Privacy Policy 2024

PRIVACY POLICY

for individuals participating in the Musicum Laude master class and gala concert combined with a voice competition impacted by data processing

1. Introduction

The Partium Christian University (hereinafter referred to as the “Data Controller”), the organizer of the Musicum Laude Masterclass and Voice Competition Gala Concert (hereinafter referred to as the “Event”), hereby informs the Data Subject (hereinafter referred to as the “Data Subject”) about the personal data processing carried out by the Data Controller, the principles and practices followed in the processing of personal data, the organizational and technical measures taken to protect personal data, and the ways and means of exercising the rights of the Data Subjects. The Data Controller shall treat the personal data collected confidentially and in accordance with EU and national data protection laws and recommendations, as set out in this Notice.

The Data Controller acknowledges the contents of this statement as binding on itself, but reserves the right to change the statement, provided that it notifies the Data Subjects of the changes in due time.

2. Data Controller’s Data

Name: Partium Christian University

Address: Primariei Street 36, Nagyvárad (Oradea)

Tax number: 24693826

Phone / Fax number: (+40)-259-418-244, (+40)-259-418-252

E-mail: musicum.laude@partium.ro

Website: https://www.partium.ro/hu

3. Legal, Regulatory Background

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter: General Data Protection Regulation or GDPR),
  • Act V of 2013 on the Civil Code (hereinafter: Civil Code),
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as “the Freedom of Information Act”)
  • Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (in particular Article 13/A)
  • Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 – on the basic conditions and certain restrictions on commercial advertising (in particular § 6)
  • Act XC of 2005 on Freedom of Electronic Information
  • Act C of 2003 on Electronic Communications (specifically § 155)

Opinion No 16/2011 on the EASA/IAB Recommendation on best practice for behavioural online advertising

4. Definitions

For the interpretation of further terms used in this notice, the definitions in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter referred to as the General Data Protection Regulation or GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information shall apply.

–        Data protection: the set of principles, rules, procedures, instruments and methods of data management that ensure the lawful processing of personal data and the protection of the individuals concerned.

–        Data Subject/user: any specified natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;

–        Personal data: data which can be associated with the Data Subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the Data Subject, and the conclusions which can be drawn from the data concerning the Data Subject;

–        Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of an interest group, sex life, health, pathological or mental disorder and personal data concerning criminal offences;

–        Consent: a voluntary and freely given indication of the Data Subject’s wishes, based on adequate information, by which they signify their unambiguous agreement to the processing of personal data concerning them, either in full or in relation to specific operations;

–        Objection: a declaration by the Data Subject objecting to the processing of their personal data and requesting the cessation of the processing or the deletion of the data processed;

–        Data Controller: a natural or legal person or an unincorporated body which, alone or jointly with others, determines the purposes for which the data is processed, takes and implements decisions regarding the processing (including the means used) or has them implemented by a processor on its behalf;

–        Data processing: any operation or set of operations which is performed on the data, regardless of the procedure used, in particular collection, recording, organisation, storage, modification, use, consultation, disclosure, transmission, alignment or combination, blocking, deletion and destruction, as well as prevention of further use of the data, and transfer: making data available to a specified third party;

–        Data Subject’s rights: the Data Subject must be clearly informed of all the details of the processing before the processing starts and at any time at their request. The Data Subject may also request the rectification and, in certain cases, the deletion of their data, and may object to the processing of their personal data in cases specified by law.

–        Adequate information: the Data Subject must be informed before the processing starts whether the processing is based on their consent or whether it is compulsory, and must be informed clearly and in detail of all the facts relating to the processing of their data, in particular the purposes and legal basis of the processing, the identity of the Controller and the processor, the duration of the processing and the persons who may access the data.  The information shall also cover the rights and remedies of the Data Subject with regard to the processing.

