Privacy Policy
1 Purpose of the policy 3
2 General communication 3
3 Data of the controller 4
4 Data processing procedures 4
4.1 Contacting and communication 4
4.2 Processing involving Organizers 5
4.3 Processing involving Participants 7
4.4 Processing concerning customer service 10
4.5 Data processing concerning invoicing 12
4.6 Data Processing concerning products ordering or credit purchase 13
4.7 Data processing concerning notifications of updates 14
5 What are the Users’ rights? 15
5.1 Right to access 15
5.2 Right to rectification 15
5.3 Right to erasure 15
5.4 Right to be forgotten 15
5.5 Right to restriction of processing 15
5.6 Right to data portability 15
5.7 Right to object 16
5.8 Right to respond to requests 16
5.9 Possibilities for redress 16
6 Our procedure regarding requests for exercising rights 16
6.1 Informing recipients 16
6.2 Mode and deadline of notification 17
6.3 Monitoring 17
6.4 Costs of measures and notifications 17
7 Possible recipients of personal data, processors 17
7.1 During the operation of our website 17
7.2 During issuing invoices 17
7.3 During payment 18
7.4 During delivery of products 18
7.5 Other cases 18
8 Data security 18
8.1 Organizational measures 18
8.2 Technical measures 18
9 Cookies 20
9.1 Cookies in general 20
9.2 Google Analytics 20
9.3 How can the cookies be processed? 21
10 Other provisions 21
10.1 Processing for different purpose 21
10.2 Record of processing 21
10.3 Data breaches 21
10.4 Amendments 21
11 Appendixes 22
11.1 The relevant legal acts 22
11.2 Definitions with regard to the processing of personal data 22
11.3 The rights o the data subject 23
Right to access 23
Rectification 24
Erasure 24
Restriction of data processing 24
Data portability 25
Objection 25
11.4 Arrangement of joint controllership 25
1 Purpose of the policy
The goal of our Privacy Policy is to provide all necessary information for natural persons using our services (hereinafter referred to as User) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and assist the Users in exercising their rights under Section 4. Our services are available on the website Balloon-tracking.eu.
The legal basis of our duty to communicate information is Article 12 of Regulation 2016/679 of the European Parliament and Council (hereinafter referred to as: GDPR), Section 16 of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as Information Act) and Section 4 of Act CVIII of 2011 on electronic commerce and on information society services (hereinafter referred to as Electronic Commerce Act).
The Privacy Policy was prepared by taking into account the GDPR, the Information Act and further legal acts relevant from the viewpoint of specific data processing. The list of the legal acts is detailed in Annex 11.1, the main concepts and definitions are determined in Annex 11.2 and the detailed information on the right of the data subject is included in Annex 11.3 of the Privacy Policy.
During the drafting and applying this Privacy Policy, we proceeded in the spirit of the findings of the recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information and Article 5 of the GDPR, especially the principle of accountability laid down in Article 5, Paragraph 2 thereof.
We also monitor the practice of the European Union with regard to the protection of personal data, accordingly, we shall also implement the findings of Article 29 Working Party of the European Commission in its Guideline on Transparency into our data processing practice.
2 General communication
Balloon-tracking.eu is an online, cloud-based service, which provides information technology support for air balloon competitions, as professional events. Balloon-tracking.eu service consists of a website (balloon-tracking.eu) and an application (Balloon-tracking.eu App). Users of Balloon-tracking.eu may be enterprises who organize competitions (hereinafter: „Organizers”) as well as invited private persons and enterprises who participate in the competitions as competitionrs or supporting staff (hereinafter: „Participants”).
One of the functions of the website is that the system, based on the data provided by the Organizer, generates a subpage, where the Participant may find information regarding the event. Organizer may decide the categories of data Participant is obliged to provide for the participation to the competition.
The aim of the application is to support the competition, through which Participants may provide different information for the facilitation of the competition.
3 Data of the controller
PEVIKTERA Consulting Kft.
Registered seat: 3000 Hatvan, Jókai utca 78.
Registry number: 10-09-026307
Tax number: 13416924-2-10
E-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Phone number: +36302078357
4 Data processing procedures
We shall set forth in detail in this Section the essential circumstances regarding specific data processing which the GDPR and other sectoral legal acts require from every controller.
4.1 Contacting and communication
It is possible to connect us through our contact information located on the website. Also, by communicating with our business partners, we process the personal data of their contact person. The details of these processing are described hereunder.
4.1.1 Processed personal data and purpose of processing
Personal data purpose of processing name identification of the User, or the contact person of our business partner e-mail address contacting and communication with the User, or the contact person of our business partner phone number contacting and communication with the User, or the contact person of our business partner public profile data available on social media identification of the User
4.1.2 Legal basis of processing
If the User contacts us through our website, we process the User’s personal data on his/her freely given consent provided by him/her by an express conduct (phone call, sending of an e-mail), at the moment of contacting, for the purposes set out in Section 4.1.1 (Article 6, Paragraph 1, Point a) of GDPR).
