1. The objective of the Policy
With reference to the provisions in Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information (hereinafter: the Information Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council [GDPR], the objective of this Policy is to inform data subjects about the scope of their personal data processed by the controller specified in Section 2, the purpose and method of data processing, and all other facts relating to the processing of the data, including but not limited to their rights concerning the data processing and the legal remedies available to them.
2. Controller’s name, registered seat and representative
Name: BOBO FUN PARK Kft.
Registered seat: 8394 Alsópáhok, Fő utca 120.
Official representative: Csaba Baldauf, CEO
Contact person for data protection issues: Judit Nyírő
3. Name, contact information, legal standing and duties of Data Protection Officer (DPO)
Dr. Boldizsár Morvay – email@example.com
The legal standing of the DPO
The controller shall facilitate the involvement of the DPO, in an appropriate and timely manner, in all issues concerning the protection of personal data. The DPO shall be supplied with the resources necessary for accessing up-to-date information on data protection.
The DPO shall not accept instructions from anyone regarding the performance of duties. The controller and the data processor shall not have the right to lay off or sanction the DPO for reasons related to the discharging of such duties. The DPO shall be accountable directly to the top management of the controller or the data processor.
Data subjects may contact the DPO on any issue concerning the processing of their personal data and the exercising of their rights.
The DPO is bound by the obligation of secrecy regarding the performance of its duties and the confidentiality of the processed data.
The DPO may also perform other duties but conflicts of interest between such duties are not permitted.
The DPO’s duties
- Inform and advise the controller or the data processor, and the data processing employees;
- verify compliance with the internal rules of the controller or the data processor on the protection of personal data;
- on request, provide professional advice regarding the data protection impact assessment and monitor the execution of the impact assessment;
- cooperate with the supervisory authority.
4. Data processing legislation
- Basic Law of Hungary, Article VI;
- Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information (hereinafter: “Information Act”);
- Regulation (EU) 2016/679 EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
5. Terms used in this Policy
| Term | Definition |
|---|---|
| data processor | a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller |
| processing, data processing | any automated or non-automated operation or set of operations performed on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, distribution or sharing in any form, alignment or combination, restriction, erasure or destruction |
| controller (service provider) | a company or natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Union laws or regulations, the controller or the specific criteria for his/her nomination may be designated by national or Union law |
| personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed |
| biometric data | personal data resulting from specific technical processing related to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data |
| recipient | a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data within the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing |
| data subject | the natural person whose personal data are processed |
| data subject’s consent | any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
| third party | a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data |
| Information Act | Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information |
| employee | a person having an employment contract or other legal relationship for the performance of work (particularly including service and engagement contracts) with the Service Provider, and subcontractors and their agents |
| profiling | any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements |
| personal data | any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person |
| special categories of personal data | personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation |
6. Data protection impact assessment
The controller shall be responsible for conducting an impact assessment of the sources, nature, particularity and severity of risks impacting the rights and freedoms of the natural persons. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR. If the data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation with the National Authority for Data Protection and Freedom of Information (DPIA) should take place prior to the processing. Should data protection impact assessments be required in the future in relation to high-risk data processing, open-source software published by the data protection authority of France (Commission Nationale de l'Informatique et des Libertés, hereinafter: CNIL) and recommended by the DPIA (original name: “PIA software”, hereinafter: impact assessment software) will be used to carry out such assessment.
The controller shall draw up a separate policy regarding the data protection impact assessment.
7. Balancing test – for data processing based on legitimate interest
The balancing test for data processing based on legitimate interest (Article 6 (1) (f) of the GDPR) is conducted in accordance with position statement no. NAIH/2015/3731/2/V of the DPIA. According to this, the balancing test is a multi-stage process in which the controller’s legitimate interest must be identified along with the data subject’s countervailing interests and fundamental rights; on the basis of the completed balancing test, it is ultimately determined whether the processing of the personal data is permissible.
The steps of a balancing test:
Step 1 – assess whether data processing is necessary or if a workaround is available
Step 2 – define the legitimate interest as accurately as possible
Step 3 – identify the purpose of the data processing, what personal data will be processed and for how long
Step 4 – identify the perception of the data subjects
Step 5 – conduct the balancing test
The controller shall draw up a separate policy for the balancing test.
