PRIVACY NOTICE OF THE MEDIA SERVICE SUPPORT AND ASSET MANAGEMENT FUND FOR ITS ACTIVITIES ON WEBSITES, IN APPLICATIONS AND ON OTHER ONLINE
PLATFORMS
INTRODUCTION:
The Media Service Support and Asset Management Fund (hereinafter: “Controller” or “MTVA”)
attaches great importance to respecting the right of informational self-determination of its
partners, customers and visitors. The Controller shall process personal data confidentially, in
accordance with the applicable European Union and national legislation and relevant data
protection (authority) practices, and shall take all security and organisational measures to
ensure the security, confidentiality, integrity and availability of the data.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter:
“GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and on
Freedom of Information (hereinafter: “Privacy Act”), the following information notice
(hereinafter: “Notice”) is published for the protection of personal data processed.
The public service media provider and MTVA shall be considered as independent controllers
in the course of supporting the performance of the tasks of the public media services, within
the framework of which MTVA shall perform its activities including content production on the
basis of its legal obligation and public task as defined in Sections 108(1), 136(1) and 137/A of
the Media Act. The Privacy Policy of the public service media provider can be found here:
https://dunamsz.hu/wpcontent/uploads/sites/18/2019/07/4_sz_vezig_ut_adatvedelmi_szabalyzat.pdf.
The processing shall be carried out in accordance with the applicable legislation on data protection,
in particular the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation, “GDPR”);
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of
Information (hereinafter: “Privacy Act”);
- Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct
Marketing Purposes (“DM Act”);
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information
Society Services (“E-Commerce Act”);
By registering on our website(s), sending us an email through our website(s) or subscribing to
our newsletter, you agree to the following terms and conditions.
By registering on the www.mediaklikk.hu website and/or in Médiaklikk or applications, you
accept the terms and conditions set out in this Privacy Notice and statement and give your
voluntary and explicit consent to the processing of your personal data by the controller in
accordance with this Privacy Notice and statement and to the transfer of your personal data to
a designated processor.
This Notice is effective from 29 November 2024 until withdrawn in relation to the processing of
personal data of data subjects concerned by the activities of the Controller.
The Controller reserves the right to unilaterally amend this Notice at any time. If the Notice is
amended, the Controller will inform the data subjects thereof.
DEFINITIONS:
The terms used in this Notice shall have the meanings given to them in the definitions in the
relevant legislation.
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Consent: any freely given, specific, informed and unambiguous indication of the user’s wishes by which he or she signifies clear agreement to the processing of personal data relating to him or her;
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data transfer: making data available to a specific third party;
Technical processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
Processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller;
User: a person validly registered on the website and/or in the applications by name and e-mail address who is a data subject within the meaning of Article 4(1) of the Regulation;
Website: https://mtva.hu/, https://mediaklikk.hu/, https://hirado.hu/, https://m4sport.hu/, https://ridikul.hu/, https://radiomusic.hu/, https://media-akademia.hu/, https://sajtoszoba.mtva.hu/ and all the programme sites available on them;
Applications: an application (hereinafter: ‘app’) is software that can be used on a smartphone, tablet or computer for a specific purpose, such as reading news, listening to/watching radio or TV programmes, following sports events or listening to stories, including: hirado.hu, M4 Sport, Mediaklikk, Kossuth Rádió, Nemzeti Sportrádió, Szakcsi Rádió, Csukás Meserádió.
Profile: An account created by the user, with personalised settings (e.g. interests, saved
content).
Smart TV app: An application developed by Médiaklikk for television platforms (e.g. LG
webOS, Samsung Tizen, Android TV, etc.) that is only available to registered and logged-in
users. The Smart TV app makes it possible to view Médiaklikk content on the TV and use
personalised features (e.g., recommended content based on interests, resuming interrupted
viewing). You can log in to the app using a QR code or a generated login code.
