Castle Garden

Privacy Policy

The online privacy policy of Várkapitányság Nonprofit Zrt

1.       Introduction

Várkapitányság Integrált Területfejlesztési Központ Nonprofit Zártkörűen Működő Részvéntársaság (hereinafter referred to as “Várkapitányság” or “Service Provider”) is committed to safeguarding the personal information of its employees, users, and partners, and considers it especially important to respect the right of its customers to informational self-determination as well as to ensure the security of personal information management. Várkapitányság, as a data controller, shall implement state-of-the-art safety measures to protect the privacy of the users registering for the newsletter services as well as the customers purchasing tickets to events held in the Várkert Bazár through the varkertbazar.hu website, and shall not disclose any of their personal information to third parties or only disclose such information to third parties if its owner provides explicit consent.

This Privacy Policy (hereinafter referred to as “Privacy Policy”) shall govern the terms and conditions of managing the personal information obtained by Várkapitányság in relation to the operation of its website, the provision of its electronic services, such as the newsletter service, as well as online ticket purchases to events held in the Várkert Bazár.

Várkapitányság accepts the provisions of this Privacy Policy as biding upon itself and assumes a unilateral obligation to ensure that all activities thereof related to the processing of personal information shall be in compliance with the provisions of this Privacy Policy as well as the provisions of the relevant Hungarian and European Union laws and ethics regulations.

In this document, Várkapitányság shall present its online data management principles as well as the conditions it has set and voluntarily fulfils with respect to its activities as data controller. Várkapitányság warrants that the provisions of this Privacy Policy are in compliance with the applicable Hungarian and European Union legislation, especially the provisions of Act CXII of 2011 on the right to informational self-determination and the freedom of information (Information Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

2.       Legal basis and principles of the data management activities of Várkapitányság

The data processing shall be in compliance with the following principles at all times and all personnel employed by the data controller, who process personal information as part of their job or workplace tasks, shall ensure for the entire duration of their work that they are fully in compliance with these principles.

  1. Legality, fairness, and transparency

The processing of personal information shall be carried out in a legal and fair manner that is transparent to the owner of the personal information.

The processing of personal information may only be carried out for a specific purpose, such as the exercise of a certain right or the performance of a certain obligation. The processing of personal information shall be carried out for this specific purpose only during all stages of processing. In the case of the data processed under this Privacy Policy, the purpose of the data processing is the performance of marketing activities and the operation of the online ticket sales system; therefore, it the legal basis of the processing is voluntary consent.

Only personal information essential and suitable for fulfilling the purposes of the processing shall be processed, and only to the extent and for the duration that is required by such purposes.

  1. Purpose of processing

The collection of personal information shall be performed for specific, clearly-defined and legal purposes, and they shall not be processed in any way that is not compatible with such purposes; the use of the information for public archiving, scientific, historical, and statistical research do not fall within the scope of actions not compatible with such purposes.

  1. Limitation of processing

The personal information shall be suitable and relevant with respect to the purposes of the data processing, and shall be restricted to the information essential for fulfilling such purposes.

  1. Accuracy

The personal information shall be accurate and up-to-date if applicable; all reasonable steps shall be taken in order to ensure that all personal information that is found to be inaccurate for the purposes of the processing is deleted or rectified.

  1. Limited transparency

Personal information may only be stored in a format that only allows the identification of the data subject for the period of time required for the completion of the purpose of the data processing; personal information may only be stored for a period of time in excess of the one specified above if the processing takes place for the purpose of archiving data in the interest of the public or for scientific, historic, or statistical research purposes, while implementing the technical and organisational measures required for ensuring that personal rights and freedoms of the data subject are not violated.

  1. Integrity and confidence

The processing of personal information shall be performed in such a way that the application of suitable technical and organisational measures ensures the safety of the personal information and prevents unauthorised access thereto, as well as the accidental loss, deletion, or damaging of the personal information.

  1. Accountability

The data controller shall be responsible for ensuring the legality of the data processing, and the data controller shall be able to provide proof of their compliance with the applicable legislation.

