1. Designation of the Controller
Name of the Controller: Budapest Festival Orchestra
Registered office: H-1034 Budapest, Bécsi út 126.
2. Rules of processing
Personal data may only be processed for the purpose of exercising rights or discharging obligations. The use of personal data processed by BFO for private purposes shall be prohibited. Processing shall always comply with the principle of purpose limitation.
BFO shall only process personal data for the purposes specified in Article 6(1) of the GDPR.
BFO shall, at all times before obtaining the data, inform the data subject about the requirements specified in Article 13(1) of the GDPR if the data are obtained from the data subject, or in Article 14(1) of the GDPR if the data are not directly obtained from the data subject.
Employees of the organizational units of BFO carrying out processing and employees of organizations involved in processing and carrying out any processing operations on behalf of BFO shall keep the personal data confidential. Persons who process and have access to personal data shall sign a confidentiality agreement.
If a person subject to the Policy becomes aware that personal data processed by the BFO are inaccurate, incomplete or not up-to-date, he or she shall rectify such data or request the person rectification from responsible for data recording.
The data protection obligations to which natural or legal persons or entities without legal personality engaged in processing activities on behalf of BFO as processors are subject shall be enforced under the agency contract concluded with the processor.
The managing director of the BFO defines the system of data protection taking into account the specific features of BFO, and assigns the powers and responsibilities related to data protection and related activities, and designates the person supervising the processing.
In the course of their work, the BFO's employees shall ensure that unauthorized persons are prevented from viewing personal data, and that the storage and placement of personal data is designed in such as a way as to prevent their unauthorized access, acquisition, alteration or destruction.
The BFO’s data protection system is supervised by the managing director through a data protection officer designated by him or her.
3. Exercising rights of data subjects
The data subject may request information on the processing of his or her personal data, as well as request the rectification of or, unless processing is required by law, the erasure of the data subject’s personal data, and the restriction of processing by contacting the BFO using the contact details provided here.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the BFO, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
The BFO shall transfer the received request or objection to the head of the organizational unit with processing powers and responsibilities, within three days from receipt.
The head of the organizational with the relevant powers and responsibilities unit will respond to the data subject’s request concerning the processing of his or her personal data within one month from the receipt, or to this or her objection within 15 days from the receipt, in writing and using clear and plain language.
At the request of the data subject, the Controller shall provide information on the data processed by the controller or processed by the processor engaged by the Controller, on the source of the data, the purpose, legal basis and duration of processing, the name, address and the processing activity of the processor, on the circumstances, implications of personal data breach and the measures taken to address it, and, in the case of transfer of personal data of the data subject, on the legal basis and the recipient of the data transfer.
As a rule, the information shall be provided free if charge if the person requesting the information has not yet submitted a request to the Controller for the same data in the relevant year. In all other cases, a fee to cover costs may be charged. The amount of the fee may also be set out in a contract between the parties. Any fee already paid shall be refunded if the data have been unlawfully processed or the request for information has resulted in rectification.
The head of the organizational unit processing the data shall rectify the inaccurate data if the necessary data and the substantiating public records are available, and shall take action to erase the processed personal data if the grounds set out in Article 17 of the GDPR apply.
Personal data shall be erased if
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
f) personal data have been collected in relation to the offer of information society services to children under the age of 18;
g) Where the Controller has made the personal data public and the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed, the Controller shall erase the data, and, taking account of available technology and the costs of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such Controller of any links to, or copy or replication of, those personal data.
The data subject shall have the right to object to the processing of his or her personal data;
- if the processing or transfer of personal data is only necessary for compliance with a legal obligation to which the Controller is subject or for the purpose of legitimate interests pursued by the Controller or by the recipient of the data or by a third party, except in the case of mandatory processing;
- if personal data are used or for direct marketing, public opinion polling or scientific research purposes; and
- any other instance specified by law.
The Controller shall review the objection, decide whether it is substantiated and notify the data subject in writing as soon as possible but within one month from the submission of the objection at the latest.
If the Controller finds that the objection of the data subject is substantiated, it shall discontinue the processing, including further data collection and transfer, restrict the data and inform about the objection and the measures taken in response, all persons to whom the personal data covered by the objection have previously been transmitted and who shall take measures to enforce the right of objection.
