Privacy Policy

PRIVACY POLICY AND DATA PROCESSING NOTICE

INTRODUCTION

1. LEGAL COMPLIANCE

Our data processing principles comply with applicable data protection laws, in particular the following:

2. PRINCIPLES OF DATA PROCESSING

 a.) LAWFULNESS, FAIRNESS, AND TRANSPARENCY

We process data fairly and lawfully, and at all times in accordance with the purpose of data processing. 

 b.) PURPOSE LIMITATION

Personal data is processed only for specified purposes, for the exercise of rights and fulfillment of obligations.

 c.) DATA MINIMIZATION

We only process personal data that is necessary for achieving the purpose and only for as long as required.

 d.) ACCURACY

We take measures to ensure that inaccurate personal data is corrected or deleted without delay.

 e.) STORAGE LIMITATION

Personal data is stored only for as long as necessary for achieving the purposes and only in a form that allows identification of the data subject for that period.

 f.) INTEGRITY AND CONFIDENTIALITY

We ensure appropriate security of personal data through suitable technical and organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

 g.) ACCOUNTABILITY

The Data Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.

3. WHAT PERSONAL DATA DO WE PROCESS? 

What qualifies as personal data?

Personal data includes any information relating to an identifiable individual—particularly the person’s name, identification number, and any information relating to their physical, physiological, mental, economic, cultural, or social identity—as well as any conclusions drawn from such data.

We process personal data when the data subject has given their voluntary consent (consent-based legal basis). In certain cases, laws require the processing, storage, or transfer of specific data (legal obligation-based legal basis). Data processing necessary for the performance or preparation of a contract is permitted where the data subject is a party to the contract or has requested steps prior to entering into a contract.

Duration of data processing

The Association processes personal data only for as long as necessary for efficient performance of its activities. The duration of data processing lasts until the termination of the contract, withdrawal of consent, or the cessation of the purpose of processing.

After this period, the Association must delete personal data in a way that prevents further identification.

Scope, purpose, legal basis, and duration of data processing 

Purpose of data processing	Scpope of data	Legal basis	Duration
Maintenance of membership and contact	Name, position, email address, phone number of member representative/contact	Legitimate interest (GDPR Art. 6(1)(f))	Until membership ends or contact person changes
Membership fee invoicing	Számlázási név, cím, adószám, e-számlázási e-mail cím	Performance of legal obligation (GDPR Art. 6(1)(c), Accounting Act Section 169)	8 years from the issuance of the invoice
Newsletter subscription	Name, email address, employer name	Direct written consent (GDPR Art. 6(1)(a))	Until withdrawal (unsubscribe)
Event registration and participation	Name, email address, employer, position	Contract performance or pre-contract steps (GDPR Art. 6(1)(b))	30 days after the event (except billing data retained for 8 years)

Right to withdraw consent

In cases where the legal basis of data processing is your voluntary consent (e.g., subscription to a newsletter), you are entitled to withdraw your consent at any time without any restriction by sending an email to the specified address or by clicking the unsubscribe link found at the bottom of the newsletters. The withdrawal of consent shall not affect the lawfulness of data processing carried out based on consent prior to its withdrawal. Please note that in cases where data processing is based on the performance of a contract (e.g., event registration), the legitimate interest of the Data Controller, or a legal obligation (e.g., retention of invoices), withdrawal of consent is not an applicable legal basis, and the data will be processed until the end of the specified retention period.

Newsletter Subscription 

In our periodically issued newsletter, we provide professional information, updates on our current projects, information about our events, partner events, and funding opportunities to those who have given their consent to receive the newsletter or have requested its delivery.

Withdrawal of consent can be made by sending an email to hvca@hvca.hu. We deliver our newsletters to you via the MailChimp application. The application is committed to protecting personal data and places special importance on data protection. The application does not transfer data, lists, or email addresses to third parties. You can read the detailed privacy notice here.

4. DATA SECURITY

Personal data is handled with the utmost care, in strict confidence, only to the extent necessary for the use of services, and—where consent has been given—in accordance with any provisions specified by the data subject.

We ensure the protection of personal data and the minimization of risks related to data processing through IT, organizational, and administrative measures. These measures and rules are regularly reviewed and modified when necessary. In doing so, we ensure that the processed data:

• is protected against unauthorized access (confidentiality of data),
• is accessible to authorized persons (availability),
• its authenticity and the authentication of processing are ensured (authenticity of data processing),
• its integrity can be verified (data integrity).

5. RIGHTS OF DATA SUBJECTS

Users may exercise their rights by sending a letter to the Association (1124 Budapest, Csörsz u. 49–51.) or by sending a message to the Association’s email address (hvca@hvca.hu).

What rights do users have in relation to data processing?

DATA PORTABILITY

The data subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format, and has the right to transmit those data to another data controller, where the processing is based on consent or on a contract and is carried out by automated means.

INFORMATION AND ACCESS

The data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, where that is the case, has the right to access the personal data and the related information (e.g., the purposes of data processing, categories of data processed, recipients, duration of storage, the rights of the data subject, available legal remedies, and the source of the data).

RECTIFICATION

If personal data is inaccurate, its rectification may be requested via the contact details of the Data Controller. Where the accurate personal data is available, the personal data shall be corrected without undue delay.

DEADLINE FOR ACTION

The data subject shall be informed of the measures taken in response to their request within no later than one month of receipt of the request. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay.

OBJECTION

The data subject may object to the processing of their personal data and may request the termination of processing and the deletion of the processed data by submitting a written request to the Association via email sent to hvca@hvca.hu.

