THE Colorful Erzsébetváros Association (hereinafter referred to as: service provider, data controller) submits itself to the following information.
In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation), we hereby provide the following information.
This data protection notice regulates the data protection of the following site and its related subsites: szineserzsebetvaros.hu (and its subsites and microsites)
THE DATA CONTROLLER AND ITS CONTACT DETAILS:
Name: Colorful Erzsébetváros Association
Headquarters: 1077 Budapest, Wesselényi Street 13.
E-mail: hello@szineserzsebevaros.hu
CONCEPT DEFINITIONS
PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
The data controller is responsible for compliance with the above and must be able to demonstrate this compliance ("accountability").
DATA PROCESSING
DATA PROCESSING RELATED TO THE OPERATION OF THE SITE
Data processed: Last name and first name
Purpose of data processing: Keeping in touch
Data processed: Email address
Purpose of data processing: Keeping in touch
Data processed: Phone number
Purpose of data processing: Keeping in touch
Data processed: Date of registration
Purpose of data processing: Performing a technical operation.
Data processed: IP address at the time of registration
Purpose of data processing: Performing a technical operation.
7.1. Article 6(1)(b) of the GDPR,
7.2. Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (hereinafter: Elker Act) Section 13/A (3):
The service provider may process personal data for the purpose of providing the service that is technically indispensable for the provision of the service. All other conditions being the same, the service provider must select and in all cases operate the means used in the provision of the information society service in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even then only to the extent and for the period necessary.
7.3. In the case of issuing an invoice in accordance with accounting legislation, Article 6(1)(c).
7.4. In the event of enforcement of claims arising from the contract, the period of limitation is 5 years, pursuant to Section 6:21 of Act V of 2013 on the Civil Code.
§ 6:22 [Limitation]
(1) Unless otherwise provided by this Act, claims shall expire after five years.
(2) The limitation period begins when the claim becomes due.
(3) An agreement to change the limitation period must be in writing.
(4) An agreement excluding the limitation period is void.
DATA PROCESSORS REQUIRED
Hosting provider
Activity provided by the data processor: Hosting service
Name and contact details of the data processor:
Name: Hostinger International Ltd.
Registered office: 61 Lordou Vironos Street Larnaca 6023 Cyprus
Email address: gdpr@hostinger.com
Physical location of data processing: Data is stored on Hostinger servers in Lithuania (Europe), IP address: 45.84.207.176.
The fact of data processing, the scope of data processed: All personal data provided by the data subject.
Scope of data subjects: All data subjects using the website.
Purpose of data management: Making the website available, operating it properly, maintaining contact, sending newsletters.
Duration of data management: data management lasts until the termination of the agreement between the data controller and the hosting service provider, or until the data subject submits a deletion request to the hosting service provider.
The legal basis for data processing is Article 6(1)(c) and (f) and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
COOKIE MANAGEMENT
Cookies typical for websites are the so-called "password-protected session cookies", "shopping cart cookies" and "security cookies", the use of which does not require prior consent from the data subjects.
The fact of data processing, the scope of data processed: Unique identification number, dates, times
Scope of data subjects: All data subjects who visit the website.
Purpose of data processing: To identify users, to register the "shopping cart" and to track visitors.
Duration of data processing, deadline for data deletion:
The person of the potential data controller authorized to view the data: the data controller does not process personal data using cookies.
Description of the data subjects' rights regarding data processing: The data subject has the option to delete cookies in the Tools/Settings menu of the browser, usually under the settings of the Privacy menu item.
Legal basis for data processing: Consent from the data subject is not required if the sole purpose of using cookies is to transmit information via an electronic communications network or if the service provider absolutely needs it to provide an information society service explicitly requested by the subscriber or user.
USING GOOGLE ADWORDS CONVERSION TRACKING
The data controller uses the online advertising program “Google AdWords” and, within its framework, uses Google’s conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
When a User reaches a website through a Google ad, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
Each Google AdWords customer receives a different cookie, so they cannot be tracked across AdWords customers' websites.
The information – obtained using conversion tracking cookies – is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. This allows customers to see the number of users who clicked on their ads and were redirected to a page with a conversion tracking tag. However, they do not receive any information that could be used to identify any individual user.
If you do not wish to participate in conversion tracking, you can refuse this by disabling the installation of cookies in your browser. You will then not be included in the conversion tracking statistics.
Further information and Google's privacy statement can be found on the following page: www.google.de/policies/privacy/
USING GOOGLE ANALYTICS
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are saved on your computer, to help the website operator analyze how users use the website.
The information generated by the cookie about the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will shorten the User's IP address beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area.
