The purpose of our website is to present our events and artists. The designation “One Page” refers to a one-page website that either lacks menu items or does have menu items but they link to specific nodes in the same opening page. The purpose of such websites is to provide all necessary information to the visitors of the website in the most straightforward manner possible.
Denomination of Data Processor
Csimborasszó Művészeti Közhasznú Nonprofit Korlátolt Felelősségű Társaság
Business registration number: 01-09-179892
Tax number: 24742032-2-42
Company Seat: H-1061 Budapest, Paulay Ede utca 41. fszt. 36.
Phone number of the company: +36 1 413 76 43
E-mail address of the company: firstname.lastname@example.org
Hereinafter referred to as: Csimborasszó Közhasznú Nonprofit Kft
The purpose of this document is to order the regulation of the processing, security and protection of the personal data existing and obtained during the operation of Csimborasszó Közhasznú Nonprofit Kft, and to provide the visitors of Csimborasszó Közhasznú Nonprofit Kft information concerning the One Page website, pursuant to the dispositions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter as DP Act) and Decree 2016/679 (hereinafter as GDPR).
The new regulation on data protection of the European Union applicable as of 25 May 2018 (hereinafter referred to as: GDPR);
Act XXXVIII of 2018 on the amendment of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information in relation to the data protection reform of the European Union and the amendment of other related acts;
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information;
Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest;
and Act C of 2003 on Electronic Communications.
The scope of this document covers the One Page website operated by Csimborasszó Közhasznú Nonprofit Kft available under the address http://www.queensymphonic.hu/.
Explanatory Notes and Definitions based on regulation 2016/679 (EU)
“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
“pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
“biometric data” means personal data resulting from specific technical processing relating to the physical, physio logical or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
“supervisory authority” means an independent public authority, the National Authority for Data Protection and Freedom of Information.
General Rules concerning Data Processing
Csimborasszó Közhasznú Nonprofit Kft observes the following principles concerning the processing of personal data (GDPR Article 5):
(1) Personal data:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Legal Bases for Processing
Processing shall be lawful only if and to the extent that at least one of the legal bases specified in the following sections applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes (hereinafter referred to as processing of data based on consent).
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (hereinafter referred to as data processing based on a contract).
- Data processing is required for complying with the legal obligations concerning the enterprise (hereinafter referred to as data processing based on legal obligation).
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person (hereinafter referred to as processing of data based on vital interest).
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (hereinafter referred to as processing of data based on powers as a public authority).
- Processing is necessary for the purposes of the legitimate interests pursued by the enterprise or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (hereinafter referred to as processing of data based on legitimate interest).
In respect of the processing of a specific range of personal data, the enterprise shall always process data based on only one legal basis. The legal basis for data processing may vary during data processing.
Data processing of Csimborasszó Közhasznú Nonprofit Kft concerning its One Page website
Ticket sales on the One Page website in an interface by jegy.hu
Clicking on the tab “purchase ticket” opens a new webpage and https://www.jegy.hu website would provide ticketing for the event.
Purposes of our processing: Ticketing
Processor: InterTicket Kft.
Address: H-1139 Budapest, Váci út 99.
Name of the data protection officer: András Bacskai
Contact details of the data protection officer: +36 1 266-0000 / ext. 320 or email@example.com
Legal basis for the processing: The legal basis for the processing is basically voluntary consent, nevertheless ticketing via your order constitutes a contract.
Public concerned: In the process of ticketing, you provide your data in the interface of jegy.hu, Csimborasszó Közhasznú Nonprofit Kft would process data for seat reservation tickets, season tickets and in preparing invoices.
Scope of data processed: in the event of ticketing, your first and last names, phone number (optional, only if you provide it for accepting notifications), e-mail address, the password provided in the pre-registration, the delivery address provided in case of a home delivery, the number, date and time of the transaction, the client code, the number of the cultural gift coupon will get stored.