Should we use the User’s data for a purpose other than the original purpose of collecting such data, then we shall inform the User thereof and acquire his/her prior and expressed consent thereto, furthermore, we shall ensure the possibility to object to such processing (see Section 10.1).
If you, as the representative of our business partners provide your personal data to communicate with us, the legal basis of processing personal data is the legitimate interest of us and our business partners (Article 6, Paragraph 1, Point f) of GDPR). It is each Party’s legitimate interest to maintain an effective business communication during the use of the Website and the negotiations between the partners, and to perform the contract, and in order thereto, to provide information to the designated representatives of each Party, on the essential circumstances affecting such contract. Since it is the employment or contractual duty of the contact persons of the business partners to promote the communication between the Parties and to provide the personal data for that purpose, in our view, processing the name and contact data of your contact persons does not restrict disproportionately the privacy and freedom of selfdetermination of such persons. The contact person of our business partner may object to such data processing.
4.1.3 Duration of the processing
We process the personal data until the withdrawal of consent. The User has the right to withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
In relation to the processing of the personal data of our business partners’ contact persons, we process their personal data until it is no longer necessary in relation to the purposes of communication, or as long as it is possible according to the relevant acts (5 years following the performance or the termination of the contract pursuant to the Civil Code, or 8 years following invoicing, in accordance with Act C of 2000).
4.1.4 Mode of processing
Your personal data are collected in electronic form.
4.1.5 Data protection contractual clause
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing concerning communicating with our business partners, we, as data controllers, while performing the contracts concluded with our business partners, both at the time of the determination of the means for processing, and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR.
4.2 Processing involving Organizers
4.2.1 Processing connecting registration
Use of our service by the Organizers (including the organization of competitions) is possible following pre-registration. The details of these processing are described hereunder.
4.2.1.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing
Name or contact person’s name (owner and administrator), the nature of the user account
Identification of the organizer during the performance of the contract
Fulfillment of the contract / legitimate interest
e-mail adress
contact with the Organizer during the performance of the contract
Fulfillment of the contract / legitimate interest
password
performing technical operations Fulfillment of the contract / legitimate interest
4.2.1.2 Legal basis of processing
Processing is necessary for the fulfillment of the contract concluded between the private Organizer and us (Article 6, Paragraph 1, Point b) of GDPR).
If the registrant is a legal entity, the legal basis for the processing of the above personal data of its contact person is the legitimate interest of the data controller and the organizer (Article 6, Paragraph 1, Point f) of GDPR). It is legitimate interest of both parties to be able to communicate effectively during the use of the system and to be able to provide each other's designated representative with information on any material circumstances affecting the contract between us. The violation of the organizer's contact person's right to information self-determination cannot be diagnosed, because it is his/her job or contractual obligation to facilitate communication between the parties and to provide his personal data for this purpose.
4.2.1.3 Duration of processing
In view of the fact that we enter into a contract with the Organizers, the above personal data we retain for 5 years after registration (6:22. § section 1 of the Act V of 2013 on the Civil Code)
4.2.1.4 Method of processing
In electronic form.
4.2.2 Processing by the Organizer
During the organization of the competitions created by the Organizers, the Data Controller and the Organizer shall be considered as joint data controllers, the categories of personal data in this section shall be considered as jointly processed data. In order to comply with the obligations related to the GDPR in relation to the Organizers, Data Controller applies the terms and conditions of the agreement of joint controllers set out in point 11.4. of the current privacy policy, which the Organizer expressly approves by accepting this policy.
Joint processing of personal data is established when the Participant appliesfor a competition announced by the Organizer and as a result the Organizer gets access to the personal data provided by the Participant in the system. The Organizer may request the Participants, depending on the nature of the competition, to provide additional personal data in order to participate in it.
4.2.2.1 Processed personal data and purpose of processing
The Organizer gets to know the following information about the competition organized by it:
personal data purpose of processing legal basis of processing
Name of participant, nature of user account identification of the participant Fulfillment of the contract
Participant's email address Contact the Participant Fulfillment of the contract
When capturing images and videos, an identifiable image of the Participants on the recordings.
Documentation of the competition through images and videos, promotional activity by sharing images and videos from the event
Consent / legitimate interest
Copy of the required certificate (permit to fly, certificate of registration, medical fitness test), balloon and participant, as well as the validity of the certificates Getting to know a participant's right to fly, sending a notification
message related to the expiration of the validity of certificates
Fulfillment of the contract, in addition,
Article 9 section 2 (a) of GDPR in relation to the medical certificate location data Getting to know the position of a participant during the competition Fulfillment of the contract
4.2.2.2 Legal basis of processing
Processing is necessary for the fulfillment of the contract concluded between the Participant and the Organizer. (Article 6, Paragraph 1, Point b) of GDPR).
