Politika privatnosti

PREAMBLE

The JDC Hungary Foundation is committed to protecting the privacy of all its campers and visitors. Accordingly, we will ensure that such data is handled securely and that JDC Hungary Foundation processes personal data in accordance with the applicable legal requirements. By drafting and publishing this notice, we wish to fulfil our obligation to provide the information required by Articles 13-14 of the GDPR.

JDC Hungary Foundation, as data controller, acknowledges that it is bound by the contents of this notice. It also reserves the right to change the content of this notice, which will be communicated to the data subjects in due time.

1. THE IDENTITY OF THE DATA CONTROLLER

The controller of your personal data:JDC Hungary Foundation (“Foundation” or “Data Controller”) registration number: 01-01-0012517

tax number: 18942408-2-42

registered office: Síp u. 12., 1075 Budapest, Hungary e-mail: info@jdchungary.hu

Contact of the data protection officer:

Data Protection Office Kft. (“DPO”)

e-mail: contact@dataprotectionoffice.hu

2. SCOPE OF THE PRIVACY STATEMENT

Material scope: This notice covers all personal data processing carried out during or in relation to the application to and participation at the JDC-Lauder International Jewish Youth Camp ("Szarvas Camp" or "Camp") and related online events.

Personal scope: Accordingly, this information notice applies

to all visitors to the website www.szarvas.camp (“Website”) who register a user account (“User”) with the explicit purpose of registering themselves or another participant represented by them in the Camp;
all participants of the Camp (“Participant” or “Camper”); and
all legal representatives of the Camper (“Legal Representatives”).

Period of validity: the standard text of this notice entered into force on 12 April 2024 and is valid from its publication until its withdrawal, but the Data Controller reserves the right to unilaterally modify this notice, after having informed the data subjects.

Joint application: Please note that the scope of the privacy notice published here (https://szarvas.camp/privacy-policy) covers all general processing activities of the Data Controller that are being carried out through the website but are not exclusive to the application to Szarvas Camp (e.g. cookies, newsletter services, etc.). When opening the Website for the purpose of obtaining information on the Camp, subscribing to the newsletter, registering a user account, or submitting the application (either on your own behalf or a minor), you acknowledge and consent to the above privacy policy as well as this notice.

3. GOVERNING LEGISLATION

The Foundation’s data management policies and procedures are in compliance with the applicable data protection legislation in force, in particular, but not limited to:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (“GDPR“);
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive“);
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (“Information Act”);
Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (“E-commerce Act“);
Act V of 2013 on the Civil Code (“Civil Code”);
Act C of 2000 on Accounting (“Accounting Act“).

4. POSSIBLE LEGAL GROUNDS FOR DATA PROCESSING

In accordance with EU data protection legislation, a legal basis is required for the processing of personal data. The applicable legal basis depends on the purposes for which the data are processed.

Please note that the Foundation currently processes your personal data on one of the following legal bases:

(i) the processing is based on your consent [Article 6(1)(a) GDPR],

(ii) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6(1)(b) GDPR],

(iii) processing is necessary for compliance with a legal obligation to which the Controller is subject [Article 6(1)(c) GDPR];

(iv) processing is necessary in order to protect the vital interests of the data subject [Article 6(1)(d) GDPR],

(v) processing is necessary for the purposes of the legitimate interests pursued by the Foundation as controller or by a third party [Article 6(1)(f) GDPR].

In some cases, your consent is therefore also required for the processing of data. Please note that if you have given your consent, you may withdraw it at any time, but please ensure that the withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.

In other cases, the processing of personal data is necessary for us to comply with our legal obligations, in which case the applicable legal provision is specified in Chapter 10 of this notice.

It may also be the case that the processing of your personal data is based on the legitimate interests of the Foundation or a third party, in which case we will indicate the identified legitimate interests in Chapter 10 of this notice.

5. LEGITIMATE INTEREST AS A LEGAL BASIS

According to Article 6(1)(f) of the GDPR, a legal basis exists where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

This means that the Foundation is only entitled to process your personal data on the basis of a legitimate interest if it first carries out an interest test to determine whether the legal basis is justified.

In doing so, the Foundation

(i) identifies its own or a third party’s legitimate interest in the processing of the personal data;

(ii) identifies your interests and fundamental rights as a data subject;

(iii) weighs the fundamental rights and interests, thus carrying out a necessity-proportionality test.