CONTROLLER:
Name of the controller: Media Service Support and Asset Management Fund (hereinafter:
“MTVA”)
Registered office: 1037 Budapest, Kunigunda útja 64, Hungary
Tax number: 18091715-4-44
Group identifier: 17781176-5-44
Email address: adatvedelem”at”mtva.hu
Represented by: Dániel Papp, CEO
PROCESSORS:
Regarding the operation of the website:
The website is operated by HMSoft Zrt. (registered office: 1212 Budapest, Komáromi utca 43.,
postal address: 1133 Budapest, Visegrádi u. 81., company registration number: 01-10-047775,
represented by: László Gábor Mészáros, CEO), which processes the personal data provided
by users of the website during registration as a processor in accordance with the instructions
of MTVA and the applicable laws for the purpose of operating the website and fulfilling its
obligations under its contract with MTVA.
Regarding the development and operation of apps (Google Play and App Store):
Apps are developed by Appsters Mobiltartalom-fejlesztő Korlátolt Felelősségű Társaság
(registered office: 1023 Budapest, Lukács utca 4. 3. em. 8. ajtó, company registration number:
01-09-947838, tax number: 22988197-2-41, represented by: Áron Bubla, Managing Director),
which processes the personal data provided by users of the app as a processor in accordance
with the instructions of the Controller and the applicable laws for the purpose of operating the
app and fulfilling its obligations under its contract with the Controller.
PROCESSING OF DATA IN CONNECTION WITH APPLICATIONS TO APPEAR IN
PROGRAMMES PRODUCED BY THE CONTROLLER AND BROADCASTING:
Within the scope of its main activities, the Controller provides radio and television broadcasting
services, including broadcasting of both live and recorded programmes. In this context, it
processes the personal data of the data subjects appearing or participating in programmes as
follows:
Scope of the personal data processed:
- out of programme:
- first name, last name, nickname, other data provided by the data subject during the
programme.
o age: verification of compliance with the rules of the game, request for statutory
representation
o occupation: contact
o email address: contact
o phone number: contact
o place of residence (municipality): contact
o photo/video: player selection, programme production tasks
- in programme: first name, nickname, other data provided by the data subject during
the programme
- other: for a specific programme, the Controller may request a different set of data in
order to verify the suitability of the applicant.
In all cases, the Controller shall explicitly endeavour to ensure that the data subject cannot be
identified during the live broadcast, or can only be identified to a minimal extent. An exception
to this is if the data subject discloses information about himself or herself in the programme
which, through his or her own fault, makes the data subject identifiable.
Categories of data subjects: data subjects of any programme of the Controller, any natural person who contacts the Controller and wishes to participate in a programme advertised by the Controller by providing personal data.
Source of the personal data processed: the data subject.
Purpose of processing: providing the Controller’s services, conducting interactive programmes, ensuring the direct participation of data subjects in radio and television programmes, entertainment, casting players, establishing contact.
Legal basis for processing: explicit consent of the data subject pursuant to Article 6(1)(a) of the GDPR, with particular regard to Article 9(2)(a) of the GDPR. In the course of enforcing rights or claims, as well as when processing contact details, the Controller’s legitimate interest pursuant to Article 6(1)(f) GDPR.
Duration of processing: until the purpose is achieved. An exception to this is when the data subject or his or her representative submits a statement to the Controller requesting the erasure of his or her personal data (unsubscribing), which, if the request is justified, will be investigated and the data subject’s personal data will be erased immediately and irretrievably, and further exceptions to this are the enforcement of any right or claim or proceedings by a court, public prosecutor’s office, investigating authority, infraction authority, administrative authority, the National Authority for Data Protection and Freedom of Information, the National Media and Communications Authority or other bodies authorised by law.
Access: only authorised employees of the Controller and the Processor are entitled to access the data.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the Controller, or in the event of the enforcement of any right or claim, or proceedings by a court, public prosecutor’s office, investigating authority, infraction authority, administrative authority, the National Authority for Data Protection and Freedom of Information, the National Media and Infocommunications Authority or other bodies authorised by law. However, given the nature of radio broadcasting, the personal data and information presented by the data subject will be widely disclosed.
Processing technique: The Controller processes the personal data of data subjects
electronically.
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights to
withdrawal of consent, access, rectification, erasure, restriction of processing and data
portability.
