DATA PROTECTION NOTICE

Privacy Policy for the data of the Customers of MűvészTerem

 

I. Legal background and purpose of data protection

When creating these regulations, we took into account the CXII of 2011 on the right to self-determination of information and freedom of information. Act (Infotv.), as well as Article VI of 1998 on the promulgation of the Convention on the Protection of Individuals during the Machine Processing of Personal Data, dated January 28, 1981 in Strasbourg. law, as well as the provisions of Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: GDPR), as well as the recommendations of the "ONLINE PRIVACY ALLIANCE".

This data protection policy and questions related to data protection shall be governed by Hungarian law, in the event of any legal dispute arising in the context of data protection, the courts of Hungary shall have jurisdiction and the Hungarian courts at the seat of the Data Controller(s) shall have exclusive jurisdiction.

The purpose of this data protection policy is to ensure that in all areas of our services, for all individuals, regardless of their nationality or place of residence, their rights and fundamental freedoms, especially their right to privacy, are respected during the machine processing of their personal data (data protection).

 

II. Data of data controllers

  • Name: Művészterem (www.muveszterem.hu, maintained by: Művészterem Kft.)
  • Headquarters: 1141 Budapest, Kalauz utca 21.
  • Tax number: 32355189-1-42
  • Company registration number: 01-09-419804

 

III. Definitions

personal data: any information relating to an identified or identifiable natural person (hereinafter: data subject); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;

data handling: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making available in any other way through, alignment or connection, restriction, deletion or destruction;

data transmission: if data is made available to a specific third party;

Disclosure: if data is made available to anyone;

data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;

data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

data deletion: rendering data unrecognizable in such a way that their recovery is not possible;

 

ARC. Data management principles

In accordance with Article 5 of the GDPR, the Data Controller ensures that personal data are

the) its handling must be carried out legally and fairly, as well as in a transparent manner for the data subject ("legality, fair procedure and transparency");
b) be collected only for specific, clear and legitimate purposes, and they should not be handled in a way that is incompatible with these purposes; further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes, or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation");
c) they must be appropriate and relevant for the purposes of data management and must be limited to what is necessary ("data sparing");
d) they must be accurate and, where necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data processing ("accuracy");
e) its storage must take place in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management; personal data may be stored for a longer period only if the personal data will be processed in accordance with Article 89 (1) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, the rights of the data subjects and subject to the implementation of appropriate technical and organizational measures required to protect your freedoms ("limited storage capacity");
f) must be handled in such a way that adequate security of personal data is ensured by the application of appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage of data ("integrity and confidentiality").

 

V. Additional guarantees protecting data subjects

Everyone has the right to

receive information about your data and data management (the data subject's right of access),

the data subject has the right to request that the data controller limit the processing of data if one of the following is met: (a) the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to verify the personal data accuracy; (b) the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use; (c) the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or (d) the data subject has legally objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

in justified cases, you can correct or delete these data without delay (the right to be forgotten). The Data Controller informs all recipients of all corrections, deletions or data management restrictions to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the data controller informs about these recipients;

during consent-based data management, the personal data provided by him to MűvészTerem (maintainer: Művészterem Kft.) will be received in a segmented, widely used, machine-readable format, and he is also entitled to have MűvészTerem (maintainer: Művészterem Kft.) these transfer data to another data controller. The exercise of this right must not violate the right to be forgotten and must not adversely affect the rights and freedoms of others;

can avail of legal remedies if his request for information or, in justified cases, communication, correction or deletion, as stipulated in the legislation, is not fulfilled. At the request of the data subject, the data controller shall provide information on the data managed by it or processed by the processor commissioned by it, the purpose, legal basis, duration of data processing, the name, address (headquarters) of the data processor and its activities related to data processing, as well as by whom and for what purpose it is or was received data. The data controller is obliged to provide the information in writing in an understandable form as soon as possible, but no later than 30 days after the submission of the request. In the event of a violation of their rights, the data subject may appeal to the court against the data controller. The data controller is obliged to compensate the damage caused to others by the illegal processing of data of the data subject or by violating the requirements of technical data protection. The data controller is also liable to the data subject for damage caused by the data processor. The data controller is released from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data management. There is no need to compensate the damage if it resulted from intentional or grossly negligent behavior of the injured party.

