Data Processing Policy
The Veszprém Festival Public-benefit Nonprofit Limited (‘Veszprémi Ünnepi Játékok Nonprofit Közhasznú Korlátolt Felelősségű Társaság’), registered seat: Hungary, 8200 Veszprém Óváros tér 22; Company Registration Number: 19-09-507051 (hereinafter: “Controller”), complies with the following policy (hereinafter: “Policy) when processing and protecting personal and other data.
The Controller undertakes the organisation of events and the selling of tickets for said events and related services; furthermore, Controller implements the events, manages visitor admission to the events, and provides access to services rendered by Controller and by its implementing partners.
For ticket purchases, admission to the events, using the services at the events, as well as for assessing future demands, Controller requires access to the personal data of ticket holders. The purpose of the displayed rules is that the rights, fundamental freedoms, and the right to protection of privacy is respected when processing the personal data of each person attending the events organised by Controller.
Controller declares that its data processing activities are carried out – by implementing appropriate internal policies and technical and organisational measures – at all times in conformity with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: “Regulation”) and with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”).
Controller may unilaterally amend the Policy, with any such amendments taking effect upon publication at the website.
2 Purpose of the Policy
The purpose of the Policy is to establish internal rules and to provide a foundation for measures that ensure fair and transparent data processing, compliance with relevant legislation, and the protection of personal and other data.
3 Scope of the Policy
The scope of this Policy extends to the processing of personal data concerning natural persons by the Company.
For easier identification we provide the meaning of the most important terms.
1 ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2 ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7 ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8 ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
10 ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11 ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5 Basic principles of processing
Controller shall carry out processing in the following cases:
- in the course of purchasing tickets;
- in newsletter registrations;
- during the admission process.
Primary objectives of processing your personal data:
- to provide a process for ticket purchasing, to ensure uninterrupted compliance with legislation on the Controller’s part, including in particular Controller’s compliance with accounting and tax obligations prescribed by law;
- collecting statistical data for market research;
- sending information and/or newsletters about the Company’s products, services, terms and conditions, and discounts.
Secondary objectives of processing your personal data:
- ensuring that Controller is aware of its business partner’s identity when selling a ticket and/or other services to an event;
- maintaining contact by electronic means, telephone, SMS and mail;
- analysing website use and user patterns.
6 Processing for ticket purchase:
- Making a purchase in the web shop operated by Controller constitutes a contract in line with Article 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services and with Government Decree 45/2014. (II. 26.) on the Detailed Provisions of Contracts Concluded Between Consumers and Companies.
- Controller shall handle the personal data and address of natural persons registering and making purchases at the web shop for the purposes of drawing up the contract for the service, determining and modifying the contents thereof, monitoring the performance thereof, billing the charges arising therefrom as well as enforcing the claims related thereto on the legal basis of Subsection 13/A (1) of Act CVIII of 2001, and shall handle e-mail addresses and online identifiers by consent.
- For purchases in the web shop, the legal basis for processing in case of tickets purchased after 25 May 2018 is the contract. (With the entry into force of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.)
- Duration of the processing of personal data: for the duration of the registration/service, or until a withdrawal of consent (request for erasure) by the data subject, or in case of a purchase for 5 years following the purchase.
7 Statistical data collection for market research
- During registration, in addition to your address we also ask you to provide your date of birth. Providing this data is optional. The reason we ask for this data is to assess the age-related specifics of participants at an event when deciding on future programmes and performers. We handle your date of birth separately from other personal data and process it anonymously.
- The legal basis for processing your data is your consent; your data is processed until you withdraw your consent.
Dear Ticket Holders! Our ticket sales system is under development in this respect, and we strive to ensure compliance with GDPR and related provisions of Hungarian legislation as soon as possible. Thank you for your patience.
8 Special rules of processing related to the newsletter service
- If you would like to receive news from Jazz Picnic and other events organised by us, please grant your consent by checking the appropriate box for receiving regular emails and for having your data processed. You can unsubscribe from the newsletter any time through the “Unsubscribe” option or by a statement made in writing or by email, resulting in the withdrawal of your consent. In such cases we promptly erase all data of the person unsubscribing.
- The legal basis for processing your data is your consent; your data is processed until you withdraw your consent.