  1. Transfer of information

Personal information may be transferred or different data processing activities aggregated only if the data subject has agreed to such measures or such measures are permitted by the applicable legislation and all other conditions of data processing are fulfilled with respect to every piece of personal information.

3.       Rights of the data subject

3.1.    Right to receive information at the beginning of data processing

The data controller shall provide concise, transparent, clear, and publicly accessible information to the data subject at the beginning of the processing of their personal information regardless of the information being collected from the data subject directly or from a third party. Among other details, the data subject shall be informed of the name and address of the data controller and its representative, the contact details of the data protection officer if applicable, the purpose and legal basis of the data processing as well as the possible consequences of the data processing not being performed.

3.2.    Right of access

The data subject shall be entitled to receive confirmation of the processing of their personal information being in progress as well as to request further information regarding the purpose of the processing, the categories of data being processed, the expected storage period, options to submit complaints, etc.

3.3.    Right for rectification

The data subject shall be entitled to rectify any inaccuracies in their personal information and provide additional details.

3.4.    Right to request deletion (“right to be forgotten”)

The data subject shall be entitled to request the deletion of their personal information in the following cases (and the data controller shall comply with such a request): the data processing is no longer necessary; the data subject revokes their consent and there is no other legal basis for the processing; the data subject protests the processing; the processing is unlawful.

This right to request deletion may be overridden by other legitimate reasons for processing. (Such as the freedom of speech; the right to request information; compliance with legal obligations; enforcement of legal claims, etc.) Even if the data subject protests the processing, if there is a legitimate reason for the processing, the data controller is not obliged to delete the personal information (such as the obligation to retain invoices for 8 years under the Accounting Act).

3.5.    Right to restrict data processing

The data controller shall restrict the processing of personal information upon request of the data subject if

  • the data subject disputes the accuracy of the personal information - the restriction shall last until the accuracy of the data is verified;
  • the data processing is unlawful - the data subject protests the deletion of the data but requests that their use was restricted;
  • the data controller is no longer in need of the personal information but the data subject requires them to be stored for the submission or enforcement of legal claims or defence against such claims;
  • the data subject has protested the data processing and the data controller is in the process of conducting investigations.

If the data processing falls within the scope of either clauses provided above, the personal information in question, besides storage, may only be processed with the consent of the data subject or for the submission of legal claims, the protection of the rights of third parties, or if it serves substantial public interests.

3.6.    Right to information portability

The data subject shall be entitled to receive the data it has provided the data controller with in delimited, commonly used format, and upon request of the data subject, data controller shall forward these information to another data controller.

3.7.    Right to protest the processing

The data subject shall be entitled to protest the processing of their personal information if the legal basis for the processing is public interest, the exercise of the rights of a public authority, or the exercise of the rights of the data controller or a third party, including profile creation. The data subject is also entitled to protest the processing if the purpose thereof is direct marketing.

It shall constitute an exception from the above provisions if the data controller is able to prove that the processing is necessary due to compelling reasons that have priority over the interests, rights, and freedoms of the data subject, or ones that are related to the submission, enforcement, or defence against legal claims, in which case it is not obliged to cease the processing.

3.8.    Rights related automatic decision-making and profile creation

Várkapitányság does not perform any activities related to automatic decision-making or profile-creation.

4.       Data controller

Company name:              Várkapitányság Nonprofit Közhasznú Korlátolt Felelősségű Társaság

Registered office:           1013 Budapest, Ybl Miklós tér 6.

Tel.:                   + 36 1 2250310

E-mail:               titkarsag@varkertbazar.hu

Representative:         Gergely Fodor, chair of the board of directors

5.       Contact details of the data protection officer

Name:                   Katalin Wetter

Address:                   1013 Budapest, Ybl Miklós tér 6.

Tel:                    + 36 70 5156940

E-mail:               wetter.katalin@vargondnoksag.hu

6.       Certain data processing activities

6.1.    Data of the visitors to the websites varkapitanysag.hu and varkertbazar.hu

Following the visit to the websites, Várkapitányság does not record any personal information.