In the case of crowd scenes, the legal basis of the processing is the data controller's legitimate interest (to documentate the events, Article 6, Paragraph 1, Point f) of GDPR).
In the case of individual (identifiable to the Participant) images and videos, the legal basis is based on the Participant's consent (Article 6, Paragraph 1, Point a) of GDPR).
4.2.2.3 Duration of processing
The Organizer - excluding the image and video recordings - processes the data of the Participants related to the competition in our system until the end of the competition (at the end of the competition the personal data of the Participant related to the competition will not be available to the Organizer, however we exclusively have access to it through our system). Thereafter, the Organizer is considered as an independent data controller. The image and video recordings are processed until the data controller withdraws the consent or fulfills the data subject's request based on the notification of the object.
4.2.2.4 Method of processing
In electronic form.
4.3 Processing involving Participants
4.3.1 Registration
Use of our service by the Participants is possible following pre-registration. The details of these processing are described hereunder.
4.3.1.1 Processed personal data and purpose of processing personal data purpose of processing legal basis of processing
Name of participant, nature of user account identification of the participant Consent e-mail adress Contact the Organizer Consent password performing technical operations Consent Copy of the required certificate
(permit to fly, certificate of registration, medical fitness test), balloon and participant, as well as the validity of the certificates
Getting to know a participant's right to fly, sending a notification message related to the expiration of the validity of certificates Consent, in addition, Article 9 section 2 (a) of GDPR in relation to the medical certificate
4.3.1.2 Legal basis of processing
Participant's consent (Article 6 section 1 (a) of GDPR). The Participant's consent may be revoked by deleting the profile or the given personal data from his / her account. Withdrawal of consent shall not affect the lawfulness of the consent-based processing prior to withdrawal.
If the Participant’s data is used for a purpose other than the original data collection, we will inform the User and obtain his / her prior express consent, or provide him / her with the opportunity to prohibit the use (see Section 10.1).
4.3.1.3 Duration of processing
Until the Participant withdraws his or her consent (delete profile). In the absence of deletion of the profile, we store the data belonging to the Participant’s profile for 5 years following registration for the above purposes pursuant to Act V of 2013 on the Civil Code 6:22. § section 1.
4.3.1.4 Method of processing
In electronic form.
4.3.2 Use of the application
Use of our service by the Participants is possible after pre-registration. The details of these processing are described hereunder.
4.3.2.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing
Name of participant, nature of user account identification of the participant Fulfillment of the contract location data Getting to know the position of a participant during the competition Fulfillment of the contract e-mail adress Contact the Participant Fulfillment of the contract
4.3.2.2 Legal basis of processing
Processing is necessary for the fulfillment of the contract concluded in which the participant is one of the parties (Article 6 section 1 (b) of GDPR).
4.3.2.3 Duration of processing
In the application, the above data only identifies the Participant until the time of its use, otherwise for the storage period in accordance with 4.3.3.3. described in point.
4.3.2.4 Method of processing
In electronic form.
4.3.3 Registration for the competition, participation
During the organization of the competitions created by the Organizers, the Data Controller and the Organizer shall be considered as joint data controllers, information about this can be found in section
4.2.2 of this policy. and 11.4. in Annex. The details of data processing are the following:
4.3.3.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing
Name of participant, nature of user account, introductory text identification of the participant
Fulfillment of the contract,
in connection with introductory text: consent.
e-mail adress
Contact the Participant sending a notice about the competition of interest to the Participant Fulfillment of the contract
Consent When capturing images and videos, an identifiable image of the Participants on the recordings.
Documentation of the competition through images and videos, promotional activities by sharing images and videos from the event Consent / legitimate interest
Copy of the required certificate(permit to fly, certificate of registration, medical fitness test), balloon and participant, as well as the validity of the certificates Getting to know a participant's right to fly, sending a notification message related to the expiration of the validity of certificates
Fulfillment of the contract,in addition, Article 9 section 2 (a) of GDPR in relation to the medical certificate
4.3.3.2 Legal basis of processing
In the case of the Participant's name and e-mail address, as well as the image and video recording of the card, the data processing is necessary to fulfillment of the contract which the Participant is a party.
(Article 6 section 1 (b) of GDPR). This contract is concluded between the Participant and the Organizer. The writing of the Participant's introductory text is optional, the recording of the personal data contained therein is based on the Participant's consent (Article 6 section 1 (a) of GDPR. The consent may be revoked at any time and shall not affect the lawfulness of the processing carried out on the basis of the consent.