6. SOURCE OF DATA

As a general rule, we collect personal data directly from the data subject. In cases where we may also process personal data from other sources, we will indicate this separately in Chapter 10 of this notice in the description of the relevant data processing operation; where there is no such description, the source of the data will be the data subject.

7. THE TRANSFER AND THE RECIPIENTS OF THE DATA

There may be cases where the Foundation transfers your personal data to a third party, with appropriate information and data transfer guarantees.

The person to whom the data is disclosed is the recipient of the transfer and may fall into one of the following categories based on his or her relationship with the Foundation as data controller:

(i) The recipient of the transfer is a data processor, since they carry out the processing exclusively on behalf of the Foundation as data controller. They are typically external service providers who perform technical operations on the basis of instructions from the controller (e.g. accountant, payroll or system administrator);

(ii) The recipient of the transfer is an independent controller, since they determine the purposes and means of the personal data processing independently of the Data Controller and is in many cases subject to specific legal requirements. These are typically lawyers, doctors, but also public authorities and courts;

(iii) The recipient of the transfer is a joint controller with the Data Controller, as they jointly determine why and how personal data should be processed; often this is the case for affiliated companies.

1) Our independent controller recipients

In the performance of our obligations under the law and in the course of any dispute we may have with you, we may transfer data about you to the competent authorities, courts or our respective legal representatives who are in any case considered as independent data controllers, as explained above.

2) Our joint controller recipients

We hereby inform you that the Foundation does not carry out joint data processing with other data controllers in connection with your data.

3) Our data processor recipients

The Foundation uses the services of external partners for the purpose of operating the Website, using hosting services, and performing accounting and invoicing. All service providers process the personal data on the basis of the mandate and instructions received from the Foundation, for the sole purpose of carrying out operations of a technical nature, and are therefore considered as data processors in accordance with the provisions of the GDPR.

a) Accounting

1) Data processor name: Niveus Consulting Group Kft.
Registered office: Bécsi út 3-5. 1. em. 1., 1023 Budapest, Hungary
Website: www.niveus.hu
Contact: office@niveus.hu

2) Data processor name: Impuesto Kft.
Registered office: Visi Imre utca 14., 1089 Budapest, Hungary
Website: www.impuesto.hu
Contact: info@impuesto.hu

b) Billing software provider
Data processor name: BMD Rendszerház Kft.
Registered office: Madarász Viktor utca 47-49., 1138 Budapest, Hungary
Website: https://www.bmd.com/hu
Contact: support@bmd.hu

c) Hosting providers

1) Data processor name: 23VNET Kft.
Registered office: Liliom utca 24-26. II/5., 1094 Budapest, Hungary
Website: www.hostit.hu
Contact: info@hostit.hu

2) Data processor name: DigitalOcean, LLC
Registered office: 101 6th Ave New York, NY 10013, USA
Website: www.digitalocean.com
Contact: privacy@digitalocean.com

d) E-mail hosting provider
Data processor name: Microsoft Ireland Operations Limited
Registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Website: www.privacy.microsoft.com
Contact: +353 1 706 3117

e) System administrator
Data processor name: Rewaresoft Kft.
Registered office: Szerencse utca 8/A., 1185 Budapest, Hungary
Website: www.rewaresoft.hu
Contact: info@rewaresoft.hu

f) Webdesigner
Data processor name: WEBSTATION Bt.
Registered office: Makovecz Imre utca 23., 1034 Budapest, Hungary
Website: www.wst.hu
Contact: info@wst.hu

g) Payment system providers

1) Data processor name: PayPal (Europe) S.à r.l. et Cie, S.C.A.
Registered office: 22-24 Boulevard Royal, L-2449 Luxembourg
Website: https://paypal.com
Contact: enquiry@paypal.com

2) Data processor name: Barion Payment Zrt.
Registered office: Irinyi József utca 4-20. 2. em., 1117 Budapest, Hungary
Website: https://barion.com
Contact: compliance@barion.com

3) Data processor name: Apple Distribution International Ltd.
Registered office: Hollyhill Industrial Estate, Hollyhill, Cork, Ireland
Website: https://www.apple.com/hu/apple-pay/
Contact: apple.com/hu/privacy/contact

In Chapter 10, in the details of each processing operation, we will inform you whether the Foundation transfers your data to third party recipient(s) in the course of that processing operation and, if so, the relationship of that person(s) with us for data protection purposes.

