Privacy statement
Data Protection Policy Statement of the World Science Forum as organised by the Secretariat of the Hungarian Academy of Sciences
Part I
General provisions
The Secretariat of the Hungarian Academy of Sciences as the Controller is committed to the protection of the personal data of the data subjects (all registered participants of World Science Forum) and fully respects the right of information self-determination of the data subjects. The Controller ensures that the processing of data is carried out in such a manner as to safeguard privacy and will take all security, technical and organisational measures that guarantee the security of data.
The Controller processes personal data and data of public interest in compliance with the Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Infotv) and the position statements issued by the President of the National Authority for Data Protection and Freedom of Information, in line with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR).
This Statement lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
By supplying their personal data, the data subjects affected by processing accept the terms and conditions of this Statement.
1. Controller and processor(s)
The Controller
The Secretariat of the Hungarian Academy Sciences (registered office: 1051 Budapest, Nádor utca 7; hereinafter: Controller), as Controller, declares that it considers itself legally bound by this Statement. During all processing activities related to its operation, the Controller shall make sure that processing complies with the requirements laid down in this Statement and in the relevant laws and regulations in force at the time of data processing.
The Processor
The Controller also involves a Processor in its activities relating to the processing of personal data. Processor contracted by the Controller: Netrix Kft. (1027 Budapest, Horvát utca 14-24.)
2. Disclosure
This Statement of the Controller may be consulted any time online at https://worldscienceforum.org/contents/privacy-statements-110015 (hereinafter: website or homepage).
3. Modification and scope of this Statement
The Controller reserves the right to alter this Statement unilaterally, without any limitation in time. It shall inform the data subjects affected by processing of any such change in due time and manner. This Statement may need to be modified primarily in order to comply with the law. Data subjects shall have the right to object to any modification which is not based on the law and which establishes unfavourable conditions for them.
This Statement shall be valid until withdrawn and its scope covers the visitors of the website as well as all data subjects whose personal data are processed by the Controller for the purposes defined in this Statement.
4. Definitions
The terms defined in Article 4 of the GDPR and in Section 3 of the Infotv shall be used during the application of this Statement.
Part II
Processing of personal data
The Controller shall perform the following activities with regard to the Data Subjects:
1. Registration for the events of World Science Forum
The Controller organises events within the framework of the World Science Forum series. Participants of World Science Forum are bound to register in advance to the events.
Processed personal data | Legal title (legal ground) | Objective | Duration of processing |
name and title, country of nationality, email address, mobile and office phone, name and address of affiliated organisation, position in organisation, dietary preference | performance of a task carried out in the public interest Based on Section 3 (1) j) of Act XL of 1994 on the Hungarian Academy of Sciences (Article 6 (1) e) of GDPR e)); consent of the data subject | Verification of the right to participate in the event, prior calculation about the number of participants, preparation for satisfying the requirements. | Following the particular event, the supplied personal data shall be erased or, with the consent of the data subject, stored exclusively to issue future invitations to the events of World Science Forum |
dietary preference | performance of a task carried out in the public interest Based on Section 3 (1) j) of Act XL of 1994 on the Hungarian Academy of Sciences (Article 6 (1) e) of GDPR Article) | preparation to satisfy participants’ special dietary needs. | Following the particular event, the supplied personal data shall be erased |
CV of max. 2500 characters, portrait photo | performance of a task carried out in the public interest Based on Section 3 (1) j) of Act XL of 1994 on the Hungarian Academy of Sciences (Article 6 (1) e) of GDPR) | Verification of the right to participate in the event, prior calculation about the number of participants, preparation for satisfying the requirements. Making the profile of participants available on the website (voluntary).
| Following the particular event, the supplied personal data shall be erased |
date of birth, passport number | performance of a task carried out in the public interest Based on Section 3 (1) j) of Act XL of 1994 on the Hungarian Academy of Sciences (Article 6 (1) e) of GDPR)
| security clearance by the State protocol, compliance with requirements for visa applications of participants | Following the particular event, the supplied personal data shall be erased. |
2. Disclosure of the list of participants on the website
In relation to the events organised by the Controller within the framework of the World Science Forum, the lists of participants and speakers of the individual programme components (sessions) shall be disclosed on the Controller’s website.
| Processed personal data | Legal title (legal ground) | Objective | Duration of processing |
| name, country of nationality, CV, photo | consent of the data subject (Article 6 (1) a) of GDPR) | Disclosure on the website of WSF | The list of names is public information for the visitors of the website until it is withdrawn. |
3. Photos and videos recorded at the event
During the events organised by the Controller, the Controller may record images and videos of the speakers, of the venue and of the data subjects present, and may publish such photos and video recordings on its website and the website of WSF. During each event the Controller shall inform the data subjects about the relevant provisions of this Statement, particularly about the purpose of the processing of their personal data and shall explain to them the appropriate legal ground.
| Processed personal data | Legal title (legal ground) | Objective | Duration of processing |
| Images of the data subject | processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 (1) f) of GDPR) | Publication of details of the event through disclosure on the website of WSF and on the Controller’s own website. | Following the event, the photos and videos constitute public information for the visitors of the website until they are withdrawn. Prior to that, upon explicit request from the data subject, the Controller shall make it impossible to recognise a data subject on images objected to by using the pixel technology or shall delete the image objected to from the website concerned. |
The personal data specified in this point must be provided for processing for the purposes defined therein. If the data are not provided, the data subject may not use the service (that is, he or she may not participate at the conference).