PROCESSING IN APPS:
The Controller also operates mobile applications (iOS, Android and Huawei platforms) related
to the www.mediaklikk.hu website, which process the personal data of data subjects for the
purposes of registration, login, profile management and personalised content delivery.
The Controller shall process personal data as follows:
Scope of the personal data processed: name, email address, password (encrypted), interests,
favourites, own list, interrupted viewings, newsletter subscription, last login date, application
version, list of devices logged in, push notifications enabled, password reset tokens.
Categories of data subjects: natural persons who download and use the apps and have a
personal profile.
Source of the personal data processed: the data subject (data provided during registration,
profile settings, and use of the application).
Purpose of processing: identifying the user, ensuring login, displaying personalised content
based on interests, managing saved content (favourites, own list), continuing interrupted
content, sending push notifications (if enabled), sending newsletters, maintaining contact,
customer support, maintaining and improving the operation and security of the application.
Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
The processing of technical data (e.g. error logs, detection of unauthorised access) is based
on legitimate interest pursuant to Article 6(1)(f) GDPR.
Duration of processing: until the registration is deleted or for a maximum of 2 years from the
last active use. Up to 1 month in the case of interrupted viewings. Up to 24 hours for password
recovery links.
Access: primarily, the Controller and its appointed Processors may access the personal data.
Administrative access and user management:
The Controller processes users’ personal data through an internal administration system
(CMS). The system enables the secure storage, viewing, modification or deletion of registered
users’ data in accordance with data protection rules.
Only authorised staff members of the Controller may access user data, and access is logged
and restricted.
The CMS system ensures, among other things:
– viewing user profile information (e.g. name, email, registration date);
– resending password reset and registration emails;
– the export of user data (e.g. in case of a data protection request);
– the permanent deletion of user accounts.
All of these operations comply with the principles set out in Article 5 of the GDPR: data are
processed securely and transparently, only to the extent necessary for the purposes for which
they are processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: The Controller processes the personal data of data subjects
electronically.
Profiling: a content recommendation system is in place based on interests and user activities,
but no decisions are made solely through automated decision-making and no
profiling with legal effect is performed.
Data subject rights: data subjects may request access to their data, rectification, erasure,
restriction of processing and data portability. They can object to the processing and withdraw
their consent at any time.
PROCESSING IN THE MÉDIAKLIKK SMART TV APP:
The Controller also operates the Médiaklikk Smart TV app, which is only available to registered
and logged-in users. To start the app, the user must be registered and logged into their profile.
You can log in using a QR code or a generated code.
The Controller shall process personal data as follows:
Scope of the personal data processed: email address, name (optionally first and/or last name),
password (encrypted), interests, QR code pairing identifier, generated login code, favourites,
own list, unfinished views, application version, last login date.
Categories of data subjects: natural persons who register and log in to the Médiaklikk Smart
TV app.
Source of the personal data processed: the data subject (data provided during registration and
login on a TV device).
Purpose of processing: providing login based on registered profile (e.g. QR code or code
identification), providing personalised content offer, saving and reloading interrupted viewings
and favourites, device pairing, troubleshooting, feedback, maintaining the secure operation of
the application.
Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
Duration of processing: until the deletion of the user profile or for a maximum of 2 years from
the last use. Up to 24 hours in the case of QR code pairing IDs and generated codes. Up to 1
month in the case of interrupted viewings.
Access: primarily, the Controller and its appointed Processors may access the personal data.
Administrative access and user management:
The Controller processes users’ personal data through an internal administration system
(CMS). The system enables the secure storage, viewing, modification or deletion of registered
users’ data in accordance with data protection rules.
Only authorised staff members of the Controller may access user data, and access is logged
and restricted.
The CMS system ensures, among other things:
– viewing user profile information (e.g. name, email, registration date);
– resending password reset and registration emails;
– the export of user data (e.g. in case of a data protection request);
– the permanent deletion of user accounts.
All of these operations comply with the principles set out in Article 5 of the GDPR: data are
processed securely and transparently, only to the extent necessary for the purposes for which
they are processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: the Controller stores the data of the Smart TV app electronically and
securely within its IT systems, using encrypted communication and access control.
