Information on Data Management

Preamble

In the course of its data management activities, the Data Controller always strives to implement data security measures appropriate to the duration of the managed data and to maintain these security measures without interruption.

Personal data is stored in the Data Controller’s own closed system, ensuring the continuous availability, integrity and confidentiality of the data.

Furthermore, the Data Controller pays special attention to the continuous monitoring of legislative changes and to continuous compliance with them, as well as to the creation of the widest possible framework for the exercise of the rights of the data subject.

The purpose of this Information Sheet is for users of the www.hellomako.hu website to receive information about data management by the Data Controller in a way that is understandable to the public, as a result of which the entire process of data management becomes transparent and this creates the basis for them to exercise their rights as data subject.

Concepts

Data Processor:

Natural or legal person, public authority, agency or any other organisation that processes personal data on behalf of the Data Controller.

Data Management:

Any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, registration, organisation, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or other making it available, adjustment or linking, restriction or deletion or destruction.

Limitation of Data Management:

Making of stored personal data for the purpose of restricting their future processing.

Data Protection Incidents:

A breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise handled.

GTC:

The General Terms and Conditions applied by the Data Controller, with the acceptance and application of which a cooperation contract is created between the Data Subject and the Tourist association of Makó and Its Region.

Addressee:

The natural or legal person, public authority, agency or any other organisation to whom the personal data is communicated, regardless of whether it is a third party.

Data Subject:

Identified or naturally identifiable person to whom the personal data applies.

Parties:

The Data Subject and the Data Controller together.

User Account:

On the www.hellomako.hu website, the private user interface created by the Tourist Association of Makó and Its Region for the Data Subject which can be modified or terminated with immediate effect within the framework of the current GTC.

GDPR:

Regulation (EU) 2016/679 of the European Parliament and the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Directive 95/46/EC (general data protection regulation) (Text related to the EEA-European Economic Area).

Third Party:

The natural or legal person, public authority, agency or any other organisation that is not the same as the Data Subject, the Data Controller, the Data Processor or the persons who have been authorized to handle personal data under the direct control of the data controller or data processor.

Third Country:

Any country outside the European Union and the European Economic Area is considered a third country.

Authorities:

National Data Protection and Freedom of Information Authority, whose current contact details can be found on the website www.naih.hu .

Website:

https://hellomako.hu website.

Law:

Law CXII of 2011 on the right to information self-determination and freedom of information.

Personal Data:

Any information relating to an identified or identifiable natural person; a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

Name of Data Controller

Name: Tourist Association of Makó and Its Region
Seat: 6900 Makó, 22 Széchenyi Square
Postal address: 6900 Makó, 22 Széchenyi Square
Phone: +36 20 444 4546
E-mail: kapcsolat@makoregio.hu

Principles Valid Throughout the Entire Data Management Process

Legality of Data Management

The processing of personal data is only legal if and to the extent that at least one of the following is fulfilled:

• The data subject has given his consent to the processing of his personal data for one or more specific purposes;
• Data management is necessary to fulfil a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract;
• Data management is necessary to fulfil the legal obligation of the data controller;
• Data management is necessary to protect the vital interests of the data subject or another natural person;
• Data management is in the public interest or is necessary for the execution of a task performed in the context of the exercise of the public authority granted to the data controller;
• Data management is necessary to enforce the legitimate interests of the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

Rights of Data Subjects

Pursuant to point f) of Article 57 (1) and Article 77 (1) of the GDPR, all stakeholders, including you, are entitled to file a complaint with the Authority if, in your opinion, the handling of personal data concerning you violates you.

As a general rule, all stakeholders can apply to the given data controller:

• Access to your personal data,
• Correcting your personal data,
• Deleting your personal data,
• The limitation of the given data management,
• Portability of your personal data,
• You can also object to the processing of your personal data.

At this point, the Data Controller specifically draws the Data Subject’s attention to the fact that the right to protest is not applicable to the data processing covered by this Data Management Information Sheet, given that no data processing activity is based on the legitimate interests of the Data Controller or of a third party, and that the data processing does not take place due to its public authority nature.

Regardless of the request for the exercise of any data subject right, the Data Controller shall inform the Data Subject without undue delay, but in any case within one month of the receipt of the request, of the measures taken following the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by another two months. However, the Data Controller is obliged to inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.

If the Data Controller does not take measures following the Data Subject’s request, without delay, but at the latest within one month from the receipt of the request, it is still obliged to inform the Data Subject of the reasons for the failure to take action, as well as the fact that the Data Subject may file a complaint with the Authority and seek legal remedies with his right, before the competent court according to his place of residence or stay (you can find out about the contact details of the courts at the following link: http://birosag.hu/torvenyszekek).

If the Data Controller has reasonable doubts about the Data Subject's identity when submitting a request to exercise a data subject's right, the Data Controller may request the Data Subject to provide additional information necessary to confirm the identity. If the Data Controller proves that it is unable to identify the Data Subject, it may refuse to fulfil the request to exercise the data subject's right.

As a general rule, information and measures regarding data subject requests are free of charge. However, if the request is clearly unfounded or - especially due to its repetitive nature – excessive, the Data Controller may, taking into account the administrative costs associated with providing the requested information or taking the requested action, charge a reasonable fee or refuse to take action based on the request. However, it is the responsibility of the Data Controller to prove that the request is clearly unfounded or exaggerated.

Based on Article 37 of the GDPR, it is not necessary to appoint a data protection officer at the Data Controller.

