PRIVACY POLICY OF GATTYÁN FOUNDATION
Version 1.2. Effective as of June 8, 2021 The protection of personal data is of utmost importance for us, and therefore the present Privacy Policy aims to inform you (“Data Subject”) of the categories of personal data controlled by the Gattyán Foundation (“Controller”), as well as the purposes of, and grounds for, processing. The Privacy Policy also includes your data subject rights.
- Details of Controller Name of controller: Gattyán Foundation (Gattyán Alapítvány) Registered office: 1101 Budapest, Expo tér 5-7. Registration number: 01-01-0012819 Website: https://gattyanalapitvany.hu/ E-mail address: info@gattyanalapitvany.hu
- Laws and regulations serving as basis or background of the processing a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”) b) Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”) c) Act V of 2013 on the Civil Code of Hungary (“Civil Code”) e) Act C of 2000 on Accounting (“Accounting Act”)
- Characteristics of the processing activities
3.1. Execution of payment transactions and invoicing In case the donor intends to provide Controller with a donation, the donation may take place by wire transfer or card payment. In the case of wire transfer, the Controller shall process the name and bank account number of the donor, as well as the amount of donation; in the case of payment via PayPal, the e-mail address of the donor and the amount of donation shall pe processed; in the case of card payment, the name, e-mail address, address, phone number of the donor and the amount of donation shall be processed. The Controller shall process the personal data in the course of the fundraising for the purpose of execution of payment transactions and for meeting the related statutory accounting obligations. The Controller shall issue and retain the invoices issued in connection with the payment of donation, as accounting supporting documents, for a retention period of 8 years as set out in Article 169 of the Act on Accounting, then the data shall be deleted. The ground for processing is the compliance with a legal obligation to which the Controller is subject (Article 6(1)c of GDPR). Based on the consent of the Data Subject, Controller shall forward the following personal data submitted on the website www.gattyanalapitvany (hereinafter: Website) to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.), as processor. Categories personal data forwarded: family name, given name, country, phone number, e-mail address. Purpose of data forwarding: providing users with customer support assistance, confirmation of transactions and fraud monitoring carried out for the protection of users. Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.
3.2. Publication of the name of the donor On the basis of the consent given by the donor, the Controller shall publish the name of the donor on the Website. The purpose of the processing is to promote the fundraising activity of Controller. The ground for processing is the consent of the Data Subject (Article 6(1)a of GDPR). The processing is voluntary. The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The Controller shall process the name of the donor until the withdrawal of the consent or the elapse of the term needed for the fulfillment of the purpose of the processing. Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.
3.3. Processing of contact data of persons contacting the Controller The Controller processes the contact data of the persons contacting the Controller at the contact details set out on the Website, including the web form on the website, for the purpose of keeping contact, the ground for processing is to take steps at the request of the data subject prior to entering into a contract between the Data Subject and the Controller and the performance of the contract (Article 6(1)b of GDPR). The personal data shall be retained for the following periods of time: 5 years from the performance of the agreement under Article 6:22 of the Civil Code of Hungary (if no agreement is concluded by and between the parties, then the personal data shall be deleted after 2 months from the last communication). Controller shall not transfer personal data to third countries or to non-governmental organizations. Furthermore, no automated decision making or profiling shall be carried out in respect of the personal data processed.
3.4. Newsletters The Controller processes the name and e-mail address of the persons contacting the Controller via the web form on the Website or by other means in writing; the purpose of processing is to send newsletters; the ground for processing is the consent of the data subject (Article 6(1)a of GDPR). The newsletters sent by the Controller pertain to the activities of the Controller, the tasks planned and carried out by, and the initiatives pursued by, the Controller. The processing is voluntary. The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The Controller shall process the name and e-mail address of the Data Subject until the withdrawal of the consent.
3.5. Processing of contact details and details of legal representatives set out in contract. In its agreements made with legal entities and associations not having legal personality, the Controller sets out the personal data (name and contact details) concerning the representative and contact person of the contracting person. The above specified personal data are processed for the following purposes: keeping smooth contact, providing information, consulting with respect to all legal and real acts related to the contract, which is carried out for the preparation, execution, performance of the agreement, management of complaints, resolving of issues, termination of the agreement, and enforcement of legal claims. The grounds for processing is the legitimate interest pursued by the Controller (Article 6(1)f of GDPR), which pertains to the followings: prompt and smooth, oral discussion of the questions and notifications with the contractual partner, that may arise in the course of the preparation, performance and termination of the agreement, resolution of any issues, management of complaints, and enforcement of legal claims , in order to take the necessary measures and – if necessary – record the contents thereof in written form. The Controller shall process the personal data concerning the contact persons and representatives for the retention period of 8 years set out in the Act on Accounting (Article 169 of the Act on Accounting), then the above personal data shall be deleted.