In the case of mass recordings, the legal basis for data processing is the data controller's legitimate interest in documenting the events (Article 6 section 1 (f) of GDPR).
In the case of individual (identifiable to the Participant) images and videos, the legal basis is based on the Participant's consent (Article 6 section 1 (a) of GDPR).
The consent may be revoked at any time andshall not affect the lawfulness of the processing carried out on the basis of the consent.
The sending of a notice of a competition of interest to a Participant is based on the Participant's consent (Article 6 section 1 (a) of the GDPR). The consent may be revoked at any time and shall not affect the lawfulness of the processing carried out on the basis of the consent.
If the Participant's data is used for a purpose other than the original data collection, we will inform the User thereof and obtain his / her prior express consent, or provide him / her with the opportunity to prohibit the use (see Section 10.1).
4.3.3.3 Duration of processing
The Organizer - excluding the image and video recordings - processes the data of the Participants related to the competition in our system until the end of the competition (at the end of the competition the personal data of the Participant related to the competition will not be available to the Organizer, however
we exclusively have access to it through our system). Thereafter, the Organizer is considered as an independent data controller. The image and video recordings are processed until the data controller withdraws the consent or fulfills the data subject's request based on the notification of the object.
4.3.3.4 Method of processing
In electronic form.
4.4 Processing concerning customer service
In order to answer questions or to inspect the circumstances our Users requested a complaint for, we operate customer service. The details of these processing are described hereunder.
4.4.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing name identification of the user consent e-mail address connecting with the user and providing information consent phone number connecting with the user and providing information consent
4.4.2 Legal basis of processing
We process the personal data we collect by the consent of the User (article 6 point (1) a) of GDPR).
If we intend to further process the personal data for a purpose other than that for which the personal data
were collected, we shall inform the User thereof, we shall acquire their prior and expressed consent thereto and ensure the possibility for them to object to such processing.
4.4.3 Duration of processing
We process your personal data until the withdrawal of the User’s consent.
4.4.4 Mode of processing
Personal data are collected manually, in electronic form.
4.5 Data processing concerning invoicing
During the cooperation with the Organizers, with regard to Act C of 2000 on accounting (hereinafter referred to as Accounting Act), we shall issue an accounting document. The details of such processing are described hereunder.
4.5.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing name on the invoice supporting the accounting treatment of the performance of the order (economic event) complying with legal obligation address/registered seat in case of sole proprietors (ZIP code, city, street name, house number together) supporting the accounting treatment of the performance of the order (economic event) complying with legal obligation tax number of the sole proprietor supporting the accounting treatment of the performance of the order (economic event) complying with legal obligation
4.5.2 Legal basis of processing
Processing is necessary for compliance with legal obligations (with regard to Article 6, Paragraph 1, Point f) of GDPR, Section 5, Subsection 1, Paragraph b) of Information Act and Section 166,Subsections 1 to 3 of the Accounting Act).
4.5.3 Duration of the processing
8 years after the issuance of the accounting document (with regard to Section 166, Subsection 6 of the Accounting Act, Section 169, Subsection 1 of the Accounting Act).
4.5.4 Mode of processing
Personal data are collected in electronic form.
By taking into account the provisions of the legal act on the rules of the digital archiving, the accounting document issued in electronic form shall be stored in a manner that the applied method shall ensure the provision and continuous readable form of all of the data of the document without delay and thatexcludes the possibility of subsequent modification.
4.5.5 Provision of personal data
Since we cannot perform our accounting obligations without knowing the concerning personal data, the provision of personal data is a statutory requirement.
4.6 Data Processing concerning products ordering or credit purchase
The User may purchase various products through the Website. The User may purchase a Credit through the website, with which he/she may participate in the competitions advertised on the Service Provider's website.
4.6.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing name during the fulfillment of the order, we can identify the customer of the product by providing the name
Fulfillmentof the contract address we can send the ordered product to the specified address.
Fulfillmentof the contract e-mail address contacting the customer and informing them about the details of the order
Fulfillmentof the contract
4.6.2 Legal basis of processing
Processing is necessary to fulfillment of the contract which the Participant is a party. (Article 6 section 1 (b) of GDPR).
4.6.3 Duration of the processing
For 8 years after the issuance of the accounting document based on the contract, subject to Section 166
(6) of the Act, Section 169 (1) of the Act
Personal data is not required for the fulfillment of accounting obligations - subject to Act V of 2013 on
the Civil Code (Ptk.) 6:22. § (1) - for the above purposes we store it for 5 years after the fulfillment of
the order.
4.6.4 Mode of processing
Personal data are collected in electronic form.
