1. Introduction
The purpose of this Privacy Policy (hereinafter: Policy) is provide appropriate and transparent information to the users of the website regarding the processing of their personal data.
Applicable laws and regulations in particular:
– Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR),
– Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Information Act).
By using the website, you confirm that you have read, comprehended and understood the content of this Policy. For information about the Controller’s processing for other purposes and in other subjects, please refer to documents separate from this Policy. Should you have any questions, please do not hesitate to contact our colleagues.
2. Controller
Name: Egységes Magyarországi Izraelita Hitközség (Statusquo Ante)
Seat: 1037 Budapest, Bokor utca 1-5.
Reg. No.: 00005/2012
Reg. Dec. No.: 29145-1/2012/EKEF
Tax No.: 18705016-2-41
Represented by: Köves Máté Slomó lead rabbi
Phone: +36 1 268 0183
Email: info@zsido.com
DPO: adatvedelem@zsido.com
3. Definitions
“data subject”: any identified or identifiable natural person;
“personal data”: any information concerning the data subject;
“consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by any other clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“controller”: any natural or legal person or entity without a legal personality which, alone or jointly with others, determines the purpose of data processing, takes and implements the decisions concerning the processing (including the equipment used) or has those implemented by the processor, within the limits defined by law or by a legally binding act of the European Union;
“processing”: any operation or set of operations performed on data, regardless of the procedure used, in particular any collection, registration, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure or destruction, and prevention of further use of data, taking photographs, making audio or video recordings and recording physical characteristics suitable for identifying a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
“transfer”: the making available of data to a specific third party;
“processing”: all processing operations carried out by a processor acting on behalf of or under the instructions of the controller;
“processor”: a natural or legal person or entity without a legal personality which processes personal data on behalf of or under the instructions of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
“third party”: a natural or legal person or entity without a legal personality other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, perform operations with the purpose of processing personal data;
“personal data breach”: a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transmission or disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“profiling”: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, health, personal preferences or interests, reliability, behaviour, location or movements;
“recipient”: the natural or legal person or entity without a legal personality to whom or to which personal data are disclosed by the controller or processor;
“EEA State”: a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;
“third country”: any state that is not an EEA state;
“international organisation”: means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
4. Processing guidelines
Personal data may only be processed for clearly specified, legitimate purposes, to exercise rights and meet obligations. All stages of the processing must meet the purpose of processing, and the collection and processing of the data must be fair and lawful (“lawfulness, fairness and transparency”)
Only personal data that is necessary for the purpose of the processing and is suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary for the purposes for which they are collected (“purpose limitation”)
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the period necessary for the purposes for which the data are processed (“accuracy”)
Personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The personal data will retain this quality during the processing as long as the relationship with the data subject can be restored. The relationship with the data subject can be restored if the controller has the technical conditions necessary for such restoration (“storage limitation”)
The processing of personal data shall ensure an appropriate level of security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures (“integrity and confidentiality”).
The Controller shall be responsible for, and be able to demonstrate compliance with, these guidelines (“accountability”).
5. Information
Please note that if processing is performed based on the consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent and carried out before its withdrawal (Article 6 a) of the GDPR).
5.1. Links to external websites
The website may also contain links to external websites. If you wish to use content from third party (external) parties on our site, you may be required to accept the specific terms and conditions of those third parties, including the terms and conditions regarding the use of cookies, over which we have no control. The Controller is not responsible for the content, data and information protection practices of external sites accessible from the website. If the Controller becomes aware that the linked website or the linking itself violates any law, it will immediately remove the link from the website.
5.2 Cookies, tracking
We use cookies to make the website more attractive to you and to enable you to use certain features on the website. Cookies are small text files that are stored on your device. Some of the cookies we use are deleted when you stop browsing, i.e. when you close your browser (session cookies), while other cookies remain on your device and allow us to recognise your browser on subsequent visits (persistent cookies). When you access the website for the first time, you will be informed about the installation of cookies, at which point you can decide whether or not to accept their use on your device. If you do not accept cookies, the usability of the website may be limited.
5.3. Social plugins
We may use the services of other social networking sites on the website. When you use the plugins, your web browser establishes a direct connection with the servers of the specific social network. This will inform the service provider that your internet browser has gained access to our site. In this case, the log files (including your IP address) are transmitted directly from your web browser to the server of the respective service provider, where these files may even be stored. The service provider or its server may be located outside the European Union or the EEA (e.g. in the United States). These plugins are standalone extensions used by social network providers. Therefore, the Controller cannot control the scope of the data these providers collect and store. For information about the purpose and scope of the collection, further processing and use of your data, as well as your privacy rights and the settings that support the protection of your personal data, please consult the privacy statements of the relevant social networking sites. If you do not want the social network’s service provider to link the data collected from your use of the website to your user account, you need to log out of your user account before visiting our website.