–        Legal basis for processing: as a general rule, consent of the Data Subject or mandatory processing by law

–        Disclosure: making the data available to any person;

–        Transfer: making data available to a specified third party

–        Deletion: rendering data unrecognisable in such a way that it is no longer possible to retrieve it;

–        Data marking: the marking of data with an identification mark to distinguish it;

–        Data blocking: the marking of data with an identifier in order to limit their further processing permanently or for a limited period of time;

–        Data destruction: the total physical destruction of a data medium containing data;

–        Data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

–        Data processor: a natural or legal person or an unincorporated body which, under a contract with a Controller, including a contract entered into pursuant to a legal provision, processes data;

–        Data Controller: the public authority which produced the data of public interest which must be made public by electronic means or in the course of whose activities the data was generated;

–        Data provider: the public sector body which, if the Data Controller does not publish the data itself, publishes on a website the data supplied to it by the Data Controller;

–        Data set: the set of data managed in a single register;

–        Third party: any natural or legal person or unincorporated body other than the Data Subject, the Controller or the processor;

–        Data security: a set of technical and organisational arrangements to prevent unauthorised access, alteration and destruction of data.

–        Data management principles: the purpose limitation requirement (see below) and the data quality requirement.  The latter includes the need for accurate, complete and up-to-date data, as well as fair and lawful data collection and processing.

–        Purposeful processing: personal data may be processed only for specified purposes, for the exercise of rights and the performance of obligations.  At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful.  Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.  The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the Data Subject can be identified only for the time necessary for the purposes for which they are processed.

–        Freedom of information: the fundamental right to access and disseminate data of public interest, which promotes democratic control of the exercise of public authority and transparency of public institutions. 

–        Cookies: short data files placed on the user’s computer by the website visited. The purpose of the cookie is to make the given infocommunication, internet service easier and more convenient. There are several types, but they generally fall into two broad categories.  One is the temporary cookie, which is placed on the user’s device by the website only during a particular session, and the other is the persistent cookie (e.g. a website’s language setting), which remains on the computer until the user deletes it.  According to the European Commission’s guidelines, cookies [unless strictly necessary for the use of the service] can only be placed on the user’s device with the user’s permission. Cookies raise a number of privacy concerns, such as the possibility of tracking a user’s browsing habits.

5. Scope of personal data processed

–        name

–        email address

–        address

–        age group

–        telephone number

–        emergency contact details: name, telephone number

–        photo and audio/video recordings of the competition

–        name and address of the person having parental authority in the case of a person under 18 years of age

–        Technical data (payment method, date of registration, date of payment, IP address)

 

Please note that if you provide personal data that is not your own, you are obligated to inform the Data Subject of the details of the processing and to obtain their consent to the transfer of the above data to the Data Controller for the purposes set out in this Notice.

 

5.1. Registration, Participation in the Competition

–        Data Subject: competitors registered on the website

–        Personal data processed: name, email address, address, age group, telephone number, emergency contact details (name, telephone number), name and address of the person exercising parental authority in the case of a Data Subject under 18 years of age, image and audio/video recordings of the competition, technical data (payment method, date of registration, date of payment, IP address)

–        Legal basis for processing: The Data Subject’s voluntary consent.

–        Purpose of processing: participation in the competition

–        Duration of processing: as set out in point 8.

 

5.2. Billing

–        Scope of personal data processed: name, address (zip code, city, street, house number)

–        Legal basis for processing: processing necessary for compliance with a legal obligation

–        Purpose of processing: to fulfil obligations under Act CXXVII of 2007 and Act C of 2000 on Accounting

–        Consequences of not providing the data: it is not possible to provide the service without the e-mail address: name, e-mail address, postal code, city, street, house number, telephone number, details of the product ordered, IP address.

–        Duration of data processing: for the retention of personal data contained in the invoice, the Data Controller shall keep the personal data for 8 years from the date of issue of the invoice in accordance with the Accounting Act

–        The billing software used by the Data Controller is Clear Admin Software Kft., 1108 Budapest, Gőzmozdony u. 14.