 

VI. The legal basis, purpose, scope and time of data management

 

  1. Legal basis for data management

The regulations related to data management and the protection of visitors' personal data apply only to natural persons, given that personal data can only be interpreted in relation to natural persons (based on Act CXII of 2011 on the right to self-determination of information and freedom of information), therefore this data protection policy is binding only with regard to the management of the personal data of natural persons registering on the website.

a) VI.2. The legal basis for the data management included in point a) is the consent of the data subjects and the legitimate interest of the Data Controller to be able to fulfill the contract between the data subject and the Data Controller (GDPR Article 6 (1) point b).

b) VI.2. f) The legal basis for the data management included in points (ii)-(iii) is the consent of the data subjects. The data subjects give their consent during the registration for the individual data management purposes separately, so-called by ticking a check box, and later by handing over their personal data.

c) VI.2. The legal basis for the data management contained in point b) is, in particular, CXXVII of 2017 on general sales tax. TV. § 169 and § 202, as well as § 167 of Act C of 2000 on accounting. Website users accept the operation of cookies if they click on the "I understand" sign on the Website. If the use of cookies is accepted, the information and consent also extends to the use of the website during subsequent connections of the user's device.

d) VI.2. The legal basis for the data management included in point d) e) f) is the legitimate interest of the Data Controller in order to be able to fulfill the contract concluded between the data subject and the Data Controller (GDPR Article 6 (1) point b)).

 

  1. The purpose of data management and the scope of the data managed

Personal data may only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. All stages of data management must meet this goal. Only such personal data can be processed that is essential for the realization of the purpose of data management, is suitable for achieving the purpose, and only to the extent and for the time necessary for the realization of the purpose.

  • Purpose: provision of sales services, fulfillment of related contractual rights and obligations.
  • Data: name, e-mail address
  • Purpose: fulfillment of statutory tax and accounting obligations (bookkeeping, taxation).
  • Data: personal data defined by law, especially name, payment data.
  • Purpose: use for marketing purposes, sending newsletters (commercial offers), use for direct business acquisition purposes.
  • Data: e-mail address.
  • Purpose: sale of image to data controller

Data: name, e-mail address, phone number, photo of the painting (paintings), additional information about the picture provided in the comments section (review number, reproduction or exhibition list, etc.)

  1. e) Purpose: informing other users about sales activities

Data: name, e-mail address, phone number, photo of the painting (paintings), additional information about the picture provided in the comments section (review number, reproduction or exhibition list, etc.)

  1. f) Cookie: cookies are information automatically logged by our servers. The Fund Manager uses the following cookies:

(i) Session cookies

(ii) Performance cookies (analytics)

(iii) Third Party Cookies

 

  1. Duration of data management
    a) VI.2. b) manages the data for the period specified in the law (the end of the 8th year after the termination of the contract between the parties).
    b) The data controller deletes the user data within 14 working days if the user submits a deletion request, if the user indicates this request to the customer service.
    c) VI.2. The data processing included in point c) lasts until the user unsubscribes, which can be done at any time by clicking on the "Unsubscribe" link at the bottom of the newsletter, or you can indicate your unsubscribe request to our customer service, in which case the unsubscribe will take place automatically within 14 working days.

 

VII. Data security

A data controller, or a data processor within the scope of their activities, is obliged to ensure the security of the data, and is also obliged to take the technical and organizational measures and establish the procedural rules that are necessary to enforce the data protection law and other data and privacy protection rules. The data must be protected in particular against unauthorized access, alteration, disclosure or deletion, as well as against damage or destruction.

 

VIII. Privacy Policy

The Data Controller undertakes to publish a clear, attention-grabbing and unequivocal statement (data protection statement) before recording, recording and processing any of its users' data, in which it informs them about the method, purpose and principles of data collection. In addition to all this, the Data Controller draws the user's attention to the voluntary nature of data provision. The data subject must be informed about the purpose of the data management and who will manage and process the data. All employees and senior officers of the Data Controller are entitled to access the data managed by the Data Controller. Information about data management is provided even if the law provides for the collection of data from existing data management by transmission or connection.

In any case, if the Data Controller intends to use the provided data for a purpose other than the purpose of the original data collection, it is obliged to inform the user of this and to obtain his prior express consent, or to provide him with the opportunity to prohibit the use.

When collecting, recording and handling data, the Data Controller always complies with the restrictions set out in the basic principles, and informs the data subject of his activities by electronic mail, according to his request. The Data Controller undertakes not to enforce any sanctions against users who refuse to provide non-mandatory data.

The Data Controller undertakes to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules that ensure that the recorded, stored and managed data are protected, as well as to prevent their destruction, unauthorized use and unauthorized change. You also undertake to call on all third parties to whom you may forward or transfer data to fulfill their obligations in this regard.

Although Művészterem (maintainer: Művészterem Kft.) does not offer services intended for persons under the age of 16, it hereby declares that it does not collect or process personal data about persons under the age of 16.

When our users visit our sites, they can generally do so without revealing their identity or providing any personal information. Of course, when entering the name and e-mail address, users have the option to use an alias instead of their real name upon registration. In this case, however, the Data Controller may not be able to provide the purpose of data management.

Anonymous information that is collected with the exclusion of personal identification and cannot be linked to a natural person is not considered personal data, nor is demographic data that is collected in such a way that it is not linked to the personal data of identifiable persons and therefore cannot be identified as personal data. connection with a natural person.

As a general principle, we declare that in all cases where we request personal data from our visitors, after reading and interpreting the necessary information text, they can freely decide whether to provide the requested information. However, we must note that if someone does not provide their personal data, they may not be able to use the service that requires the provision of personal data.

This data protection policy is related to the protection of visitors' personal data that is not intended for the public, but is provided to the Data Controller. If someone voluntarily discloses their personal data or part of it, such information is not covered by the data protection policy.

In all cases, we indicate which data, for which purpose and under which conditions, are required to be provided during registration. In this case, the mandatory term does not refer to the mandatory nature of the data collection, but to the fact that there are records without which the registration cannot be completed successfully, so leaving certain fields blank or filling them in incorrectly may lead to the rejection of the registration.

In the absence of authorization, we will not pass on the personal data provided to us by our visitors to third parties under any circumstances.

If the authorities authorized to do so request the service provider to hand over personal data in the manner prescribed by law (e.g. on suspicion of a crime, in an official data seizure decision), the Data Controller - fulfilling its legal obligation - will hand over the requested and available information.

If our users provide us with personal data, we will take all necessary steps to ensure the security of this data - both during network communication (i.e. online data management) and during data storage and protection (i.e. offline data management).

The Data Controller ensures that visitors can access, correct and supplement their own personal data through the communication channels and by providing the same options through which their personal data was previously made available to us. In this way, we want to ensure that the personal data of our users is always fresh, accurate and up-to-date. If any of our users requests that we delete their personal data from our own system (assuming, of course, in certain cases that they will no longer be able to use the service to which this data belonged), we will do so immediately.

 

IX. Within this framework, the rules applied by the Data Controller during data collection

  1. Data suitable for unique access by users.

Users' individually accessible data (e.g. e-mail addresses) will only be used for purposes previously approved by the user, and will not be transferred to third parties under any circumstances without the user's prior written permission - apart from the exceptions provided for by law.

  1. Data suitable for physical access by users

We only use data for purposes approved in advance by the user, they are not passed on to third parties, with the exception of the exceptions provided for by law.

At the User's request, the Data Controller provides information about the User's data managed by it, the purpose, legal basis, duration of the data processing, the name, address (headquarters) of the data processor and its activities related to data processing, as well as about who and for what purpose the data is or has been received. Information at info@muveszterem.hu.

If our users believe that we have violated their right to the protection of their personal data, they can apply to the court or request the National Data Protection and Information Freedom Authority (1125 Budapest, Szilágyi Erzsébet fasor 22/c, www.naih.hu) help as well.

The court acts out of sequence in the case. Adjudication of the lawsuit falls within the jurisdiction of the court. According to the user's (data subject's) choice, the lawsuit can also be initiated before the court of the user's (data subject's) place of residence or residence.

The detailed legal provisions regarding legal remedies and the obligations of the data controller can be found in Act CXII of 2011 on the right to self-determination of information and freedom of information. contained in the law.