General information
In accordance with the provisions of Act XXV of 2023, the Budapest Festival Orchestra (hereinafter: “BFO”) introduced a whistleblowing system with effect from 17 December 2023.
What does it mean?
A whistleblowing system is an organizational mechanism that allows employees, business partners and other affected persons (e.g. trainees) to report incidents they have experienced which they believe to be unlawful. There can be many types of reportable violations, such as financial misuse, workplace misconduct, corruption, environmental abuse, violation of sexual self-determination, fraud, professional misconduct, etc. To summarize, any incident or act related to the operation of the BFO that is considered by the general public to be harmful to legitimate private interests or public interests may be reported.
How can I make a whistleblowing report?
A whistleblowing report can be made using the Whistleblowing Reporting Form on the website, or in person during working hours, as follows:
- By filling in the Whistleblowing Reporting Form, which you can send to visszaelesbejelentes@bfz.hu.
- In person with the current Chief Financial Officer; see the staff list. In the event of possible involvement of the Chief Financial Officer, with the current Executive Director; see the staff list.
About the internal investigation
A report submitted on the form shall be investigated by the designated person within 30 days, possibly with the involvement of an external expert (e.g. a lawyer or forensic expert), and the outcome of the investigation will be communicated to the whistleblower. If necessary as a result of the investigation, the BFO may take appropriate action (e.g. reprimand by the employer, sanction under labor law or a, report to the police).
If you have any questions about the procedure, please contact us at the email address provided.
2. Whistleblowing Reporting Form
The content of the form may contain confidential information. If you have received it in error, please delete it immediately and notify the sender of the erroneous delivery and the fact of its deletion. You can download the form here.
| PERSONAL INFORMATION | |
|---|---|
| NAME: | |
| CONTACT: | |
| PHONE: | |
| EMAIL ADDRESS: | |
| POSTAL ADDRESS: | |
| DETAILS OF ABUSE | |
| WHISTLEBLOWER CATEGORY: | |
| [ ] Employed (e.g. employee, contract worker, trainee, etc.) | |
|
[ ] Contractual partner (e.g. supplier) |
|
| [ ] Other (please specify): | |
| TYPE OF ABUSE | |
| [ ] Financial misuse | |
| [ ] Workplace irregularities | |
| [ ] Environmental abuse | |
|
[ ] Violation of sexual self-determination |
|
|
[ ] Violation of the Code of Ethics |
|
| [ ] Other (please specify): | |
|
A BRIEF, CONCISE AND ACCURATE DESCRIPTION OF THE ABUSE: (PLEASE PROVIDE AS MUCH INFORMATION AS POSSIBLE ABOUT THE ABUSE, INCLUDING SPECIFIC EVENTS, DATES AND PARTIES INVOLVED) MAX. 1000 CHARACTERS |
|
|
NAMES AND CONTACT DETAILS OF POSSIBLE WITNESSES (IF THERE ARE PERSONS WHO WITNESSED THE ABUSE, PLEASE PROVIDE THEIR NAMES AND CONTACT DETAILS IF POSSIBLE) MAX. 1000 CHARACTERS |
|
|
COMMENTS AND/OR OTHER RELEVANT ADDITIONAL INFORMATION (HERE THERE IS AN OPTION TO ADD ANY ADDITIONAL INFORMATION THAT THE WHISTLEBLOWER CONSIDERS RELEVANT.) MAX. 1000 CHARACTERS |
|
|
I DECLARE THAT THE INFORMATION I HAVE PROVIDED IS, TO THE BEST OF MY KNOWLEDGE AND BELIEF, ACCURATE AND RELIABLE. I AM AWARE THAT PROVIDING FALSE OR MISLEADING INFORMATION MAY HAVE SERIOUS DISCIPLINARY, EMPLOYMENT, CIVIL, COMPENSATORY AND/OR CRIMINAL CONSEQUENCES. PLEASE MARK WITH AN “X” IF YOU AGREE WITH THIS STATEMENT. |
[ ] Yes |
| I HAVE READ THE PRIVACY NOTICE. | [ ] Yes |
|
I CONSENT TO THE PROCESSING OF MY DATA IN ORDER TO FACILITATE THE CONDUCT OF THE WHISTLEBLOWING INVESTIGATION. (IF YOU ANSWER “NO”, YOUR REPORT WILL BE CONSIDERED AS A REPORT FROM AN UNKNOWN PERSON.) |
[ ] Yes [ ] No |
| DATE: | |
|
SIGNATURE (ONLY IF YOU SUBMIT A SCANNED DOCUMENT) |
3. Privacy notice
On processing data when operating the whistleblowing system
(1) Introduction
In accordance with the provisions of data protection legislation, we would like to provide the employees and business partners of the Budapest Festival Orchestra (hereinafter: “BFO”) and other data subjects with accurate information on the data processing that is carried out in accordance with the obligations set out in Act XXV of 2023.
(2) Who processes your data during the whistleblowing procedure?
Name of the Controller: Budapest Festival Orchestra Foundation
Registered office: H-1034 Budapest, Selmeci utca 14–16.
Tax number: 18005488-2-41
Data Protection Officer: Dr. Tamás Barabás
Contact: adatvedelem@bfz.hu
(3) What is considered personal data?
As defined in the data protection laws, personal data means any information/data relating to an identified or identifiable person. A person can be identified directly or indirectly, such as by name, an identification number, location (GPS) data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. As part of human dignity, data protection law safeguards the informational self-determination of individuals so that personal data about us can only be processed on the basis of legal grounds set out in the law. For this reason, protecting your personal data is a top priority for the BFO. Please note that if you do not consent to the processing of your whistleblowing report, your report will be treated as a report from an unknown person, which may prevent us from conducting an investigation.