8. Processing and protection of personal data
8.1. The controller’s duties, scope of authority and responsibilities
The controller responsible for primary data processing shall compensate for the damage any party may suffer due to the unlawful processing of the data subject’s data or the infringement of the technical requirements of data protection. The controller shall also be liable to the data subject for damage caused by the data processor. The controller shall be exempt from liability if it is able to prove that the damage was due to force majeure beyond the scope of data processing. No compensation is due for damage due to wilful or grossly negligent behaviour on the part of the injured party.
8.2. The data processor’s duties, scope of authority and responsibilities
The rights and obligations of the data processor relating to the processing of personal data are defined by the controller within the constraints of this Policy and applicable legislation. Within the scope of its operations and the frameworks defined by the controller, the data processor shall be responsible for the processing, modification, erasure, transmission and disclosure of personal data. The agreement with the data processor shall stipulate that, in performing its duties, the data processor may rely on other data processors only as instructed by the controller and that any infringement of data processing rules may serve as grounds for the cancellation of the agreement with immediate effect.
9. Principles and basic provisions
The principle of lawfulness, fairness and transparency
(The recording and processing of data shall be fair and lawful, and transparent to the data subject.)
The principle of purpose limitation
(Personal data as defined in the Information Act shall be processed only for predefined purposes, to exercise a right or meet an obligation. The data processing shall be appropriate to the purpose of data processing throughout all stages of the process. Personal data may be processed only if absolutely necessary and suitable for achieving the purpose of the data processing. The personal data shall be processed only to the extent and for the time necessary for achieving the purpose.)
The principle of data minimisation
(Pursuant to the principle of data minimisation, the controller may only process personal data that is essential for the achievement of the purpose of the data processing.)
The principle of accuracy
(The data processed by the controller shall be accurate and, where necessary, up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.)
The principle of storage limitation
(Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.)
The principle of integrity and confidentiality
(The personal data shall be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using adequate technical or organisational measures.)
The principle of accountability
(The controller shall be responsible for compliance with data processing principles and rules; furthermore, it shall be able to evidence its compliance.)
The principle of data security
(The controller shall design and implement data processing operations in a manner ensuring that the privacy of the data subjects is protected in the course of the implementation of the Information Act and other rules applicable to data processing. The controller shall safeguard the security of data, taking all the technical and organisational measures and developing all the procedural rules necessary for implementing the Information Act and other rules on protecting data security and confidentiality. The controller shall protect the data with appropriate measures especially against unauthorised access, modification, transmission, disclosure, erasure, intended or unintended destruction, damage, and any changes in the technology used that cause unavailability. In order to protect sets of data stored electronically in different databases, the controller shall employ an adequate technical solution to ensure that, unless permitted by law, the data in such records cannot be linked and associated to the data subjects. In order to maintain security and prevent data processing infringing the GDPR, the controller shall assess the risks arising from the nature of the data processing and apply measures, e.g. encryption, to mitigate such risks. These measures will provide the appropriate level of security (including confidentiality) adequate to the latest science and technology and the costs of implementation as determined by the risks and the nature of the personal data to be protected. When assessing data security risk, the risks inherent in the processing of personal data (such as the unintentional or unlawful destruction, modification or unauthorised disclosure of transferred, stored or otherwise processed personal data, or unauthorised access to the same) shall be assessed if they may lead to pecuniary or non-pecuniary damage.)
10. The rights of data subjects
The right of access
(Data subjects have the right to learn from the controller whether their personal data are being processed and, if so, in which data processing process; to be granted access to their personal data; and to be given information on the circumstances of the processing of such data. The controller shall inform the data subject without undue delay and no later than one month after receiving the request about the measures taken in response to the data subject’s request. If necessary due to the complexity of a request and the number of requests, this deadline may be extended by a further two months. The controller shall notify the data subject of the extension of the deadline within one month of receiving the request, and shall explain the reasons for such delay. If the data subject submitted the request electronically, the information shall also be given electronically, if possible, unless otherwise requested by the data subject.)
Right to rectification
(The data subject shall have the right to request the controller to rectify incorrect personal data about them without undue delay and to complement personal data if incomplete.)
