This document is published in both the Hungarian and the English language. The following English translation serves information purposes only. Therefore, if there are any differences between the Hungarian language version and the English language version of this document, the Hungarian language version shall prevail.
The Government Debt Management Agency Ltd. (in Hungarian: Államadósság Kezelő Központ Zrt., hereinafter: ÁKK Zrt.) hereby publishes its data protection and data handling principles, which it considers binding on itself in the course of operating its web pages.
When drawing up these rules, ÁKK Zrt. took into account in particular the provisions of Act No. LXIII of 1992 on the protection of personal data and publicity of data of public interest, and of Act No. VI of 1998 on the promulgation of the Agreement on protecting individuals in the course of computerised processing of personal data signed in Strasbourg on 8 January 1981, as well as the recommendations of the Online Privacy Alliance.
The purpose of this communiqué is to assure each and every individual that his/her rights, and within that, fundamental freedoms (particularly the right to privacy) are respected in the course of computerised processing of their personal data in the course of the operation of ÁKK Zrt.’s web pages, regardless of their nationality or place of residence.
ÁKK Zrt. has reported data handling and the Ombudsman for Data Protection registered this data handling activity under no. 01018-0001 based on Article 28 of Act No. LXIII of 1992.
II. Terms and definitions
2.1 For the purposes of this communiqué:
personal data: data that may be connected to a given natural person (hereinafter: person concerned or visitor), conclusions that may be drawn from the data in respect of the person concerned. Personal data shall be deemed to be personal data in the course of data handling as long as its relationship to the person concerned may be restored;
special data: personal data revealing
a) racial origin, nationality, belonging to an ethnic minority or ethnicity, political opinion or party support, religious or other beliefs,
b) health condition, addictions, sexuality and/or previous criminal records.
data handling: regardless of the procedure used, the collection, registration, storage, processing, utilization (including transmission and publication) and safeguarding of personal data. Changing data and prevention of their further use shall also be deemed to be data handling;
data processing: performance of data handling operations and technical tasks, regardless of the method and tools used to perform the operations, and the place of their application;
data transmission: making some data accessible for a defined third party;
publication: making some data accessible for anybody;
data handler: the natural or legal person or entity without legal personality who or which determines the purpose of handling personal data, makes the decisions concerning data handling and carries out such decisions or may assign a data processor to carry out such decisions. In case of mandatory data handling, the purpose of and conditions for data handling and the person to handle the data are defined by the law or local municipality decree that orders the data handling;
data processor: a natural or legal person or entity without legal personality who or which performs processing of personal data on assignment from the data handler;
data deletion: rendering data unrecognizable in a way so that they cannot be restored;
automated data file: a series of data to be processed automatically;
automated processing: includes the following operations if they are performed partly or completely by automated means: data storage, logical or arithmetic operations performed with data, changing, deleting, retrieving and distribution of data.
III. General requirements applicable to handling personal data, major principles – applied also by ÁKK Zrt. – related to the handling of personal data
3.1 Data may be acquired and processed only in a fair and lawful manner.
3.2 Data may be stored only for defined and lawful purposes and may not be used in any other manner.
3.3 The data must be proportional to the purpose of their storage and must correspond to such purpose, and may not extend beyond that scope.
3.4 Data must be accurate and timely, if necessary.
3.5 The method of storing data must be such that allows for identifying the data subject only for the period necessary for the purpose of storing the data.
3.6 ÁKK Zrt. will neither request nor process special data by either automated or other means.
3.7 Appropriate security measures shall be taken to protect personal data stored in automated data files to prevent accidental or unauthorised deletion, accidental loss, and unauthorised access, change or distribution.
3.8 ÁKK Zrt. assumes the obligation to publish a clear and unambiguous alert prior to recording, registering and handling any data of visitors, informing the visitors about the method, purpose and principles of data registration. In addition, in all cases where data recording, handling and registration are not required by law, ÁKK Zrt. shall warn visitors about the voluntary nature of data provision. For mandatory data provision, the legal rule ordering the handling of data must also be specified. The person concerned must be informed about the purpose of data handling and about who will handle or process data. Information about data handling is deemed to take place also by legal requirement of recording data by transmission from existing data handling or combination.
3.9 In all cases where ÁKK Zrt. wishes to use already provided data for a purpose that differs from the purpose of the original data registration it shall inform the persons concerned about this and obtain their express prior consent, or grant an opportunity for them to prohibit data use.
3.10 ÁKK Zrt. assumes the obligation not to impose any detrimental consequences on visitors who refuse to provide data that is not mandatory.
IV. Handling of personal data
4.1 Personal data may be handled only if
a) the person concerned consents to it, or
b) it is required by law or - based on an authorisation granted by law and within the scope defined therein - by a decree of a local municipality. Laws may order the publication of personal data – by expressly specifying the scope of data – for the public interest. In all other cases, publication requires the concerned person’s consent, and for special data, a written consent from the person concerned. In case of doubt it shall be presumed that the person concerned has not given his/her consent. The consent of the person concerned shall be deemed to be given in respect of data disclosed by that person in a public appearance or data delivered by him/her for the purpose of publication.
