These Data Processing Guidelines contain the rules regarding the processing carried out by Trinspire Informatikai Szolgáltató és Tanácsadó Kft. (1138 Budapest, Madarász Viktor u. 47-49., hereinafter: Masterfield) as Controller, as well as information on the rights of data subjects. Masterfield is committed to protecting the personal data of its partners and the visitors of its websites and considers it especially important to respect its clients’ right to informational self-determination. These Data Processing Guidelines duly cover processing performed on Masterfield’s website (http://Masterfield.hu) as well as any processing carried out in an off-line form. Masterfield reserves the right to modify these Data Processing Guidelines, in which case it shall inform its clients of this fact via its websites. .
The terms used in these Data Processing Guidelines are defined as follows:
- data subject: natural persons who are explicitly defined or identified, or can be explicitly or implicitly identified by the use of personal data;
- personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
- sensitive data:
- personal data related to racial or ethnic origin, political opinion or party membership, religion or beliefs, trade union membership, sexual orientation,
- health status, harmful addictions, as well as criminal record;
- consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- objection: a statement by the data subject in which he or she objects to the processing of his or her personal data, and requests that the processing cease and his or her processed data be deleted;
- controller: natural or legal persons or organizations not having legal personality that (independently or jointly with others) may determine the purpose of the data processing, make and execute decisions regarding the data processing (including the devices used), or have their decisions executed by the data processor;
- data controlling: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; as well as the prevention of further use, audio or video recordings, and the recording of physical characteristics suitable for the identification of a person (finger or palm prints, DNS sample, iris imaging);
- data transfer: making data available to certain third parties;
- disclosure: making the data accessible for anyone;
- erasure of data: making any data unrecognizable in a way such data may no longer be restored;
- data identification: assigning identifiers to data with the purpose of distinguishing them;
- data blocking: assigning an identifier to the data with the purpose of limiting - permanently or for a fix term - the further processing of such data;
- data erasure: complete physical destruction of the media containing the data;
- data processing: performing technical tasks in connection with data processing activities, regardless of the methods and tools used for executing the operations, or the location where they are performed, provided that such technical tasks are performed on data;
- processor: natural or legal person, or organization without legal personality that performs the processing of the data on a contractual basis, including contracts stipulated by law;
- third country: all those states that are not a member of the EEA.
- Information Act: Act CXII of 2011 on informational self-determination and the freedom of information
DATA AND CONTACT INFORMATION OF CONTROLLER
Name: Trinspire Informatikai Szolgáltató és Tanácsadó Kft.
Address: 1138 Budapest, Madarász Viktor u. 47-49. (Madarász Irodapark) 1. épület 5. emelet
Data control registration number: NAIH-145990/2018
THE NEWSLETTER MODULE OF CONTROLLER IS HANDLED BY
Name: Etalon Bázis Kft.
Registered seat: 2500 Esztergom, Mohácsy köz 4/b
Branch office: 1063 Budapest, Szinyei M. P. 21. I/5.
PRINCIPLES OF PROCESSING AND DATA SECURITY
Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing, the recording and processing of personal data shall be done under the principle of lawfulness and fairness. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose. The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded. The data subject shall be responsible that the data provided be true and accurate. Masterfield shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects during processing. Masterfield or if a processor is employed, then the processor shall, within its scope of activities, ensure the security of the data, and shall take all technical and organizational measures and lay down such procedural rules that are needed to enforce the Information Act as well as other data security and confidentiality regulations. Masterfield shall protect the personal data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, unavailability due to accidental destruction and damage resulting from a change in the technology used. Should Masterfield hire a third-party processor for the purpose of processing, it shall inform the data subjects of the fact of processing and the person of the processor prior to the consent to processing being given. The external processor may not make any substantial decisions affecting the processing, and may process any personal data obtained pursuant to the instructions of Masterfield as the controller; it may not perform data processing for its own purposes, and is obliged to store and preserve personal data as required by Masterfield as the controller. During data controlling and processing, only Masterfield and its external processor - if the latter is used - may access the data, as well as the employees of Masterfield and its external processor - if the latter is used - who take part in realizing the processing goals laid down in these Data Processing Guidelines, and who are bound by an obligation of non-disclosure by their employment contract and the legal regulations related to their employment regarding all data they learn. They may not disclose, use or make them available to third parties or make them public.