 

5.3. Processing of technical data

–        Technical Data: technical data are data that are generated and recorded mostly automatically during the operation of the Controller’s systems. Some technical data are stored and, in some cases, automatically logged by the system without any specific declaration or action by the Data Subject. The technical data cannot be used to directly identify the Data Subject, but may be linked to user data, so that identification is in principle possible. Such links are not made by the Data Controller, except in certain cases where the Data Controller is required by law to do so. Technical data may only be accessed by the Controller and its Data Processors.

–        Data processed in the processing: IP address, date of subscription, date of registration.

–        Legal basis for processing: technically necessary for the provision of the service.

–        Purpose of processing: to provide the service.

–        Possible consequences of not providing the data: it is not possible to provide the service.

–        Retention period of the data processed in the processing: as defined in point 8

 

6. Purpose and legal basis of data processing

The Data Controller shall process personal data, in each case, for the purposes and on the basis of the legal basis specified in the processing, in accordance with the legal provisions listed in this notice. The processing is based on voluntary consent, contractual or legal obligations. The Data Subject is entitled to withdraw their voluntary consent at any time. The Data Controller is obligated, by law, in certain cases and under certain unconventional conditions, to process, transfer, transmit or store certain personal data in a different way from that described in the Data Processing. In such cases, the Data Controller shall ensure that the Data Subjects are notified, where this is permitted or not expressly prohibited by the relevant legal provisions.

 

6.1.   Purpose of processing:

–        processing of applications

–        modification of applications

–        deletion of applications

–        contact

–        to provide support services, including answering preliminary and follow-up questions about the application and events

–        where explicit consent is given for marketing activities: information on further events, opportunities

 

6.2.   Legal basis for processing:

The Data Controller processes personal data of Data Subjects on different legal bases depending on the purpose set out in section 6 above. The legal basis for the processing of personal data for the purposes of processing, modification, deletion of applications, provision of support services and marketing activities is the voluntary consent of the Data Subject (Article 6(1)(a) GDPR). The legal basis for the processing of personal data processed for the purposes of contacting the Data Subject is the legitimate interest of the Data Controller in maintaining business continuity (Article 6(1)(f) GDPR).

7. Data protection principles applied in data processing

The Data Controller shall act in an accountable manner in the processing of personal data of the Data Subject in accordance with the principles set out in the General Data Protection Regulation, thus ensuring the following in its processing activities:

–        lawfulness, fairness and transparency,

–        purpose limitation,

–        accuracy,

–        limited storage,

–        integrity and confidentiality

 

a.     The processing of personal data must be lawful, fair and transparent for the Data Subject (“lawfulness, fairness and transparency”);

b.     Personal data shall be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);

c.     Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimization’);

d.     Personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay (“accuracy”);

e.     Personal data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of Data Subjects (‘limited storage’);

f.      Personal data must be processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (‘integrity and confidentiality’), by implementing appropriate technical or organisational measures. The Controller is responsible for compliance with the above and must be able to demonstrate such compliance (‘accountability’).

g.     Personal data may be transferred to a Controller in a third country or to a processor in a third country if the Data Subject has given their explicit consent or if the conditions for processing set out above are met and the third country ensures an adequate level of protection for the personal data concerned during the processing of the data transferred. Transfers to EEA States shall be considered as transfers within the territory of Hungary.

8. Duration of processing

  • The Data Controller shall process personal data until the specific purpose of the processing is fulfilled or until it becomes impossible to process the personal data, except that certain obligations arising from legal provisions may require the retention of certain categories of personal data processed for a longer period.
  • Among the personal data processed, the name of the Data Subject will be kept by the Data Controller for 5 years after the purpose of the processing has been fulfilled (the occurrence of the Event) or has become impossible (notification of the failure of the Event), in accordance with the provisions of the V. Of the personal data processed, the email address and telephone number of the Data Subject will be processed by the Data Controller for contact purposes for 2 years after the termination of the Event.
  • The names and email addresses of Data Subjects who have given their explicit consent to marketing activities will be processed by the Data Controller until the Data Subject objects to such processing of their personal data or requests their deletion.

9. Transmission, processing, access to data

The Data Controller and its internal staff are the primary recipients of the data, to the extent permitted by the rules of eligibility, the system of eligibility and other internal regulations. The Data Controller may use third party Processors to perform certain operations and tasks related to the data.

