Data controller: “United for Adam” Foundation (“ÖSSZEFOGUNK ÁDIÉRT” ALAPÍTVÁNY)
Registration number: 15010002710
Registration court: Nyíregyháza Court
Registered office: 4557 Besenyőd, Petőfi utca 5. (Hungary)
Tax number: 19410414115
Telephone contact: 0630-754-5559
Email: vixy.1993@gmail.com; info@adiert.hu
Website: https://adiert.hu/
Purpose of the Data Management Notice:
The purpose of this data management notice is to provide information about the data protection and data management principles and rules concerning the processing of personal data by the Data Controller in relation to individuals who come into contact with it.
When drafting the provisions of this data management notice, the Data Controller paid particular attention to the provisions of the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), the Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), and other applicable legal regulations.
The definitions used in the context of personal data processing are determined by the GDPR. For the sake of transparency and clarity, the Data Controller outlines the most important definitions in this section, as adopted from the GDPR:
“Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Special categories of data”: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. The processing of such data is generally prohibited.
“Data processing”: Any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Restriction of processing”: The marking of stored personal data with the aim of limiting their processing in the future.
“Data controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Data processor”: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
“Recipient”: A natural or legal person, public authority, agency, or another body to whom or which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in line with the purposes of the processing.
“Third party”: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, or persons authorized to process personal data under the direct authority of the controller or processor.
“Data subject’s consent”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
“Data protection incident”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Supervisory authority”: An independent public authority established by a Member State pursuant to Article 51 of the GDPR.
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Personal data may only be processed for specified purposes and legal grounds, for exercising rights and fulfilling obligations.
Data processing must at all times comply with the purpose of the data processing; the collection and handling of data must be fair and lawful. Only personal data that is essential for and suitable to achieve the purpose of the data processing may be processed.
Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
The Data Controller ensures that the data it processes is accurate and up-to-date. The Data Controller takes all reasonable steps to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.
The Data Controller stores personal data in a form that permits the identification of data subjects only for as long as necessary for the purposes of the personal data processing, considering the retention obligations defined in applicable legislation.
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
The Data Controller is responsible for compliance with the above principles and must also be able to demonstrate compliance.
3.1. DATA PROCESSING RELATED TO CONTACTING AND COMMUNICATION
3.1.1. Contact via Email and Online Contact Form
Purpose of Data Processing:
The purpose of data processing is to establish and maintain communication with the data subject based on their inquiry. The Data Controller uses the data provided by the data subject exclusively for purposes related to the inquiry. Personal data will only be disclosed to third parties with the data subject’s prior and explicit consent, except where otherwise mandated by law.
Legal Basis for Data Processing:
Under Article 6(1)(a) of the GDPR, the data subject’s voluntary consent.
Data processing is based on the data subject’s voluntary and informed consent, provided by submitting the inquiry and the data contained therein. This consent enables the Data Controller to respond to the inquiry and address its content (e.g., providing information).
The data subject gives their consent by voluntarily providing the data and, in the case of an online form, by completing it and ticking the checkbox.
Scope of Personal Data Processed:
Name (first and last name)
Email address
Optionally, phone number
The Data Controller does not verify the personal data provided. The responsibility for the accuracy of the data lies solely with the person providing it..
The personal data provided will be processed for the purposes of establishing and maintaining communication:
Until the data subject withdraws their consent,
Or for a maximum of one year from the date the data is provided.
3.1.2 Contact via Telephone
Purpose of Data Processing:
The data subject can also contact the Data Controller via telephone. In such cases, the Data Controller will have access to the caller’s first and last name, as well as their phone number. The purpose of data processing is to establish and maintain communication with the data subject based on their inquiry.
During telephone contact, the Data Controller verbally informs the data subject about the availability of this data processing notice and emphasizes that personal data can only be processed if the caller confirms in writing that they have reviewed and accepted the content of this notice.
Legal Basis for Data Processing:
Under Article 6(1)(a) of the GDPR, the data subject’s voluntary consent.
Data processing is based on the data subject’s voluntary and informed consent, provided by submitting the inquiry and the data contained therein. This consent enables the Data Controller to respond to the inquiry and address its content.
The data subject gives their consent by voluntarily providing the required data.
Scope of Personal Data Processed:
Name
Phone number
The Data Controller does not verify the personal data provided. The responsibility for the accuracy of the data lies solely with the person providing it.