LEGAL BASIS AND PURPOSE OF PROCESSING
Personal data may be processed based on the consent of the data subject, stipulated by law or a decree of a municipality (mandatory processing). Before initiating the processing of data, the data subject shall be informed by Masterfield that the processing is based on consent or is mandatory. Before initiating the processing of data, the data subject shall be informed by Masterfield of the purpose and legal basis for processing, the persons authorized to process their data, the period for processing and the scope of persons to whom their data may be disclosed to. Information on the rights of the data subject regarding processing, as well as the possibilities of legal remedy may be found in these Data Processing Guidelines. Masterfield processes data for the following purposes:
- identifying the data subject, distinguishing them from other data subjects, keeping in contact with the data subject,
- performing other record-keeping obligations,
- preparing statistics and analyses,
- handling complaints,
- marketing activities,
- performing processing and data provision stipulated by law
If Masterfield is engaged in providing courses falling under Act LXXVII of 2013 on adult education, then during the processing stipulated by law, it shall, in accordance with section 21 sub-section (4) of Act LXXVII of 2013, provide data for statistical purposes, and to store and process those data from the date of their creation until the data subject asks them to be erased, as per section 21 sub-section (6). As per section 20 sub-section (1) point b) of Government Decree 393/2013 (XI. 12.) on the procedure and requirements of obtaining permission to perform adult education activity, the administration of adult education institutions and the detailed rules of controlling adult education institutions, if the circumstances described in section 20 arise, Masterfield shall provide data. As per Act CXXVII of 2007 on value-added tax, section 169 point e), the mandatory contents of invoices include the name and address of the buyer of a product or the user of a service, thus Masterfield performs processing with regard to these data, as well. In such cases, processing is independent from the data subject’s consent as the processing is stipulated by law. When Masterfield processes the data not out of its legal obligation, then it always does so with the data subject’s consent, as per section 5 sub-section (1) of the Information Act. Applying for a course constitutes consent to the data on the application form being processed.
PROCESSING FOR OTHER PURPOSES
SUBSCRIBING TO THE NEWSLETTER
STORING INFORMATION ON HOMEPAGE VISITORS
Masterfield is entitled to record the IP address of visitors, the time of their visit and the title of the pages viewed, for technical reasons and in order to compile statistics regarding user habits. By using the website, visitors accept that these anonymous data be recorded.
THE WAY OF REQUESTING CONSENT ON THIS WEBSITE
- Cookies sent in this way are used in the following ways: External service providers, among them Google, use these Cookies to track if the user has previously visited the advertiser’s website, based on which external service providers - among them Google - display advertisements to the user on their partners’ websites.
- Users may disable the use of Google Cookies on the page used to turn off Google Ads.
- On the link http://www.networkadvertising.org/choices you may block the Cookies of other external service providers, too.
DATA TRANSFER - TO EXAMINATION CENTRES
Masterfield only transfers the personal data of the data subjects as per these Data Processing Guidelines, or by special consent of the data subject based on prior information. Masterfield shall only transfer data to the United States of America if, on top of the above, the local controller there appears on the PrivacyShield list (https://www.privacyshield.gov/list), which lists organizations meeting the European data security regulations. The scope of the data transferred: username, surname, first name, country, phone number, email address. The purpose of data transfer: to provide customer service assistance to users, and to confirm transactions.
RIGHTS OF DATA SUBJECTS AND THEIR ENFORCEMENT
The data subject may request the following from Masterfield:
- information on the processing of their personal data,
- correction of their personal data, and
- deletion or blocking of their personal data, except the data under mandatory data processing.