8. TRANSFERS TO THIRD COUNTRIES

Please note that in certain cases, as set out in Chapter 10, your personal data will be transferred to a third country outside the EU, so we will provide specific information on this fact in the description of the relevant process and indicate the safeguards under Chapter V of the GDPR in relation to which the transfer to the third country may take place.

We would also like to draw your attention to the fact that one of the Foundation's storage providers, DigitalOcean LLC (registered office: 101 6th Ave New York, NY 10013, USA) as per section 7.3 c) stores the Foundation's electronically stored data in a third country, i.e. in the United States of America. DigitalOcean LLC participates in the EU-US Privacy Framework, the framework governing the transatlantic exchange of personal data for commercial purposes, and has completed its compliance with the Framework (certification date: July 26, 2023). Accordingly, the Foundation declares that DigitalOcean LLC, as a data processor, has the appropriate safeguards (adequacy decision) under Article 45 of the GDPR for the transfer of your personal data to the United States.

9. AUTOMATED DECISION-MAKING, PROFILING

Automated decision making is the ability to make decisions using technology without human intervention, with or without profiling. Profiling is the collection of information about an individual (or group of individuals) and the assessment of their characteristics or behaviour with a view to classifying them into a category or group.

Article 22 of the GDPR prohibits, as a general rule, automated decision-making in individual cases, including profiling; this can only be done by the controller, subject to the safeguards set out in the GDPR, and with the data subject being informed.

Please be informed that the Foundation does not currently use automated decision-making or automated profiling when processing your personal data. If we intend to change this in the future, we will inform you in advance and we will also inform you of the legal basis under Article 22(2) GDPR before we start processing and provide you with a duly conducted data protection impact assessment.

10. OUR DATA MANAGEMENT PROCESSES, BY PROCESSING PURPOSES

The data processing for each of the Foundation’s activities are as follows:

10.1. Data processing related to the user accounts

purpose of processing: creating a user account on the Website in order to enable registration to the Campscope of the data processed: first name, surname, e-mail address, whether you are above the age of 18, password

legal basis for processing: the consent of the User, pursuant to Article 6(1)(f) of the GDPRduration of data storage: until withdrawal of consent (deletion of user account), but no longer than 5 years from the last activityrecipient(s) of the transfer: –transfer to a third country: –

10.2. Data processing related to the application to Camp

a) Application and contracting procedure, keeping contact

purpose of processing: acceptance and assessment of applications to the Camp, preparation of contracts, keeping in touchscope of the data processed: 1) Camper's data: surname, first name, place and date of birth, nationality, gender, e-mail address (optional), phone number (optional); 2) In the case of a Camper under the age of 18, the details of the Legal Representative(s): surname, first name, telephone number, e-mail address, residential address, nature of the legal relationship with the Camper

source of the data processed: in the case of a Camper over the age of 18, the source of the data is the data subject; in the case of a Camper under the age of 18, the source of the data is the Legal Representative who created the user account

legal basis for processing: 1) In the case of a Camper over the age of 18, the legal basis is Article 6(1)(b) of the GDPR, i.e. the conclusion and fulfilment of a contract for camping between the Camper and the Foundation; 2) In the case of a Camper under the age of 18, the legal basis is consent, as per Article 6(1)(a) of the GDPR, but the consent is given by the Legal Representative of the Camper, and in the case of the Legal Representative, the legal basis is Article 6(1)(b) of the GDPR, i.e. the conclusion and fulfilment of a contract (between the Foundation and the Legal Representative)duration of data storage: until the statute of limitations of any legal claims that may arise in connection with the Camp, i.e. 5 years from the end of the given tourrecipient(s) of the transfer: –transfer to a third country: –

b) Identification, conclusion of insurance, travel arrangements

purpose of processing: identification of the Camper, verification of the Camper’s identity, and recording of any information necessary for insurance and travel arrangementsscope of the data processed: name of the attendee, social security number, address (home street and number, city, country, postal code), ID info (document type, number, issuing country, expiration date)

legal basis for processing: 1) In the case of a Camper over the age of 18, the legal basis is consent, as per Article 6(1)(a) of the GDPR; 2) In the case of a Camper under the age of 18, consent is given by the Legal Representative on behalf of the Camper