RESTRICTION

The data subject has the right to obtain restriction of processing where one of the following applies:

• the data subject contests the accuracy of the personal data; in this case, the restriction applies for the period enabling the verification of the accuracy of the personal data;
• the processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of their use instead;
• the Data Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims;
• the data subject has objected to processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.

ERASURE

Personal data must be deleted where:

• its processing is unlawful;
• the data subject requests the deletion of their personal data, except where mandatory data processing applies;
• the data is incomplete or incorrect, and this condition cannot be lawfully remedied, provided that deletion is not excluded by law;
• the purpose of data processing has ceased or the storage period has expired, except where the data must be transferred for archival purposes;
• deletion has been ordered by a court or authority.

The data subject may initiate erasure by submitting a written request to the Association or by sending an email to hvca@hvca.hu. In such cases, the data concerned shall be permanently deleted without undue delay.

6. DATA PROCESSORS

A data processor is any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

Data may be transferred either with the consent of the data subject or on the basis of legal authorization, provided that the conditions for such transfer are met with respect to each individual item of personal data. The data processed by the Data Controller may be transferred to parties who, on behalf of the Data Controller, perform invoicing, claims management, distribution management, or customer information services, as well as to bodies authorized by law to resolve disputes concerning invoicing and distribution. On the basis of legal obligations, the Data Controller may also transfer data to competent national security bodies, investigative authorities, courts, and, in accordance with the provisions of the Act on judicial enforcement, to enforcement officers, for the purposes of protecting national security, national defense, public security, investigating publicly prosecuted criminal offenses, and preventing or prosecuting unauthorized or unlawful use of data. Entities receiving data as described above are subject to the same confidentiality and data protection obligations as the Data Controller.

Data processing is carried out on the basis of a contract concluded with the data processor and in compliance with the data protection guarantees contained therein.

Data processor of the Association’s website hosting:

DotRoll Kft. (registered office: 1148 Budapest, Fogarasi út 3–5.; company registration number: 01-09-882068; tax number: 13962982-2-42; represented by: Zsolt György Komáromi, Managing Director acting individually)

Developer of the Association’s website:

Across Média Kft. (registered office: 2000 Szentendre, Vörösgyűrű sétány 12.; tax number: 14253287-2-13; represented by: Rudolf Kampas),

IT maintenance provider of the Association:

Tellum Informatikai és Szolgáltató Kft. (registered office: 2473 Vál, Petőfi Sándor u. 88.; tax number: 10594946-2-07; represented by: András Grépály)

Mailchimp:

The Rocket Science Group LLC d/b/a Mailchimp

675 Ponce de Leon Ave NE, Suite 5000

Atlanta, GA 30308 USA

Data Protection Officer can be contacted at dpo@mailchimp.com.

Transfer of data to a third country (Mailchimp)

For the purpose of sending newsletters, the Data Controller uses The Rocket Science Group LLC (d/b/a Mailchimp) as a data processor. The transfer of data to the United States of America is based on the adequacy decision of the European Commission (EU–U.S. Data Privacy Framework), which ensures that the service provider provides a level of protection equivalent to that of the European Union standards when processing personal data.

7. THE ASSOCIATION’S WEBSITE

Information collected by the Association

Visitors to the website are not required to provide personal data when using the public interface of the website.

The Association collects and processes information related to visitors’ browsing activities. This information may be analyzed and may be used to provide visitors with specific information following their visit to the website.

The following cookies are used on the website:

Necessary cookies – Some cookies on the website are essential to enable visitors to navigate the site and use its features.

Performance cookies – Some cookies collect information about how visitors use the website, such as which pages are visited most frequently.

Google Analytics tracking code: Cookies managed by Google Analytics help measure website traffic and other web analytics data.The information collected by these cookies is transmitted to and stored on external servers operated by Google.

IP addresses

When a visitor accesses the website, the Association’s server records the visitor’s IP address along with the date, time, and duration of the visit. The IP address is an assigned numerical identifier that enables a computer to communicate on the internet. It allows the Association to determine which organizations have visited the website.

The Association may use this information to compile statistical data on website usage in order to monitor how users navigate the website and to evaluate and improve the website.

Security

The Association uses up-to-date data storage and security technologies to protect personal data against unauthorized access, improper use or disclosure, unauthorized modification, unlawful destruction, or accidental loss. Employees of the Association and third parties entrusted with processing personal data are required to respect the confidentiality of your data.

8.  DATA BREACH

A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. In the absence of appropriate and timely measures, a data breach may cause physical, material, or non-material harm to natural persons, including, among others, loss of control over their personal data or limitation of their rights, discrimination, identity theft, or identity fraud. A data breach must be reported to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless it can be demonstrated, in accordance with the principle of accountability, that the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The data subject must be informed without undue delay if the data breach is likely to result in a high risk to the rights and freedoms of natural persons, in order to enable them to take the necessary precautionary measures. The person designated for reporting data breaches: Ibolya Pintér, Executive Secretary.

9. COMPLAINTS AND LEGAL REMEDIES

In connection with data processing, the data subject may lodge a complaint directly using the contact details provided.

Further legal remedies regarding data processing include notifying the authority at the following contact details:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Postal address: 1363 Budapest, P.O. Box 9

Address: 1055 Budapest, Falk Miksa utca 9–11

Phone: +36 (1) 391-1400 Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: www.naih.hu

CONTACT DETAILS OF THE ASSOCIATION / DATA CONTROLLER

Name: Magyar Kockázati és Magántőke Egyesület

Registered office and postal

address: 1124 Budapest, Csörsz u. 49–51

Phone number: +36 30 411 8152

Email address: hvca@hvca.hu

Tax number: 19676236-2-43

Registration number: 01-02-0004030