Profiling: there is no automatic decision-making with legal effect in the Smart TV app, but
content recommendations are made based on interests and user activities.
Data subject rights: the data subject may request access to, rectification, erasure, restriction
of processing or portability of his or her personal data and may withdraw his or her consent at
any time.
PROCESSING ON SOCIAL MEDIA PLATFORMS:
The Controller operates social media platforms to inform the public about its activities, most
important news and services for the purpose of promoting its services, in the course of which
it processes the personal data of the data subjects visiting and following the platforms.
The Controller shall process personal data as follows:
Scope of the personal data processed: Social media profile data, title, first name, last name,
username, profile picture, cover picture, other data provided by the data subject.
Categories of data subjects: visitors of any social media platform of the Controller (Facebook,
Instagram, YouTube, TikTok).
Source of the personal data processed: the data subject.
Purpose of processing: promoting the services of the Controller, maintaining a community
space, reaching groups of visitors, publishing content, providing information.
Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
In the course of enforcing rights or claims, as well as when processing contact details, the
Controller’s legitimate interest pursuant to Article 6(1)(f) GDPR.
Duration of processing: following the investigation of a statement made by the data subject or
his or her representative to the Controller requesting the erasure of his or her personal data
(unsubscribing), the personal data of the data subject will be erased immediately and
irrevocably, provided that the request is justified. Exceptions to this include the enforcement of
any right or claim, and proceedings by a court, public prosecutor’s office, investigating
authority, infraction authority, administrative authority, the National Authority for Data
Protection and Freedom of Information, the National Media and Infocommunications Authority
or other bodies authorised by law.
Access: primarily the Controller has access to the personal data processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: The Controller processes the personal data of data subjects
electronically.
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights to
withdrawal of consent, access, rectification, erasure, restriction of processing and data
portability.
PROCESSING OF DATA IN CONNECTION WITH THE PRODUCTION AND PUBLICATION
OF IMAGES AND SOUND RECORDINGS:
In the course of its main activity, the Controller may make image and/or sound recordings
qualifying/not qualifying as mass recordings, as well as image and/or sound recordings and
written summaries of public figures. As a general rule, processing is based on the data
subject’s explicit consent after prior information. The Controller shall endeavour to process
only the necessary personal data.
Subject to the data subject’s consent, the Controller may publish news, posts, images and/or
audio recordings on its website and social media platforms to publicise and promote its
services.
At any time during the period of processing, the data subject may request the erasure of such
personal data and acknowledges that their removal may be carried out at any time at the
unilateral decision of the Controller.
The Controller shall process personal data as follows:
Scope of the personal data processed: first and last name, title, image, image and sound
recording, location.
Categories of data subjects: data subjects having a contractual relationship with the Controller.
Source of the personal data processed: the data subject.
Purpose of processing: publishing images and sound (video) recordings made in the course
of the Controller’s main activity.
Legal basis for processing: explicit consent of the data subject pursuant to Article 6(1)(a) of
the GDPR and in accordance with Article 9(2)(a) of the GDPR.
In the course of enforcing rights or claims, as well as when processing contact details, the
Controller’s legitimate interest pursuant to Article 6(1)(f) GDPR.
Duration of processing: following the investigation of a statement made by the data subject or
his or her representative to the Controller requesting the erasure of his or her personal data,
the personal data of the data subject will be erased immediately and irrevocably, provided that
the request is justified. Exceptions to this include image and sound recordings classified as
mass recordings, the enforcement of any right or claim, and proceedings by a court, public
prosecutor’s office, investigating authority, infraction authority, administrative authority, the
National Authority for Data Protection and Freedom of Information, the National Media and
Infocommunications Authority or other bodies authorised by law.
Access: primarily the Controller has access to the personal data processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: the Controller processes the personal data of data subjects
electronically.
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights to
withdrawal of consent, access, rectification, erasure, restriction of processing and data
portability.
PUBLIC RELATIONS: PROCESSING OF DATA IN CONNECTION WITH REQUESTS,
COMMENTS, COMPLAINTS:
The Controller allows data subjects to request information, write letters, make complaints or
comments to the Controller (on its website, by post or email) by providing the following details.