14
Balloon-tracking System
www.balloon-tracking.eu
4.7 Data processing concerning notifications of updates
The Service Provider shall ensure that the User is notified of and receives any updates to the digital
content or digital service, including security updates, that are necessary to maintain the compliance of the
digital content or digital service.
4.7.1 Processed personal data and purpose of processing
personal data purpose of processing legal basis of processing
e-mail address
contacting the customer and
informing them about the
updates
Fulfillment of the
contract
4.7.2 Legal basis of processing
Processing is necessary to fulfillment of the contract which the Participant is a party. (Article 6 section
1 (b) of GDPR).
4.7.3 Duration of the processing
We maintain data management until the user account is deleted.
4.7.4 Mode of processing
Personal data are collected in electronic form.
15
Balloon-tracking System
www.balloon-tracking.eu
5 What are the Users’ rights?
It is relevant to us that our data processing shall comply with the requirements of fairness, lawfulness and transparency. In light thereof, we shall present the rights of the data subjects in this Section, and thereafter we shall explain them in detail in Appendix 11.3. Our Users may request free information on the details of the processing of their personal data and in cases laid down in legal acts, they may also request the rectification, erasure or blocking thereof, or the restriction of such processing, and they may also object to the processing of such data. Our Users may address their request for information and the request indicated in this Section to our contact information set out in Section 3.
5.1 Right to access
Our User has the right to obtain confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the information regarding the details of processing.
5.2 Right to rectification
Our User has the right to obtain from us without undue delay the rectification of inaccurate personal data concerning him/her and to have incomplete personal data completed, including by means of providing a supplementary statement.
5.3 Right to erasure
At the request of our User, we shall erase personal data concerning him/her, if the processing of such data is no longer necessary, if the User has revoked his/her consent thereto, if the User objects thereto or if the processing is unlawful.
5.4 Right to be forgotten
If we made the personal data public and are obligated to erase the User’s personal data at request, we shall inform any such controller which was made aware of or could have made aware of the possibly published data of the User.
5.5 Right to restriction of processing
At the request of our User, we shall restrict data processing if the accuracy of the personal data is challenged, or the data processing is unlawful, or our User objects to the processing of data, or if we do not deem the provided personal data necessary in the future.
5.6 Right to data portability
Our User has the right to receive the personal data concerning him/her, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.
5.7 Right to object
Our User has the right to object, on grounds relating to his/her particular situation, at any time to the processing of personal data concerning him/her based on the data processing purposes of legitimate interest (see Sections 4.1, 4.2., and 4.3.). In such a case, we no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. In case of objection, as a general rule, the personal data for such purposes may not be processed further.
5.8 Right to respond to requests
We shall examine the requests as promptly as possible following its submission to us, but not later than within 30 days, and in case of objections, within 15 days and we shall decide whether they are well founded, of which we shall notify the person submitting the request in writing. If we do not fulfil the request of our User, then we shall inform him/her of the factual and legal reasons for denying thereof in our decision.
5.9 Possibilities for redress
Protecting personal data is of utmost importance to us, and we shall also respect your right of informational self-determination, therefore we strive to respond to all requests and claims in a correct manner and within the deadlines. With respect thereto, we ask you to contact us before possibly pursuing your claim before authorities and courts, for the purposes of submitting your complaint or request to us, in order to have your possible objections resolved as soon as possible.
Should this be unsuccessful, our User may - pursue his/her rights and claims before the courts pursuant to Act V of 2013 on the Civil Code (the legal proceedings may be lodged before the regional court of our User’s domestic or habitual residence; the list and contact information of the regional court may be viewed in the following link: http://birosag.hu/torvenyszekek) and - turn to and submit a complaint to the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., telephone number: +36-1-391- 1400, facsimile: +36-1-391-1410, e-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it., website: https://www.naih.hu/panaszuegyintezes-rendje.html, pursuing the claim online: https://www.naih.hu/online-uegyinditas.html, hereinafter referred to as NAIH) pursuant to the provisions of the Information Act.
6 Our procedure regarding requests for exercising rights
6.1 Informing recipients
We communicate any rectification or erasure of personal data or restriction of processing carried out, to each recipient to whom the personal data of the Users have been disclosed, unless this proves impossible or involves disproportionate effort. We also inform the User about these recipients at request.
6.2 Mode and deadline of notification
We provide information on actions performed at the request indicated in Section 5 within one month of the receipt of such request at the latest in electronic form, unless otherwise requested by the User. That period may be extended by an additional two months where necessary, taking into account the complexity and number of the requests. We inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
At the request of the User, an oral notification may also be granted, provided that the User offers an identification in any manner. If we do not take actions at your request, we inform you within one month of receipt of the request at the latest of the reasons for not taking actions and on the possibility of lodging a complaint at NAIH and seeking a judicial remedy (see point 5.9).
