Művészetek Völgye Nonprofit Kft - Documents, reports
enter the Visitors Participation Rules
Please read carefully the following Terms and Conditions prior to the use of the website www.muveszetekvolgye.hu and the Művészetek Völgye application.
The Művészetek Völgye Nonprofit Limited Liability Company (Company Seat: 8294 Kapolcs, Kossuth u. 62., Registration Authority: Commercial Registry of Court of Veszprém, Company Registration Number: 19-09-517015; Tax Number: 24860248-2-19; individual representation rights: Ágnes Hegedűs and Natália Jakab, Executive Directors; hereinafter referred to as: Company) shall operate and edit the website available at www.muveszetekvolgye.hu related to the general art and cultural festival of Művészetek Völgye (Valley of Arts) (hereinafter referred to as: VoA Website) as well as the Valley of Arts application available through the Website, which is the official mobile framework application for Android and iOS of the Valley of Arts Festival Event, allowing for members of the audience to register, browse the programs of the Valley of Arts Festival, follow news and information related to the Festival, listen to the music of bands and performers booked for the Festival, create their own program plan for the Festival and use the map application related to the Festival, as well as image and video sharing (hereinafter referred to as the: VoA App).
The present General Terms and Conditions shall regulate the terms and conditions applicable to the purchase of the VoA Website and App services operated by the Company, including without limitation the purchase of tickets and season passes of Valley of Arts Festival. The present Terms and Conditions shall not apply to the Valley of Arts Festival, programs and events taking place thereat; those shall be regulated by individual contractual conditions .
By using the VoA Website and App, the users automatically without any further representation shall accept the following General Terms and Conditions (hereinafter referred to as: GTC):
The content downloaded by following the external links on the VoA Website is not influenced by the Company. Upon request of the authorized person, the Company shall delete or modify the links. The Company shall not assume any liability for damages or other claims arising from the use of other websites.
1. General Provisions:
The Company shall notify the users of the amendment of the GTC at least 8 days prior to the entry into force thereof on the home page of the VoA Website.
Should the user fail to object the amendment to the GTC in writing within 15 days from the date of publication, it shall be deemed as an implied consent thereto and the acceptance of the amendment to the GTC by the user,
Should the user expressly object to the amendment to the GTC and explicitly refuse the acceptance thereof, the user may request the cancellation of his registration.
The user of the VoA Website and App acknowledges that the Company shall not be liable towards the user or any third party for any damage caused by the modification of the VoA Website and App, the interruption or termination of the operation thereof, or any modification or destruction of data stored on its own user interface.
The Company shall be entitled to delete comments posted on the VoA Website and the content submitted by users without prior notice. The Company shall be entitled to do so without justification.
Upon registering, the user shall only provide correct, real, authentic, and relevant user data, user name, password, and a working email address. The user shall only be allowed to register on his own behalf at the VoA Website; registration on behalf and with personal data of other persons shall be prohibited.
Should the Company become aware that a user is using the VoA Website and App through the personal data of another person or non-existent person, or false or incorrect data that he provided during registration, the Company shall be entitled to delete the registration of the pertinent user without further notice, as well as to cease the access of the pertinent user to the VoA Website and services provided in connection therewith.
The user affirms that his personal data submitted at the VoA Website and App are true and authentic. The Company shall exclude any liability for any damages resulting from the provision of false, incorrect or untrue data or e-mail address upon registration, but may claim compensation from the user for any damage arising therefrom. The Company shall be responsible for the fulfillment and the issue of the invoice pursuant to the data provided by the user. Users may verify and modify their data at any time. The Company shall be entitled to delete obviously false or incorrect data, as well as to verify the authenticity of the user in case of doubt.
After logging in to the VoA Website and App, logged-in users shall also have the opportunity to use additional features, such as selecting their favorite radio station or creating a program book, the details of which shall also be stored at the VoA Website.
During registration at the VoA Website, the user shall also have the opportunity to subscribe to the newsletter of the Company.
Should the user subscribe to the newsletter of the Company, the Company shall send newsletters periodically at his own discretion. The user may restrict the use of data for such purpose by unsubscribing at any time. Regarding users subscribed to the newsletter, the Company shall be entitled to offer a customized event based on the likely interests pursuant to the place of residence, previous purchases and other specified data.
After logging in, the user has the opportunity to upload a profile picture, submit his name, date of birth, place of residence/mailing address; these data may only be used by the Company in order to maintain contact and to identify music interests.