In the event of invoicing, data included in the respective VAT acts shall be provided.
Duration of data processing: 15 days subsequent to the last performance included in the transaction. As far as billing information is concerned, retention period is 8+1 years according to the Accouting Law.
Message sending service in our One Page website
Purposes of the processing: Contacting opportunity for visitors of the website with Csimborasszó Közhasznú Nonprofit Kft concerning the event
Legal Basis for the Data Processing: voluntary consent.
Scope of data subjects: visitors of the website initiating contact
Scope of data processed: Your name, email address, possibly other personal data included in the message you write
Term of data processing: Based on the content of the message, but for 3 years at latest, or until you ask for erasure.
Csimborasszó Közhasznú Nonprofit Kft employs the following processor for its One Page website:
Web hosting service for One Page website is provided by the company Webonic.
Name of the company: Webonic Kft.
Address of the company: H-8000 Székesfehérvár, Budai út 9-11.
Phone number of the company: +36 22 78 76 74
E-mail address of the company: firstname.lastname@example.org
Administrative Procedures for Csimborasszó Közhasznú Nonprofit Kft concerning Data Security
In accordance with the principle of accountability Csimborasszó Közhasznú Nonprofit Kft registers data processing activities with the purpose of being able to track and certify compliance with the GDPR.
The enterprise keeps the following records of the data processing activities under its responsibility:
- registering data transmission
- registering applications for the enforcement of data subjects’ rights and responses for them provided by Csimborasszó Közhasznú Nonprofit Kft
- registering official requests and responses for them provided by Csimborasszó Közhasznú Nonprofit Kft
- registering applications for stopping data processing
- registering clients
- registering the processing of personal data related to employment
- registering recruitment
- registering personal data breaches.
Csimborasszó Közhasznú Nonprofit Kft keeps its records on previously defined data processing activities under its responsibilities with the following content:
- the name and contact details of the enterprise and, where applicable, of the representative of the enterprise, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- categories of addressees to whom personal data are or will be communicated
- information on transfer of personal data to third country or international organisations, if applicable;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Responsibility of Csimborasszó Közhasznú Nonprofit Kft
It is the responsibility of all employees of Csimborasszó Közhasznú Nonprofit Kft and its partners responsible for data processing, to process data of the data subjects under adequate security measures in accordance with the regulations of Csimborasszó Közhasznú Nonprofit Kft.
Concerning our website, Csimborasszó Közhasznú Nonprofit Kft strives to apply the most advanced safety features taking into account the technical possibilities and financial opportunities.
We inform the visitors of our website about the fact that electronic mails transmitted via the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable against network threats that aim at dishonest practices, challenging of the agreement, or the disclosure or amendment of information. In order to defend against such threats, web hosts do every expectable protective measure. It monitors systems in order to record any security derogations and provide evidence concerning every security incident. Otherwise, system monitoring enables checking the efficiency of the applied protective measures.
Contact to our data protection officer:
Should you have any problem with the data processing of Csimborasszó Közhasznú Nonprofit Kft or should you have any question, contact our data protection officer:
Name: Éva Kramarik
Phone: +36 1 413 76 43
Access to the courts:
Should the data subject’s right be violated, they may institute proceedings against Csimborasszó Közhasznú Nonprofit Kft. The court will proceed in these cases with priority. The court in the territorial jurisdiction of Csimborasszó Közhasznú Nonprofit Kft (Fővárosi Törvényszék, Municipal Court, H-1055 Budapest, Markó u. 27., +36 1 354 6000) or the data subject also may choose the competent court in their place of residence.
Procedure by the data protection authority:
Complaint may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Company Seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: H-1530 Budapest, P.O.B.: 5
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Security of processing
IT systems and other data retention locations for Csimborasszó Közhasznú Nonprofit Kft may be found at its company seat and at its processors.
Csimborasszó Közhasznú Nonprofit Kft knows and complies with data security expectations and requirements in Section 32 of GDPR, and it has an internal procedure for handling data breaches.