The right to erasure
(The data subject shall have the right to request the controller to erase their personal data if any one of the following reasons applies:
- a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
- b) the data subject revokes under Article 6 (1) (a) or Article 9 (2) (a) of the GDPR their consent constituting the basis for the data processing and the data processing has no other legal basis;
- c) the data subject objects to data processing based on Article 21 (1) of the GDPR and there is no overriding reason for the data processing, or the data subject objects to the data processing pursuant to Article 21 (2) of the GDPR;
- d) if the personal data have been processed by the controller unlawfully;
- e) if the personal data must be erased due to a provision of law;
- f) the personal data were collected in connection with the provision of information society services referred to in Article 8 (1) of the GDPR (conditions applicable to a child’s consent).
The controller will not erase the data in case the processing is necessary for any of the following reasons:
- a) to exercise the right to freedom of expression and information;
- b) to comply with a legal obligation of processing the personal data;
- c) or to establish, exercise or defend legal claims.)
The right to the restriction of processing
(The data subject has the right to request that the controller restrict the data processing if any one of the following applies:
- a) the data subject disputes the accuracy of the personal data, in which case the restriction will apply for a time period sufficient to allow the controller to verify the accuracy of the personal data;
- b) the data processing is unlawful but the data subject prefers a restriction of use to the erasure of the data;
- c) whereas the controller no longer needs the personal data for data processing purposes, the data subject does, for presenting, enforcing or protecting legal demands; or
- d) the data subject has objected to the data processing; in such a case, the restriction will apply to the time period while it is being established whether the controller’s legitimate interests prevail over the data subject’s legitimate interests. If data processing is restricted, the restricted personal data may be stored but processing is permitted only if the consent of the data subject is available or if it is required for presenting, enforcing or protecting legal claims, for protecting the rights of any other natural or legal person, or on important grounds of public interest in the Union or any Member State. The controller shall inform the data subject in advance of the releasing of a restriction.)
The right to object
(The data subject shall have the right to object at any time, for reasons relating to their own situation, to the processing of their personal data based on Article 6 (1) (e) or (f) of the GDPR, including profiling based on the aforementioned provisions. In such a case, the controller shall not have the right to continue processing the personal data, unless it is able to prove that the data processing is justified by compelling legitimate reasons that override the interests, rights and freedoms of the data subject, or which are connected to presenting, enforcing or protecting legal claims.)
Right to data portability
(The data subject shall have the right to receive their personal data in a structured, commonly used machine-readable format, and the right to forward these data to another controller without this being prevented by the controller to whom they had provided such personal data if: a) the data processing is based on consent as defined in Article 6 (1) (a) or Article 9 (2) (a) of the GDPR or a contract as referred to in Article 6 (1) (b) of the GDPR; and b) the data processing is automated.)
11. Detailed rules of data processing
11.1. Information about the data processing
Data subjects have the right to receive concise, transparent, easily accessible, clear and understandable information about the processing of their personal data. If the personal data are collected from the data subject, the data subject shall also be informed whether it is obligatory to disclose such personal data and what consequences a failure to supply the data would have. Information on the processing of the data subject’s personal data shall be given to the data subject at the time of collecting the data; if the data are obtained from a resource other than the data subject, this information shall be provided within a reasonable timeframe, taking the specific circumstances into account. If the personal data may be lawfully disclosed to other recipients, the data subject shall be informed upon the first time they are shared with such recipient. If the controller wishes to process personal data for a purpose other than that for which they were collected originally, then, prior to the continued processing of data, the data subject shall be notified of this different purpose and everything else they need to know.
The information shall contain the following:
- the person and the contact information of the controller
- the contact information of the DPO
- the purpose of processing the personal data and the legal basis for data processing
- in the case of data processing based on legitimate interest, these legitimate interests
- the recipients of the personal data
- the planned duration of the data processing
- the rights of the data subject
- whether supplying the data is a precondition for contracting and what possible consequences a failure to provide the data may have
- any automated decision-making, including profiling
- the legal remedies available to the data subjects
11.2 The lawfulness of processing
The processing of personal data shall be lawful if the controller has any one of the following legal bases for processing:
- the data subject has consented to the processing of their personal data
- processing is necessary for the performance of a contract in which the data subject is one of the parties
- processing is necessary for compliance with a legal obligation of the controller
- processing is necessary for the protection of a vital interest of the data subject
- processing is necessary for carrying out a task in public interest
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
11.3 The range of personal data processed by the controller and the purpose and legal basis of the data processing are set out in the register of processing activities, which constitutes Annex 1 to this Policy; the controller publishes this register on its website.
