I. The data controller (Service Provider)

Name of the Service Provider: Balatonfüred International Guitar Festival Foundation
Registered office and postal address: 2462 Martonvásár, Jókai u. 84.
Registering authority: Székesfehérvár Regional Court
Company registration number: Pk. 60.148/2005/4.
Tax identification number: 18498033-1-07
Email address: info@balatongitar.hu.hu
Website: www.balatongitar.hu
Phone: +36-30-2891239
Webhosting provider name: RackForest IT Trading Services and Consulting Ltd.
Webhosting provider address: 1132 Budapest, Victor Hugo utca 11., 5. emelet

II. The Company’s privacy policy

  1. As the data controller, the Service Provider undertakes to ensure that all data processing in relation to its activities complies with the requirements set out in this Policy and the applicable legislation.
  2. Information on the Service Provider’s data management is continuously available in the footer of the home page of the balatongitar.hu website.
  3. The Service Provider is entitled to unilaterally amend the Privacy Policy. In case of modification of the Privacy Policy, the Service Provider shall notify the User by publishing the changes on www.balatongitar.hu at least eight (8) days before the modification comes into force. The User accepts the amended Privacy Policy by using the Service after the effective date of the amendment.
  4. The Service Provider is committed to the protection of the User’s personal data, and considers it of the utmost importance to respect the right of informational self-determination of its customers. The Service Provider treats personal data confidentially and takes all security, technical and organizational measures to ensure the security of the data.
  5. The Service Provider’s data management principles are in compliance with the applicable legislation on data protection, in particular with the following:
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter the Data Protection Act);
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Eker. tv.);
  • Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising (Grt.).
  1. The Service Provider will use the personal data necessary for the provision of its services on the basis of the consent of the data subjects and only for the purposes for which they are intended.
  2. The Company undertakes to publish a clear, prominent and unambiguous notice informing Users of the manner, purpose and principles of the collection, recording and processing of any of their Personal Data. In addition, in all cases where the collection, processing or recording of data is not required by law, the Company shall draw the User’s attention to the voluntary nature of the provision of the data. In case of mandatory provision of data, the legal provision imposing the processing shall also be indicated. The data subject shall be informed of the purposes of the processing and of the persons who will process the Personal Data.
  3. In all cases where the Company intends to use the Personal Data provided for purposes other than those for which they were originally collected, the Company shall inform the User thereof and shall request his/her prior explicit consent or provide him/her with the possibility to prohibit such use.
  4. The Service Provider shall in any case comply with the restrictions laid down by law in the collection, recording and processing of data, and shall inform the data subject of its activities by electronic mail as requested. The Service Provider undertakes not to impose any sanctions on any User who refuses to provide the optional data.

III. Legal basis for data processing

  1. Personal data may be processed if the data subject consents to it or if it is ordered by law or, on the basis of a law, by a local government decree within the scope specified therein, for a purpose in the public interest. The legal basis for data processing is the voluntary consent of the data subject pursuant to Section 5 (1) a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Act on the Freedom of Information) and Section 13/A of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services.
  2. The declaration by an incapacitated minor or a minor with limited capacity to act requires the consent of his or her legal representative, except for those parts of the service where the declaration is intended for registration on a mass basis in everyday life and does not require any special consideration. The consent of the legal representative of a minor over the age of 16 is not required for the validity of the declaration of consent of the minor concerned.
  3. If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,
  4. a)to comply with a legal obligation to which it is subject, or
  5. b)for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject’s consent.

IV. Purpose of the processing and scope of the data processed, duration of the processing, persons entitled to access the data

  1. Personal data may only be processed for specific purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose. The processing of the Service Provider’s services is based on voluntary consent, however, in certain cases, the processing, storage and transmission of some of the data provided is required by law. The Service Provider does not use personal data for purposes other than those stated.
  2. Online service (advance purchase of tickets, season tickets)

The processing is based on the User’s voluntary and duly informed declaration, which is necessary for the use of the services on the website. The declaration is made by the User when using the service. The declaration contains the User’s express consent to the use of the personal data provided by him/her when using the site. The legal basis for the processing of the data is the voluntary consent of the data subject pursuant to Section 5 (1) (a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information and Section 169 (2) of Act C of 2000 on Accounting.