4.2 The requirements related to data handling and protection of personal data of visitors shall apply only to natural persons, considering that personal data may be construed only in respect of natural persons (based on Article 2 Section 1 of Act No. LXIII of 1992 on the protection of personal data and publicity of data of public interest), so this communiqué is binding only in respect of handling personal data of natural persons.
4.3 Data processing shall be automated in general.
4.4 At the time when the purpose of data handling is fulfilled, data deletion must be conducted in accordance with legal requirements.
V. Data handling linked to a purpose
5.1 Personal data may be handled only for a specific purpose, in order to exercise a right or fulfil an obligation. Data handling must correspond to this purpose in all its stages. Only personal data that are indispensable for implementing the purpose of data handling and suitable for achieving this purpose may be handled, and the data handling may take place only to the extent and for the period necessary for implementing the purpose.
5.2 Unless otherwise required by law, personal data may be handled only if the visitor consents.
5.3 The – mandatory or voluntary – nature of data provision must be explained prior to data recording. In case of mandatory data provision the legal rule that orders data handling must be specified.
5.4 In addition to the purpose of data handling, clear information shall be provided about who will handle and/or process the data.
5.5 Data storage must be implemented in a way that is proportional to the purpose of data handling, for the period necessary for the purpose of data provision, and in a secure manner.
5.6 ÁKK Zrt. requests elementary demographic data (age, sex, qualification, occupation, marital status, place of residence) in the course of registration required for using certain services of the web page (e.g. newsletter mailing). ÁKK Zrt. uses such data and/or any other data provided, on the one hand, for analysis purposes and, on the other hand, for improving and developing the quality of services offered on the web page, and to promote the provision of services that are suitable for meeting all needs of visitors, and shall not disclose such data to third parties.
5.7 If ÁKK Zrt. asks its visitors to register on certain web pages it will always indicate what pieces of data it wishes to be provided on a “mandatory” basis, for what purpose and under what conditions. In this case, the phrase “mandatory” does not imply that data registration is mandatory; it means that there are fields which, if left incomplete, prevent successful registration, so leaving certain fields blank or completing them incorrectly will (may) lead to a rejection of registration or rejection of service. However, the data requested as “mandatory” will be requested in such a generalised form and the data made available shall be processed in a way so that they cannot be suitable for identifying the person in any way.
VI. Data transmission, linking of data handling
6.1 Data may be transmitted and different data handling operations may be linked only if the person concerned gave his/her consent or the law allows it, and if the conditions of data handling are fulfilled in respect of each individual piece of personal data.
VII. Data security
7.1 ÁKK Zrt. assumes the obligation to ensure data security, and will take technical and organisational measures and develop procedural rules, which ensure that the data recorded, stored and/or handled are protected to the extent required for enforcing the applicable laws and prevent any damage to, destruction, deletion, unauthorised use, disclosure and unauthorised modification of the data. Furthermore, ÁKK Zrt. assumes the obligation to warn any third parties to whom it may transmit or provide data to fulfil the same obligations.
VIII. Granting a choice (subscribing and un-subscribing)
8.1 ÁKK Zrt., in observance of the applicable laws, agrees to send any message or newsletter to its visitors only based on a prior request from customers, and will always grant a possibility for terminating communications services of this kind.
8.2 Visitors who, at any time after ordering the newsletter service offered on ÁKK Zrt.’s web pages, decide they do not wish to continue receiving newsletters, may cancel their respective newsletter orders by visiting the registration page or may cancel this service by sending an e-mail message. (The e-mail address can be found on the same web page where the given service can be ordered.)
IX. Additional guarantee provisions in protection of the data subject
9.1 Visitors may request information and/or verify the contents of their data at any time during data handling.
9.2 Visitors may modify or revoke their consent given to data handling at any time.
9.3 The persons concerned have the right to
a) be informed about the automated file of personal data, the main purposes of such a file, as well as the identity and usual place of residence or registered office of the person handling the data file;
b) be informed about whether their personal data are stored in an automated data file and to be informed about such data in a form comprehensible for them at regular intervals and without excessive delay or cost;
c) have such data corrected or deleted in justified cases, in the simplest and most quickly feasible way;
d) legal remedy if their information requests or, in justified cases, communication, correction or deletion requests are not fulfilled.
9.4 On the request of the person concerned, the data handler shall provide information about the data handled by him or the data processed by a data processor assigned by the data handler, the purpose, legal basis and duration of data handling, the name and address (registered office) of the data processor and the data processor’s activities related to data handling, and about who received or receives the data and for what purpose.
The data handler must provide the information in writing, in an easily understandable form, within the shortest time from submitting the request but no later than within 30 (thirty) days. If the rights of the person concerned are infringed he may bring action before a court against the data handler.
The data handler must indemnify other persons for damage caused to them by the unauthorised handling of data of a person concerned or violating the requirements of technical data protection. The data handler shall be liable to the person concerned for damage caused by the data processor as well. The data handler shall be released from liability if he proves that the damage was caused by an inevitable reason outside of the scope of data handling. No indemnification shall be paid to the extent that the damage was caused by the aggrieved party’s wilful misconduct or gross negligence.