 

9.1. Payment of the registration fee:

The registration fee can be paid by credit card.

 

Online payment:

  • Name and contact details of the Recipient: Euplatesc.ro
  • Address: Str. Ion Câmpineanu, no. 11, Bloc Union, 8th floor, room 803, sector 1, Bucharest, Romania, 010031
  • Contact: https://www.euplatesc.ro/
  • Data processed: billing data, name, e-mail address
  • Data Subjects: all Data Subjects who choose to pay on the website
  • Legal basis for processing: article 6 (1) (b) GDPR
  • Purpose of processing: to process online payments, to confirm transactions
  • Duration of processing: until the online payment is completed

 

If the entrant is among the winners of the competition, the personal data necessary for the payment of the prize will be kept for the period of time provided for by the legal obligation.

 

9.2. Accounting tasks

  • Data processed in data management: name, address, tax number or tax identification number
  • Legal basis for processing: processing necessary for compliance with a legal obligation
  • Purpose of processing: to fulfil obligations under Act C of 2000 on Accounting
  • Duration of processing: stored for 8 years pursuant to § 169 of Act C of 2000
  • The accounting tasks are performed by the Finance Department of the Partium Christian University.

 

9.3 Social networking sites (Facebook, Instagram, YouTube, TikTok)

  • The data processed and the Data Subjects concerned.
  • Legal basis for processing: article 6 (1) (b) GDPR
  • Purpose of the processing: to share or like certain content, products, promotions or the webshop/website/webpage itself on Facebook.com, Instagram.com, Tiktok.com or the website/webpage/home page itself
  • The data processing is carried out on the Facebook.com, Instagram.com, Tiktok.com websites, so the duration of data processing, the method of data processing, the possibility of deleting and modifying data are governed by the rules of the social networking sites.

 

9.4 The Organiser will provide live coverage of the Competition and the Gala Concert on Facebook and/or YouTube.

  • The Organiser will take photographs and audio and video recordings of the Competition and Gala Concert, which will be published in various formats (e.g. CD, DVD, radio and TV broadcasts, social media platforms, podcasts, films, advertisements, YouTube, Musicum Laude International Voice Competition portal) without any restrictions or remuneration. Due to the nature of internet technology, other media content providers may also receive, copy and publish it on their own media service platform. In addition, you may use the name, likeness, a summary of the images, audio and video of the performance or rehearsal, without any time limitation, in any media publication or any media appearance relating to the competition, or transmit it to the public in any way, or authorise third parties to do so, without any financial compensation.
  • The following data may appear on the internet: Name, Age, Place of residence (municipality), type of sound, category, status and result obtained.
  • The registrant may not exercise any copyright or other rights against the organiser in respect of the display of the above data, photos or video recordings.

All photographs and sound recordings of the competition are the exclusive property of the organiser. The organiser is entitled to use these photographs and sound recordings without any restrictions as to time, space or content, including reproduction.

10. Managing browser cookies

10.1. The role of cookies:

An HTTP cookie is a small data packet that is created by the server hosting the website you are browsing on the internet, using the client’s web browser, on the first visit, if enabled in the browser. Cookies are stored on the user’s computer in a predefined location, which varies according to the browser type. On subsequent visits, the browser sends the stored cookie back to the web server, together with various information about the client. Cookies allow the server to identify the user, collect various information about the user and analyse it.

  • The main functions of cookies are: to collect information about visitors and their devices; to remember visitors’ individual preferences, which are used, for example, when making online transactions, so that they do not have to be re-entered; to make the use of a website easier, simpler, more convenient, smoother; to make it unnecessary to re-enter data that has already been entered; and generally to improve the user experience.
  • Through the use of cookies, the Data Controller carries out processing of data, the main purposes of which are: identification of the user, identification of each session, identification of the means used to access the site, storage of certain data provided, storage and transmission of tracking and location information, storage and transmission of data for analytical measurements.
  • Data processed in the data management: user ID, session ID, device ID, date and time.
  • Legal basis for processing: the Data Subject’s consent.
  • Purpose of processing: identification of the user, interest, possible orders/order and shopping cart registration and tracking of visitors.
  • Possible consequences of not providing data: less convenient browsing of non-customised content.
  • Cookie expiration date: Until the cookies are deleted from the Data Subject’s browser.

