Gattyán Foundation

PRIVACY POLICY

PRIVACY POLICY FOR THE FUNDRAISING CARRIED OUT BY THE GATTYÁN FOUNDATION

Version 1.1. Effective as of October 05, 2020 The protection of personal data is of utmost importance for us, and therefore the present Privacy Policy aims to inform you (“Data Subject”) of the categories of personal data controlled by the Gattyán Foundation (“Controller”) in the course of the fundraising carried out on the website www.gattyanalapitvany.hu, as well as the purposes of, and grounds for, processing. The Privacy Policy also includes your data subject rights.

1. Details of Controller Name of controller: Gattyán Foundation (Gattyán Alapítvány) Registered office: 1101 Budapest, Expo tér 5-7. Registration number: 01-01-0012819 Website: https://gattyanalapitvany.hu/ E-mail address: info@gattyanalapitvany.hu

2. Laws and regulations serving as basis or background of the processing a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”) b) Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”) c) Act V of 2013 on the Civil Code of Hungary (“Civil Code”) e) Act C of 2000 on Accounting (“Accounting Act”)

3. Characteristics of the processing activities

3.1. Execution of payment transactions In case the donor intends to provide Controller with a donation, the donation may take place by wire transfer or card payment. In the case of wire transfer, the Controller shall process the name and bank account number of the donor, as well as the amount of donation; in the case of card payment, the name, e-mail address, address, phone number of the donor and the amount of donation shall be processed. The Controller shall process the personal data in the course of the fundraising for the purpose of execution of payment transactions. Grounds for processing: the processing is necessary for the performance of a contract to which the Data Subject is party (Article 6(1)b of GDPR). The duration of processing shall be 3 months from the payment of the donation. Section 3.3 shall apply to the data processing activity related to the invoices issued in respect of the payment of donations. Based on the consent of the Data Subject, Controller shall forward the following personal data submitted on the website www.gattyanalapitvany to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.), as processor. Categories personal data forwarded: family name, given name, country, phone number, e-mail address. Purpose of data forwarding: providing users with customer support assistance, confirmation of transactions and fraud monitoring carried out for the protection of users. Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.

3.2. Publication of the name of the donor On the basis of the consent given by the donor, the Controller shall publish the name of the donor on the website www.gattyanalapitvany.hu. The purpose of the processing is to promote the fundraising activity of Controller. The ground for processing is the consent of the Data Subject (Article 6(1)a of GDPR). The processing is voluntary. The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The Controller shall process the name of the donor until the withdrawal of the consent or the elapse of the term needed for the fulfillment of the purpose of the processing. Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.

3.3. Meeting accounting and tax obligations The Controller shall retain the invoices issued in connection with the payment of donation, as accounting supporting documents, for a retention period of 8 years as set out in Article 169 of the Act on Accounting, then the data shall be deleted. The purpose of processing is meeting the document retention obligation set out in the Act on Accounting, the ground for processing is the compliance with a legal obligation to which the Controller is subject (Article 6(1)c of GDPR). Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.

3.4. Processing of contact data of persons contacting the Controller The Controller processes the contact data of the persons contacting the Controller at the contact details set out on the website www.gattyanalapitvany.hu, including the web form on the website, on the basis of the consent given by the Data Subjects (Article 6(1)a of GDPR), for the purpose of keeping contact with the Data Subjects. The processing is voluntary. The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The Controller shall process the name of the Data Subject until the withdrawal of the consent or the elapse of the term needed for the fulfillment of the purpose of the processing. Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.

4. Processors Docler Services Kft. (registered office: 1101 Budapest, Expo tér 5-7., company registration number: 01-09-186181, VAT number: 24856984-2-42) provides the Controller with accounting services (processing activities set out in sections 3.1 and 3.3). The website of Controller (www.gattyanalapitvany.hu) is operated by Docler SSC Kft. (registered office: 1101 Budapest, Expo tér 5-7., company registration number: 01-09-203601, VAT number: 25165522-2-42 - processing activity set out in section 3.2).

5. Rights of the Data Subject

5.1. Right to information The Data Subject shall be entitled to request information from the Controller in writing as to what personal data concerning the Data Subject is processed, the grounds and purpose of processing, the source of personal data, the term of processing, any recipients to whom personal data is forwarded or to whom access to personal data is granted, the records of personal data forwarded and the statutory provision serving as grounds for the forwarding. The Controller shall process the request of the Data Subject within one month and shall send the information to the contact detail specified by the Data Subject.

5.2. Right to rectification The Data Subject may request the Controller in writing to modify or amend any personal data concerning the Data Subject (e.g. Data Subjects may change their e-mail address or other contact detail at any time). The Controller shall process the request of the Data Subject within one month, and shall send the notification on the completion of the amendment or rectification to the contact detail specified by the Data Subject.

5.3. Right to erasure The Data Subject may request the Controller in writing to delete the personal data concerning the Data Subject. The Controller may refuse to comply with the request for deletion in case the Controller is subject to a statutory obligation to retain the personal data. In case the Controller is not obliged to retain the personal data on statutory grounds, the Controller shall process the request of the Data Subject within 5 business days and shall send the notification on the completion of the deletion to the contact detail specified by the Data Subject.

5.4. Right to data portability The Data Subject may request the Controller in writing to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller. The right to data portability may be exercised when the processing is based on the consent of the Data Subject or the processing is necessary for the performance of a contract to which the data subject is party (including where the processing is in order to take steps at the request of the data subject prior to entering into a contract); and the processing is carried out by automated means. In exercising their right to data portability, the Data Subjects shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

5.5. Right to restriction of processing (blocking) The Data Subjects may request the Controller in writing to block their personal data (by clearly marking that the processing is restricted and by ensuring that the data concerned are separated from other data). The restriction shall be maintained as long as the retention is necessary for the reason specified by the Data Subject. The Data Subject may request the restriction of processing, when, for instance, the Data Subject claims that the processing by the Controller was unlawful, but the personal data are required for the administrative or judicial procedure launched by the Data Subject, and therefore the Data Subject requests the Controller not to delete the personal data concerning the Data Subject. In this case, the Controller shall retain the personal data (e.g. the data to be submitted) until being requested for disclosure by the authority or court, and the Controller shall delete the personal data after the closing of the administrative or judicial procedure.

5.6. Right to object The Data Subjects shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the legitimate interest pursued by the Controller (including profiling), or for the purposes of public opinion research or scientific research (including data forwarding and data use).

5.7. Legal remedies Data Subjects may submit their queries and requests related to processing and the enforcement of their data subject rights to the contact details of the Controller set out in Section 1 hereof. In case of breach of their data subject rights, the Data Subjects may seek the remedy of the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH, mailing address: 1374 Budapest, Pf. 603., telephone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu). In case the Data Subjects find that the personal data concerning them are processed unlawfully, they may seek judicial remedy. The regional courts shall have competence in these matters. The proceedings may be launched – subject to the discretion of the Data Subject – before the regional court with a jurisdiction based on the address of residence of the Data Subject (see the contact details of the regional courts at the following link: https://birosag.hu/torvenyszekek).

6. Updates and availability The Controller reserves the right to unilaterally modify the present Privacy Policy. The present Privacy Policy may be modified, in particular, due to any change in legislation, the practice of the data protection supervisory authority, business needs or newly discovered security risk. If requested by the Data Subject, the Controller shall provide the Data Subject with one original of the prevailing Privacy Policy, in a format mutually agreed with the Data Subject.