Downloadable request forms (in Hungarian):
REQUEST FOR INFORMATION ON THE PROCESSING OF PERSONAL DATA
The data subject may request that Masterfield provide information concerning their processed data, the sources from where they were obtained, the purpose, grounds and duration of processing, and –in case of data transfer – the legal basis and the recipients. Masterfield shall provide the requested information promptly in writing, within 30 days of the date of the request. The information shall be provided free of charge if the person requesting the information has not submitted a request for information regarding the same scope of data to Masterfield in the year in question. In other cases, the data subject shall pay a fee of 2000 HUF per information request.
CORRECTION OF PERSONAL DATA
If the personal data are incorrect, while the correct personal data are available to Masterfield, the personal data shall be corrected by Masterfield.
ERASURE OF PERSONAL DATA
Personal data shall be erased if:
- it is processed unlawfully;
- the data subject requests it (except mandatory processing);
- it is incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;
- the purpose of processing no longer exists or the legal time limit for storage has expired;
- it was ordered by the National Authority for Data Protection and Freedom of Information (NAIH).
BLOCKING OF PERSONAL DATA
Instead of erasing personal data, Masterfield shall block it if
- it is requested by the data subject, or
- there are reasonable grounds to believe that erasure would be injurious to the legitimate interests of the data subject.
Personal data blocked in this way may only be processed as long as the purpose of the data processing that made the erasure of personal data impossible still exists.
MARKING OF PERSONAL DATA
Masterfield shall mark the processed data if the data subject disputes their correctness or accuracy, as long as such incorrectness or inaccuracy may not be clearly ascertained. Masterfield shall inform the data subject and all those to whom it previously transferred the data for processing about the correction, blockage and erasure of the data. Notification may be omitted if this does not violate the legitimate interest of the data subject with respect to the purpose of the processing. Should Masterfield refuse to fulfil the data subject’s request for correction, blocking or erasing the disputed data item, then it shall advise the data subject in writing within 30 days upon the receipt of the request on the factual and legal causes of the rejection of the rectification, blockage or erasure request thus submitted.
OBJECTION TO THE PROCESSING OF PERSONAL DATA
The data subject may object to the processing of their personal data
- if the processing of the personal data is required exclusively for fulfilling the legal obligation of the controller, or the enforcement of the legitimate interest of the controller (except in the case of mandatory processing);
- if the purpose of the use or the transfer of personal data is direct marketing, public opinion polling or scientific research; and
- in other cases stipulated by law.
Masterfield shall examine the objection promptly after it was submitted, but within no more than 15 days, it shall make a decision on whether it is well-founded, and inform the person making the request about its decision. If based on the findings of Masterfield the data subject’s objection is justified, it shall terminate all processing operations, block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection. Masterfield shall be liable for any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements. The data subject may demand damages from Masterfield if Masterfield violates the personality rights of the data subject by the unlawful processing of the data subject’s data or by breaching the requirements of data security. Masterfield shall be exempted from liability for the damage caused and for compensation if it can prove that the damage or the infringement of the data subject’s personality rights was a result of inevitable obstacles outside the scope of data processing. Damage need not be reimbursed in case the damage or the infringement of personality rights was a result of deliberate or gross negligence of the data subject.
The data subject may take Masterfield to court in case of a violation of their rights related to processing. If the data subject disagrees with the decision taken by Masterfield regarding their objection to processing, the data subject shall have the right to turn to court within 30 days of the date of delivery of the decision or from the last day of the time limit. Such court proceedings shall be conducted under priority. The case shall be judged by a tribunal. The case may be initiated before the General Court of the data subject’s domicile or place of residence, at the data subject’s discretion. In case of an infringement of the exercising of the data subject’s rights related to the processing of their personal data, they may report the case to initiate an enquiry with the National Authority for Data Protection and Freedom of Information :
Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Facsimile: +36 (1) 391-1410
In questions not regulated by these Data Processing Guidelines - with the exception of conflict-of-laws rules governing common law - the provisions of Hungarian law shall govern.
Dated: Budapest, 30 April 2018