The purpose of the processing is to ensure the provision of the ticketing service on the website. The purpose of the data processing is also to identify the User as a ticket purchaser and to fulfil the ordered service, to send notifications related to it, to register the Users and to distinguish them from each other. Data processed: first and last name, telephone number, e-mail address. Duration of processing: until revoked.

  1. Sign up, subscribe to the newsletter

When registering for an event or subscribing to a newsletter, the User is only required to enter his/her details once. The data provided will be processed by the Service Provider until such time as the User prohibits the use of the data for such purposes by unsubscribing. The data that may be provided at the User’s discretion are e-mail address, telephone number, name, place of residence/residence, date of birth, participation in the User’s master class, meal order. The processing of data is based on the User’s voluntary and duly informed declaration, which is necessary for the use of the services on the website. The declaration is made by the User when using the service. The declaration contains the User’s express consent to the use of the personal data provided by him/her when using the site. The legal basis for the processing of the data is the voluntary consent of the data subject pursuant to Section 5 (1) (a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information and Section 169 (2) of Act C of 2000 on Accounting.

The purpose of the processing is to provide the registration and subscription to the event on the website. Furthermore, the purpose of the processing is to identify the User as an applicant or subscriber and to provide the service ordered, to send notifications related to the service ordered, to register the Users, to distinguish them from each other, to notify them of the programmes of the event, of the next events (e-mail form), – to facilitate the User’s choice. Data processed: first and last name, telephone number, e-mail address, address, date of birth, masterclass, meal order. Duration of data processing: until cancellation, withdrawal.

  1. Electronic newsletter

We will only send you a newsletter if you have consented to receive our privacy notice or subscribe to it. If the User subscribes to the newsletter, the Data Controller may send him/her a newsletter at a frequency (but not more than twice a week) at its discretion, except in the case of.

The purpose of the processing is to send e-mail newsletters containing advertising to interested parties. Legal basis for processing: the data subject’s voluntary consent and Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities. Data processed: name, e-mail address, place of residence, data listed in the application form, data provided by the User.

Duration of data processing: until consent is withdrawn. You can unsubscribe by clicking on the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days of receipt of the request.

  1. Other data processing

Information about data processing not listed in this notice is provided at the time of collection. We inform our visitors that the court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the data protection commissioner or other bodies authorised by law may contact the Data Controller to provide information, to disclose or transfer data or to provide documents. The Service Provider shall only disclose personal data to the authorities to the extent and to the extent strictly necessary for the purpose of the request, provided that the authorities have indicated the exact purpose and scope of the data.

  1. The Controller does not verify the Personal Data provided to it. The person providing the data is solely responsible for the correctness of the data. By providing an e-mail address, each User also assumes responsibility for ensuring that only he or she uses the e-mail address provided. With regard to this assumption of responsibility, any liability for accessing the service from a given e-mail address shall be borne solely by the User who registered the e-mail address. If the User does not provide his/her own personal data, he/she is obliged to obtain the consent of the data subject.
  2. Employees who have an employment or agency relationship with the Service Provider and Data Processors are entitled to access personal data.

V. Transmission of Data, Identification of Data Processors

  1. The Service Provider does not transfer personal data to third parties. This does not apply to any transfers required by law or to the data processors indicated in this document.
  2. The Service Provider, as Data Controller, is entitled and obliged to transmit to the competent authorities any personal data available to it and stored by it in accordance with the law, which it is obliged to transmit by law or by a final and binding obligation of a public authority. The Controller shall not be held liable for such transfers and the consequences thereof.