Csimborasszó Közhasznú Nonprofit Kft chooses and operates IT equipment applied in providing the service in a way that:
(a) the processed data is available for those permitted (availability);
(b) the authenticity and authentication of the processed data is ensured (authenticity of data processing);
(c) the persistence of the processed data is justifiable (data integrity);
(d) the processed data is protected against unauthorised access (data confidentiality).
Csimborasszó Közhasznú Nonprofit Kft. shall protect data by adequate measures, particularly against unauthorised access, alteration, transmission, disclosure, erasure or destruction, and accidental destruction and damage, moreover unavailability due to the change of the technology applied.
For the protection of electronically managed files in its several registers, Csimborasszó Közhasznú Nonprofit Kft. shall impede by an adequate technical solution that data stored be directly linked and assigned to the Data Subject, unless law allows it.
Csimborasszó Közhasznú Nonprofit Kft ensures the protection of data processing security by technical, organisational and corporal measures, in light of the current development of technology that provides a level of protection corresponding to risks on data protection.
In the processing of data, Csimborasszó Közhasznú Nonprofit Kft would preserve
(a) secrecy: it protects information so that it shall be accessed only by those authorised;
(b) integrity: it protects the accuracy and completeness of its information and the method of processing;
(c) availability: it ensures that, whenever the authorised user needs to access any requested information, they can actually do it, and related equipment be available.
Both the IT system and the network of Csimborasszó Közhasznú Nonprofit Kft and its partners are protected against computerised fraud, espionage, sabotage, vandalism, fire and flood, and computer viruses, computer intrusions and attacks leading to the refusal to supply. The operator shall ensure security by server-level and application-level security procedures.
The data subject may require information on the processing of their personal data, and may also require the rectification of his personal data, or its erasure or blocking, excluding mandatory data processing, in the manner indicated at the recording of the data, or at the above contact details of Csimborasszó Közhasznú Nonprofit Kft.
Right to access – right to information (Article 15)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information detailed in the decree.
At the data subject’s request, Csimborasszó Közhasznú Nonprofit Kft as controller shall provide information on the data it or the assigned sub-processor processed, their sources, the purpose, legal basis, term of the data processing, the name, address of the processor, and its activity related to the data processing, the circumstances and effects of the data breach, and the measures taken in order to avoid it, and, in case of data transmission, its legal basis and addressee. Within the shortest time possible from the submission of the request, though within 25 days at latest, Csimborasszó Közhasznú Nonprofit Kft shall provide information in writing to the request of the data subject. This information is free of charge, should the requester have not submitted any request for information in the same data set to Csimborasszó Közhasznú Nonprofit Kft in the current year. In other cases, Csimborasszó Közhasznú Nonprofit Kft shall establish a reimbursement.
Right to rectification (Article 16)
Csimborasszó Közhasznú Nonprofit Kft shall rectify personal data should it be inaccurate and should accurate personal data be available.
Blocking and referencing:
Csimborasszó Közhasznú Nonprofit Kft shall block personal data should the data subject request that or if according to the information available it can be presumed that the erasure would adversely affect their legitimate interest. Blocked personal data may be processed only until the purpose of the data processing that excluded the erasure of the personal data exists. Csimborasszó Közhasznú Nonprofit Kft shall reference the personal data it processes, should the data subject discuss its accuracy and precision, but the inaccuracy or imprecision of the discussed personal data may not be clearly stated.
Right to erasure (Article 17)
Csimborasszó Közhasznú Nonprofit Kft will erase personal data should its processing be unlawful or should the data subject request it or should the processed data be incomplete or incorrect –, should this condition be legally irretrievable, provided that the erasure is not precluded, the purpose of the data processing ended, or the deadline of the storage of data specified by the law has expired, or it was ordered by the National Authority for Data Protection and Freedom of Information.