duration of data storage: until consent is revoked, or in the absence of this, until the statute of limitations of any legal claims that may arise in connection with the Camp, i.e. 5 years from the end of the given tourrecipient(s) of the transfer: –transfer to a third country: –

c) Personalizing the programs organized in the Camp, enhancing the camper experience

purpose of processing: ensuring the Camper's comfort at the highest possible level, enhancing the camper experiencescope of the data processed: T-shirt size, food preferences (optional), language preferences

legal basis for processing: 1) in the case of a Camper over the age of 18, the legal basis is consent, as per Article 6(1)(a) of the GDPR; 2) In the case of a Camper under the age of 18, consent is given by the Legal Representative on behalf of the Camper

duration of data storage: until consent is revoked, or in the absence of this, until the end of the given tourrecipient(s) of the transfer: –transfer to a third country: –

d) The Camper's affiliation, roots, relationship with the Jewish religion and culture

purpose of processing: the achievement of the primary goal of the Foundation, i.e. the promotion of Jewish culture and religion and the development of the Jewish community in Hungary through a camp organized for children with the same worldview, ties and rootsscope of the data processed: the Jewish roots and relatives, school name and movement name related to the Camper, and any other information provided voluntarily

legal basis for processing: the legal basis is Article 6(1)(f) of the GDPR, i.e. the Foundation's legitimate interest in the achievement of its primary goal, i.e. the promotion of Jewish culture and religion, and the promotion of the development of the Jewish community in Hungary

duration of data storage: until the end of the given tourrecipient(s) of the transfer: –transfer to a third country: –

e) Healthcare information to prevent and treat medical emergencies

purpose of processing: providing appropriate healthcare services to the Camper and enabling emergency care in order to prevent or in the event of a medical emergencyscope of the data processed: surname, first name, date of birth, height (optional), weight (optional), emergency contact information, current/past conditions (asthma, diabetes, mumps, measles) and specification (all optional), allergies (insect bites/bees, medication, pollen/dust, food) and specification (all optional), medication and specification, medication during camp and specification, other condition and specification, restrictions and specification, additional info (optional), medical history (surgery and specification, broken bones and specification)

legal basis for processing: the legal basis Article 6(1)(d) of the GDPR, i.e. the protection of Camper's vital interest (ensuring the possibility of adequate health and emergency care during the Camp; prevention and quick, effective treatment of medical emergencies)

duration of data storage: until the end of the given tourrecipient(s) of the transfer: doctors and healthcare service providers participating in the Camp as independent data controllerstransfer to a third country: –

f) Payment

purpose of processing: the Website contains online payment options via various payment platforms at the end of the registration process for the Camp's announced camp tours

scope of data processed: bank account owner's name, bank account number, bank card details (number, owner's name, expiry date, CVC code)

legal basis for processing: as per Article 6(1)(b) of the GDPR, the legal basis is the fulfillment of the contract between the Foundation and the Camper (or in the case of a Camper under the age of 18, the Legal Representative) through the payment of the participation fee

data storage period: the data of the bank card is not stored by the Data Controller, the data processing ends at the end of the payment process; the data relating to the bank account can be found on the Data Controller's bank account statements, which the Data Controller stores for a minimum of 8 years

recipient(s) of the data transfer: the Foundation’s accountants, Niveus Consulting Kft. and Impuesto Kft., as data processors; the service provider defined in section 7.3 g) operating the payment system you use (PayPal (Europe) S.à r.l. et Cie, S.C.A., Barion Payment Zrt. or Apple Distribution International Ltd.) as a data processor

data transfers to third countries: -

g) Billing

purpose of processing: receiving the participation fee, as well as forwarding and storing invoices issued for the participation fee in the Campscope of

data processed: data content defined in Section 169 of the VAT Act and Section 167 (1) of the Accounting Act; of which personal data: name and address of the service recipient

legal basis for processing: the fulfilment of a legal obligation on the Foundation pursuant to Article 6(1)(c) of the GDPR in accordance with Articles 165(1), 167(1) and 169(1) of the Accounting Act

data storage period: 8 years from the date of issue of the invoice

recipient(s) of the data transfer: the operator of the invoicing software, BMD Rendszerház Kft, and the Foundation’s accountants, Niveus Consulting Kft. and Impuesto Kft. as data processors