The data processing register contains:
- the purpose of processing,
- the type of data,
- the legal basis for processing,
- the range of data subjects,
- the source of the data,
- the type, recipient and legal basis of data transmission, if applicable,
- the deadline for the erasure of the given type of data,
- if data are processed by a data processor, the details of the data processor, the processing location, and the data processor activities in relation to the processing.
Separate privacy notices have been drawn up regarding the types of data processing included in the data processing register; these constitute Annexes 1 to 12 to the register.
11.4. Data processing period
Data shall be stored for the shortest possible period. To determine the length of this period, the controller’s reason for the data processing shall be taken into consideration, along with the legal obligations concerning the retention of data for a specific period of time.
11.5. Internal data transfer
The controller may transfer personal data within its organisation only if adhering to the principle of purpose limitation and grant the access to the data only for appropriate purposes.
11.6. Transfer of data to third parties
Personal data may be transferred to third parties only on the basis of the law or with the consent of the data subject, provided that the conditions of data processing apply to each piece of personal data. Prior to the data transfer, the controller shall assess whether its legal conditions apply; after the data transfer, it shall check whether the conditions of data processing are complied with in the case of all the personal data. Prior to the first transfer of a specific data subject’s data to a given controller for a given purpose, the DPO shall be involved in the assessment of the lawfulness of the data transfer. A separate assessment shall not be necessary for subsequent transfers to the same controller for the same purpose. The DPO shall keep a data transfer register of the transfer of data, and shall store it in line with the applicable rules. The data transfer register shall be retained until the end of the fifth year from receiving and/or transferring the data (or twenty years in the case of sensitive data).
The data transfer register shall contain:
- the time of data transfer by the transferor of the data,
- the scope of data transferred,
- the legal basis for the transfer of data and its recipient (name, address, registered seat),
- the name and telephone number of the person responsible for the data transfer.
11.7 Transfer of data abroad or to a third country
Prior to the data transfer, the controller shall assess with the help of the DPO whether its legal conditions apply; after the data transfer, it shall check whether the conditions of data processing are complied with in the case of all the personal data.
11.8 The controller does not process sensitive data, including biometric data.
12. Personal data breach
The GDPR defines personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
12.1 Reporting a personal data breach
The controller should notify personal data breaches to the competent supervisory authority (DPIA) without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification.
12.2 Investigation and handling of personal data breaches
The DPO shall examine the report and request information from the reporting person, who shall supply the same without undue delay but within no more than 2 working days.
The data supplied shall include:
- the time and place of the breach
- the description, circumstances and impacts of the breach
- the data involved in the breach, the quantity of such data
- the range of persons to whom the data belong
- a description of the actions taken to remedy the breach,
- a description of the actions taken to prevent and mitigate the damage.
The DPO shall propose the necessary measures. The actions taken to remedy the personal data breach shall be reported to the DPO by the person responsible for the data processing procedure, who shall do so within 2 working days of implementing the measures.
12.3 Register of personal data breaches
The controller shall keep a register of personal data breaches. In accordance with the GDPR, the controller shall adopt appropriate technical and organisational measures so that it can identify and evaluate vulnerabilities and security incidents. In addition to documenting personal data breaches, the controller shall employ appropriate processes and measures in order to identify and manage personal data breaches in a timely manner.
13. The entry into force of, and amendments to, this Policy
This Policy shall enter into force on 31 March 2021. The controller shall have the right to amend this Policy at its discretion at any time, as long as such amendment is compliant with prevailing law. This Policy is available for viewing on the premises of the controller’s registered seat.
Alsópáhok, 31 March 2021
BOBO FUN PARK Kft.
Csaba Baldauf, Managing Director
Related privacy notices:
- Website visitor data, cookies
- Newsletter, direct marketing messages
- Ordering gift vouchers
- Photography, video
- Visitor questionnaire