If the data subject disagrees with the Controller’s decision or if the Controller fails to meet that deadline, the data subject may bring an action within thirty (30) days from the communication of the decision or from the last day of the deadline.
If the recipient fails to receive the data necessary to exercise its right due to the objection of the data subject, the recipient may, within 30 days from the receipt of the notification, bring an action against the Controller to obtain the data. The Controller may also bring an action against the data subject.
If the Controller fails to send the notification, the recipient may request information from the Controller regarding the circumstances of the failure of data transfer, and such information shall be provided by the Controller within 8 days from the receipt of the recipient's request. In the event of requesting information, the recipient may bring an action against the Controller within 30 days from the date of providing the information but at the latest from the expiry of the deadline for providing the information. The Controller may also bring an action against the data subject.
The Controller may not erase the data of the data subject if the processing has been required by law. However, the data may not be transferred to the recipient if the Controller has agreed with the objection or the court has established that the objection is justified.
If, in the course of exercising the rights of the data subject, the assessment of a case is ambiguous, the head of the organizational unit processing the data may, by submitting the case file and his or her position on the case, request a position statement from the data protection officer, who shall comply with such request within three days.
The BFO shall pay compensation for damages caused to others by unlawful processing of personal data of the data subject or by the breach of data security requirements, pay grievance award for violation of rights relating to personality by the BFO or by the processor engaged by the BFO. The Controller shall be released from liability for damages and from paying grievance award if he or she can prove that the damage or the violation of the data subject’s rights relating to personality has occurred due to a reason outside the Controller’s control and beyond the scope of processing. Likewise, the Controller shall not compensate for damages if they were caused by the injured party’s willful misconduct or gross negligence.
The data subject may seek legal remedy or lodge a complaint with the National Authority for Data Protection and Freedom of Information (H-1055 Budapest, Falk Miksa u. 9-11.) or to the regional court having territorial jurisdiction over the domicile or place of residence of the data subject.
4. Processing through the use of the BFO’s website
The place of processing: The registered office of the BFO and the registered offices of the partners engaged by it.
4.1. Processing through the website
Anyone can access the BFO’s website without having to reveal his or her identity or provide personal data, or in the case of registration, by completing the mandatory data. Information can be obtained from the website and its linked pages freely and without limitation. Non-personally identifiable information about visitors is collected without limitation and automatically by the website through the use of so-called cookies. However, no personal data can be obtained from this information, so this data collection shall not constitute processing under the GDPR.
4.2. Processing relating to maintaining contact, registration, loyalty program (contact)
The BFO operates its own website by engaging third party(s), where visitors have the opportunity to make contact as well as maintain contact.
purpose of processing: to maintain contact the BFO
legal basis for processing: the consent of the data subject pursuant to Article 6(1)(a) of the GDPR, and to Section 13/A (3) of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services
scope of data processed: name, email address, and other personal data provided by the data subject upon registration
deadline for erasure of data: until the issue for contacting the BFO is resolved (achievement of the purpose)
means of data storage: electronic form
rights of individuals: as specified in the GDPR; right to access, right to rectification, right to erasure or restriction of processing, right to object, and right to data portability
5. The DPO’s contact details
Name: Csaba Boda
6. Issues not covered by this Notice and intellectual property rights
By giving his or her consent, the user agrees to the publication of the content as specified in this Notice in justified cases.
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR/General Data Protection Regulation)
Processing related to the Patrons’ Club and the loyalty program
Purpose of processing: making payment to the Controller, maintaining records of and differentiating payers, documenting the payment, fulfilling the accounting obligation, maintaining contact with the payer, providing the benefits of the loyalty program
Legal basis for processing: performance of the contract [Article 6(1)(b) of the GDPR] and Section 169 (2) of the Act on Accounting.
Types of personal data processed: ID number, date, time, name, address, telephone number, name of the members of the household, address, phone number, additional information about the Patrons’ Club and the loyalty program
Duration of processing: eight years as specified in Section 169 (2) of Act on Accounting.
In the case of payment by card, the bank card and card payment transaction details are processed by the bank of the relevant store.
Transfers of data:
In the event of payment by card, the payer's ID, as well as the amount, date and time of the transaction to the bank.
The financial institution and other legal entities connected to the Controller
A complaint can be lodged primarily with the Controller, or also with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Registered office: H-1055 Budapest, Falk Miksa u. 9-11..