10.2. Session cookies

The purpose of these cookies is to enable visitors to browse the website of the Data Controller, use its functions and the services available therein without any problems. The validity period of this type of cookie lasts until the end of the session (browsing), and when the browser is closed, this type of cookie is automatically deleted from the computer or other device used for browsing.

  • Data processed: user ID, session ID, device ID, date and time
  • Legal basis for processing: consent of the Data Subject.
  • Purpose of processing: convenient, personalized browsing of the website by the user.
  • Possible consequences of not providing the data: browsing of less convenient, non-customised content.
  • Cookie expiration date: Until the cookies are deleted from the Data Subject’s browser.
  • Third party analytics cookies – only for https://musicumlaude.hu/, https://musicumlaude.hu/ does not contain Google Analytics cookies. The Data Controller also uses Google Analytics, third party cookies on its website. By using Google Analytics for statistical purposes, the Controller’s server collects information about how visitors use the website. The data are used to improve the website and the user experience. These cookies will also remain on the visitor’s computer or other browsing device, their browser, until they expire or until they are deleted by the visitor.
  • The data processed in the processing are: user ID, session ID, device ID, date and time
  • Legal basis for processing: consent of the Data Subject.
  • Purpose of data processing: to measure the number of visits to the website
  • Possible consequences of not providing the data: browsing less convenient, non-customised content.
  • Expiry date of cookies: until the cookies are deleted from the Data Subject’s browser.
  • Possibility to disable cookies, set cookie-related rules.

The Data Subject has the possibility to set rules for certain types of cookies, e.g. not to use cookies, to disable cookies, etc., by using the appropriate settings in the browser used. Information on how to selectively or generally disable cookies can be found in the “Help” menu of the relevant browser. These can help you to: block cookies generally; set the way cookies are accepted (automatic acceptance, ask for them one by one, etc.); block them one by one; delete them one by one or in groups; perform other operations related to cookies.

11. Method of data storage, security of data processing

  • The Controller shall process and store personal data in compliance with the data protection legislation in force at any given time. All electronic and paper-based data filing systems used and applied by the Data Controller in the handling, processing and recording of personal data shall be accessible only to persons authorised to process the data.
  • The Data Controller shall take all necessary measures and shall have in place all technical, organizational, and other technical conditions necessary to minimise the risks that may arise in the course of the processing activities to ensure that the personal data processed are not subject to unlawful disclosure, unauthorised disclosure, access, modification or destruction. In accordance with the above, the integrity and confidentiality of the data processed by the Data Controller is fully ensured.

Hosting Provider (Data Processor):

  • Company name: THE MARKETING, CREATIVE & WEB AGENCY KFT.
  • Location: Müller László 33, 1st floor, office #1, Csíkszereda
  • Company registration number: J19/344/2019, RO40975373,
  • Tax number: RO40975373
  • E-mail address: hello@themarketive.com
  • Website: https://themarketive.com
  • Privacy and Data Security Policy: https://themarketive.com/adatvedelmi-nyilatkozat/
  • Activity of the data processor: hosting and domain provision of websites operated by the Data Controller, storage and transmission of data communicated by Data Subjects to the Data Controller.
  • Definition of the data concerned by the processing: the processing concerns all the data indicated in this notice.
  • Purpose of the processing: to ensure the functioning of the website in an information technology sense by processing the data through the necessary information technology operations.
  • Duration of processing: the same as the processing periods indicated for the processing operations governed by the purposes of the processing of each category of data in this notice.
  • The processing of the data is limited to the technical operations necessary for the operation of the website in the IT sense.

12. Data Subject’s Rights

The Data Subject may request information from the Data Controller about the processing of their personal data and may request the rectification, deletion or restriction of the processing of their personal data.