data transfers to third countries: –

10.3. Other data processing carried out during the camping, at the site of the Camp

a) Notification to authorities, proof of health status (for Campers under 18)

purpose of processing: Identification of the Camper and making the notification required by law to the competent authority

the scope of the data processed: Minor Camper's name, date of birth, address, mother's name; legal representative's name, signature, address and phone number, as well as a declaration according to Decree 12/1991 (V.18) about the camper's health status and infectious diseases

legal basis for processing: the fulfilment of a legal obligation on the Foundation pursuant to Article 6(1)(c) of the GDPR, in accordance with Sections 2-4 of Decree 12/1991 (V. 18.) on the health conditions of student youth holidays and camping

storage period: Until the end of the given tour

recipient of the transfer: –

data transfers to third countries: –

b) Camera surveillance (CCTV)

purpose of processing: Ensuring the protection of the persons and the property located in the Camp area through the use of an independent, closed-circuit camera system

the scope of the data processed: Image of the person, as well as data that can be obtained with the camera image (e.g. location, time of stay)

legal basis for processing: Article 6(1)(f) of the GDPR, i.e. the Foundation's legitimate interest in the protection of persons and property in the Camp area

storage period: If the recording is not used otherwise, it will be deleted after 15 days from the recording

recipient of the transfer: –

data transfers to third countries: –

c) Entry to the premises

purpose of processing: Identification and registration of employees, volunteers, Campers, Legal Representatives and other visitors entering the Camp territory by checking their personal identification documents and temporarily recording their licence plate numbers

the scope of the data processed: Identification data of the data subject during inspection of the personal identification document (name, number of the identification document, validity), time of entry and exit, registration number of the entering and exiting passenger vehicle

legal basis for processing: Article 6(1)(f) of the GDPR, i.e. the Foundation's legitimate interest in the protection of persons and property in the Camp area

storage period: ID data is not recorded; the licence plate numbers of passenger vehicles are kept until the 24th hour of the day after departure

recipient of the transfer: –

data transfers to third countries: –

d) Making and publishing recordings for marketing purposes

purpose of processing: Recording the events and "life" of the camp (photos, videos) and using them for marketing purposes on the Foundation's website and social media platforms

the scope of the data processed: Image and audio copy of the person concerned, as well as other data that can be obtained based on the recording

legal basis for processing: Article 6(1)(f) of the GDPR, i.e. the Foundation's legitimate interest in presenting the life of the Camp and the Foundation's programs and making them more attractive with the help of recordings, obtaining additional supporters

storage period: In the absence of objection by the data subject, for as long as the individual purpose of the recording justifies

recipient of the transfer: The Foundation's founder (American Jewish Joint Distribution Committee, Inc., hereinafter: AJJDC), its affiliated organizations (“Affiliates”), and organizations that the data controller or its affiliates partner with to advance Jewish life (“Partners”); funders and donors of AJJDC, Affiliates or Partners; Jewish Community Centers; Jewish social and welfare organizations; Jewish community federations; Jewish cultural or educational organizations; and, organizations that assist in Szarvas Camp’s recruitment or operation; as well as the Ronald S. Lauder Foundation; all as independent data controllers; the Foundation's social media accounts on the following platforms: Instagram, Facebook, Twitter/X and YouTube (you can read more about this in chapter 5 of our general data management policy: https://szarvas.camp/privacy-p...)

data transfers to third countries: USA and Israel (for the Foundation’s founder and other donors)

11. CONFIDENTIALITY

The Foundation’s employees and contractors are bound by confidentiality obligations and receive regular training on the handling of personal data and other critical information.

12. DATA SECURITY

The Foundation will make every reasonable effort to maintain physical, technical and regulatory security measures. These security measures are designed to protect against loss, unauthorized access, copying, modification or disclosure, as described below:

a) Restricted access

Personal information provided by you or generated during the course of your relationship with the Foundation is only accessible within the Foundation to those persons within the Foundation who need to know it in order to perform their job duties.