If the Data Controller does not fulfil a request of the Data Subject in a verifiable manner, taking into account the above deadlines, the Authority – based on a complaint - will investigate the manner.

The Right to Access Your Data

Based on this right, the Data Subject is entitled to receive feedback from the Data Controller as to whether his personal data is being processed, and if such data processing is in progress, he is entitled to have his personal data and the information listed in the General Data Protection Regulation (for example, the purpose of the data processing, legal basis, the recipients of the personal data or the categories of recipients, the related information in the case of data transfer to a third country or international organization; the duration of the data management or its aspects, the rights of the data subject, the legal remedies, the consequences of the failure to provide the data).

The Data Controller is obliged to provide the Data Subject with a copy of the personal data that is the subject of data management. However, the Authority draws your attention in a general manner to the fact that the data controller may charge a reasonable fee based on administrative costs for the requested additional copies, and the exercise of the right to request a copy may not adversely affect the rights and freedoms of others.

The Right to Correct Your Personal Data

Based on the right to rectification, the Data Subject has the right, on the one hand, to request that the Data Controller to correct inaccurate personal data concerning the Data Subject without undue delay, and on the other hand, he is entitled to request the addition of incomplete personal data.

Your Right to Have Your Personal Data Deleted and “Forgotten”

As a general rule, based on his right to deletion, the Data Subject is entitled to have the Data Controller delete his/her personal data without undue delay upon request, and the Data Controller is obliged to delete them without undue delay if one of the following reasons exists:

• The personal data are no longer needed for the purpose for which they were collected or otherwise managed by the Data Controller;
• The Data Subject withdraws his consent, which is the basis of the data management, and there is no other legal basis for the data management;
• The Data Subject objects to the data processing for reasons related to his own situation, and there is no legitimate reason for the data processing;
• The Data Subject objects to the processing of his/her personal data for the purpose of direct business acquisition, including profiling, if it is related to direct business acquisition;
• Personal data is handled illegally by the Data Controller;
• The collection of personal data took place in connection with the providing of information society-related services offered directly to children.

The right to be “forgotten” means the extension of the right to erasure to the online environment, based on which, if the Data Controller has disclosed the Data Subject’s personal data and is obliged to delete it, it is obliged to take reasonably expected steps in order to inform the data controllers managing the Data Subject’s personal data, that the Data Subject has requested the deletion of the links to his personal data or the copy or duplicate of this personal data.

Regarding this data subject right, it is important to note, however, that it is not possible to delete and “forget” personal data if one of the cases defined below exists (GDPR Article 17 (3)):

• For the purpose of exercising the right to freedom of expression and information;
• On the basis of public interest affecting the field of public health;
• For the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the exercise of the right to deletion would make this data management impossible or seriously jeopardize it; or
• To present, enforce and defend legal claims.

Your Right to Restrict the Processing of Your Personal Data

The Data Subject has the right to have the Data Controller restrict, more commonly known as, blocking the data processing at his request, if one of the following conditions is met:

• The Data Subject disputes the accuracy of his personal data. In this case, the limitation applies to the period that allows the Data Controller to verify the accuracy of this personal data;
• The data management is illegal and the Data Subject opposes the deletion of personal data and instead requests the restriction of their uses;
• The Data Controller no longer needs the personal data for the purpose of data management, but the Data Subject requires them to present, enforce or defend legal claims;
• The Data Subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the data controller’s legitimate reasons take precedence over the data subject’s legitimate reasons.

Your Right to Portability of Your Personal Data

Based on this right, the Data Subject is entitled to receive his/her personal data provided to the Data Controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this personal data to another data controller without being hindered by the data controller to whom the Data Subject made data available. The Data Subject can exercise this right if the data management is based on consent or a contract and the data management is automated.

Your Right to Object to Processing of Your Personal Data

You have the right to object to the processing of your personal data at any time for reasons related to your own situation, if the processing of your personal data takes place due to the legitimate interest of the data controller or the nature of public authority. If personal data is processed for direct business acquisition, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, if it is related to direct business acquisition. If you object to the processing of your personal data for direct business purposes, your personal data may no longer be processed for this purpose.

The Data Subject’s Right of Complaint and Legal Remedy

The Data Subject has the right to file a complaint with the Authority in relation to or in connection with the data management, or to initiate civil litigation against the Data Controller directly before the competent court.

The Authority’s contact details are available on the Authority’s website at www.naih.hu ; short-cut options for reaching the Authority:

• Phone: +36/1-391-14-00 és +36/30-683-5969 és +36/30-549-6838;
• Electronic mail address: ugyfelszolgalat@naih.hu;
• Seat: 1055 Budapest, 9-11 Falk Miksa Street;
• Postal address: 1363 Budapest, P.O. Box 9;
• Office gate: short name: NAIH; KR ID: 429616918.

The Data Subject can initiate a civil lawsuit against the Data Controller, pursuant to Code of Civil Procedure Code CXXX of 2016, by applying the provisions of the law, and the fact that the case falls under the jurisdiction of the court is determined either by the place of residence (or place of stay) of the Data Subject, or by the seat of the Data Controller, and the court acts out of turn during the assessment of the claim.

However, before submitting a complaint to the Authority or initiating any civil litigation, it may be expedient for the Data Subject to report his or her grievance directly to the Data Controller, by sending an informal request to any of the Data Controller's contact details in accordance with this Information Sheet, or to any of the Data Protection Officer's contact details. In such a case, the Data Controller will contact the Data Subject directly within the shortest time possible under the circumstances, in order to resolve the aggrieved situation as soon as possible, based on the consensus of the parties.