I. INTRODUCTION OF DATA CONTROLLER

In order to ensure the legality of its internal data protection processes and the rights of the data subjects, Óbudai Egyetem (hereinafter: University, Data controller, We/Us) formulates the following privacy notice. 

Name of data controller: Óbudai Egyetem  

Ministry of Education ID nr.: FI12904

Headquarters of Data controller: 1034 Budapest, Bécsi út 96/B

Electronic address of Data controller: jog@uni-obuda.hu

Representative of Data controller: Prof. Dr. Kovács Levente rector 

Data protection officer: Bovard Kft. (info@bovard.hu)

As an institution for higher education the data processor is an organisation founded with the core activities of education, scientific research, and artistic creation – as set forth in Act CCIV of 2011 on National Higher Education. This obligatory data processing is necessary for the University to guarantee its lawful operation and to ensure the realization of the educational goals set forth in relevant law.

The personal data of the data subjects are managed in accordance with the requirements of all effective laws, but primarily in accordance with the requirements of the following laws:

• Act CXII of 2011 on the right of informational self-determination and the freedom of information (hereinafter: Infotv.),
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR).

The University keeps personal data confidential and employs technical and organizational measures relating to the storage of processing of said data in order to ensure its safety.

Definitions

The conceptual framework of this Privacy Notice is identical to that described in Article 4 of the GDPR, and in some points supplemented by the interpretative provisions of Section 3 of the Infotv.

When the Privacy Notice mentions data or data processing/controlling it refers to personal data and the processing/controlling of personal data.

*****

II. DATA PROCESSING PURPOSE: Management of cookies on the website

On its website located at http://www.soberproject.eu/ (hereinafter: website), the University employs so-called cookies in order to provide and improve the services of the website, and to enhance the user experience.

What is a cookie?

Cookies are small files installed on the user’s device that process small text-based identification and collect data. The cookie consists of a unique numerical value and is primarily used to distinguish between computers and other devices visiting the website. Cookies have multiple functionalities, among other things they collect information, store user settings and enable the website’s owner to monitor user behaviour in order to enhance the user experience.

Why do we use cookies?

1. Ensuring the intended and high-quality functionality of the website
2. Measuring the number of visitors
3. Preparing web analytics, and analysing the ways visitors use the website
4. Displaying advertisements to the visitors, creating Google Ads campaigns

What cookies do we use?

We provide detailed information on cookies used by the website through the cookie manager. Data connected by cookies are not sold or leased to third parties except to the extent necessary to provide the services for which the data subject has provided this information in advance and voluntarily.

What is the legal basis of the data processing carried out by cookies?

In the case of cookies that are necessary for the operation of the website and to carry out the University’s public tasks through the website, the data processing is necessary for the performance of public tasks by the University, which in this case specifically providing the operation of the website and the services offered on the website to its visitors, therefore its legal basis is Article 6 Paragraph (1) point (e) of the GDPR. The legal basis of using other cookies is Article 6 Paragraph (1) point (a) of the GDPR, thus the data subject’s consent, which the data subject can provide through the cookie manager.

How to check and turn off cookies

Beyond the cookie manager, all modern browsers allow the user to manage the settings of cookies. Most browsers accept cookies by default but this setting can be changed in order to prevent automatic enabling of cookies, giving the user the option to choose whether they want to enable them or not.

Because the purpose of using cookies is to ensure the website’s usability and enable its functions, it is possible that preventing the loading of cookies or deleting them may cause the users to be unable to fully use the website, or it may work differently than intended.

You can find information about default cookie settings of the most popular browsers at the following links:

Google Chrome 

Firefox 

Microsoft Edge

Microsoft Internet Explorer

Opera

Safari

III.  THE RIGHTS OF THE DATA SUBJECT

In relation to the processing of the personal data covered by this notice, the data subject has the rights set out in Articles 15-21 of the Regulation, which are further described below. The enforceability of these rights also depends on the legal basis for the processing indicated above, which is summarized in a table below:

Rights of the data subject Legal basis	Right of access	Right to rectification	Right to erasure	Right to restriction of processing	Right to data portability	Right to object
Consent	✔	✔	✔	✔	✔	✖
Performance of a contract	✔	✔	✔	✔	✔	✖
Compliance with a legal obligation	✔	✔	✔	✔	✖	✖
Protection of a vital interest	✔	✔	✔	✔	✖	✖
Performance of a task carried out in the public interest	✔	✔	✔	✔	✖	✔
Legitimate interest	✔	✔	✔	✔	✖	✔

Right to be informed

The data subject has the right to be informed with regard to the data processing, which right is observed by the Data controller by providing this privacy notice.