6.3 Monitoring
In exceptional cases, if we have reasonable doubts concerning the identity of the natural person submitting the request, we may request the provision of additional information necessary to confirm the identity of the data subject. This measure is required for the purposes of facilitating the confidentiality of data processing and preventing unlawful access to personal data as laid down in Article 5, Paragraph 1, Point f) of GDPR.
6.4 Costs of measures and notifications
We provide you information with regard to the requests concerning Section 5 and take the necessary measures to be carried out based thereon free of charge. If your requests are manifestly unfounded or excessive, in particular due to their repetitive nature, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or we refuse to act at the request.
7 Possible recipients of personal data, processors
7.1 During the operation of our website
Our website’s hosting provider (data processor) can have access to the personal data you provide while using the website. The data processor’s data are the following:
Name: Tárhely.Eu Szolgáltató Kft.
Availability: https://tarhely.eu/
7.2 During issuing invoices
During issuing invoices, our data processor dealing with invoicing may gain access to the personal data of the Users collected for invoicing. The data processor’s data are the following:
Name: KBOSS.hu Kft.
Availability: https://www.szamlazz.hu/
7.3 During payment
The User can choose from the following payment methods when purchasing a credit or ordering a product: Simple Pay, PayPal.
Name: SimplePay (OTP Mobil Szolgáltató Kft.); PayPal
Availability: https://simplepay.hu/; payapal.com
7.4 During delivery of products
In order to deliver the ordered products, we use courier companies as a data processor.
7.5 Other cases
The system generates a digital track from the route of the Participants’ air balloon, which is available for public in the website. Participants may decide to make their own track route anonimus.
All the photos and videos recorded during the competeitions as well as the introduction texts of the Participants are available for public.
Participants may see each others name during the competition. In condition that the leader of a group of Participants (Captain) decides to, the location data of his or her group’s Participants may be shared with an other specific group of Participants.
8 Data security
Our employees and the employees of the data processors have the right to get acquainted with the personal data of the User, to the extent necessary, for the performance of the tasks which belong to their job. We make all security, technical and organizational measures that guarantee the security of the data.
8.1 Organizational measures
We provide access to our IT systems with personalized rights. The “necessary and sufficient rights” principle applies to the allocation of accesses, consequently all employees may use our IT systems and services only to the extent necessary for the performance of their duties, with the appropriate rights and for the required time. Access to IT systems and services may only be granted to a person who is not restricted for security or other reasons (e.g. conflicts of interest) and who has the professional, business and information security knowledge required to use it securely.
We and the data processors undertake strict confidentiality rules in a written statement, and we are obligated to act in accordance with these confidentiality rules during the course of our activities.
8.2 Technical measures
We protect our internal network with multi-level firewall protection. In all cases, a hardware firewall (border protection device) is located at the entry points of the applied public networks. The data is stored redundantly, that is, in several places, so it is protected from destruction, loss, damage, or illegal destruction due to the failure of the IT device. Our internal networks are protected from external attacks with a multi-level, active protection against complex malicious code (e.g. virus protection). The external access to the IT systems and databases is operated by us via an encrypted data connection (VPN). We take steps to ensure that the IT tools and softwares continuously to comply with the generally accepted technological solutions in the market.
We develop systems, during our development, in which logging can be used to control and monitor the operations performed, and to detect incidents, such as unauthorized access. Our server is protected and closed, located on the dedicated servers of the hosting provider. By taking into account the recommendation of NAIH on the data protection requirements with respect to data processing on the website of political parties, we use https protocol on the website, which offers a higher level of security than the http protocol.
9 Cookies
In order to the proper functioning of our websites, we have placed smaller data files in the Users’ computer devices in certain cases, similarly to most of the modern websites.
9.1 Cookies in general
Cookies are small text files, which the website places to the computer device (including mobile phones) of the User. Consequently, the website is able to “remember” the settings of the User (such as: applied language, letter size, design, etc.), therefore, it is not necessary to set it each time the User visits our website.
These cookies may be deleted, blocked, however in such cases, the Website may not function appropriately.
We do not use cookies to identiy Users. We exclusively use cookies for the purposes above.
9.2 Google Analytics
1. The Google Analytics is the web analysis service of Google Inc. („Google”). Google Analytics uses so-called “cookies”, text files, which are saved to the computers of the Users, thereby facilitating the analysis of use of the website visited by the User.
2. The information generated by the cookies with respect to the website used by the User are generally placed to and stored in one of the servers of Google in the USA. By activating IP anonymization on the website, Google previously shortens the IP address of the User within the Member States of the European Union or in other countries that are party to the treaty on the European Economic Area.
3. Only in exceptional cases shall the full IP address be transferred to the Google server in the US and abridged there. On behalf of us, Google shall use these information to assess how the User used the specific website and to make reports pertaining to the activity regarding the website for us, furthermore, to perform additional services with respect to the use of the internet and the website.
4. In the scope of Google Analytics, the IP address transferred by the web browser of the User shall not be combined with other Google data. By appropriate configuration of the User’s browser, you may prevent these cookies from being stored, nevertheless, we shall point out that in this case you may not be able to fully use all functions of this website. Furthermore, you have the option to prevent the collection of the Users’ data generated by the cookies and related to the use of the website (including your IP address) by Google as well as processing this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=h
9.3 How can the cookies be processed?
The cookies placed by our website are stored on your computer, therefore you may erase them at any time. For the erasure of the cookies, the following guidelines may offer you assistance: in case of Mozilla Firefox web browser: (https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torleseszamito), In case of Chrome web browser: (https://support.google.com/chrome/answer/95647?hl=hu&ref_topic=7438325), In case of Microsoft Edge web browser (https://privacy.microsoft.com/hu-hu/windows-10-microsoftedge-and-privacy).
10 Other provisions
10.1 Processing for different purpose
If we intend to further process the personal data for a purpose other than that for which the personal data were collected, we shall inform the Users thereof, we shall acquire their prior and expressed consent thereto and ensure the possibility for them to object to such processing.
10.2 Record of processing
To comply with Article 30 of GDPR, we maintain a record of processing activities (record of processing activities) which we are liable for.
10.3 Data breaches
Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of data breach, we are obligated to act according to Articles 33 and 34 of GDPR. We shall record data breaches by indicating the facts pertaining to data breaches, their effect and the measures taken to remedy them.
10.4 Amendments
We are entitled to unilaterally amend this Privacy Policy.
Effective as of: 22th of December 2022
PEVIKTERA Consulting Kft.
Data controller
11 Appendixes
11.1 The relevant legal acts
In the course of drafting this Privacy Policy, the Controller has taken into account the relevant effective legal acts and the international recommendations, with special regard to the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
- Act CXII of 2011 on the right of informational self-determination and on freedom of information (Information Act);
- Act V of 2013 on the Civil Code (Civil Code);
- Act CXXX of 2016 on the Code of Civil Procedure (Pp.);
- Act C of 2000 on accounting (Accounting Act);
- Act CLV of 1997 on consumer protection (Consumer Protection Act);
- Act CVIII of 2011 on electronic commerce and on information society services (Electronic Commerce Act).
11.2 Definitions with regard to the processing of personal data
- ‘controller’ means the legal person, which determines the purposes and means of the processing of personal data;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘data transfer’ means making accessible of the data for a third person;
- ‘data erasure’ means making the data unrecognisable in a manner that the recovery of the data is no longer possible;
- ‘marking of data’ means the provision of an identification mark for the data for the purposes of differentiation;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘destruction of data’ meansthe entire physical destruction of the data carrier containing the data;
- ‘processor’ means the legal person, which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
- ‘cookie’ means the small data package (text file) sent by the web server and placed for a definite time on the User’s computer, which the server, depending on its nature, may complement at the time the website is visited again, that is, if the web browser sends back a previously saved cookie, then the service provider processing such cookie has the possibility to combine the User’s current visit with the previous one, but only with respect to its own content;
- ‘data subject/User’ means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘IP address’ means the IP address, that is, an identification number of server machines in every network that uses the TCP/IP protocol for communication, which enables the identification of the specific devices through the network. It is well-known that each computer device connected to the network has an IP address, by which it may be identified;
- ‘personal data’ means any information relating to the data subject;
- ‘objection’ means the statement of the data subject, by which he/she objects to the processing of his/her personal data and requests the termination of data processing or the erasure of the processed data.
11.3 The rights o the data subject
Right to access
The User is entitled to receive access to the personal data being processed by us, at his/her request, submitted to any address as indicated in our contact details. In the scope thereof, the User may be informed of the following:
- whether his/her personal data are being processed;
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed,
- where possible, the envisaged period for which the personal data will be stored,
- his/her rights
- the possibility for redress
- information in relation to the source of data.
The User may request a copy of his/her personal data that is subject to the processing of data. In this case we shall provide the personal data in a structured, commonly used and machine-readable format (PDF/XML) and on paper, in a printed format. Requesting the copy is free of charge.
Rectification
Based on a request submitted to any address as indicated in our contact details, the User is entitled to request the rectification of the inaccurate personal data concerning him/her and to have the incomplete data completed. If we do not have the necessary information for the correction and completion of the incorrect information, we may request the provision of such supplementary data and the certification of the accuracy of the data. In the absence of such supplementary information, we shall restrict the processing of the relevant personal data and we shall temporarily suspend the measures carried out thereon with the exception of storing until such a time that the correction and completion of data may be performed.