Consent of the data subject, conditions
Processing subject to consent requires an affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of data, such as by a written statement, including by electronic means, or by an oral statement. It shall also constitute consent to processing if the data subject ticks a respective box while viewing the Internet website. Silence, pre-ticked boxes or inactivity may not constitute consent. It shall also constitute consent if a user makes technical settings while using electronic services or issues a declaration or performs and act which, in the particular context, clearly indicates the consent of the data subject to the processing of their personal data. Where processing is based on consent, the Controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters. The data subject shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Minors
No minors may register or attend WSF events.
Part III
Security of processing
The Controller shall make sure that the data of data subjects are kept securely, and it shall protect them against unauthorised or unlawful processing, accidental loss, destruction or damage, which also includes maintaining the confidentiality, integrity, availability and resistance, of the information systems and tools used for processing personal data with adequate technical and organisational measures that are commensurate with the degree of the risks. To that end, the Controller shall use IT tools, including especially firewalls, encryption and physical protection devices in its systems and shall provide physical protection at all sites where data are accessible. In determining the measures to ensure the security of processing, the Controller shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the Controller.
Personal data breach
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud.
Any unlawful control or processing of personal data must be notified to the Supervisory Authority. The Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware thereof, notify the Supervisory Authority of the personal data breach, unless the personal data breach is unlikely to result in a risk adversely affecting the rights and freedoms of natural persons.
Data transfer
When describing the various types of processing, the Controller shall list the recipients of transferred data and their categories, as and when necessary.
The Controller is entitled and obliged to transfer any personal data which it has access to and which it lawfully stores to the competent authorities if the Controller is obliged by law or by a definitive decision of a competent authority to transfer such data. The Controller may not be held liable for such data transfer or any consequences thereof.
The Controller shall not transfer personal data to any Controller registered in a third country (that is, a non-EEA state).
Part IV
Rights of the data subject, legal remedies
The data subjects may exercise the rights granted to them in this Statement or by law, by using any of the contact details of the Controller indicated in this Statement.
Rights of the data subject
1. Right to request information (right of access)
Any data subject may request information from the Controller as to whether or not their personal data are being processed and the categories of personal data concerned, the legal ground, the purposes of the processing, the source of data, the envisaged period for which the personal data will be processed; the recipients of the data transfer, its date, the underlying legal regulations and the categories of personal data in relation to which access was granted, or the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries and international organisations.
The information thus requested must be sent immediately, but at any rate within 30 days at the latest, using the provided contact details.
2. Right to rectification
Any data subject may request the modification or completion of any data. When requested, the information must be sent immediately, but at any rate within 30 days at the latest, using the contact details provided.
3. Right to erasure (right to be forgotten)
Any data subject may request their data to be erased when a) the personal data are no longer necessary in relation to the purposes for which they were processed by the Controller; b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; c) the data subject objects to the processing and there are no other legitimate grounds for the processing; d) the Controller has processed their personal data unlawfully; e) the personal data have to be erased for compliance with a legal obligation to which the Controller is subject; f) the personal data have been collected in relation to an offer of information society services to children.
When requested, it must be done immediately, but at any rate within 30 days at the latest and the data subject must be notified using the contact details he or she has provided.
4. Right to blocking and restriction of processing
Any data subject may request their data to be blocked when a) the accuracy of the personal data is contested by the data subject, in which case the blocking/restriction applies for a period during which the Controller verifies the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing, in which case the restriction applies until it has been verified whether the legitimate grounds of the Controller override those of the data subject.
Blocking lasts as long as the indicated reason makes data storage necessary. When requested, it must be done immediately, but at any rate within 30 days at the latest and the data subject must be notified using the contact details he or she has provided.
5. Right to object
Any person may object to processing based on legitimate interest, using the provided contact details. In this case the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The objection shall be assessed within the shortest possible time but at any rate within 15 days following the submission of the request, a decision shall be adopted as to its merits and notification shall be sent thereof using the provided contact details.
6. Right to data portability:
The data subject shall have the right to receive the personal data concerning them, which they have provided for the Controller, in a structured, commonly used and machine-readable format and shall also have the right to transfer those data to another Controller when processing is based on the consent of the data subject or on a contract and processing takes place in an automated manner. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
The Controller shall comply with the data subject’s request within no more than 30 days and shall inform the data subject about it in a letter sent to the address provided by the data subject.
Law enforcement options relating to processing:
Supervisory authority:
National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, PO Box: 5
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL https://naih.hu
coordinates: N 47°30'56''; E 18°59'57''
In the event of any infringement of their rights, the data subject may bring proceedings before a court against the Controller. The court shall hear such cases in priority proceedings. Based on the choice of the data subject, the litigation may be instituted before the tribunal having competence at the place of either permanent or temporary residence of the data subject.
The Controller shall provide information on action taken for the data subject without undue delay and in any event within no more than one month of receipt of the request. This period may be extended with an additional period of two months where necessary, taking into account the complexity of the request and the number of requests. The information obligation may be fulfilled by operating a safe online system through which the data subject can have easy and fast access to the required information.
Done at Budapest, on 26 July 2019.