 

12.1 Data Subject’s access rights: (Article 15 GDPR)

The Data Subject shall have the right to obtain from the Controller information as to whether or not their personal data are being processed and, if so, the right to obtain the following information:

  • the purposes and legal basis of the processing;
  • personal data relating to the Data Subject processed by the Controller;
  • the recipients to or with whom the personal data are or will be disclosed by the Controller;
  • the envisaged storage period of the personal data;
  • the rights of rectification, deletion, restriction of data processing and objection;
  • the right to file a complaint with a supervisory authority;
  • the source of the personal data (where the personal data have not been provided by the Data Subject to the Controller);
  • the fact of automated processing, the information relating thereto and the significance of such processing and its likely consequences for the Data Subject;
  • further information relating to the processing.

 

The Data Controller shall provide the Data Subject with 1 copy of the personal data subject to processing. For additional copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject has submitted the request by electronic means, the Controller shall provide the information in a commonly used electronic format, unless the Data Subject requests otherwise, within a maximum of 30 days from the date of submission.

 

12.2 Right to rectification of personal data of the Data Subject: (Article 16 GDPR)

The Data Subject may request the correction of inaccurate personal data relating to them processed by the Controller and the completion of incomplete data.

 

12.3 Right of the Data Subject to deletion of personal data: (Article 17 GDPR)

The Data Subject shall have the right to obtain, at their request, the deletion of personal data relating to them where the processing is unlawful, in particular where:

  • the processing is contrary to the principles governing the processing laid down in the GDPR,
  • the purpose of the processing has ceased or further processing is no longer necessary for the purposes for which the data were processed,
  • the period laid down by law, an international treaty or a legally binding act of the European Union has expired, or
  • its legal basis has ceased to exist and there is no other legal basis for the processing of the data,
  • the deletion of the data has been ordered by law, an EU legal act, a supervisory authority or a court.

The Controller is not obliged to delete the personal data of the Data Subject if:

  • the processing is ordered by law for a purpose in the public interest,
  • processing is necessary and proportionate for the protection of the vital interests of the Data Subject or of another person or for the prevention or elimination of an imminent danger to life, limb or property of a person.

 

12.4. The Data Subject’s right to restriction of processing: (Article 18 GDPR)

In order to exercise the right to restriction of processing, the Controller shall, at the request of the Data Subject, restrict processing if one of the following conditions is met:

  • the Data Subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the accuracy of the personal data to be verified;
  • the processing is unlawful and the Data Subject opposes the deletion of the data and requests instead the restriction of their use;
  • the Controller no longer needs the personal data for the purposes of the processing but the Data Subject requires them for the establishment, exercise or defence of legal claims; or
  • the Data Subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.

Where processing is restricted, the Controller may process personal data, except for storage, only in the following cases:

  • with the Data Subject’s consent,
  • for the purposes of pursuing the legitimate interests of the Data Subject,
  • where the Data Subject has a legitimate interest for the purposes of the processing of personal data,
  • to protect the rights of another natural or legal person,
  • for reasons of important public interest of the European Union or of a Member State.

The Controller shall inform the Data Subject in advance of the lifting of the restriction on processing.

 

12.5 Right of Data Subject to data portability: (Article 20 GDPR)

The Data Subject shall have the right to receive personal data concerning them which they have provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another Controller.

 

12.6 Right to object (Article 21)

The Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data, including profiling based on the aforementioned provisions. In this case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests or rights of the Data Subject or for the establishment, exercise or defence of legal claims.

 

12.7 Automated decision-making in individual cases, including profiling (Article 22)

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

 

12.8 Right of withdrawal (Article 7(3))

The Data Subject has the right to withdraw their consent to the processing of their personal data at any time.

 

12.9. The Data Subject has the right to file a complaint with a supervisory authority if they consider that the processing is unlawful (Article 77 GDPR).