(4) How will we process your personal data after your report?
|
Scope of processing |
purpose of processing |
scope of data processed |
legal basis |
duration of processing |
|---|---|---|---|---|
|
operation of the whistleblowing system (for online reporting) |
to process personal data generated, submitted and processed in the course of reporting, in order to conduct the investigation effectively |
Personal information (optional): name, contact, phone, email, postal address; details of abuse: Whistleblower category, type and description of abuse, witnesses, comment, submission date |
Subject to the provisions of Sections 16 to 29 of Act XXV of 2023, with reference to the legal obligation under Article 6(1)(c) of the GDPR as the legal basis |
5 years from the date of the report or until the final conclusion of the relevant legal proceedings |
|
operation of the whistleblowing system (for personal reporting) |
to process personal data generated, submitted and processed in the course of reporting, in order to conduct the investigation effectively |
Personal information: name, contact, phone, email, postal address; details of abuse: Whistleblower category, type and description of abuse, witnesses, comment, date, signature of whistleblower, signature of person recording the report |
Subject to the provisions of Sections 16 to 29 of Act XXV of 2023, with reference to the legal obligation under Article 6(1)(c) of the GDPR as the legal basis |
5 years from the date of the report or until the final conclusion of the relevant legal proceedings |
|
transfer of personal data in cases of suspected criminal or administrative offences |
to investigate an offence under the Criminal Code or Act C of 2000 on Accounting (Sztv.) |
the information contained in the report |
Subject to the provisions of Section 6(4)c of Act XXV of 2023, with reference to the legal obligation under Article 6(1)(c) of the GDPR as the legal basis |
until the final conclusion of the relevant legal proceedings |
(5) About processors
A processor is an organization, company or person that processes personal data on behalf of or under the instructions of the Controller (Budapest Festival Orchestra).
Please note: Transfers of data between the Controller and the contracted processor(s) may only take place under the terms of the data processing agreements. With regard to processors, persons authorized to process personal data may act in their pre-defined job role or carry out processing operations under an obligation of confidentiality as set out in a contract. The Controller and the processor(s) shall apply strict work organization and IT security measures during data transfers in order to protect personal data (guarantee confidentiality, integrity and availability of data).
| Data processing device | Processor contact details | Privacy Notice |
|---|---|---|
|
Microsoft 365 cloud-based application to register and investigate reports |
Microsoft Ireland Operations Limited, Attn: Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Phone: +353 1 706 3117. |
https://www.microsoft.com/hu-hu/trust-center/privacy/gdpr-overview |
(6) Data transfer to third countries
The Controller shall not transfer personal data to countries outside the EU/EEA or to international organizations. If the Controller uses the services of an online cloud provider, it shall at all times follow the principles of built-in and default data protection to ensure that, in selecting the relevant service provider, it cooperates with enterprises registered in the EU/EEC so that data storage and processing takes place on servers and by service providers located within the EU/EEC.
(7) Data security measures
The BFO ensures the protection of the personal data processed with measures appropriate to the operational risks. These include information security measures (e.g. password protection, firewall etc.), as well as organizational measures (employees involved in the processing may work under a confidentiality agreement). If you become aware of a data breach (e.g. you receive messages of dubious authenticity purportedly from us), please let us know immediately. In providing its services, the Controller does not use algorithmic user profiling without human intervention or decision-making without human intervention.
(8) What rights do you have as a data subject?
Below is a brief summary of the rights you may exercise as a data subject. For a more detailed information, please feel free to contact our data protection officers using the contact details above.
At any time after your whistleblowing via the website or in person, you may request information about the processing of your personal data, and you may request the rectification of your personal data if you find that your personal data have been inaccurately recorded during the whistleblowing process.
If you no longer want personal data related to you to be processed by us, you may exercise your right to erasure. Even if you have previously consented to the processing, you may withdraw your consent at any time. However, this may lead to the termination of the whistleblowing investigation. Please note that the Controller cannot erase data required to be processed by law (e.g. information relating to a criminal offence to protect the public interest) or necessary to enforce the rights of a third party (e.g. information that may be used in civil or criminal proceedings). If you consider it necessary, you may request to restrict the processing relating to you, known as the right to restriction.
You shall have the right to receive the personal data concerning you, which you have provided to the BFO, in an electronically captured format (right of access) and have the right to transmit those data to another controller. This can be done free of charge once a year. In the whistleblowing procedure, however, the possibility to do so is limited.
You also have the right to lodge a complaint and seek judicial redress or, if you are not satisfied with our response, you may refer the matter to the data protection authority as set out in Section 9.
You can send a request for exercising your rights as a data subject to the notification address specified in this Notice. Your request will be investigated and reviewed within one month. Where appropriate, and once proper information has been provided, we may require an additional two months to complete our investigation.
(9) Complaints handling and contact details of the supervisory authority
Please do not hesitate to contact us if you have any questions regarding processing. If we have not been able to provide an appropriate response to your request, or if you wish to contact the authority directly, you can do so at the following address:
National Authority for Data Protection and Freedom of Information
Registered office: H-1055 Budapest, Falk Miksa utca 9-11.
Postal address: H-1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Central email address: ugyfelszolgalat@naih.hu
URL of the website: www.naih.hu
You can also take the controller to court if your (data subject’s) rights to information self-determination have been infringed. You can find public information about the competent courts HERE.
(10) Availability of the service
If you choose not to provide your personal data on the basis of this Privacy Notice, we will respect your decision. The Controller’s whistleblowing service is available even if you do not provide your personal data (name, contact details), but the Controller may reject such requests without further investigation.
(11) Legislation
- - Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”)
- Act XXV of 2023 on Complaints, Notifications of Public Interest and the Rules for Whistleblowing
Date: 17 December 2023
Valid until amended or withdrawn.