In this context, the Controller processes the personal data of data subjects as follows:
Scope of the personal data processed: the complainant’s first and last name, contact details
(email address, phone number), the content of the request, other personal data provided by
the complainant in relation to the complaint.
Categories of data subjects: data subjects requesting information from the Controller, sending
letters/complaints/comments to the Controller.
Source of the personal data processed: the data subject.
Purpose of processing: responding to requests for information, investigating
letters/complaints/comments, remedying issues.
Legal basis for processing: voluntary consent of the data subject pursuant to Article 6(1)(a) of
the GDPR.
Duration of processing: until the purpose is achieved. Exceptions to this include the
enforcement of any right or claim, and proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Access: primarily the Controller may access the personal data processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: the Controller processes the personal data of data subjects
electronically and manually (on paper).
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights of
access, rectification, erasure, restriction of processing and objection.
PARTICIPATION IN GAMES ORGANISED BY THE CONTROLLER:
Scope of the personal data processed:
name: identification
phone number: contact
email address: contact
social media account details: identification
for the winner: name, address, mother’s name, ID number, tax identification number for paying
the prize tax
Categories of data subjects: any natural person who wishes to participate in games organised
by the Controller by providing their personal data.
Source of the personal data processed: the data subject.
Purpose of processing: The Controller usually organises various games on the platforms it
operates (websites, social networking sites, etc.) related to the public service media provider’s
programmes or other media content, in which certain personal data are required to participate
and to draw the prize. Each game organised by the Controller is accompanied by a game
description and a privacy policy.
Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
Duration of processing: 5 years general limitation period or until the purpose is achieved.
Exceptions to this include the enforcement of any right or claim, and proceedings by a court,
public prosecutor’s office, investigating authority, infraction authority, administrative authority,
the National Authority for Data Protection and Freedom of Information, the National Media and
Infocommunications Authority or other bodies authorised by law.
Access: primarily the Controller and the authorised employees of the Processor may access
the personal data processed. The activities of the Processor in relation to data processing are
regulated in the rules of the game concerned.
Data transfer: regulated in the rules of the game concerned.
Processor: specified in the rules of the game concerned.
Processing technique: servers of the Controller and the Processor located in a locked room.
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights of
access, rectification, erasure, restriction of processing and objection.
PROCESSING OF DATA IN THE COURSE OF SENDING NEWSLETTERS:
Subject to the data subject’s prior, unambiguous and explicit consent, the Controller will send
newsletters to the data subject by email about its activities, most important news, services and
discounts for the purpose of promoting its services.
Subscribing on the website:
The data subject may subscribe to the newsletter electronically on the website of the Controller,
on condition that he or she has read and accepted this Privacy Notice.
The Controller shall not be liable in any form for any errors or damages resulting from incorrect
or false data; all liability arising therefrom shall be borne by the Subscriber. The Controller shall
delete any subscriptions made with incorrect or false data immediately upon becoming aware
of them.
The Controller shall ensure that the data subject can unsubscribe from the newsletters at any
time free of charge.
Subscribing in apps (mobile apps and Smart TV):
It is also possible to subscribe to newsletters via the mobile application(s) operated by the
Controller and the Smart TV application. During the registration or profile setting, the data
subject can give his or her consent to receive newsletters by ticking a check box. In the Smart
TV app, registration is not done directly on the TV: the user can complete the registration
process on a website, where they can either manually enter the link or scan a QR code with
their phone.
The user can modify or withdraw their consent at any time in the profile settings of the
application, and can unsubscribe from newsletters by using the link at the bottom of the
newsletters.
The Controller shall process personal data as follows:
Scope of the personal data processed: first name, last name, email address.
Categories of data subjects: data subjects requesting newsletters.
Source of the personal data processed: the data subject.
Purpose of processing: sending electronic messages (emails) containing advertisements to
the data subject, providing information about current news, products, promotions and new
features.
Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
In the course of enforcing rights or claims, as well as when processing contact details, the
Controller’s legitimate interest pursuant to Article 6(1)(f) GDPR.
Duration of processing: following the investigation of a statement made by the data subject to
the Controller requesting the erasure of his or her personal data (unsubscribing), the personal
data of the data subject will be erased immediately and irrevocably. Exceptions to this include
the enforcement of any right or claim, and proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Access: primarily the Controller has access to the personal data processed.
Data transfer: personal data will not be transferred to third parties, unless otherwise provided
for in the contract between the data subject and the Controller, or in the event of the
enforcement of any right or claim, or proceedings by a court, public prosecutor’s office,
investigating authority, infraction authority, administrative authority, the National Authority for
Data Protection and Freedom of Information, the National Media and Infocommunications
Authority or other bodies authorised by law.
Processing technique: The Controller processes the personal data of data subjects
electronically on the Controller’s servers located in a locked room.
Profiling: the Controller shall not make decisions based solely on automated processing in
relation to the data subject and shall not profile the data subject using the available personal
data.
Data subject rights: in the context of processing, data subjects may exercise their rights to
withdrawal of consent, access, rectification, erasure, restriction of processing and data
portability.
PROCESSING OF DATA DURING VISITS TO WEBSITES OPERATED BY MTVA:
Anyone can access the websites of the Controller without revealing their identity and providing
their personal data, and can obtain information and view uploaded content freely and without
restriction on the website and the pages linked to it. Non-personally identifiable information is
automatically collected from visitors by the website in order to ensure the proper functioning of
the pages.
Scope of the personal data processed: IP address, time of visit, pages visited, type of
browser, operating system, data voluntarily provided by the data subject (e.g. name, email
address, phone number, message content, etc. provided through a contact form).
Indirect data collection (log files):
Log files: the server operated by MTVA automatically stores the following data of visitors to
the website:
- browser type
- time of access to the site
- time of leaving the site
- IP address of the visitor
The above data are logged for the purposes of generating website traffic data, monitoring the
secure operation of the website and ultimately for the purposes of detecting and responding
to unlawful external attacks that may compromise or threaten the integrity of the website.
The log files are updated daily, statistics are compiled and the monthly log files are stored on
the MTVA server for one year.
Categories of data subjects: data subjects visiting the websites of the Controller who access
the site or fill in a contact form.
Source of the personal data processed: the data subject.
Purpose of processing:
During the visit of the website, the Controller records visitor data to monitor the functioning of
the services, to facilitate and enhance the functions of the website, to provide personalised
service and to prevent misuse, and uses necessary session and functional cookies. These
include, for example, session identifiers or cookies that may be used for statistics, and cookies
that are necessary for serving and customising content. These are deleted when the session
is finished.
By registering on the website, by sending us emails through the website or by subscribing to
our newsletter, the data subject has consented to us using his or her personal data for the
following purposes:
- communicating with the Data Subject,
- fulfilling an order,
- data processing and market research for the publication of questions asked via the
website or sent via the email addresses indicated on the website.
By ticking the box that appears when you register on the website to consent to online
marketing activities, you consent to the processing of your personal data for the following
purposes:
- regular information through our newsletters,
- organising online press conferences,
- sending information material by post or telephone, information about MTVA,
- use of the data subject’s name, address and email address for direct marketing and
market research purposes,
- sending newsletters, advertisements and other information by electronic means to your
email address, telephone/mobile phone.
We process the Data Subject’s data exclusively by means of computerised data processing.
Legal basis for processing: explicit consent of the data subject pursuant to Article 6(1)(a) of
the GDPR and in accordance with Article 9(2)(a) of the GDPR, and pursuant to a statutory
authorisation, in the manner and to the extent provided by law (in order to comply with a legal
obligation applicable to MTVA), and pursuant to Section 13/A(3) of the E-Commerce Act. The
data subject gives his or her consent to each data processing operation by using the website,
registering, or by voluntarily providing the data in question.