The full IP address will only be transmitted to a Google server in the USA and shortened there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the user uses the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
Within the framework of Google Analytics, the IP address transmitted by the User's browser will not be merged with other data held by Google. The User can prevent the storage of cookies by setting their browser accordingly, but please note that in this case not all functions of this website may be fully usable. You can also prevent Google from collecting and processing the data generated by cookies and relating to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link.
COMMUNITY SITES
The fact of data collection, the scope of data processed: your name registered on the social networking sites Facebook and Instagram and the fact of identification by Facebook.
Scope of data subjects: All data subjects who have registered on the social media sites Facebook and Instagram and visited the website.
Purpose of data collection: Identification of activity on social media sites, activity with certain content elements of the website, or activity with the website itself.
Duration of data management, deadline for data deletion, possible data controllers authorized to view the data and description of the data subjects' rights related to data management: The data subject can find out about the source of the data, its management, the method of transfer and its legal basis on the given social media site. Data management is carried out on social media sites, so the duration, method of data management and the possibilities for data deletion and modification are subject to the regulations of the given social media site.
Legal basis for data processing: the data subject's voluntary consent to the processing of their personal data on social media sites.
RIGHTS OF THE DATA SUBJECTS
Right of access
You have the right to receive feedback from the controller as to whether your personal data is being processed and, if such processing is taking place, you have the right to access the personal data and the information listed in the regulation.
The right to rectification
You have the right to request that the controller rectify inaccurate personal data concerning you without undue delay. Taking into account the purpose of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary statement.
The right to erasure
You have the right to request that the controller erase your personal data without undue delay, and the controller is obliged to erase your personal data without undue delay under certain conditions.
The right to be forgotten
Where the controller has made the personal data public and is obliged to erase them, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that you have requested the erasure of links to the personal data in question or of copies or replications of those personal data.
Right to restriction of data processing
You have the right to request that the data controller restrict data processing if one of the following conditions is met:
• You contest the accuracy of the personal data, in which case the restriction shall apply for a period of time that allows the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the data and instead request the restriction of its use;
• the data controller no longer needs the personal data for the purposes of data processing, but you require them for the establishment, exercise or defense of legal claims;
• You have objected to the processing; in this case, the restriction applies for a period of time until it is determined whether the legitimate grounds of the controller override your legitimate grounds.
The right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided (…).
The right to protest
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data (…), including profiling based on the aforementioned provisions.
Objection to direct marketing
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling, insofar as it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for such purposes.
Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply if the decision:
• Necessary for the conclusion or performance of a contract between you and the data controller;
• it is permitted by Union or Member State law applicable to the controller, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• Based on your express consent.
ACTION DEADLINE
The data controller will inform you of the measures taken in response to the above requests without undue delay, but in any case within 1 month of receipt of the request.
If necessary, this can be extended by 2 months. The data controller will inform you about the extension of the deadline within 1 month of receipt of the request, indicating the reasons for the delay.
If the controller does not take action on your request, it shall inform you without delay, but no later than one month from the date of receipt of the request, of the reasons for the failure to take action and of the possibility of lodging a complaint with a supervisory authority and of exercising your right to a judicial remedy.
SECURITY OF DATA PROCESSING
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk, taking into account the state of the art and the costs of implementation, the nature, scope, circumstances and purposes of the processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, including, where appropriate:
INFORMING THE DATA SUBJECT ABOUT THE DATA PROTECTION INCIDENT
If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data breach without undue delay.
The information provided to the data subject must clearly and intelligibly describe the nature of the data protection incident and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the data protection incident; describe the measures taken or planned by the data controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
The data subject does not need to be informed if any of the following conditions are met:
• the controller has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data breach, in particular measures – such as the use of encryption – that make the data unintelligible to persons not authorised to access the personal data;
• the data controller has taken additional measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future;
• the provision of information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly published information or a similar measure should be taken to ensure that the data subjects are informed in a similarly effective manner.
If the data controller has not yet notified the data subject of the data breach, the supervisory authority may, after considering whether the data breach is likely to involve a high risk, order the data subject to be informed.
REPORTING A DATA PROTECTION INCIDENT TO THE AUTHORITY
The controller shall notify the personal data breach to the supervisory authority competent pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.
COMPLAINT POSSIBILITY
A complaint against a possible violation of the data controller can be filed with the National Data Protection and Freedom of Information Authority:
National Data Protection and Freedom of Information Authority
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, PO Box: 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
THE POSSIBILITY OF CHANGE
Our data management solutions and circumstances may change. Therefore, we reserve the right to modify this data management information at any time. We will provide information about the modification on our website.
Budapest, June 1, 2025.