Data processing based on consent

In case the legal basis of any data processing is the consent of the data subject, they have to right to withdraw their consent to the data processing at any time. However, it is important to note that withdrawing the consent involves only the data whose processing has no other legal basis. In case there are no other legal bases, we delete the personal data finally and irrevocably after the consent is revoked.

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right of access by the data subject

The data subjects shall have the right to obtain from the Data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the planned period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the data subject is informed about their right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected directly from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to rectification

The data subjects shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a request is made to rectify (modify) personal data then the data subject needs to prove the authenticity of the data to be modified. Additionally, the data subject must verify that the person requesting rectification is authorised to do so. This is the only way for the data controller to verify the authenticity of the new data before modifying it.

Please report any changes in your personal data to the Data controller as soon as possible, facilitating the legality of data processing and the enforcement of your rights.

Right to erasure (‘right to be forgotten’)

The data subjects shall have the right to obtain from the Data controller the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data for direct marketing purposes;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
6. the personal data have been collected in relation to the offer of information society services.

Right to restriction of processing

The data subject shall have the right to obtain from the Data controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
4. the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to object

If the processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller (point (e) of Article 6(1) of the GDPR), the data subjects shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them, including profiling based on the relevant provisions.

Right to data portability

The data subjects shall have the right to receive the personal data concerning them, which he or she has provided to the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

1. the processing is based on consent of the data subject or on a contract according to Article 6 Paragraph (1) Point b) of the GDPR; and
2. the processing is carried out by automated means.

PROCEDURES FOR ENFORCING THE RIGHTS OF DATA SUBJECTS

The above rights can be exercised by data subject by sending an electronic mail to this e-mail address: jog@uni-obuda.hu, or regular mail to the seat of the Data controller or in person at the seat of the Data controller. The data subject shall be informed about the measure taken in response to the request within 30 days. If we are unable to fulfil the request, we inform the data subject about the reasons of the rejection and the administrative and judicial redress rights of the data subject.

The rights of the deceased data subject may be enforced within five (5) years by an authorized person who possesses administrative provisions, or a statement towards the Data controller included in a public document or full probative private document. If multiple such statements exist at the same Data controller, then the statement made the latest will prevail. If the data subject has made no such legal statement, then a close relative – as defined in Act V of 2013 on the Civil Code – is still able to enforce certain rights of the deceased within five (5) years of death. These rights are defined in Article 16 (right to rectification) and Article 21 (right to object), as well as – if the data processing was unlawful during the life of the data subject, or the purpose of data processing has ceased with the death of the data subject – Articles 17 (right to erasure) and 18 (right to restriction of processing) of the GDPR. The close relative who exercises their right first will be entitled to enforce rights of the data subject as set forth in this Paragraph.

*****

IV. THE RIGHT TO LODGE A COMPLAINT AND TO AN EFFECTIVE JUDICIAL REMEDY

In order to exercise their right to judicial remedy, the data subjects may seek legal action against the Data controller if the data subject considers that the Data controller or a data processor acting on behalf of or under the instructions of the Data controller is processing the personal data in breach of the provisions of laws on the processing of personal data or of binding legal acts of the European Union. According to Article 79 (2) of the GDPR proceedings against the data controller shall be brought before the courts of the Member State where the data controller has an establishment, i.e., before the Budapest-Capital Regional Court (Hungary). The court shall deal with the case as a matter of priority. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has habitual residence. 

Without prejudice to judicial remedy, according to Article 77 (1) of the GDPR every data subject shall have the right to lodge a complaint with the supervisory authority, in particular in the Member State of data subject’s habitual residence, place of work or place of the alleged infringement (i.e. in Hungary), alleging that the processing of personal data by the Data Controller has resulted in a violation of rights or an imminent threat thereof, or that the Data Controller is restricting the exercise of rights related to the processing of personal data or is refusing to exercise such rights. 

The claim can be filed at the Hungarian supervisory authority at one of the below addresses:

National Authority for Data Protection and Freedom of Information (NAIH) 

Mailing address: 1363 Budapest, Pf. 9. 

Address: 1055 Budapest, Falk Miksa utca 9-11.  

E-mail: ugyfelszolgalat@naih.hu 

URL: http://naih.hu 

Budapest, 19 May 2023