The law may order the disclosure of personal data in the public interest, by expressly specifying
the scope of the data. In all other cases, disclosure requires the consent of the data subject,
or in the case of sensitive data, his or her explicit written consent. In case of doubt, the data
subject shall be presumed not to have given his or her consent. The consent of the data subject
shall be deemed to be given in respect of the data communicated by him or her in the course
of his or her public activities or transmitted by him or her for the purpose of disclosure.
Duration of processing: until the end of the browsing session or, in the case of statistics, until
the end of the day. Exceptions to this include the enforcement of any right or claim, and
proceedings by a court, public prosecutor’s office, investigating authority, infraction authority,
administrative authority, the National Authority for Data Protection and Freedom of Information,
the National Media and Infocommunications Authority or other bodies authorised by law.
Access: primarily the Controller and secondarily the Processor may access the personal data
processed.
Data transfer: the following data will be transferred to web analytics providers: ID number, date,
time, address of the page visited, data related to the user’s operating system and browser, IP
address of the user’s computer (except for the last section). Other personal data will not be
transferred to third parties, unless otherwise provided for in the contract between the data
subject and the Controller or in the event of the enforcement of any right or claim, or
proceedings by a court, public prosecutor’s office, investigating authority, infraction authority,
administrative authority, the National Authority for Data Protection and Freedom of Information,
the National Media and Infocommunications Authority or other bodies authorised by law.
Processing technique: the Controller and the Processor process the personal data of data
subjects electronically on their servers located in a locked room.
PRINCIPLES OF PROCESSING:
MTVA shall process personal data only for specific purposes, for the exercise of a right and
the performance of an obligation, in accordance with the principles of data minimisation,
accuracy and storage limitation. The processing shall be in line with this purpose at all stages
of processing. Furthermore, MTVA shall only process personal data that is essential and
suitable, and only to the extent and for the period necessary, for the implementation of the
objective of the processing.
DATA SECURITY:
The Controller and, within the scope of its activities, the Processor shall ensure the security of
the data by implementing appropriate technical and organisational measures and shall
establish the necessary procedural rules to enforce the GDPR and other data protection and
confidentiality rules. MTVA shall protect the data in particular against unauthorised access,
alteration, disclosure or deletion, as well as damage or destruction.
The Controller and the processors shall have the right to access the personal data of the data
subject only to the extent necessary for the performance of their tasks.
The Controller shall transfer personal data in a uniform, pre-audited and secure manner,
informing the data subject, avoiding redundant data transfer or data disclosure on different
registration platforms.
In the interests of data security, the Controller shall assess and record all data processing
activities carried out by it.
On the basis of the records of processing activities, the Controller shall perform a risk
assessment to evaluate the conditions under which each processing operation is carried out
and the risk factors that may cause harm or a potential personal data breach during processing.
The risk assessment must be carried out on the basis of the actual data processing activity.
The purpose of the risk assessment is to define security rules and measures that effectively
ensure the adequate protection of personal data in line with the performance of the Controller’s
activities.
Taking into account the nature, scope, context and purposes of processing as well as the risks
of varying likelihood and severity for the rights and freedoms of natural persons, the Controller
shall implement appropriate technical and organisational measures to ensure and to be able
to demonstrate that processing is performed in accordance with the GDPR. This includes, in
particular, where applicable:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken in particular of the risks
that are presented by processing, in particular from accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to personal data transmitted, stored or
otherwise processed.
The Controller shall implement appropriate technical and organisational measures for ensuring
that, by default, only personal data which are necessary for each specific purpose of the
processing are processed. That obligation applies to the amount of personal data collected,
the extent of their processing, the period of their storage and their accessibility. In particular,
such measures shall ensure that by default personal data are not made accessible without the
individual’s intervention to an indefinite number of natural persons.
In the event of damage or destruction of personal data, attempts must be made to replace the
damaged data as far as possible from other available data sources. The fact that the data have
been replaced must be indicated on the replaced data.
The Controller shall take the utmost care to ensure that its IT tools and software continuously
comply with the technological solutions generally accepted in the market.