Erasure
Based on a request submitted to any address as indicated in our contact details, the User is entitled to request the erasure of the personal data concerning him/her and processed by us, provided that any of the following conditions are met:
- we no longer need the provided personal data;
- the User expresses concern with regard to the lawfulness of his/her data being processed by us.
Should we determine based on the User’s request that we are obligated to erase the personal data processed by us, we shall cease the processing of such data and we shall destruct the previously processed personal data. Besides that, we are also obligated to erase the personal data upon the revocation of consent, the exercising of the right to object and based on our obligations laid down in legal acts.
Restriction of data processing
Based on a request submitted to any address as indicated in our contact details, the User is entitled to request the restriction of the personal data concerning him/her processed by us in the following cases:
- the User expresses concern with regard to the lawfulness of the data concerning him/her, being processed by us and restriction is requested instead of erasure;
- we no longer need the provided data, but they are required for the establishment, exercising or defending of the User’s claims.
We automatically restrict the processing of personal data if the User challenges the accuracy of the personal data and the User exercises its right of objection. In this case, the restriction shall extend to such a time period which enables the checking of the accuracy of the personal data and, in case of objection, the determination of the fact whether the prerequisites of the data processing are met. During such restriction, the data processing measures of the indicated personal data may not be carried out, only the storage thereof. In case of the restriction of data processing, the personal data may only be processed in the following cases:
- based on the consent of the data subject
- for the submission, enforcement and protecting of legal claims;
- for the protection of the rights of other natural or legal persons;
- for important reasons of public interest.
We shall inform the Users of the lifting of the restrictions in advance.
Data portability
Based on a request submitted to any address as indicated in our contact details, the User is entitled to request the provision of personal data concerning him/her, and processed by us to further use determined by the User. Besides that, the User may also request that we transfer the personal data to another controller indicated by the User.
This right only covers the personal data provided by the User and processed for the performance of the contract. There is no possibility for the portability of other data. We shall provide the personal data to the User in a structured, commonly used and machine-readable format (PDF/XML) and on paper, in a printed format.
We inform the User that the exercising of this right does not automatically involve the erasure of such personal data from our systems. Besides that, the User is entitled to contact us and keeping in contact with us again, even following such data portability.
Objection
Based on a request submitted to any address as indicated in our contact details, the User is entitled to object to the processing of his/her/its personal data for the purposes indicated in Sections 4.1, 4.2. and 4.3. of this Privacy Policy. In this case, we shall examine whether the data processing is justified by such mandatory legal reasons which take precedence over the interests, rights and freedoms of the Useror which are pertaining to the submission, enforcement or protection of legal claims. Should we determine that such reasons exist, we shall continue processing the personal data. In failure thereof, weshall not process the personal data in the future.
11.4 Arrangement of joint controllership
Peviktera shall be liable for every processing of personal data performed prior to transferring personal data to the Organizer. Organizer shall be liable for every processing of personal data performed after the obtaining of personal data from Peviktera. Peviktera shall be liable for the legality of transferring the jointly processed personal data to the Organizer (see section 4.2.2. of the privacy policy). Each partly is separately liable for every processing of personal data in cases where they determine the purposes and means of the processing of personal data alone.
Peviktera shall be liable for the fulfilment of duties referred in Article 13 and 14 of GDPR regarding every processing of personal data performed prior to transferring personal data to the Organizer.
Organizer shall be liable for the fulfilment of duties referred in Article 13 and 14 of GDPR regarding every processing of personal data performed after the obtaining of personal data from Peviktera.
Peviktera applies the current privacy policy for the fulfillment of the duty of communication referred in GDPR, whereas Organizer applies its own rule of competititon for this purpose.
Peviktera shall be liable for the performance of data subject requests it receives referred in Article 15- 22 of GDPR. Organizer shall be liable for the performance of data subject requests referred in Article 15-22 of GDPR after the obtaining of personal data from Peviktera.
Each party shall implement appropriate technical and organisational measures to protect the jointly processed personal data (see section 4.2.2. of the privacy policy) from accidental or unlawful destruction, loss, alteration, unauthorised disclosure and misuse, or any other processing of personal data breaching the data protection regulations.
Each party undertakes to notify the other party without delay, if it
- becomes aware of a data breach regarding the jointly processed personal data;
- becomes aware of a data subject request regarding the jointly processed personal data;
- becomes aware of an investigation or administrative procedure proposed by the Hungarian
National Authority for Data Protection and Freedom of Information or other supervising authority regarding the jointly processed personal data.
21st of August 2023
PEVIKTERA Consulting Kft.