Privacy Statement
on data processing related to the organisation of the international conference “Spring Conference 2023” by the Nemzeti Adatvédelmi és Információszabadság Hatóság
(Hungarian National Authority for Data Protection and Freedom of Information)
1. Description of the controller
Controller: Nemzeti Adatvédelmi és Információszabadság Hatóság
Seat: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
E-mail: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391-1400
2. Name and contact data of the data protection officer
The Authority’s data protection officer: dr. Attila Kiss
His direct contact data: e-mail address: dpo@naih.hu; phone number: +36 (1) 391-1470
3. Purpose of processing and the range of data processed
3.1. Processing related to the invited speakers
Range and source of the personal data processed |
Purpose of processing |
Name, organisation represented, position, e-mail address
|
Maintenance of contact in relation to the organisation of the presentations at the international conference. |
Name, organisation represented, position, title of presentation, portrait photo, brief CV |
Popularisation of the Project international conference and presentation of its programme on NAIH’s website and in a printed format at the location of the conference |
3.2 Sending out invitations to the event
Range and source of the personal data processed |
Purpose of processing |
Name, organisation represented, position, e-mail address
(The personal data are derived from publicly accessible sources.) |
Calling attention to the international conference, providing information to potential participants. |
3.3. Processing related to online registration
for the international conference
Range of personal data processed |
Purpose of processing |
Name, organisation represented, position, e-mail address. intent to participate on events
|
The purpose of processing is to maintain contact with persons registering for the event and to transfer information related to the event, to grant access to the venue of the event and to survey the expected number of participants. |
Information on possible food intolerance, which may be provided voluntarily |
Surveying the demand for providing special menus at the event. |
3.4. Attendance register and taking photos
related to participation at the international conference and posing questions
Range of personal data processed |
Purpose of processing |
Name, organisation represented, position and signature |
Verification of the number and range of participants of the event in connection with the obligation to account for the conference. |
Image of the data subject in the group photo made of the participants. |
The purpose of taking photos is to record the event and to verify that the event actually took place. The photos may be published on NAIH’s website and in its annual report.
|
If a question is asked, the name of the data subject (not required data) and his question.
|
Answering the questions in the course of the conference with a view to maintaining professional contact. |
There will be no processing based on automated decision-making and profiling in the course of processing.
4. The legal basis of processing
Except for the data concerning the food intolerance of data subjects, processing is based on Article 6(1)(e) of Regulation (EU) 2016/679 of the European Parliament and the Council[1] (hereinafter: GDPR), the processing of personal data in connection with sending out the invitations to the event and the data of the persons registering for it following registration is necessary for the implementation of the Authority’s tasks in the public interest in view of Article 57(1)(b); (g) and (i)[2] and Section 38(2) of Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information, which specifies the monitoring and promoting the enforcement of rights to the protection of personal data as the task of the Authority.
In terms of the purpose according to Section 3.2, the Authority processes the data concerning the data subject’s food intolerance based on the voluntary and express consent of the data subject based on GDPR Article 6(1)(a), also with regard to GDPR Article 9(2)(a).
5. The source of the personal data and the range of the data processed if they were not provided to the Authority by the data subject
The Authority sends out the invitations using publicly accessible contact details in publication lists, press imprints and data on the websites of the controllers concerned by the Project.
6. The addressees or addressee categories of the personal data[3]
The website of the event is hosted by a data processor of the Authority – DotRoll Kft. (1148 Budapest, Fogarasi út 3-5.).
The Authority does not forward personal data to third country addressees or any international organisation.
7. The period of storing personal data
For the purpose according to Section 3.2, data concerning the data subject’s food intolerance will be processed until the day after the conference, then will be erased.
For the purpose according to Section 3.1,Processing related to the invited speakers, the programme of the event and group photos according to Section 3.3 will be archived as part of the annual report for the public interest.
The additional personal data described in this Privacy Statement will be processed by the Authority until 31.12.2024 at the latest.
8. The data subject’s rights related to processing
8.1. Due dates
The Authority grants the data subject’s request to exercise his rights at the latest within a month from its receipt. The day of receiving the request is not included in this period.
If needed and, taking into account the complexity of the requests and their numbers, the Authority may extend this period with an additional two months. The Authority notifies the data subject of the extension of this period, indicating the reasons for the delay, within a month from receipt of the request.
8.2. Data subject’s rights to processing
8.2.1. The right to access
The data subject has the right to request information from the Authority through the contact data provided in Section 1 concerning whether the processing of his personal data is in progress and if so, he has the right to learn
· from the Authority
- which of his personal data are processed;
- on what legal basis;
- for what purpose of processing; and
- for how long,
furthermore
· to which of his personal data has the Authority provided access, to whom, when, based on what legal regulation or to whom his personal data were forwarded;
· what is the source of his personal data; and
· whether the Authority uses automated decision-making, and its logic, including profiling.
the Authority makes a copy of the personal data processed available free of charge for the first time upon the data subject’s request, and thereafter it may charge a reasonable fee based on administrative costs. In order to meet data security requirements and to protect the data subject’s rights, the Authority must verify the identity of the data subject and of the person desiring to exercise the right of access; and to that end, the provision of information, access to data and issuing copies of data are subject to the identification of the person of the data subject.
8.2.2. The right to rectification
Through the contact data provided in Section 1, the data subject may request the Authority to modify any of his personal data. If the data subject can credibly verify the accuracy of the rectified data, the Authority grants the request at the latest within a month and notifies the data subject through the contact details provided by him.
8.2.3. The right to blocking (restriction of processing)
Through the contact data provided in Section 1, the data subject may request the Authority to restrict the processing of his personal data (by unambiguously indicating the restricted nature of processing and ensuring that processing is kept separate from other data), provided
- the accuracy of his personal data is contested (in this case, the Authority restricts processing for the period while it verifies the accuracy of the personal data);
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- the data subject has objected to processing (in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject).
8.2.4. The right to object
Through the contact data provided in Section 1, the data subject may object to the processing, if in his view, the Authority would process his personal data inappropriately in relation to the purpose indicated in this Privacy Statement. In this case, the Authority hast to verify that the processing of the personal data is warranted by legitimate reasons of compelling force, which override the interests, rights and freedoms of the data subject, or which are related to the establishment, enforcement or defence of legal claims.
8.2.5. The right to erasure
Among the processing operation presented in this Privacy Statement, the data subject may exercise his right to erasure only in relation to the data concerning food intolerance.
9. Right to legal remedy
If the data subject deems that the Authority infringed the data protection requirements in force when processing his personal data
- he may lodge a complaint with the Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9.
E-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu), or
- to protect his data, he can turn to a court, which takes action out of turn in such a case. In this case, the data subject may freely decide whether to submit his petition to the court according to his place of residence (permanent address), or place of stay (temporary address), or to the court competent according to the seat of the Authority. The court competent according to his place of residence or place of stay can be searched at http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso. The competent court for the seat of the Authority is the Fővárosi Törvényszék.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] GDPR Art. 37 (1) Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
[3] For the definition of addressees, see: GDPR Article 4(9).