Duration of Data Processing:
The personal data provided will be processed for the purposes of establishing and maintaining communication:
Until the data subject withdraws their consent,
Or for a maximum of one year from the date the data is provided.
3.1.3. Contact via Social Media Platforms
Purpose of Data Processing:
The Data Controller operates a Facebook page (https://www.facebook.com/profile.php?id=61573422764233) and a YouTube page (https://www.youtube.com/@osszefogunk-adiert) to provide an online contact option, publish posts, and promote the foundation and its activities.
When users comment on posts related to the foundation, the Data Controller gains access to the commenters’ first and last names, as well as their comments, based on their consent.
On Facebook, Instagram, and TikTok, users also have the option to send messages. During message exchanges, the Data Controller gains access to the sender’s first and last names, based on their consent. In cases where contact is made through a Facebook, Instagram, or TikTok message, the Data Controller provides written information about the availability of this privacy notice and ensures that the sender acknowledges and accepts the content of the notice in writing before processing any personal data.
Legal Basis for Data Processing:
Under Article 6(1)(a) of the GDPR, the data subject’s voluntary consent.
Data processing occurs on the respective social media platform; therefore, the duration, methods, and options for modifying or deleting the data are governed by the regulations of the respective platform.
The privacy policies for the respective platforms are accessible at the following links:
Facebook and Instagram (Meta products): https://www.facebook.com/privacy/explanation
TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/hu
YouTube: https://www.youtube.com/intl/ALL_hu/howyoutubeworks/policies/community-guidelines/
The Facebook page’s imprint (About/Privacy and Legal Information/Privacy Policy) contains a direct, clickable link to this privacy notice.
Scope of Personal Data Processed:
The name registered on the social media platform.
The user’s public profile picture (if applicable).
The Data Controller does not verify the personal data provided. The accuracy of the provided data is solely the responsibility of the individual providing it.
The personal data provided will be processed for the purpose of contact and communication until the data subject withdraws their consent.
If the data subject withdraws their consent, the Data Controller will immediately delete all data related to the contact based on the deletion options provided by Facebook, Instagram, and TikTok.
The data subject is not obliged to provide personal data. If the data is not provided, no publication will take place on the website.
Purpose of Data Processing:
If the data subject wishes to make a donation to the foundation, they can do so either via bank transfer or through online card payment on the website. In such cases, the processing of certain personal data is indispensable.
The donor’s name and donation amount, as well as the names of individuals supporting or promoting the foundation’s goals, are not public. However, if the Data Controller wishes to make an exception to this (e.g., due to the amount of the donation or for the purpose of expressing gratitude on the website), it can only be done with the prior, explicit consent of the data subject.
Legal Basis for Data Processing:
In the case of direct bank transfer or online card payment:
The data subject’s consent under Article 6(1)(a) of the GDPR.
Compliance with legal obligations under Article 6(1)(c) of the GDPR, in accordance with Section 169(1) of Act C of 2000 (necessary for fulfilling legal obligations applicable to the Data Controller).
In the case of storing or disclosing data of donors or individuals supporting or promoting the foundation’s goals:
The data subject’s voluntary consent under Article 6(1)(a) of the GDPR.
The processing of data is carried out based on the data subject’s voluntary, informed consent, which is provided by submitting their inquiry and the data contained therein to the Data Controller for the purposes of responding to the inquiry and managing the related tasks.
Categories of Personal Data Processed:
In the case of donations via bank transfer or online card payment:
Bank transfer data: donor’s name, bank account number, the name of the donor’s bank, the amount of the donation, date of the transfer, any personal data included in the payment message, and email address.
Online card payment data: donor’s name and email address.
In the case of storing data of donors or individuals supporting/promoting the foundation’s goals:
Name;
Optionally, phone number;
Optionally, email address.
Data Retention Period:
For donations: personal data related to the donation will be retained for 8 years following the approval date of the financial report containing the donation, in accordance with Section 169(1) of Act C of 2000.
For donors or supporters: personal data will be retained until the data subject withdraws their consent.
The purpose of data processing is to send letters aimed at promoting and providing information about the foundation’s goals to interested individuals (e.g., updates on the balance of collected donations, media appearances, events, or the health status of Ádin Kneifel).
The primary goal of the foundation is to support Ádin Kneifel, a beneficiary suffering from Duchenne muscular dystrophy (DMD). The secondary goal, subject to the availability of additional financial resources, is to support the medical treatment of children suffering from Duchenne muscular dystrophy within Hungary, improve their living conditions and quality of life, and increase their chances of recovery.