VI. Data security measures

  1. The Service Provider shall exercise the utmost care in the processing and storage of personal data. In the area of IT security, the Service Provider uses the most efficient and up-to-date tools and procedures reasonably available.
  2. The Controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of the data subjects.
  3. The data controller and the data processor shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the provisions of the GDPR and other data protection and confidentiality rules.
  4. In particular, appropriate measures shall be taken to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.
  5. In order to protect the electronically managed data files in the different registers, an appropriate technical solution should ensure that the data stored in the registers cannot be directly linked and attributed to the data subject, except where permitted by law.
  6. The controller and the processor should take into account the state of the art when defining and implementing measures to ensure data security. The choice between several possible processing solutions should be made which ensure a higher level of protection of personal data, unless this would impose a disproportionate burden on the controller.
  7. The Service Provider shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data:
  8. a) accessible to authorised persons (availability);
  9. b) authenticity and verification (authenticity of data processing);
  10. d) be protected against unauthorised access (data confidentiality).
  11. The Service Provider shall ensure the security of data processing by technical, organisational and organisational measures that provide a level of protection appropriate to the risks associated with data processing.
  12. In the course of data processing, the Service Provider shall retain
  13. a) confidentiality: it protects information so that only those who are entitled to it have access to it;
  14. b) integrity: protects the accuracy and completeness of the information and the method of processing;
  15. c) availability: ensuring that the rightful user has access to the information he or she needs, when he or she needs it, and that the means to do so are available.
  16. The Service Provider’s IT system and network are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and denial of service attacks. The Service Provider shall ensure security through server-level and application-level protection procedures.
  17. Electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.) are vulnerable to network threats that could lead to fraudulent activity or to the disclosure or modification of information. The Service Provider will take all reasonable precautions to protect against such threats. It will monitor systems to ensure that any security discrepancies are recorded and provide evidence of any security incidents. However, the Internet is not, as is well known to Users, 100% secure. The Service Provider shall not be liable for any damage caused by an unprotected attack, despite the utmost care.

VII. Rights of data subjects and their enforcement, objection to processing of personal data, judicial redress and compensation

  1. A change in personal data or a request for the deletion of personal data may be communicated by means of a written statement in a private document with full probative value sent to the registered e-mail address or by post. In addition, changes to certain Personal Data may be made by editing the personal profile page. Once a request for deletion or modification of Personal Data has been fulfilled, the previously (deleted) data can no longer be restored.

Users may request information about the processing of their personal data. Requests for information sent by e-mail shall be considered authentic by the Data Controller only if they are sent from the registered e-mail address of the User. At the request of the data subject, the controller shall provide information on the data processed by the data subject or by a processor to whom the data subject has delegated the processing, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, and, in the case of transfer of the data subject’s personal data, the legal basis and the recipient of the transfer. The request for information should be sent by e-mail to info@balatongitar.hu. The Service Provider shall provide the information in writing in an intelligible form, as soon as possible after the request has been made, but not later than 30 days after the request has been made, at the request of the data subject.

The information described above is free of charge if the person requesting the information has not yet submitted a request for information to the controller for the same set of data in the current year. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a rectification.

The data controller may refuse to provide the data subject with information only in the cases specified in the GDPR. In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of this Act on the basis of which the information was refused. In the event of refusal to provide information, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority). The controller shall notify the Authority of any refused requests annually by 31 January of the year following the year in question.

  1. The data subject may request the controller to rectify his or her personal data and to erase or block his or her personal data, except for mandatory processing.
  2. For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, which shall include the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
  3. If the personal data is not accurate and the accurate personal data is available to the controller, the controller shall correct the personal data.
  4. Personal data must be deleted if
  5. a)treatment is unlawful;
  6. b)the person concerned requests – as provided for in the Avtv.;
  7. c)it is incomplete or incorrect – and this condition cannot be lawfully remedied – provided that cancellation is not precluded by law;
  8. d)the purpose of the processing has ceased or the statutory time limit for storing the data has expired;
  9. e)it has been ordered by a court or the Authority.

In the case referred to in point (d) of the above paragraph, the obligation to erase shall not apply to personal data whose data medium is subject to archival custody pursuant to the legislation on the protection of archival material.

