+36 34 312 419 info@rdvegtc-spf.eu

Data protection and data processing policy



Events organized by Rába-Duna-Vág EGTC



The purpose of the present data protection and data processing policy (hereinafter referred to as ‘Policy’) is to define data protection and data processing principles related to the events organized by Rába-Duna-Vág Limited Liability European Grouping of Territorial Cooperation and therefore, the data subject will be provided with adequate information of data processed by the EGTC or the data processor, source of the data, purpose of the processing, legal basis for the processing, period of processing, name and address of data processor involved by data controller, activity of data processor related to data processing, furthermore, where personal data is transferred the legal basis for and recipient of transfer of personal data. Acts and their abbreviations used and considered in relation to the Policy

the Act
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as ‘Act’)


GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as ‘GDPR’)


Government Decree Government Decree No. LXXV (2014of the European territorial association

Definitions in the present Policy meet definitions of Article 4 of GDPR:
personal data
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

processing
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

controller
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

processor
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

third party
a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

consent of the data
subject any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her


Where definitions of GDPR in force are different from the definitions of the present policy, definitions of GDPR in force shall prevail.


I. Data controller and contact details



Data controller regarding subscribing to newsletter on the Website:
name:
Rába-Duna-Vág Limited Liability European Grouping of Territorial Cooperation

registered office:
2800 Tatabánya, Fő tér 4.

reg. no:
65.003/2012/2.

represented by:
Vasiová Ema, director

e-mail:
director@rdvegtc.eu



II. Data processor and contact details



Data protection officer designated by the EGTC:
name:
Vasiová Ema
postal address:
2800 Tatabánya, Fő tér 4.
e-mail:
director@rdvegtc.eu



III. Personal data, purpose of processing, legal basis for processing, period of processing



Personal data:
name, e-mail, photos or video taken during the event


Purpose of processing:
Ensuring registration, managing contact for sending the relevant information material and fulfilling the reporting obligations of the Programme and the data controller

Legal basis for processing:
• consent of the data subject {Paragraph a) of Subsection (1) of Section 5 of the Act}

Means of processing:
paper and electronic


Period of processing: for 5 years after 31st December following submitting accounts of eligible costs related to the implementation of the small project but latest until 31 December 2027.


IV. Principles



The EGTC processes personal data in accordance with principles of good faith and fair dealing and transparency and subject to law in force and provisions of the present Policy.

The EGTC processes personal data only on the basis of the present Policy and for a specific purpose(s) and does not go beyond them.

If the EGTC intends to use personal data for purpose(s) other than the original purpose(s), the EGTC informs the data subject of such a purpose and use and obtain the previous and express consent of the data subject (where there is no other legal basis determined by GDPR) and the EGTC allows the data subject opportunity to defy the use of personal data.

The EGTC does not control personal data provided, person who provided the personal data, shall be liable for adequacy.

The EGTC does not transfer personal data, except that the EGTC is entitled and obliged to transfer or forward personal data available to and properly stored by the EGTC to competent authority where transfer and forward of personal data is determined by law or legally binding order of authority. EGTC shall not be liable for such a transfer or its consequences.

The EGTC ensures the security of personal data, takes all technical and organizational measures and establishes rules of procedure that guarantee protection of recorded, stored and processed personal data, and prevent accidental losses, destruction, unauthorised access, unauthorised use, unauthorised alteration and unauthorised dissemination.


V. Rights of the data subject



The data subject may exercise right in the following ways:
– e-mail
– by post
– in person
– unsubscribe/in case of request for erasure by clicking on the link for unsubscribing on the bottom of the newsletter

The EGTC draws attention to the fact that in case of data processing based on consent, data subject is entitled to withdraw the consent at any time, however this withdrawal shall not concern the lawfulness of data processing based on consent before withdrawal.
Right of information and access to personal data
The data subject may at any time request the EGTC to provide information on data processed by the EGTC or the data processor involved by or according to the order of the EGTC, purpose of the processing, legal basis for the processing, period of processing, name and address of data processor, activity of data processor related to data processing, the circumstances, effect of a personal data breach, measures taken for averting personal data breach, furthermore, where personal data is transferred the legal basis for and recipient of transfer of personal data. In relation to the above, the data subject may request a copy of his/her processed data. In case of an electronic request the EGTC executes the request first electronically (PDF format), except where the data subject requests expressly otherwise. The EGTC already draws attention to the fact that if the above right of access affects adversely the rights or freedoms of others, including in particular trade secrets or intellectual properly, the EGTC may refuse the execution of the request, to the extent it is necessary and proportionate.

Right to rectification and modification
The data subject may request the rectification, modification and completion of personal data processed by the EGTC.

Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the EGTC, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the EGTC.
Furthermore, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to erasure (‘right to be forgotten’)
The data subject may request the erasure of one or all personal data concerning him or her.

In this case, the EGTC erasures the personal data without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
– data processing is based on legitimate interest of the EGTC or third person but the data subject objects to the processing and (except objection to processing related to direct marketing) there are no overriding legitimate grounds for the processing;
– the personal data have been unlawfully processed;
– the personal data have to be erased for compliance with a legal obligation.

The EGTC informs the data subject of the refusal to the request of erasure in any event (e.g. data processing is required for the establishment, exercise or defence of legal claims), indicating the reason of the refusal. Erasure of personal data is executed that after fulfilment of request of erasure personal data (erasured) cannot be restored. In addition to the exercise of right to erasure, the EGTC erases personal data if the data processing is unlawfully, the purpose of data processing is no longer exists, data storage period determined by law is already expired, it is ordered by court or authority.

Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the EGTC to verify the accuracy of the personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the EGTC no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
– the data subject has objected to processing pending the verification whether the legitimate grounds of the EGTC override those of the data subject

Where processing has been restricted, such personal data won’t be processed or will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject will be informed by the EGTC before the restriction of processing is lifted.

Right to object
Where the legal basis for processing is legitimate interest of the EGTC or third person (except compulsory data processing) or data is processed for direct marketing, scientific or historical research purposes or statistical purposes, the data subject, has the right to object to processing of personal data concerning him or her. Objection may be rejected if the EGTC demonstrates
– compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or
– that data processing is related to the establishment, exercise or defence of legal claims of the EGTC.
The EGTC examines the lawfulness of the objection of the data subject and where the objection is grounded, the EGTC stops data processing.

Right to legal remedy See Section VII.


VI. Modification of the Policy



The EGTC reserves the right to modify the present Policy through an unilateral decision at any time.

I the data subject does not agree with the modification, he/she may request the erasure of his/her personal data as determined above.


VII. Legal remedies and enforcement



The EGTC as data controller may be contacted for the purpose of any question or comments related to data processing using contact details above.

In case of any violation related to data processing, the data subject may make a complaint to the competent data protection supervisory authority of the Member State of residence, workplace or the place of the alleged violation. In Hungary, complaint shall be made to Hungarian National Authority for Data Protection and Freedom of Information („NAIH”, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

The data subject may bring the following cases before court:
– violation of rights
– against the legally binding decision of the supervisory authority
– if the supervisory authority does not deal with the filed complaint or does not inform the data subject of aspects or result of the procedure related to the filed complaint within 3 months