The foundation aims to contribute to the treatment of the beneficiary and children suffering from Duchenne muscular dystrophy. Additionally, it seeks to raise funds through donation and support campaigns to finance therapeutic activities related to Duchenne muscular dystrophy and to cover all direct costs associated with the medical treatments.
Legal Basis for Data Processing:
Under Article 6(1)(a) of the GDPR – the voluntary consent of the data subject.
The voluntary, informed, and explicit consent of the data subject, which is provided by the data subject through their subscription (by ticking the checkbox).
Processed Personal Data:
Last Name and First Name;
Email Address.
Duration of Data Processing:
Until the withdrawal of the data subject’s consent, which can be done by clicking the unsubscribe link at the bottom of the newsletter, or for a maximum of one year from the date of subscription.
Data Processing Related to Photos and Videos
Purpose of Data Processing:
To promote and disseminate the foundation’s objectives broadly by publishing photos and videos taken at events or activities organized by the foundation, or with public figures and influencers, on the Controller’s website and social media platforms (Facebook, Instagram, TikTok).
Legal Basis for Data Processing:
In crowd recordings, large groups of people are visible, and individuals are not depicted as distinct persons but as part of the crowd. If the focus is not on individuals but on the group as a whole, the recording qualifies as a crowd recording.
Data processing is based on the voluntary consent of the data subject under Article 6(1)(a) of the GDPR and Section 5(1)(a) of the Hungarian Info Act.
For recordings that focus on specific individuals, the consent of the data subject is required for creating and using such recordings. The same applies to highlighting individuals from a crowd—whether using recording techniques (e.g., telephoto lens, zoom) or through post-editing to individualize the image. In such cases, consent is required for the creation and use of the likeness.
Categories of Processed Personal Data:
Duration of Data Processing:
The Controller processes the recordings (on its internal platform, website, social media platforms, etc.) only as long as they remain relevant or of interest. Once they lose their relevance, they are deleted. Recordings are also deleted if the data subject withdraws their consent.
Persons Authorized to Access the Data, Data Transfers, and Data Processing:
The data may only be accessed by the internal staff members of the Controller who are in contact with the data subject or whose job responsibilities require them to access and process the data.
Data Processors:Stripe Inc.
Székhelye: 510 Townsend Street, San Francisco, CA 94103, USAE-mail címe: support@stripe.com ; Weboldala: https://stripe.com
online fizetés teljesítése
Adatkezelési tájékoztatója: https://stripe.com/en-hu/privacy
PayPal
Székhelye: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, LuxemburgWeboldala: https://www.paypal.com/hu
online fizetés teljesítése
Adatkezelési tájékoztató: https://www.paypal.com/hu/webapps/mpp/ua/privacy-full
MBH Bank Nyrt.
Székhely: 1056 Budapest, Váci u. 38.
Cégjegyzékszám: 01-10-040952.
Adószám: 10011922-4-44.
Átutalásos fizetés teljesítése
Rights of the Data Subject
The data subject has the following rights:
a) The data subject may request information regarding the processing of their personal data and access to such personal data.
b) The data subject may request the rectification of their personal data.
c) The data subject may request the erasure of their personal data.
d) The data subject may request the restriction of processing of their personal data.
e) The data subject may object to the processing of their personal data.
f) The data subject may exercise their right to data portability.
g) The data subject may exercise their right to legal remedies.
The data subject may file a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as “NAIH”) or may turn to the competent court as specified at the end of this notice.
Rights of the Data Subjects in relation to Data Processing
The Data Controller ensures that the rights of the data subjects are upheld as follows.
The Data Controller provides the data subject with the opportunity to submit a request regarding the exercise of their rights via any of the following methods and through the contact details provided in this notice: (i) by post, (ii) by email, (iii) by phone.
Phone: +36 30 754 5569
Email: info@adiert.hu
Mailing address: 4557 Besenyőd, Petőfi Street 5.
The Data Controller will fulfill the data subject’s request without undue delay, and in any case, within 30 days from the receipt of the request. The Data Controller will provide information in a concise, transparent, intelligible, and easily accessible form, clearly and understandably. If the request is denied, the Data Controller will decide within the same timeframe and inform the data subject of the refusal, the reasons for it, and the data subject’s rights to legal remedy in connection with the refusal.
The Data Controller will generally fulfill the data subject’s request via email unless the data subject requests otherwise. Telephone information may only be provided at the data subject’s request if the data subject’s identity has been verified. The Data Controller will not use the data subject’s postal address or phone number for any other purposes.
The Data Controller will not charge any fee or reimbursement for fulfilling the data subject’s requests as detailed below. However, if the data subject submits an unjustified, excessive request within one year following the fulfillment of a previous request for the same set of data, the Data Controller reserves the right to establish a reasonable fee corresponding to the workload involved in fulfilling the request or to refuse the request, providing a reasoned explanation.
Right to Information and Access
The Data Controller will, at the request of the data subject, provide information about the following in a concise, transparent, intelligible, and easily accessible form:
Whether personal data is being processed by the Data Controller;
The name and contact details of the Data Controller;
The personal data concerning the data subject and its source;
The purpose of processing the personal data and the legal basis for processing;
The duration of data processing;
The recipients or categories of recipients to whom the personal data has been or will be disclosed;
The rights of the data subject;
The circumstances, impacts, and measures taken to mitigate any potential data protection incidents.
Right to Rectification
The Data Controller will, at the data subject’s request, rectify any inaccurate personal data concerning the data subject.
The Data Controller will inform any recipients of the personal data about the rectification, except where it is impossible or would require a disproportionate effort. At the data subject’s request, the Data Controller will also inform the data subject about the recipients of the personal data.
Right to Erasure (“Right to be Forgotten”)
At the data subject’s request, the Data Controller will erase the personal data concerning the data subject if any of the following conditions apply:
The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
The data subject objects to the processing;
The personal data has been unlawfully processed;
The personal data must be erased in order to comply with a legal obligation under EU or Hungarian law.
The Data Controller will inform any recipients of the personal data about the erasure, except where it is impossible or would require a disproportionate effort. At the data subject’s request, the Data Controller will also inform the data subject about the recipients of the personal data.
Right to Restriction of Processing
At the data subject’s request, the Data Controller will restrict the processing of personal data if any of the following conditions are met:
The data subject contests the accuracy of the personal data – in this case, the restriction applies for the period necessary for the Data Controller to verify the accuracy of the personal data;
The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
The Data Controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims.
The Data Controller will inform any recipients of the personal data about the restriction, except where it is impossible or would require a disproportionate effort. At the data subject’s request, the Data Controller will also inform the data subject about the recipients of the personal data.
Right to Data Portability
At the data subject’s request, the Data Controller will provide the personal data concerning the data subject in a structured, commonly used, and machine-readable format. The Data Controller will also ensure that the data subject can transmit the personal data to another data controller without hindrance.
Right to Legal Remedy
If the data subject believes that the Data Controller has violated their rights to the protection of personal data during the data processing, they may seek remedy through the competent authorities according to applicable laws, such as filing a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) at the following contact details:
Address: H-1055 Budapest, Falk Miksa Street 9-11. Postal address: 1363 Budapest, P.O. Box 9. Website: www.naih.hu Email: ugyfelszolgalat@naih.hu Phone: +36-1/391-1400
Alternatively, the data subject may also turn to the competent court.
The Data Controller commits to cooperate fully with the court or NAIH during these proceedings and will provide all necessary data regarding the data processing to the court or NAIH.
The Data Controller also commits to compensating for any damages caused by the unlawful processing of the data subject’s personal data or by the violation of data security requirements. In case of an infringement of the data subject’s personal rights, the data subject may seek compensation for non-material damage. The Data Controller will be exempt from liability if the damage is caused by an unavoidable external factor or if the damage or violation of the personal right stems from the data subject’s intentional or grossly negligent behavior.
Data Security Measures
The Data Controller ensures the security of the data. The Data Controller has taken the necessary technical and organizational measures and established procedures to ensure that the collected, stored, and processed data is protected, and to prevent its destruction, unauthorized use, and unauthorized modification. Additionally, the Data Controller advises third parties to whom the data of the data subject has been transferred that they are required to comply with data security requirements.
The Data Controller ensures that unauthorized persons cannot access, disclose, transfer, modify, or delete the processed data.
The Data Controller takes all reasonable steps to prevent the data from being damaged or destroyed. This commitment is also imposed on employees and partners involved in the data processing activities, including data processors acting on behalf of the Data Controller.