Service Provider and the specified third-party service provider may create and read at a later time a small packet of data (a so-called cookie) on the user’s device in order to customise the experience. If the browser returns a cookie that was saved on the user’s device earlier, the service provider managing such cookie is able to connect the current visit to earlier visits by the same user; however, only with respect to the content of the visit.

Users are able to delete cookies from their device and may prohibit their use through their browser settings. Generally, cookies are able to be managed in the Tools/Settings menu of browsers, in the Privacy or Cookies section.

6.2.    Newsletters

If the data subject consents to Várkapitányság sending them information or offers by subscribing to the newsletter service, they may revoke such consent and delete their registration by using the unsubscribe option in the footer of each newsletter or by writing an e-mail to us directly.

The legal basis of the processing in the case of newsletters is the consent of the data subject and Section 13/A of Act CVIII of 2001 on certain matters concerning electronic business services and informational societal services as well as Section 6 (5) of Act XLVIII of 2008 on the essential conditions of commercial marketing activities and certain applicable restrictions.

The purpose of the data processing: the data controller sending newsletters to the data subject for marketing purposes, with the consent of data subject.

The scope of the processed personal information with respect to newsletters: the name and e-mail contact of the data subject.

Duration of data processing: until consent is revoked and/or until the data subject unsubscribes from the newsletter service.

6.3.    Online ticket sales

If the data subject purchases tickets online, using the website varkertbazar.hu, operated by data controller, to one of the events held at the Várkert Bazár, data controller shall be entitled to process the personal information of the data subject, that is the ticket buyer, provided during the sale and purchase process.

Legal basis of data processing: the consent of the data subject, and the fulfilment of the contract concluded with respect to the ticket purchase.

Purpose of data processing: The fulfilment and performance of the online ticket sales service.

Duration of data processing: 8 years from the date of the purchase.

The data controller hereby notifies data subjects that the online ticket sales service of the data controller is operated by INTERTICKET Kft (Cg. 01-09-736766, registered office: 1139 Budapest, Váci út 99.), who also processes the personal information provided by the data subjects as a joint data controller. The data controller hereby notifies data subjects that the privacy policy of INTERTICKET Kft is directly available to data subjects during the ticket sale and purchase process. By purchasing the ticket, the data subject consents to data controller and INTERTICKET Kft processing their personal information.

6.4.    The data controller shall retain the personal information of data subjects until the data subjects revoke their consent or until it is necessary for fulfilling the purpose of data processing specified herein.

6.5.    Disclosure of personal information

Service Provider may not disclose personal information to any third parties (with the exception of the third-party data controller specified above).

Courts, prosecutors, investigation agencies, regulatory authorities, administrative authorities, the data protection authority or other organisations entitled to do so pursuant to applicable legislation may contact the data controller and request the transfer of data and information or access to written documents.

Service Provider shall provide such authorities, provided that their request is legitimate under the applicable legislation and they provide the specific scope of the data requested as well as the purpose of the request, with the data and information requested but only to the extent and in the scope essential for the fulfilment of the purpose specified in the request.

In the event that Service Provider is required by a final and enforceable administrative or court decision to disclose data or information, Service Provider shall comply with such decisions but disclose the personal information to the requesting court or authority exclusively and specifying the personal nature of the information being disclosed.

7.       Storage of the personal information and security of the processing

The IT systems and other data storage media of the Service Provider are located at the registered office thereof as well as at the registered offices of its data processors (see below).

Service Provider shall choose and operate the IT systems used during the processing of personal information and the provision of its services so that

a) the data is accessible to authorised personnel (accessibility);

b) the data is sufficiently authenticated and certified (authenticity of data processing);

c) it can be certified that the data has not been altered (data integrity); and the data is protected against unauthorised access (confidentiality).

Service Provider shall implement technical, organisational, and management practices that ensure the protection of the data to a level that is in proportion with the risks related to the data processing.

During data processing, Service Provider shall ensure

a) secrecy: the protection of the information against unauthorised access;

b) data integrity: ensuring the accurate and complete nature of the processed information;

c) data availability: ensuring that the information is available and the storage devices are accessible when the data subject or authorised personnel wishes or needs to access it.