The Foundation processes and stores your personal data on paper at its headquarters, using physical protection systems, electronically on its own server or on a server provided by a server provider, with strictly limited and protected access.

b) Backup

Whenever data is electronically processed, viewed or accessed, the Foundation will ensure that data is backed up on a regular basis to ensure that your personal data is not irretrievably damaged or lost.

c) Program protection, virus protection

During the electronic storage and handling of data, the Foundation takes care to prevent unauthorised access and attempts to access the data, including by using firewalls and anti-virus software. It will ensure that the risk of data theft, misuse of personal data and loss of data is minimised by involving an IT expert and by regular monitoring.

d) Password protection

In order to protect personal data, all employees and contributors of the Foundation protect their work equipment with an individual password, which they are obliged to change regularly at specified intervals.

13. RIGHTS OF DATA SUBJECTS

You have the right under Articles 13-21 of the GDPR to

a) request information from the Data Controller about the processing of your personal data within the duration of the processing (“right to information“). The Foundation will inform you in writing, in an intelligible form, within the shortest possible period of time from the date of the request, but not later than 1 month, about the data processed, the purposes, legal basis and duration of the processing, and, if the data have been transferred, who is or are receiving the data and for what purposes;

b) receive feedback from the Data Controller as to whether or not their personal data is being processed and, if such processing is taking place, have the right to access the personal data and basic information relating to them (purposes of the processing; categories of personal data concerned; recipients to whom or with which the personal data have been or will be disclosed; envisaged duration of the storage of the personal data); your right to request the Data Controller to rectify, erase or restrict the processing of personal data concerning you and to object to the processing of such personal data; your right to lodge a complaint with a supervisory authority; if the data have not been collected from the data subject, any available information on their source) (“right of access“). The Foundation will provide you with a copy of the personal data that is the subject of the processing. The right to obtain a copy must not adversely affect the rights and freedoms of others;

c) upon your request, the Foundation will correct inaccurate personal data concerning you without undue delay (“right to rectification“). Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration;

d) upon your request, the Foundation will delete personal data concerning you without undue delay (“right to erasure“) where

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
you have withdrawn your consent to the processing and there is no other legal basis for the processing;
you object to the processing and there is no overriding legitimate ground for the processing;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller.

The right of erasure does not extend to data processed by the Foundation in the performance of a contract or legal obligation or on the basis of a legitimate interest;

e) upon your request, the Foundation restricts the processing (“right to restriction“) where

you contest the accuracy of the personal data (for a period of time until the accuracy of the data is established);
the processing is unlawful and you object to the erasure of the data and instead request the restriction of its use;
the Data Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to the processing (pending the completion of the consideration of the objection).

If the processing is restricted, such personal data may be processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.

f) receive personal data concerning you provided to the Foundation in a structured, commonly used, machine-readable format and have the right to transmit such data to another controller without hindrance from the Foundation (“right to data portability“);

g) object at any time, on grounds relating to your particular situation, to the processing of your personal data on the basis of the Foundation’s legitimate interest (“right to object“). In this case, the Foundation may no longer process the personal data unless you can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;

h) withdraw your consent to the processing at any time, but please take note that the withdrawal of your consent does not affect the lawfulness of the processing based on your consent prior to its withdrawal.

Please send your request to exercise these rights to the DPO, at the contact set out in Chapter 1 (contact@dataprotectionoffice.hu), by electronic mail.

The Foundation will inform you without undue delay, but in any event within 1 month of receipt of your request, of the action taken on it (in the form in which you have addressed your request to us, in the event of a request to the contrary). If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Foundation will inform you of the extension, stating the reasons for the delay, within 1 month of receipt of the request.

14. LEGAL REMEDY

a) What can you do if your request is rejected?

If the Foundation refuses your request, we will inform you in writing within one month of receipt of your request why we have been unable to comply with your request, inform you of your legal remedies and inform you that you can lodge a complaint with the National Authority for Data Protection and Freedom of Information.

b) What are your rights if you consider that the processing is unlawful?

If you believe that the processing of your personal data is unlawful, you may initiate an investigation procedure pursuant to Article 52 (1) of the Information Act at the National Authority for Data Protection and Freedom of Information (registered office: Falk Miksa utca 9-11, 1055 Budapest, Hungary; postal address: 1363 Budapest, Pf. 9., e-mail: ugyfelszolgalat@naih.hu; telephone: +36 (1) 391-1400).

Finally, we inform you that if the Foundation wishes to carry out further processing of your personal data for purposes other than those for which they were collected, you will be informed again of the different purposes and any other information relating to the processing prior to the further processing.