If the Data Controller detects an event or action (hereinafter referred to as a “data protection incident”) that results in the accidental or unlawful destruction, loss, alteration, unauthorized transmission, or disclosure of the personal data it has transmitted, stored, or otherwise processed, or unauthorized access to such data, the Data Controller is obligated to proceed according to Articles 33-34 of the GDPR. The Data Controller must report the data protection incident to the relevant and competent data protection authority (hereinafter referred to as the “NAIH”) and inform the data subject(s) of the incident if it is likely to result in a high risk to the rights and freedoms of natural persons.
A person who notices a data protection incident related to personal data transmitted, stored, or otherwise processed by the Data Controller, as described above, can report it to the Data Controller through the following contact details:
Phone: +36 30 754 5569
Email: info@adiert.hu
The person reporting the incident must provide the following information, along with the subject of the data protection incident:
Name of the reporter;
Contact details of the reporter: phone number and/or email address;
Whether the incident affects the software, and if so, which part or service of it.
The Data Controller will, at the latest, within one working day, if it deems the incident to be severe, immediately investigate the report and – if necessary – request additional information from the reporter. Within 72 hours of the incident report, the Data Controller will provide data to the NAIH.
The data report must include the following:
The nature of the data protection incident, including the categories and approximate number of data subjects affected, as well as the categories and approximate number of data affected by the incident;
The name and contact details of the contact person providing further information;
The likely consequences of the data protection incident;
The measures taken or planned by the Data Controller to remedy the incident, including, where applicable, measures to mitigate any adverse consequences of the data protection incident.
If the data protection incident requires further investigation, the Data Controller will take the necessary steps to involve the appropriate experts to assess the real and potential impacts of the data protection incident during the investigation. The invited experts will prepare a report, which must include recommendations for security measures needed to address the data protection incident.
The Data Controller will decide on the measures to be taken.
If the Data Controller believes that the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller will promptly inform the data subject(s) of the data protection incident without undue delay.
In the notification, the Data Controller will clearly and understandably explain the nature of the data protection incident, highlighting the following:
The name and contact details of the contact person providing further information;
The likely consequences of the data protection incident;
The measures taken or planned by the Data Controller to remedy the incident, including, where applicable, measures to mitigate any adverse consequences of the data protection incident.
The Data Controller will not inform the data subject(s) if:
Appropriate technical and organizational protective measures have been implemented, and these measures have been applied to the data affected by the data protection incident, especially those measures (e.g., encryption) that make the data unintelligible to unauthorized persons;
After the data protection incident, further measures have been taken to ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize;
The notification would require disproportionate effort, meaning that the data subjects are so numerous that the Data Controller could only inform them with unreasonable effort. In this case, the Data Controller will ensure that the relevant information is made publicly available.
The Data Controller maintains a record of data protection incidents.
The following information must be recorded in the register:
The scope of the affected personal data,
The category and number of data subjects affected by the data protection incident,
The date of the data protection incident,
The circumstances and effects of the data protection incident,
The measures taken to remedy the data protection incident,
Any other data as specified by the legal regulations governing data processing.
The Data Controller is required to retain the data relating to data protection incidents in the register for 5 years in the case of incidents involving personal data, and for 20 years in the case of incidents involving sensitive data.
Right to Remedy
Any questions or remarks related to data processing can be addressed to the Data Controller via the contact details provided in this notice.
Additionally, complaints or appeals can be made to the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Headquarters: H-1055 Budapest, Falk Miksa Street 9-11.
Mailing Address: 1363 Budapest, P.O. Box 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu
In case of a violation of the rights of the data subject, the data subject may turn to the court against the Data Controller. The court will handle the case as a priority. The Data Controller is required to prove that the data processing complies with the legal regulations. The trial is within the jurisdiction of the court of first instance. The lawsuit – at the discretion of the plaintiff, i.e., the data subject – may be initiated at the court of the plaintiff’s residence or place of stay.
The Data Controller undertakes to fully cooperate with the court or the NAIH during these proceedings and to provide the relevant data related to the data processing to the court or the NAIH.
The Data Controller also undertakes to compensate for any damage caused by the unlawful processing of the data subject’s personal data or by violating the data security requirements. In the case of a violation of the data subject’s personality rights, the data subject may demand compensation. The Data Controller will be exempt from liability if the damage was caused by an unavoidable external factor outside the scope of data processing or if the damage or violation of personality rights was caused by the data subject’s intentional or grossly negligent behavior.
The Data Controller reserves the right to modify this notice at any time.