9 Processing during entry
During registration at the site of events implemented by Controller (that is when during the admission process we associate the wristband entitling for admission with the person making the purchase and we check eligibility for admission), the Controller’s authorised agent may request that you identify yourself with a photo ID.
10 Community platforms
- Controller manages a Facebook page for introducing and promoting its products and services.
- Questions posted on the Facebook page are not considered officially submitted complaints.
- The Company does not process the personal data disclosed by visitors at Controller’s Facebook page.
- In case of publishing unlawful or offensive content, Controller may ban the person from the group of members without prior notice and may delete the comment.
- Controller shall not be held responsible for unlawful data disclosures or comments by users and assumes no responsibility for any errors or malfunctions from Facebook’s operation or for issues arising from changes in system functions.
11 Processing related to organising promotional draws
- When we are organising promotional draws (Article 23 of Act XXXIV of 1991), we process your name, address, phone number, email address, and online identifier based on your consent. Participation in the game is voluntary.
- The purpose of processing your personal data is determining the winners of the draw, contacting and sending them their prize.
- The legal basis for processing is the consent of the person in question.
- Storage period for personal data: up to the dissolution of the promotional draw.
12 Data security
- In respect to data processing for all purposes and legal basis, to ensure the security of personal data, Controller shall take all technical and organisational measures and has implemented such procedural rules as necessary for the enforcement of relevant legal provisions.
- Controller shall apply appropriate measures to prevent accidental or unlawful destruction, loss, alteration, breach, unauthorised disclosure of, or access to, personal data.
- Controller shall use a firewall and antivirus protection to protect the information technology system.
- Controller shall classify and treat all personal data as confidential information. Data processed by Controller shall, as a rule of thumb, only be disclosed to those employees and agents of Controller that are engaged in implementing the data processing objectives specified in this Policy and whose contract of employment or contract of agency obliges them to confidentiality in respect to all data made known to them, in line with the legal regulations concerning their employment or by Controller’s instructions.
- Controller may use the data collected from Subjects for statistical purposes if such data is rendered anonymous – i.e., in such a manner that the data subject is not or no longer identifiable – in compliance with the governing legal provisions, and is entitled to publish and transfer such data to third parties.
- Controller shall carry out electronic processing and maintain records via computer software that conforms to the requirements of data security. The software shall ensure that access to data is under purpose limitation and supervision, available only to those whose tasks necessitate such access.
- In respect of automated personal data processing, Controller and processors shall implement additional measures designed to:
- prevent the unauthorized entry of data;
- prevent the use of automated data-processing systems by unauthorized persons using data transfer devices;
- ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data transfer devices;
- ensure that it is possible to verify and establish which personal data have been entered into automated data-processing systems and when and by whom the data were input;
- ensure that installed systems may, in case of malfunctions, be restored; and
- ensure that faults emerging in automated data-processing systems is reported.
- For the purpose of protecting personal data, Controller shall ensure that incoming and outgoing electronic communication is monitored.
- Data involved in ongoing projects and processing shall be available only to authorised employees and agents.
- Controller shall ensure adequate physical protection of data and their relevant data carriers and documents.
- Controller possesses adequate hardware and software tools and undertakes to implement technical and organisational measures ensuring the legality of processing and the protection of Subject’s rights
13 Rules pertaining to processing
Controller (Controller as data processor or the authorised data processor) shall:
- warrant that he shall implement the technical and organisational measures ensuring compliance with relevant legal provisions, in particular in expertise, reliability and resources, including processing safety.
- ensure that in the course of Controller’s activities, the persons authorised to access Subject’s personal data, unless compelled to maintain confidentiality by law, shall undertake confidentiality obligations in respect to the personal data disclosed to them.
- possess adequate hardware and software tools and shall undertake to implement technical and organisational measures ensuring the legality of processing and the protection of Subject’s rights.
14 Controller’s rights and obligations
- Taking into account the current state of science and technology and the costs of implementation, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Controller shall implement appropriate technical and organisational measures to ensure data security in line with the relevant levels of risk.
- Controller shall take steps to ensure that any natural person acting under the authority of Controller who has access to personal data does not process them except on instructions from Controller, unless he or she is required to do so by Union or Member State law.
- Controller shall ensure that stored data is accessible via the internal system or by direct access only to those duly authorised, and only in relation to the purpose of processing.