The Controller may operate social media pages for easy accessibility, through which users can interact with the Controller. You can view our social media platforms and news feed without registering. The personal data of registered users and followers may be processed when they visit and interact with social media platforms. The Controller collects these data either directly from the data subject or in a processed form made available by the provider of the social media platform. In such cases, the legal basis for processing is your consent, and the scope of the data processed is the same as the scope of the data you have made public on the relevant social media platform. The duration of the processing for that purpose is until the consent is withdrawn. There are no consequences for not providing the data. The visitor data registered by the Controller’s social media platforms are not compiled into a database and are not used for purposes other than the one stated. Pursuant to the decision of the Court of Justice of the European Union in Case C-210/16, the processing of personal data relating to our official Facebook page is subject to joint processing between the controllers and Facebook Ireland Limited.
5.5. Newsletter
The purpose of the processing in connection with the newsletter service is to inform the recipient about the Controller’s latest promotions, events and news on a general or personalised and regular basis. Subscription to the newsletter is based on voluntary consent. The data subjects are natural persons who wish to be regularly informed about news, promotions, discounts, products, etc. of the Controller and, therefore, subscribe to the newsletter service by providing their personal data. Scope and purpose of the data processed: name (identification); email address (sending the newsletter); date of accepting the privacy statement (proof). The Controller or its designated processor shall process the personal data collected for this purpose only until the data subject unsubscribes from the newsletter or, in the case of a request for confirmation of consent, until the deadline for providing confirmation expires without confirmation. Processing is primarily electronic, but data subjects can also subscribe and unsubscribe on paper. The data source is the data subject who subscribes.
5.6. Donation
It is possible to pay the donation by card using the Barion online bank card payment system operated by Barion Payment Zrt. During the execution of the bank card payment, Barion Payment Zrt. qualifies as the data processor of the Controller, and the data management and data processing performed by it are governed by the Barion General Terms and Conditions in force at any time and its Privacy Policy attached to it. In order to proceed to the Barion system, the donor must first provide the Controller with certain personal data via the website: name (required), e-mail address (required), telephone number (required).Data entered into the Barion system: personal data on the bank card (name, bank card type, number, expiry date, CVC / CVV code). The credit card details will not be sent to the Controller. Donations through the Barion system are free of charge. In the case of credit card donations, Barion manages the personal data provided on the Barion system in accordance with its regulations in force. The Controller is not responsible for the processing of data provided on the payment system operated by Barion. The purpose of data management is to ensure that donations are made online. The legal basis for data processing, as set out in Article 6 (1) a) of the GDPR, is the consent of the user concerned who initiates the payment. In accordance with the applicable accounting regulations, the Controller retains the personal data obtained and processed in connection with the donation for 8 (eight) years. The Controller stores the names and contact details (telephone number, e-mail address) of potential sponsors (contacts of individuals and companies) electronically. The Controller has the opportunity to this activity on the basis of Article 6 (1) f) of the GDPR, i.e. on the basis of a legitimate interest as a legal basis. On the same legal basis, the Controller stores the name and contact details of the previous, currently inactive sponsors and the amount of the grants.
5.7. Contact
The user can send a direct request or message for a personalised quote and contact. The following are required fields on the contact form: email address, message. No other personal data is required to send the message, but if the user includes such data in the text of the request, we will process that during the processing of the request. Please note that you should only share information in the message you send us that you explicitly want the Controller to know. After responding to the request, the data will be stored for 5 years or until the consent is withdrawn in order to ensure effective communication and to keep track of the customer’s history. The legal basis for processing is the user’s explicit consent. You have the right to unilaterally withdraw your consent to processing at any time. Providing your data is voluntary, but not doing so or providing incomplete data will mean the Controller failing to respond in a meaningful way. The purpose of the processing is for the Controller to maintain contact with the data subject and to provide direct access to its customer service. If a contractual relationship is established after the contact, a separate privacy statement will be provided. The processing is primarily electronic, but data subjects can also contact us by phone or mail. The source of the data is the user who initiated the contact as the data subject.