The IT systems and network of the Service Provider and its partners are all protected against computer fraud, spying, sabotage, vandalism, fire and flood damage, computer viruses, hacking, and denial-of-service attacks. The operator of these systems ensures safety through server-level and application-level protection procedures.

 

8.       Data and contacts of the data controller(s)

 

Regarding official matters:

Name:                   Katalin Wetter

E-mail address:        wetter.katalin@vargondnoksag.hu

 

Regarding contractual matters:

Name:                   Dr Gabriella Somogyi

E-mail address:        somogyi.gabriella@vargondnoksag.hu

 

Regarding sales matters:

Name:                   Viktória Török

E-mail address:        torok.viktoria@vargondnoksag.hu

9.       Legal remedies

9.1.    Request for information

The data subject may request information regarding the processing of their personal information and may request the rectification and - with the exception of cases specified in the relevant legislation - the deletion of their personal information through the customer service department of the data controller and in the manner specified during the collection of the personal information.

Upon request by the data subject, the Service Provider as the data controller shall provide information regarding the data processed by Service Provider itself and the data controllers it entrusted with the processing of the data as well as the purpose, legal basis, and duration of the processing, the name and address (registered office) of the data controllers, their activities related to data processing, and finally, the list of persons with access to the information and the purpose of their access thereto. Following the submission of such a request, the data controller shall provide this information as soon as possible and not later than 30 days of the request being submitted, in writing, and in an easy-to-understand manner. This information shall be free of charge provided that the data subject has not submitted a similar request to the data controller within the same year and concerning the same area of processing. In all other cases, the Service Provider shall be entitled to specify a price for fulfilling such requests.

9.2.    Protest, rectification, deletion

Service Provider shall not be entitled to delete the personal information of the data subject if the processing is mandated by law.

Service Provider shall delete the personal information if it is suspected that the processing is unlawful, the deletion is requested by the data subject, the deadline for the storage of the personal information provided by law has expired, or the deletion was required by a court of the data protection authority.

Service Provider shall notify the data subject and all other parties to whom the information has been forwarded with the purpose of processing if the data is rectified or deleted. Such notification can be omitted if such inaction does not violate the legal interest of the data subject with respect to the purpose of the processing.

The data subject may protest the processing of their personal information if

a) the processing (forwarding) of the personal information is necessary only for the enforcement of the rights or legal interests of the data controller, with the exception of cases where the data processing is required by law;

b) the use or forwarding of the personal information is performed for the purposes of direct business activities, public opinion surveys, or scientific research;

c) some other legal provision entitles the data subject to protest the processing.

In the event that the data subject protests the processing, Service Provider shall suspend the processing activity and investigate the request as soon as possible but within 15 days of its submission, and notify the data subject of the results of the investigation in writing. If the protest is found to be substantiated, data controller shall cease the data processing, including the collection and forwarding of any additional data, block access to the data, and inform all third parties to whom it has forwarded the personal information affected by the protest of these measures. Such third parties shall also implement the same measures to fulfil the protest request.

In the event that the data subject does not agree with the measures taken by the data controller, it may seek court remedies within 30 days of being notified of such measures.

However, data shall not be forwarded to any data recipient if the data controller agrees with the protest or if a court of law finds the protest to be substantiated.

In the event that the rights of the data subject are violated, they may seek court remedies. The court shall treat such cases as a priority.

Service Provider shall be liable for damages caused by unlawful data processing or the violation of the relevant technical requirements of data protection. The data controller may waive the liability if the damage is the result of causes outside of the sphere and influence of the data controller, which it was unable to prevent.

The data controller shall not be liable for damages if the damage occured due to the wilful or gravely negligent behaviour of the claimant.

In case of complaints or a need for legal remedies, please contact our data protection officer at the e-mail address wetter.katalin@vargondnoksag.hu or the competent authority directly:

Nemzeti Adatvédelmi és Információszabadság Hatóság
[National Authority for Data Protection and Freedom of Information]
Mailing address: 1530 Budapest, P. O. Box: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL http://naih.hu