3.6. Processing of photographs. The events held with the participation of the representatives of the Controller may be photographed. With the exception of recordings made of a crowd, the Controller requests the consent of the data subject under Article 2:48, which may be given in writing or by conduct. The Controller pays attention that in the case of minor data subjects, the consent of the legal representative shall be made in written form. The Controller publishes the photographs on the Website, but the use of the photographs by third parties is not permitted without the prior written consent of the Controller. The Controller groups the photographs by events but shall not use them for identification purposes and shall not use facial recognition software on them.
3.7. Processing related to tender procedures. With respect to the tender procedures organized by the Controller, the tender invitation shall be accompanied by separate privacy policy taking into account the terms and intended purpose of the tender procedure.
3.8. Information on the cookies used on the Website
What is a cookie and what is its purpose?
The Controller uses small text files (cookies) on the Website, which are generated on the user’s device (e.g.: computer, telephone, tablet) when visiting or using the Website. The cookies allow the server to differentiate between users who view the Website at the same time and to store the user’s activities and preferences. The Controller uses cookies on the Website for the purposes indicated below.
The Controller uses cookies to collect data about the device and activity of the user who visits the Website, such as the type and other data of the browser, computer operating system, IP address, pages viewed by the user and the functions used.
Own and foreign cookies
On the one hand, the Controller may use own cookies on the Website, the purpose and function of which is determined by the Controller, without the influence of a third party. On the other hand, the Controller may allow third-party service providers to place foreign cookies on the Website for the reasons mentioned above. For example, in order to understand what content a user is viewing or what services they are using on the Website, what they are interested in, and how the Controller can improve its services, the Controller can enlist the help of a data analyzing service providers, including Google Analytics. The user can prevent the analysis performed by Google Analytics by installing the Google Analytics Browser Blocker (http://tools.google.com/dlpage/gaoptout).
How does the Controller use cookies?
Guaranteeing the safe operation of the Website
The Controller uses cookies on the Website in order to maintain a secure and reliable user environment. A session cookie serves to differentiate between users who visit the Website at the same time and to ensure the proper and ordinary functioning of the Website.
Analysis and research
The Controller uses cookies used for analytical purposes on the Website (as part of the Google Analytics service). The purpose for the use of cookies is to give the Controller a more detailed view of how the user uses the Website. This helps the Controller understand how the user uses the Website, what they are interested in, and how the Controller can improve its services, while also improving the user experience.
How can the user manage the cookies?
The user can enable or disable the use of certain categories of cookies in a pop-up window when opening the Website (provided that the Controller uses cookies other than the ones essential for the operation of the Website). Also, most browsers automatically accept cookies, but the user can disable them by changing their browser settings.
If the user disables all cookies on the Website in the settings of their browser or device, they can use the services of the Website in a restricted manner.
Functional cookies
This category of cookies enables the Website to remember the prior settings made by the eser (e.g. to display the Website in English or Hungarian language), thereby it provides the user with a higher level, more personalized service. The information collected by these cookies are anonymized and cannot serve for tracking the browsing activity of the user on other websites.
| Cookie ID | Cookie provider | Data contained in the cookie | Purpose of the cookie | Duration of processing | Cookie type |
| wordpress_test_cookie | own cookie | anonymous data | it detects if cookies are disabled in the browser | the duration of the session (session cookie) | Functional |
| moove_gdpr_popup | own cookie | anonymous data | it stores the consent of the user to the use of cookies | the duration of th e session (session cookie) | Functional |
| pll_language | own cookie | anonymous data | it stores the language settings of the Website | 1 year (persistent cookie) | Functional |
Google Analytics cookies
This category of cookies enables the Controller to measure how users interact with the pages of the Website. When the user is browsing the Website, the Google Analytics service used by the Controller for tracking the pages of the Website visited by the user, e.g. by recording the URL of the given page. Google Analytics provides the Controller with JavaScript libraries to track the user activities. The Google Analytics cookies are foreign cookies, i.e. these are managed by Google with the permission of the Controller.