6. Data transfer
Other than the contracted processors, personal data may only be accessed by employees of the Controller who must have access to perform their respective tasks. The contracted processor shall carry out the processing as per the Controller’s instructions, shall not make any substantive decisions concerning the processing, shall process the personal data that comes to its attention only as instructed by the Controller, shall not process the personal data for their own purposes, and shall store, retain and keep confidential the personal data as instructed by the Controller. The processor shall not engage another processor without prior specific or general written authorisation of the Controller. The Controller does not transfer your personal data directly to third countries or international organisations, but may use services hosted on servers in third countries. Please note that the court, the prosecutor, the investigating authority, the authority dealing with offences or administrative tasks, or other bodies authorised by law may require the Controller to provide information or to disclose data. To fulfil its legal obligation to provide such mandatory data, the Controller shall only provide personal data that are indispensable for the purpose of such request. Regular, external service providers used for processing data:
Processor | Web | Activity |
Google LLC | https://policies.google.com/privacy | e-communication, web analytics |
Jata Consulting Kft. | https://jata.hu/ | website development |
MailChimp | https://mailchimp.com/gdpr/ | newsletter service |
Barion Payment Zrt. | https://www.barion.com/hu/adatvedelmi-tajekoztato/ | payment service provider |
Viacom Informatikai Kft. | https://viacomkft.hu/adatvedelem/ | hosting provider |
7. Data security, automated decision-making
The Controller ensures the security of data in proportion to risks, takes all the technical and organisational measures and develops the procedural rules required for compliance with the GDPR, the Information Act as well as other data protection and privacy rules. The Controller shall protect the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorised public disclosure or unauthorised access. In accordance with Article 13 (2) f) of the GDPR, please note that no automated decision-making, including profiling, takes place during the Controller’s processing activity.
8. Rights and exercising rights of data subjects
The rights listed in the points below can be exercised in an application submitted to the Controller. The Controller’s contact details can be found in Section 2 of the Policy. The Controller shall fulfil the data subject’s request without undue delay, but no later than one month after receipt of the request, unless this period is extended by up to two months in view of the complexity or the number of requests.
8.1. Information and access right
The data subject shall have the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed. If the data subject’s personal data are being processed, they have the right to receive detailed information about the processing of the personal data, including the categories of personal data processed in relation to the data subject. The Controller shall provide the data subject with a copy of the personal data undergoing processing. The information thereby provided is free of charge if the data subject has not yet submitted a request for information to the Controller for the same data set in the current year. For any further information requested by the data subject, the Controller may charge a reasonable fee based on administrative costs.
8.2. Right of rectification
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. The Controller rectifies personal data if such are not in line with reality and personal data in line with reality are available. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.3. Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the Controller without undue delay the erasure of personal data concerning him or her. The Controller may fulfil this request if the personal data are no longer needed in relation to the purposes for which they were collected or otherwise processed. The data subject’s personal data must be erased if the data subject objects to the processing and there are no overriding legitimate grounds for the Controller or a third party for the processing. The Controller is required to erase the personal data if it illegally processed the personal data or if it is required for compliance with a legal obligation in Union or Member State law to which the Controller is subject. Please note that personal data may not be erased where it is necessary to comply with a legal obligation, to fulfil a legal obligation to retain personal data or to establish, exercise or defend a legal claim.
8.4. Right to restriction of processing
The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend legal claims; or the data subject has objected to the processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted as above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller shall communicate any rectification or erasure of personal data, or for them to be forgotten or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data were disclosed, unless this proves impossible or involves disproportionate effort.
8.5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the Controller, provided the processing is based on consent and is carried out automatically. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right shall be without prejudice to the right to erasure. The mentioned right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. Exercising the right shall not adversely affect the rights and freedoms of others.
8.6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on a legitimate interest or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, including profiling on those legal bases. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.
8.7. Right to take action against automated decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This provision shall not apply if the decision:
- is necessary for entering into, or performing, a contract between the data subject and the Controller;
- is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on the data subject’s explicit consent.
The Controller shall ensure that the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
8.8. Complaints and judicial redress
You have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information as the supervisory authority in relation to or in connection with the processing or to file a civil lawsuit against the Controller directly before the competent court.
Name: Hungarian National Authority for Data Protection and Freedom of Information
Registered office H-1055 Budapest, Falk Miksa utca 9-11
Correspondence to: H-1363 Budapest, Pf. 9.
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
The legal action may be launched at the court with jurisdiction for the residence or domicile of the data subject. Someone without legal capacity in the action may also be a party to the legal action. The supervisory authority may intervene in the action for the benefit of the data subject. However, before lodging a complaint or initiating any civil proceedings, it may be useful for the data subject to notify the Controller directly of his or her grievance by sending a non-formal request to any of the contact details of the Controller listed in this Policy.
9. Final provisions
The Controller does not check the personal data provided to it. The user is solely responsible for providing valid and current personal data. If the data subject does not provide their own personal data but that of a third party, the data subject must have a legal basis to do so. The Controller regularly reviews the content of this Policy and reserves the right to unilaterally amend it at any time at its own discretion and in accordance with the provisions of the applicable laws and regulations. Amendments to the Policy will become effective upon publication. If the changes affect processing based on your consent, we will ask for confirmation of your consent once again, if necessary.
Effective: From 28 June 2022
***