  1. Instead of erasure, the controller shall block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that erasure would harm the data subject’s legitimate interests. Personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data continues to exist.
  2. The controller shall mark the personal data it processes where the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
  3. Rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not undermine the legitimate interests of the data subject having regard to the purposes of the processing.
  4. If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, communicate in writing the factual and legal grounds for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
  5. The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.
  6. The data subject must be informed clearly and in detail of all facts relating to the processing of his or her data before the processing begins, in particular the purpose and legal basis of the processing, the person authorised to process and process the data, the duration of the processing, if the controller processes the personal data of the data subject pursuant to Paragraph (5) of Article 6 of the Data Protection Act, and who may access the data. The information shall also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the information referred to in the above paragraph.
  7. The data subject may object to the processing of his or her personal data,
  8. a)where the processing or further processing of personal data is necessary solely for compliance with a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in cases of mandatory processing;
  9. b)if the personal data are used or disclosed for direct marketing, public opinion polling or scientific research purposes; and also
  10. c)in other cases specified by law.

The controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision.

If the controller establishes that the data subject’s objection is justified, the controller shall cease the processing, including further collection and further transfer of data, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data subject to the objection has previously disclosed the personal data subject and who are obliged to take measures to enforce the right to object.

If the data subject disagrees with the decision taken by the controller or if the controller fails to comply with the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, take the matter to court in accordance with Article 22 of the GDPR.

If the data subject does not receive the data necessary to exercise his or her rights due to the data subject’s objection, he or she may, within 15 days of the notification, take legal action against the controller in order to obtain access to the data, as provided for in Article 22 of the Data Protection Act. The controller may also bring legal proceedings against the data subject.

If the controller fails to give notice, the recipient may request clarification from the controller of the circumstances surrounding the failure to disclose the data, which the controller shall provide within 8 days of the receipt of the recipient’s request for such clarification. In the event of a request for clarification, the data subject may bring an action against the controller before a court within 15 days of the date on which the clarification was provided, but no later than the time limit for the provision of clarification. The controller may also bring legal proceedings against the data subject.

The controller may not delete the data of the data subject if the processing is required by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or if the court has ruled that the objection is justified.

  1. In the event of a breach of the data subject’s rights and in the cases specified in Article 21 of the Data Protection Act, the data subject may take the data controller to court. The court shall rule on the matter out of turn.

The controller must prove that the processing is in compliance with the law. In cases pursuant to Article 21 (5) and (6) of the GDPR, the data recipient shall prove the lawfulness of the transfer of data to him or her.

The court has jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the court of the place of residence or domicile of the person concerned.

A person who does not otherwise have legal capacity to sue can also be a party to the lawsuit. The Data Protection Authority may intervene in the lawsuit in order to ensure that the data subject is successful.

If the court grants the application, the data controller shall be obliged to provide the information, rectify, block or erase the data, annul the decision taken by automated data processing, take into account the right of objection of the data subject, or release the data requested by the data recipient as defined in Article 21 of the Data Protection Act.

If the court rejects the data subject’s application in the cases specified in Article 21 of the Data Protection Act, the controller shall erase the data subject’s personal data within 3 days of the notification of the judgment. The data controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit specified in Article 21(5) or (6) of the GDPR.

The court may order the publication of its judgment, with the publication of the data controller’s identification data, if the interests of data protection and the rights of a larger number of data subjects protected by this Act so require.

  1. The controller must compensate the damage caused to others by the unlawful processing of the data subject’s data or by the breach of data security requirements. The controller is also liable to the data subject for damage caused by the processor. The controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the processing. No compensation shall be payable in so far as the damage resulted from the intentional or grossly negligent conduct of the data subject.

VIII. Enforcement options:

If you have any questions or comments, please contact the Service Provider at jegy@jegy.hu. The User may exercise his/her rights of enforcement before the courts in accordance with the Data Protection Act and the Civil Code. Legal remedies and complaints can be lodged with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Postal address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

URL https://naih.hu