 

12.10. Objection to the processing of personal data

Pursuant to the Info. law, the Data Subject may object to the processing of their personal data if the processing or transmission of the personal data is necessary solely for the fulfilment of a legal obligation to which the Data Controller is subject or for the purposes of the legitimate interests pursued by the Data Controller, the data recipient or a third party, unless the processing is required by law; the use or transmission of the personal data is for direct marketing, public opinion polling or scientific research; in other cases specified by law.

The Controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether it is justified and inform the applicant in writing of its decision. If the Data Controller finds that the Data Subject’s objection is justified, the Data Controller shall terminate the processing, including further recording and transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.

If the Data Subject does not agree with the decision taken by the Data Controller, and if the Data Controller fails to comply with the above time limit, the Data Subject may appeal against the decision to the courts within 30 days of its notification. The Data Subject may also take legal action in the event of a breach of their rights. The court shall rule on the matter out of turn. The tribunal shall have jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the court of the place where they reside or are domiciled.

13. Procedure rules

  • The Data Subject may exercise their rights in writing through the contact details of the Data Controller indicated in point 2.
  • The Data Controller shall, within the shortest possible period of time from the date of the submission of the request by the Data Subject to exercise the rights to which they are entitled, but not later than one month, examine the request and notify the Data Subject of its decision in writing or, if the Data Subject has submitted the request by electronic means, by electronic means.

In order to meet data security requirements and to protect the Data Subject’s rights, the Data Controller shall verify the identity of the Data Subject and the identity of the person who wishes to exercise the right of access, and to this end, the provision of information, access to or copying of the data shall be subject to the identification of the Data Subject.

14. Data processors

The Data Controller does not use any data processor for the purposes of data processing.

15. Automatic decision-making and profiling

The Data Controller does not perform any automated decision-making or profiling of the Personal Data of the Data Subject in the course of processing.

16. Enforcement possibilities in relation to data processing

 

  • In the event of a breach of your rights, please contact us at the following contact details:

Name: Partium Christian University

Address: Primariei Street 36, Nagyvárad (Oradea)

Phone / Fax Number: (+40)-259-418-244, (+40)-259-418-252

E-mail: musicum.laude@partium.ro

 

  • If the Data Subject considers that their rights have been infringed by the Data Controller, they have the right to apply to the competent court under the Civil Code.

 

  • They may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH):

The Data Subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information as supervisory authority regarding the processing of their personal data by the Controller, as follows:

  • Name: National Authority for Data Protection and Freedom of Information
  • Address: Falk Miksa utca 9-11., Budapest, 1055
  • Phone: 0613911400
  • Fax: 0613911410
  • E-mail: ugyfelszolgalat@naih.hu
  • Website: http://www.naih.hu

 

Right to apply to the courts

The Data Subject may bring a civil action in the event of unlawful processing that they experience. In such a case, the Data Subject may bring the action before the competent court of their permanent address/residence or the Metropolitan Court.

 

Damages and compensation

If the Data Controller causes damage to another person by unlawful processing of the Data Subject’s data or by breaching data security requirements, the Data Controller must compensate the damage. Where the Controller infringes the Data Subject’s right to privacy by unlawfully processing their data or by breaching data security requirements, the Data Subject may claim damages from the Controller. The Controller shall be liable to the Data Subject for the damage caused by the processor and the Controller shall also pay the Data Subject the damages due to the Data Subject in the event of a personal data breach caused by the processor. The Controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the Data Subject’s personality rights was caused by an unavoidable cause outside the scope of the processing. No compensation shall be due and no damages shall be payable where the damage or injury to the personality rights of the Data Subject was caused by the intentional or grossly negligent conduct of the Data Subject.

17. Individuals entitled to access Data Subjects’ data within the Data Controller’s organisation

Access to the personal data of the Data Subject shall be granted to those employees of the Controller whose job duties include the performance of the tasks which are the subject of the processing, and thus the processing of the personal data of the Data Subject.

18. Other

The Data Controller may be obliged or required to disclose data in the event of a request from a public authority or other body based on other legal obligations. In such cases, the Controller shall endeavour to disclose only such personal data as is strictly necessary for the purposes of the obligation to disclose.

Musicum Laude