- Controller shall ensure the necessary and regular maintenance and development of the equipment used. The device storing the data shall be kept in a closed room with adequate physical protections where Controller shall ensure physical protection thereof.
- Controller is obliged to only engage persons with appropriate skills and expertise to carry out the tasks specified in the contract. Furthermore, Controller shall ensure that the persons thus engaged are trained in the applicable legal regulations on data security, the obligations described herein, and the purpose and method of data collection.
- Controller undertakes to engage another processor only under the terms specified in the relevant legal regulations. Controller hereby grants general permission to Processor to engage other processors (subcontractors). Prior to engaging another processor, Processor shall duly notify Controller about the other processor’s identity and the planned activities to be carried out by the other processor. In case Controller, based on the above information, raises objections against engaging the other processor, Processor shall only be entitled to engage the other processor if the requirements specified in the objection are met.
- Where a processor engages another processor for carrying out specific processing activities on behalf of Controller, they shall conclude a contract in writing where the contract shall apply the same data protection obligations as set out in this contract concluded between Controller and the processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
15 Principal’s (Controller’s) rights and obligations in case of authorising a data processor
- The Company shall conclude a written contract with Principal [Processor???] for the processing activities.
- Controller is entitled to inspect that activities carried out by Processor conform to the terms of the contract.
- Controller shall be held liable for the legitimacy of his instructions concerning the tasks specified in the contract; however, Processor shall promptly notify Controller if Controller’s instructions or the implementation thereof is against the law.
- Controller shall be held liable for informing the natural persons in question about the processing work under this contract, and to obtain their consent if so required by law.
16 Requesting information, your rights and options for legal remedy
- In case of any questions or comments exceeding those contained in this Policy, Controller requests that you contact them at the following number or email address:
- phone: Dániel Sánta
- email: firstname.lastname@example.org
- You may request information about the processing of your personal data anytime. Upon your request Controller shall provide detailed information concerning the data relating to you (Subject), including those processed by a data processor on its behalf, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and – in case of data transfer – the legal basis and the recipients.
- Controller must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at your request within not more than thirty days, mailed to the contact address (postal address) listed by you, provided that such an address was listed in the request. Failing that, the thirty-day time limit prescribed for Controller shall only be considered expired after you have provided your address to Controller in a verifiable manner.
- Furthermore, you may request the rectification or erasure of your personal data anytime – except data processing prescribed by law –, while Controller is entitled to refuse admission to the event concurrently with the erasure of such data.
- Controller informs you that Controller is obliged to erase the data in the following cases:
- if data are unlawful;
- if requested by the client (subject);
- if data are incomplete or inaccurate and lawful rectification is not possible;
- if the purpose of processing has ceased;
- if ordered by court or by the National Authority for Data Protection and Freedom of Information.
- Instead of erasure, Controller may block personal data if so requested by the subject, or if it is assumed based on the available information that erasure is likely to violate the subject’s lawful interests. Personal data thus blocked may only be processed for as long as the purpose for processing that prevented the erasure exists. However, Controller informs the client that in case of an erasure of data, Controller can no longer provide its services to the given client.
- You may object to such processing of your personal data in accordance with the provisions of the applicable law. Controller shall review your objection – concurrently with suspending the processing – as soon as possible, but not later than within fifteen days of the objection and shall notify the client in writing at the contact address (postal address) listed by client, provided that such contact address had been listed in client’s request. Failing that, the fifteen-day time limit prescribed for Controller shall only be considered expired after client has provided his address to Controller in a verifiable manner. In case the objection is justified, Controller shall cease data processing, including all further data recordings and transfers, and shall block the data, and notify all parties about the objection and the measures taken on that basis to whom such objected data had been transferred and who are obliged to act to enforce the right to object. If the client finds the decision made by Controller in response to the objection questionable, Client may bring action at a court within thirty days of having learned of the decision.
- You may seek ruling from a court if your rights concerning the processing of your personal data have been violated. The case shall be given priority at the court. Action may be brought, as per your choice, at the court of Controller’s registered seat or at the court of your (the subject’s) domicile (residence).
- You have the right to transparent information, which we seek to provide with this Policy.
- Processing is carried out by Netpositive Számítástechnikai Szolgáltató és Kereskedelmi Kft (Company Registration Number: 13-09-104997; Tax Number: 12643565-2-13; registered seat: HU-2021 Tahitótfalu, Pataksor u. 48).