RIGHTS AND LEGAL REMEDIES:
If, despite your objection, your rights have been harmed in relation to the processing of your
personal data, you have the following legal remedies:
You may request information about the processing of your personal data and request the
rectification of your personal data by sending an email to adatvedelem@mtva.hu. At your
request, we will provide you with information about the data we process or the data processed
by a processor on our behalf, the purpose, legal basis and duration of the processing, the
name and address (registered office) of the processor and its activities related to the
processing, as well as the persons who receive or have received the data and for what
purpose. At your request, we will provide you with the personal data we process in a commonly
used and readable digital format.
You may request the erasure of your personal data, unless the processing is necessary
- for MTVA to comply with its legal obligations or to perform a contract with you;
- for the establishment, exercise or defence of legal claims;
- for the performance of a task to be carried out in the public interest;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
If the foregoing is not the case, we will erase your personal data without undue delay if the
processing is unlawful, the data are incomplete or inaccurate, the purpose of the processing
has ceased or the storage period has expired, or if a court or public authority has ordered it,
or if the erasure is necessary to comply with a legal obligation applicable to MTVA.
Please note that you can withdraw your consent to the processing of your personal data at any
time. Unless there is no other legal basis for the processing (e.g. mandatory processing as
defined by law), we will erase your personal data affected by the withdrawal of consent as
soon as possible. Please note that by withdrawing your consent given during registration, you
will no longer be able to use the services of the website that require registration, and by
withdrawing your consent to the marketing activities, MTVA will no longer provide you with its
services of sending newsletters, information and offers, and organising online press
conferences.
We will notify you, and all those to whom we have previously transferred the data for
processing, of the rectification and erasure. Notification may be omitted if this does not harm the
legitimate interests of the data subject having regard to the purpose of the processing.
You may object to the processing of your personal data at any time if
(a) the processing or transfer of personal data is necessary for reasons of public interest or for
the purposes of the legitimate interests pursued by the controller, the recipient or a third party,
except where the processing is required by law;
(b) the personal data are used or disclosed for direct marketing, public opinion polling or
scientific research purposes.
Following your legitimate objection, MTVA shall no longer process your personal data, unless
it demonstrates compelling legitimate grounds for the processing which override your interests,
rights and freedoms or for the establishment, exercise or defence of legal claims. In the latter
case, you will be informed in detail in MTVA’s response to your objection.
We shall restrict the processing of your personal data if
- you contest the accuracy of the personal data, for a period enabling us to verify the
accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the data and request the
restriction of their use instead;
- MTVA no longer needs your personal data for the purposes of processing, but you
require them for the establishment, exercise or defence of your legal claim; or
- you object to the processing of your data on grounds of public interest or on the basis of
the legitimate interests of MTVA or a third party.
During the restriction period, MTVA may not use the personal data for any purpose other than
storage.
If you exercise the rights set out above, MTVA will examine your request without undue delay
and take the necessary measures. MTVA will inform you of the measures taken, the legitimate
reasons for not taking them and the remedies available to you within one month of receiving
your request.
If you disagree with the decision made by MTVA, you can appeal against it in court. The court
shall handle the case as a matter of priority. The case falls under the material jurisdiction of
the Budapest-Capital Regional Court, which is the court with territorial jurisdiction for the
registered office of MTVA. You may, at your own discretion, bring the action before the regional
court with territorial jurisdiction for your place of domicile or, in the absence thereof, place of
stay (for a list of courts and their contact details, see http://birosag.hu/torvenyszekek; for
information on their territorial jurisdiction, see http://birosag.hu/ugyfelkapcsolatiportal/illetekessegkereso).
In addition to the judicial remedy, a complaint may be lodged with the National Authority for
Data Protection and Freedom of Information using one of the following contact details:
National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11, Hungary
Mailing address: 1363 Budapest, Pf.: 9, Hungary
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Further information: http://naih.hu
Please note that we cannot erase your data if the processing is required by law. However, the
data may not be transferred to the recipient if the controller has agreed to the objection or if
the court has ruled that the objection is justified.
The Privacy Policy of MTVA can be found HERE.
If you find any unlawfulness or malpractice in MTVA’s internal processes, data flows or any of its data processing operations, you can send an email to adatvedelem[at]mtva[dot]hu or you can submit it anonymously using the form below: