Data processing policy
Name of data controller:
MACCABI VÍVÓ ÉS ATLÉTIKAI CLUB (hereinafter: Service Provider or Data controller)
Seat and other contacts of Data controller:
- seat: 1061 Budapest, Paulay Ede u. 1.
- site: 1061 Budapest, Paulay Ede u. 1.
- phone number: +36 1 374 3070
- e-mail address: email@example.com
- organizational form: non-governmental organization
- Registration Office: Municipal Court of Budapest
- Registry number of non-governmental organization: 954, number, date of decision: Pk.61174/1989/1, 10/01/1990
- KSH statistic number: 19016247932952101
- website: maccabi.hu
- name: Lela Paran
- e-mail address: firstname.lastname@example.org
- mailing address: 1061 Budapest, Paulay Ede u.1.
The purpose of the present guideline is to inform all visitors of the website, registering people, and all other affected parties (hereinafter: Affected parties) whose personal data the Service provider manages about personal data management and about the Affected parties’ rights according to current legislation.
The Service provider shall reserve the right to modify the present guideline and shall inform the Affected parties of the modification by publishing it on its website. The present guideline will be continually available on the website of Service provider.
personal data: Any information related to an identified or identifiable natural person (‘affected’); an identifiable person is a natural person who can be identified in a direct or indirect way, particularly based on an identifier such as name, number, location data, online identifier, or based on one or several facts related to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
special data: Personal data referring to racial or ethnic origin, political opinion, religious belief or world view conviction, or trade union membership, genetic and biometric data for the individual identification of natural people, medical data, and personal data referring to the sexual life or sexual orientation of natural people;
data management: Any operation or set of operations performed on personal data or data files in an automated or non-automated way, such as collection, recording, systemization, dividing, storing, converting or changing, querying, insight, using, informing, transferring or other method, harmonizing, limiting, canceling or eliminating;
data manager: Natural or legal person, public authority, agency or any other organization that individually or with others defines the purposes and tools of managing personal data; the purposes and tools of data management are defined by the law of the European Union or a Member State; special viewpoints relating to assigning the data manager can be defined by the law of the European Union or a Member State;
data processor: Natural or legal person, public authority, agency or any other organization that manages personal data on the behalf of data manager;
creating profile: Any form of automated management of personal data in which personal data are used to value, analyze or forecast certain personal attributes connected to a natural person, especially workplace performance, economic situation, state of health, personal preferences, inquiry, trustworthiness, behavior, residency or movement;
pseudonymisation: Managing personal data in such a way that the personal data can no longer be attributed to any concrete natural person without the use of additional pieces of information, if these additional pieces of information are stored separately, and it is secured by technical and organizational regulations that this personal data cannot be attributed to identified or identifiable natural people;
addressee: Natural or legal person, public authority, agency or any other organization to which the personal data are communicated, whether it is a third party or not; public authorities that have access to personal data within the individual framework in accordance with the law of the European Union or a Member State are not addressees; the management of the mentioned data by these public authorities must meet the data protection rules in conformity with the purposes of data management;
third party: Natural or legal person, public authority, agency or any other organization that is not equal to the affected person, the data manager, the data processor or the people who have authority to manage personal data under the direct control of data manager or data processor;
contribution of the affected party: A clear and free-will declaration of the affected party’s intention, based on concrete and suitable information, by which the affected party indicates, by declaration or by an act unmistakably expressing confirmation, that it agrees to the management of personal data concerning it;
data protection incident: An injury of security that results in accidental or tortious reversing, losing or changing of, or unauthorized notification of or access to, transferred, stored or otherwise managed data;
company: Natural or legal person carrying economic activity, regardless of the legal form, including partnerships carrying regular economic activities;
data forwarding: Making the data accessible to a specified third party;
publicizing: Making the data accessible to anyone;
canceling data: Making data unrecognizable in such a way that data recovery is impossible;
data destruction: Total physical destruction of the data medium that contains the data;
data processing: All data management operations made by data processor entrusted by the data processor or based on provision of the data processor;
data file: Total data managed in one register;
I. Certain data managements, principles, purpose of data management, scope, time and legal basis of managed data
1. Preliminary provisions
Principles of managing personal data
Legality, fair trial and transparency: Personal data shall be managed legally and fairly, and shall be transparent to the affected party.
Purpose limitation: Collecting personal data shall happen only from defined, obvious and legal purpose, and personal data cannot be managed in a way is reconcilable with the above purposes.
Data sparing: Personal data shall be suitable and relevant to the purpose of data management, and shall be limited to what is necessary.
Punctuality: Personal data shall be punctual and up-to-date on demand, and every reasonable provision must be made in order to cancel forthwith or to correct personal data that are unpunctual from the viewpoint of the purposes of data management.
Limited storage: Personal data shall be stored in a way that enables the identification of affected parties only for the period necessary for achieving the purposes of personal data management.
Integrity and confidentiality: Personal data shall be managed in such a way that ensures security of personal data by applying technical or organizing provisions, and ensures security against unauthorized or tortious management, against accidental losing, destruction or damage of personal data.
According to the principle of accountability, the Service provider shall be responsible to meet the requirements of these principles, in addition it shall be able to certify this adequacy.
The Service provider provides its activities and services partially through its website. Personal data are processed with IT tools, and data are stored both on paper and on computer. The Service provider manages data solely when it is essential to realizing the purpose of data management, for the necessary period and to the necessary extent. It shall store personal data in a way that the affected party can be identified only for the period needed for the purpose of storage. The Service provider shall not collect special data.
Personal data can be managed when the affected party has contributed to the management of its personal data for one or several concrete purposes. Data management by the Service provider shall be based on free-will contribution. The affected party is entitled to withdraw its contribution. The withdrawal of contribution shall not affect the legality of data management based on contribution before the withdrawal. If data management is based on contribution, the data manager shall be able to certify that the affected party has contributed to the management of its data. The Service provider collects personal data from the affected parties. If the informant provides personal data that are not its own, the informant shall be liable for obtaining the contribution of the affected parties.
Personal data can be managed, if data management is necessary for performing a contract in which the affected party is one of the parties, or it is necessary to make the steps asked by the affected party prior to contracting; if data management is necessary for performing legal obligation related to data processor; if data management is necessary for protecting vital interests of the affected party or of another natural person; if data management is necessary for enforcing the rights of the data processor or a third party, except when protection of personal data will be necessary because of the interests, fundamental rights and freedom of affected party have priority against the interest mentioned above, particularly if the affected party is a child. When data management is necessary for performing legal obligation or contract, or enforcing legal interest, the data management will be independent from affected party’s contribution.
The Service provider shall manage personal data given by the affected party mainly for the purposes of identification, contacting and providing service. The Service provider shall erase the personal data when the purpose of data management ends, when the deadline for data storage under the legislation expires, or at the request of the affected party. After data are erased, a backup copy may store personal data temporarily, for up to 24 hours.
2. Certain data managements
The affected party has the possibility to make contact with the Service provider via the contact details on the website. By initiating contact, the affected party gives its free-will, concrete and clear contribution, based on prior information, to the management of its personal data by the Service provider for the purpose of contact through the given e-mail address.
- Purpose of data management:
- Scope of managed data: Name, e-mail address, and personal data given in the message.
- Legal basis of data management: Free-will contribution of the affected party, GDPR Article 6 (1) (a).
- Period of data management: Till withdrawal of affected party’s contribution, or till 31st December of current year of last contact.
- Scope of affected parties: Affected parties initiating contact.
- Possible consequences of failing to provide data: In the absence of data for making contact, it is impossible to make contact and keep in contact.
2.2. Data provision, addressees, categories of addressees
Head of the Service provider and the assigned employee are entitled to know the personal data.
The Service provider may resort to a data processor or data manager in order to ensure the continual and suitable operation of its website, to perform certain services, to do its accounting duties, and to settle accounts.
In other cases, the Service provider shall not distribute personal data to a third party without legal authorization, contribution or other legal basis.
Possible consequences of failing to provide data: The affected party cannot use certain services of the Service provider.
Personal data management shall happen at the seat of the service providers doing data management or data processing. If the Service provider supplies data to these service providers, the regulations of their own data protection policy are normative.
2.3. Other data managements
In case of a violation of law, the Service provider shall collaborate with the authorities with the relevant jurisdiction, within the possibilities provided by law, in order to call the wrongdoing parties to account. Other authorities shall contact the Service provider based on the contribution of a court, prosecution office, investigation office, or legislation in order to obtain information, data or documents. The Service provider, knowing the exact purpose and scope of the data, shall deliver personal data to the authorities only to the extent that is essential for fulfilling the purpose of the contact.
II. Rights and legal remedies of affected parties related to data management
1. Rights and exercise of rights of affected parties
The affected parties may turn directly to the Service provider with their complaints, objections, and the Service provider shall undertake every action required to end and to remedy any violation.
Rights of affected parties in connection with data management:
- Access rights of the affected party
- Right of adjustment
- Right of cancel (“right of effacing”)
- Right of limiting data management
- Right of data portability
- Right of objection
According to the regulation (GDPR), the Service provider will give more detailed information about rights of the affected party, about the cases when the affected party can require Service provider to access personal data, to modify them, to cancel them or to limit the data management, about when the affected party can object to manage its personal data, and about the right of portability of affected party.
The data manager shall inform every addressee to whom the personal data were communicated about any modification, cancellation or limitation of data management, except when this is impossible or requires disproportionately great effort. The data manager shall inform the affected party about these addressees at the request of the affected party.
The Service provider shall make every effort to deliver all information related to the management of personal data to the affected party in a concise, understandable, clear and easily accessible form; the information shall be framed unequivocally and reasonably. The Service provider shall deliver the information in written or other form, including by electronic means in certain cases. The Service provider shall give the information verbally at the request of the affected party, if the identity of the affected party is validated.
The Service provider shall inform the affected party about the provisions made based on the request without undue delay, within one month of the arrival of the request. In case of need, this deadline can be extended by taking into consideration the complexity and number of requests. The Service provider shall inform the affected party about the deadline extension, naming the reasons for the delay, within one month of receiving the request. If the affected party submitted the request electronically, the information shall be given electronically if possible, except when the affected party asks for it in another way.
If the Service provider does not make arrangements based on the affected party’s request, the Service provider shall inform the affected party about the reasons for not making arrangements without delay, but within one month of receiving the request at the latest, and shall inform the affected party that it can make a complaint at any supervisory authority and can exercise its right of remedy.
The Service provider shall provide information and arrangements free of charge. If the affected party’s request is obviously unsubstantiated or exaggerated because of its particularly repetitive nature, the data manager may charge a reasonable administrative fee for providing suitable information, or it may deny the arrangements based on the affected party’s request.
If the data manager has well-founded doubts regarding the natural person who submitted the request, it may ask additional information in order to confirm the affected party’s identity.
1.1. Access rights of the affected party
The affected party is entitled to get feedback from the data manager on whether its personal data are being processed, and if so, the affected party is entitled to get access to the personal data and the information determined in the regulation.
These pieces of information particularly:
- purposes of data management;
- categories of affected party’s personal data;
- addressees and categories of addressees to whom the personal data have been or will be communicated, including addressees in third countries and international organizations;
- planned period of personal data storage, or, if this is not possible, the viewpoints for determining this period;
- the affected party is entitled to request to correct, to cancel or to limit the management of its personal data from the data manager and to protest against managing personal data;
- right to submit complaint to any supervisory authority;
- if the data were not collected from the affected party, it can access to all available information regarding their source;
- fact of automated decision-making including creating profile, and information about the applied logic at least in these cases and about the significance of data management and the consequences of data management for the affected party.
The data manager shall provide a copy of the personal data that are the subject of data management to the affected party. The data manager may charge a reasonable administrative fee for additional copies asked for by the affected party. If the affected party submitted the request electronically, the information shall be provided in a widely used electronic form, except when the affected party asks for it in another way. The mentioned right to request a copy shall not adversely affect the rights and freedom of others.
1.2. Right of adjustment
The affected party is entitled to request the data manager to adjust its inaccurate personal data without undue delay. Considering the purpose of data management, the affected party is entitled to request to amend the incomplete personal data via supplemental declaration.
1.3. Right of cancel (“right of effacing”)
The affected party is entitled to request the data manager to cancel its personal data without undue delay, and the data manager is obliged to cancel the affected party’s personal data without undue delay in any one of the following cases:
- the personal data are no longer necessary for the purpose for which they were collected or otherwise managed;
- the affected party withdraws its contribution that was the base of the data management, and the data management has no other legal basis;
- the affected party protests against the data management according to Article 21 (1), and there is no legal reason having priority for data management, or the affected party protests against the data management according to Article 21 (2);
- the personal data were managed in a wrongful way;
- the personal data must be cancelled in order to perform a legal obligation prescribed in the law of the European Union or a Member State;
- collection of personal data happened in connection with offering services mentioned in Article 8 (1) related to informational society.
If the Service provider published the personal data and is obliged to cancel them, it shall take the steps that can be expected, including technical regulations, considering the available technology and the costs of realization, in order to inform the data managers who manage the data about the affected party’s request to cancel the links to and copies of the personal data.
The current point cannot be applied if the data management is necessary for the followings: Deliverance for practicing right of freedom and orientation; for submitting, validating and protecting legal demands.
1.4. Right of limiting data management
The affected party is entitled to request the data manager to limit the data management if any of the following is fulfilled:
- The affected party debates the accuracy of the personal data; in this case the limitation refers to the period that enables the data manager to check the accuracy of the personal data;
- The data management is wrongful, and the affected party opposes the cancellation of the personal data and instead requests the limitation of their use;
- The data manager does not need the personal data for data management purposes, but the affected party requires them in order to submit, validate or protect legal demands; or
- The affected party protested against the data management according to Article 21 (1); in this case, the limitation refers to the period until it is stated whether the legal reasons of the data manager have priority over the legal reasons of the affected party.
If the data management is limited, the personal data can be managed, with the exception of storage, only with the affected party’s contribution, or in order to submit, validate and protect legal interests, or in order to protect the rights of another natural or legal person, or if this is necessary because of an important public interest of the European Union or one of the Member States.
The data manager shall inform the affected party who requested the limitation about the lifting of the limitation of data management.
1.5. Right of data portability
The affected party is entitled to receive the personal data it has handed over to the data manager in an articulated, well-known, readable format; additionally, it is entitled to forward the personal data to another data manager, and the data manager that received these data shall not limit this forwarding, if:
- The data management is based on contribution or contract; and
- The data management happens in automated way.
In the course of right of data portability, the affected party is entitled to ask the direct forward of personal data between the data managers, if it is technically realizable.
Right of data portability shall not affect others’ rights and freedom disadvantageously.
1.6. Right of objection
For reasons relating to its own situation, the affected party is entitled to protest against the data management of public utility of its personal data, against the data management of public power, or against data management based on legal interest, including profile creation based on the mentioned regulations. In this case, the Service provider shall not manage the data any longer, except when the Service provider proves that the data management is justified by such compelling legal reasons that have priority over the affected party’s interests, rights and freedom, or that are connected to the submission, validation and protection of legal demands.
If personal data are managed for the purpose of direct marketing, the affected party is entitled to protest at any time against the management of its personal data, including profile creation, if it is connected with direct marketing. If the affected party protests against the management of its personal data for the purpose of direct marketing, then the personal data shall no longer be managed for this purpose.
2. Exercise of rights in Court and authority
The affected party may exercise its rights in Court related to data management based on Infotv.
The affected party may turn to Court against the data manager and the data processor in relation to the operations belonging to the core activities if, in the affected party’s judgement, the data manager or the assigned data processor managed the personal data in a way that violated the regulations of the relating legislation or the regulations determined by a mandatory legal act of the European Union. The data manager or the data processor shall prove that the data management meets the requirements of the regulations. The affected party may bring an action before the tribunal that is competent for the affected party’s place of residence or place of abode. A person who has no contentious legal capacity can also be a party in the suit. The Authority may intervene in the suit in order that the affected party prevails.
The affected party may turn to Hungarian National Authority for Data Protection and Freedom of Information.
Contacts of Hungarian National Authority for Data Protection and Freedom of Information:
- name: Nemzeti Adatvédelmi és Információszabadság Hatóság
- seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- website: http://naih.hu
- phone number: +36 (1) 391-1400
- fax: +36 (1) 391-1410
- e-mail: email@example.com
3. Right of compensation and the responsibility
Every person who suffers property or non-property damage as a result of an injury of the regulation will be entitled to get compensation for the damage from the data manager or the data processor. Every data manager who is involved in the data management is responsible for all damages caused by data management that injured the regulation.
The data processor is responsible for damages caused by data management only if it did not observe the obligations determined in the regulation that relate specially to data processors, or if it did not take notice of the legal instructions of the data manager, or if it proceeded contrary to the instructions.
The data manager and the data processor shall be exempt from responsibility if they prove that they are not responsible for the event that caused the damage.
If more data managers, more data processors, or both data manager and data processor are affected in the same data management, and have responsibility for the damages caused by data management, each data manager or data processor shall have general responsibility for the whole damage in order to ensure the effective compensation.
Validation for right of compensation shall be initiated in the competent Court.
III. Security of the data management
The Service provider shall ensure the security of personal data, shall make the necessary technical and organizing regulations, shall protect them against the unauthorized access, modification, forward, publishing, cancellation or destruction, in addition accidental destruction and damage, and against being unavailable because of changed technology. The Service provider shall do everything in order to ensure the smooth operation of functions on the website, and in order to protect the server ensuring the access of website against the viruses.
The Service provider shall store the data on its servers encrypted and password-protected. When entering, the affected parties communicate with the server through an encrypted data channel. The servers are in the server room of Pannon Host Informatikai Szolgáltató Kft. (8300 Tapolca, Egry J. utca 9. Office building “A”, 1st floor, room 4). The parts of the service include, among others, reserved power supply with interceptors, air-conditioned environment, electronic power supply, uninterruptible power supply, troubleshooting service, and internet connection.
Paper-based data storage at the Service provider’s seat shall happen solely in a lockable room, or in a drawer or chest, so that the data cannot be accessed or recognized by an unauthorized person.
- Data protection incident:
A data protection incident is damage to security that results in the wrongful destruction, loss or modification of, or unauthorized publishing of or unauthorized access to, forwarded, stored or otherwise managed personal data.
The data manager shall report a data protection incident to the competent authority without undue delay and, if possible, within 72 hours after the data manager noticed the data protection incident, except when the data protection incident is likely to mean no risk for the rights and freedom of natural persons. If the data manager does not report the data protection incident within 72 hours, it shall attach the reasons for the delay.
If the data protection incident may mean a high risk for the rights and freedom of natural persons, the data manager shall inform the affected party about the data protection incident without undue delay.
The Service provider shall record data protection incidents according to Article 33 (5), marking the facts related to the data protection incident, its effects and the regulations made in order to solve it.
IV. Final clause
The Service provider shall give information about data managements not mentioned in present material prior to data management.
The present material was prepared by considering the following legislations:
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.);
- Act CLV of 1997 on Consumer Protection (Fogytv.)
- REGULATION 2016/679 (27th April 2016) OF EUROPEAN PARLIAMENT AND COUNCIL OF EUROPE on protection of data management of natural persons and free movement of these data, and about avoiding regulation 95/46/EK (general data protection regulation, GDPR).
In force: 25th May 2018