Information regarding the Google Analytics cookies can be found on the following page: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=hu
- Processors Docler Services Kft. (registered office: 1101 Budapest, Expo tér 5-7., company registration number: 01-09-186181, VAT number: 24856984-2-42) provides the Controller with accounting services (processing activities set out in section 3.1). The website of Controller (www.gattyanalapitvany.hu) is operated by Jasmin SSC Kft. (registered office: 1101 Budapest, Expo tér 5-7., company registration number: 01-09-203601, VAT number: 25165522-2-42 – processing activity set out in section 3.2).
- Rights of the Data Subject
5.1. Right to information The Data Subject shall be entitled to request information from the Controller in writing as to what personal data concerning the Data Subject is processed, the grounds and purpose of processing, the source of personal data, the term of processing, any recipients to whom personal data is forwarded or to whom access to personal data is granted, the records of personal data forwarded and the statutory provision serving as grounds for the forwarding. The Controller shall process the request of the Data Subject within one month and shall send the information to the contact detail specified by the Data Subject.
5.2. Right to rectification The Data Subject may request the Controller in writing to modify or amend any personal data concerning the Data Subject (e.g. Data Subjects may change their e-mail address or other contact detail at any time). The Controller shall process the request of the Data Subject within one month and shall send the notification on the completion of the amendment or rectification to the contact detail specified by the Data Subject.
5.3. Right to erasure The Data Subject may request the Controller in writing to delete the personal data concerning the Data Subject. The Controller may refuse to comply with the request for deletion in case the Controller is subject to a statutory obligation to retain the personal data. In case the Controller is not obliged to retain the personal data on statutory grounds, the Controller shall process the request of the Data Subject within 5 business days and shall send the notification on the completion of the deletion to the contact detail specified by the Data Subject.
5.4. Right to data portability The Data Subject may request the Controller in writing to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller. The right to data portability may be exercised when the processing is based on the consent of the Data Subject or the processing is necessary for the performance of a contract to which the data subject is party (including where the processing is in order to take steps at the request of the data subject prior to entering into a contract); and the processing is carried out by automated means. In exercising their right to data portability, the Data Subjects shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
5.5. Right to restriction of processing (blocking) The Data Subjects may request the Controller in writing to block their personal data (by clearly marking that the processing is restricted and by ensuring that the data concerned are separated from other data). The restriction shall be maintained as long as the retention is necessary for the reason specified by the Data Subject. The Data Subject may request the restriction of processing, when, for instance, the Data Subject claims that the processing by the Controller was unlawful, but the personal data are required for the administrative or judicial procedure launched by the Data Subject, and therefore the Data Subject requests the Controller not to delete the personal data concerning the Data Subject. In this case, the Controller shall retain the personal data (e.g. the data to be submitted) until being requested for disclosure by the authority or court, and the Controller shall delete the personal data after the closing of the administrative or judicial procedure.
5.6. Right to object The Data Subjects shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the legitimate interest pursued by the Controller (including profiling), or for the purposes of public opinion research or scientific research (including data forwarding and data use).
5.7. Legal remedies Data Subjects may submit their queries and requests related to processing and the enforcement of their data subject rights to the contact details of the Controller set out in Section 1 hereof. In case of breach of their data subject rights, the Data Subjects may seek the remedy of the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH, registered office: 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf. 9., telephone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu). In case the Data Subjects find that the personal data concerning them are processed unlawfully, they may seek judicial remedy. The regional courts shall have competence in these matters. The proceedings may be launched – subject to the discretion of the Data Subject – before the regional court with a jurisdiction based on the address of residence of the Data Subject (see the contact details of the regional courts at the following link: https://birosag.hu/torvenyszekek).
- Updates and availability The Controller reserves the right to unilaterally modify the present Privacy Policy. The present Privacy Policy may be modified, in particular, due to any change in legislation, the practice of the data protection supervisory authority, business needs or newly discovered security risk. If requested by the Data Subject, the Controller shall provide the Data Subject with one original of the prevailing Privacy Policy, in a format mutually agreed with the Data Subject.