounting obligations of the Foundation, as well as those employees of the Foundation in charge of fulfilling orders placed via the Photo Gallery and monitoring the related payments. The personal data provided upon registration is stored by the software of the www.terrorhazafoto.hu website on the server owned by the Foundation, and shall not be disclosed to any third parties.

9.3./ 9.3./ By accepting this conditions, the Customer acknowledges that the personal information (listed below) that they provide and that is stored in the user database of https://www.terrorhazafoto.hu (as the point of payment) by the Foundation for the Research of Central and Eastern European History and Society (registered seat: 1122 Budapest, Határőr út 35.) as the Service Provider (data controller) shall be transferred to OTP Mobil Kft. (1143 Budapest, Hungária körút 17-19.) as the data processor. The data controller transfers the following data: name, e-mail address, phone number of the Customer, billing address.

You may find more information on the nature and purpose of the processing activities carried out by the processor in the privacy statement of SimplePay, available at: https://simplepay.hu/adatkezelesi-tajekoztatok/

9.4./ By completing the Registration process and placing an order, the User consents to the employees of the Foundation defined by Sections 9.2. and 9.3 handling and processing their personal data.

9.5./ We shall not transfer your personal data to any third parties (except for those persons listed in Sections 9.2. and 9.3.) unless we are obliged by law or a binding decision of a court or an authority to do so.

9.6./ We do not provide personal data to other natural or legal persons for the purpose of carrying out marketing activities related to their products or services.

10./ Data security measures

10.1./ The Foundation provides protection to the data by undertaking suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique. In determining the measures to ensure security of processing, the Foundation shall proceed by taking into account the latest technological developments. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable difficulties for him.

10.2./ Personal data provided by the user is protected during their transfer and after their arrival to the databases of the data controller. However, there are no completely safe methods for transferring data online and storing data electronically. We implement industry-standard solutions for the protection of personal data; however, their absolute safety cannot be guaranteed.

10.3./ The IT system of the Foundation is hosted on a server stored in a secure, custom-designed server room by Invitech Megoldások Zrt.

10.4./ The operator has put into service several safety and security procedures to safeguard the IT systems and networks of the Foundation, among them the following:

a) The useris only able to access their user profile with the password and user ID that they provided. The password is encrypted. The use of a strong, alphanumerical password (one that contains both letters and numbers) is required, and the user should not share the password with others.

b) Your personal data are stored on a secure server. The servers are only accessible to certain employees of the Foundation, and are password-protected.

c) to prevent data loss we make backup copies,

d) Physical protection: The server is located in a facility protected by a fence, CCTV surveillance, armed guards and a multi-stage entry system.

c) Software-based protection: On one hand, Invitech continuously monitors whether there are any external threats against the computers they use, on the other hand, they provide a so-called “firewall” for their users. On top of this, they also protect their server with a dedicated “firewall”. Access to the server is only allowed with system administrator rights, and only from certain external locations (IP addresses).

 11./ Rights and their enforcement available to data subjects

11.1./ According to the Data Protection Act, a "data subject" is a natural person who is or van be identified based on any kind of information.

11.2./ Please note that before complying with any requests submitted by data subjects regarding the exercise of their rights, the Foundation is obliged to identify the person submitting the request. Where the Foundation has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the applicant.

11.3./ You may contact the Foundation or the Data Protection Officer in order to exercise your rights listed below:

a) You have the right to request information about processing, as well as to request a copy of your stored and processed data (right to information, right of access - Article 15 of the GDPR, Article 14 a) and b), Articles 16-17 of the Data Protection Act)

b) You have the right to request the correction of incorrect or incomplete data (right to rectification - Article 16 of the GDPR, Article 14(c), Article 18 of the Data Protection Act).

c) You have the right to request the deletion of your personal data; moreover, if your personal data have been made public, you are entitled to request that the Foundation forward your request for deletion to other Controllers as well (right to erasure - Article 17 of the GDPR, Article 14(e), Article 20 of the Data Protection Act)

d) You have the right to request the restriction of some processing activities (right to restriction of processing - Article 18 of the GDPR, Article 14(d), Article 19 of the Data Protection Act).

e) You have the right to obtain your personal data in a generally used and computer-readable form, and to request that these data be handed over to another Controller (right to data portability – Article 20 of the GDPR).

f) You have the right to object to data processing activities (right to object - Article 21 of the GDPR, Article 21 of the Data Protection Act).

g) You have the right to withdraw your consent at any time in case of processing based on consent. The withdrawal of consent does not affect the legality of the processing performed in the period prior to withdrawal (right to withdrawal - Article 7(3) of the GDPR).

h) You have the right to file a complaint with the supervisory authority if you judge that the processing violates any regulations (right to file a complaint with a supervisory authority - Article 77 of the GDPR, Articles 22-23 of the Data Protection Act).

11.4./ Requests pertaining to the rights listed in Section 11.3 shall be sent via e-mail to the following address: info@terrorhazafoto.hu or by mail to the following address: 1062 Budapest, Andrássy út 60. of the Foundation.

11.5./ The Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) shall provide legal remedies, and receives the complaints of the users:

Name: National Authority for Data Protection and Freedom of Information (NAIH)

Registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary

Mailing address: 1530 Budapest, Pf.: 5.

Telephone: +36.1.391.1400

Fax: +36.1.391.1410

Website: http://www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

11.6./ If the Foundation refuses to comply with your request as a data subject, the factual or legal reasons for refusing the request shall be communicated to you electronically within 25 (twenty-five) days of receipt of the request. Should your request be refused, the Foundation shall inform you of the possibilities for seeking judicial remedy or filing a complaint with an Authority.

11.7./ If you disagree with the decision taken by the Foundation, or if the Foundation fails to meet the deadline, you shall have the right to turn to court within 30 (thirty) days of the date of delivery of the decision or from the last day of the time limit. A lawsuit may take place at the tribunal of your choice: either the one that has jurisdiction where the Foundation has its registered seat, or where you are domiciled. The tribunal with jurisdiction where the Foundation has its registered seat is the Budapest Capital-Regional Court.

12./ Records of the Foundation

The Foundation as the data controller, with a view to controlling measures relating to data breaches and to inform data subjects, shall keep records containing the personal data involved, the scope of those affected by the data breach, the time, circumstances and effects of the data breach and measures taken to eliminate further breaches, as well as other information stipulated by law.

In matters not regulated by these Data Processing Guidelines, the provisions of Act 112 of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act 5 of 2013 on the Civil Code as well as other relevant acts shall apply.

 

Dated Budapest, 10 April 2024