Right to be forgotten (Article 17)
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restrict the processing (Article 18)
The data subject shall have the right to obtain from the controller restriction of processing where one of the following conditions applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claim;
• the data subject has objected to the processing; in this case, the restriction applies to the period pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Right to data portability (Article 20)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…).
Right to object (Article 21)
The data subject may object against the processing of their personal data if
(a) processing and transmission of personal data is exclusively necessary for the compliance with the legal obligations concerning the controller or for claiming the legitimate interest of the controller, the data importer or a third party, except if the processing of data was ordered by the law;
(b) the personal data is used or transmitted directly for the purposes of direct marketing, survey or scientific research;
(c) in any other case determined by the law.
Objection in case of direct marketing (Article 21)
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Csimborasszó Közhasznú Nonprofit Kft is provided 25 days to erase, block or rectify personal data. Should Csimborasszó Közhasznú Nonprofit Kft fail to comply with the the data subject’s demand for rectification, blocking or erasure, it shall within 25 days notify the reasons for the rejection in writing or, with the data subject’s consent, by electronic means.
Csimborasszó Közhasznú Nonprofit Kft shall notify the data subject and all those to whom the data was transmitted earlier for data processing purposes on the blocking, the referencing and the erasure. The notification shall be omitted if this does not prejudice the legitimate interest of the data subject regarding the purpose of the data processing.
Csimborasszó Közhasznú Nonprofit Kft shall inspect the objection as promptly as possible but within 15 days at the latest, shall make a decision regarding its grounding, and shall inform the claimant on that decision in writing. Should Csimborasszó Közhasznú Nonprofit Kft ascertain the grounding of the data subject’s objection, it shall stop the data processing, including further data acquisition and transmission, and block the data, and shall notify everyone to whom the personal data concerned by the protest has been previously transmitted and those who shall arrange for the enforcement of the right to object, on the protest and the measures taken thereunder. Should the data subject disagree with the decision made by the controller, they may contest it at court within 30 days from its notification. Csimborasszó Közhasznú Nonprofit Kft shall not erase any data of the data subject if the erasure of the data processing was ordered by law. The data shall not be transmitted to the data importer if Csimborasszó Közhasznú Nonprofit Kft agreed with the objection or the court found the objection legitimate.
Compensation and tort:
Any damage caused to others by Csimborasszó Közhasznú Nonprofit Kft by unlawfully processing the data subject’s data or by breaching the requirements of data security shall be compensated. Should the data subject’s rights of personality be violated, the data subject may claim tort (Section 2:52 of the Civil Code). Csimborasszó Közhasznú Nonprofit Kft is liable also for damages caused to the data subject by the processor. Csimborasszó Közhasznú Nonprofit Kft shall be exempted from liability if the damage was caused by a force majeure falling outside the scope of data processing. Csimborasszó Közhasznú Nonprofit Kft shall not compensate any damage and shall not be claimed any tort if the damage resulted from the damaged party’s or the impairment caused by the violation of the rights of personality resulted from the data subject’s intentional or gross negligence.
Management of Data Protection Incidents
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
The enterprise shall notify any personal data breach without undue delay and, if possible, at least 72 hours after having become aware of the personal data breach.
Personal data breach shall not be notified to the authority if the privacy incident is unlikely to pose a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Should the notification of the personal data breach to the authority be necessary, the notification shall:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the enterprise to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the enterprise shall communicate the personal data breach to the data subject without undue delay.
In the notification according to the above the nature of the personal data breach shall be described in clear and plain language, also including the following:
- the name and contact details of the Data Protection Coordinator or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the enterprise to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall not be required if any of the following conditions are met:
- the enterprise has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the enterprise has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Should the enterprise also perform data processing, any personal data breach happening there shall be notified to the controller to whom it performs the data processing without delay.
Should the enterprise employ a processor, the processor’s contract shall include that the processor is liable to notify any personal data breach they experience to the enterprise without delay.