2. Payment Conditions through the VoA Website
Following the registration to the VoA Website or App, the user may purchase a ticket or a pass for the Valley of Arts Festival through making a payment by a credit card at the Website or the App.
After ordering the selected ticket or pass, the user may choose between two payment methods:
A) Should the user have ordered the ticket or pass through the App, he shall make a payment for the price of the tickets or passes by being redirected to the TIXA system on the payment platform of OTP Bank Nyrt. as specified in point B) below.
B) Should the user purchase the ticket or pass through the Website, he shall be automatically redirected from the VoA Website to the payment platform website of OTP Bank Nyrt., where the shall make a payment for the purchase price through a secure and encrypted transaction used by the bank. In this case, following the order of the ticket or pass on the VoA Website, the user shall select the "Payment by Credit Card" as the payment method, entering subsequently the card number and expiry date at the payment platform of OTP Bank Nyrt.
The Company shall not be liable for any errors that may occur during the credit card payment.
The automatic confirmation e-mail confirming the purchase shall be sent to the e-mail address provided by the user. The user shall be liable for any damages arising from the provision of an incorrect e-mail address.
The Company shall exclude any and all liability whatsoever for damages caused during the purchase process at the website of OTP Bank Nyrt. by any errors, defects or features of the transaction conducted, that may occur after leaving the VoA Website or App.
Data protection and information security constitute a part of operating the VoA Website and App.
The security measures of the Company shall ensure the protection of data processed thereby against manipulation, destruction and loss thereof, as well as against unauthorized persons or the unauthorized disclosure thereof.
However, due to the fact that the Internet is an open network that contains IT hazards, the Company shall not assume any liability for damages caused by the destruction, delayed transfer or other defects of data transmitted electronically.
Should the Company detect unauthorized access or attempts to access user data, it shall without undue delay, but by no later than 24 hours from the date of detection, restrict access to such data and notify the user thereof. Following that, the Company shall cooperate with the user, as well as provide any and all necessary data to the user and competent authorities, in order to investigate the unauthorized access.
Should the Company comply with the aforementioned obligation, it shall not be liable for damages incurred by the user that may arise from any unauthorized access or attempted access to the data, or as a result of such unauthorized access.
The Company hereby notifies the users of the VoA Website regarding their data processing practices, organizational and technical measures aimed at data protection, and the legal remedies available to users.
The Company shall act as the Controller.
1. Purpose, duration, scope of data processed and Data Subjects:
Please be advised that upon a user visiting the VoA Website, the server of the Company automatically recognizes the e-mail address (if possible) and IP address of the user.
The server of the Company automatically stores the IP address and, iif possible, the e-mail address of the user, information on the pages visited and logged into by the user, as well as user-specific information in relation thereto.
The server of the Company also stores the name of the Internet service provider of the user, the address of the website from which the user was directed to the VoA Website, websites visited from the VoA Website, as well as the date and duration of the visit.
The system automatically generates statistical data from the IP address of the user, websites visited thereby, data of the Internet service provider, as well as the date and duration of the visit. The Company shall not link such data with other personal data; it shall only be used in order to produce visitor statistics. Recording and storing these data is a feature of the operation of the VoA Website, with the processing thereof being technically essential and performed exclusively for statistical purposes.
The Company shall also store the following data provided during registration to the VoA Website:
- user name of the user;
- the custom password required by the user to use the VoA Website;
- e-mail address of the user.
In addition, thereto, the Company shall also process the following data provided voluntarily at the discretion of the user:
- picture of the user;
- favorite radio channel of the user;
- program book created by the user;
- place and date of birth of the user;
- residence and mailing address of the user.
The purpose of processing personal data provided by the Company is:
- to facilitate the user of the VoA Website and other services provided through the VoA Website by the Company,
- user identification,
- sending out newsletters, direct marketing or other advertising materials, offers, informations, notifications, program offers and other notifications to the user regarding the events and programs available at the VoA Website and organized by the Company, including but not limited to, in relation to the Valley of Arts Festival,
- aggregated, anonimised, statistical use of data; producing surveys, statistics, reports,
- registration to the network essential in order to access the services of service providers listed at the VoA Website, including but not limited to performers, hosts, craftsmen or accommodation providers,
- providing personalized access to music services,
- facilitating and securing credit card and other mobile payments,
- personalizing the display of the web page.
Personal data provided during registration shall remain confidential and not accessible to third parties. Should the password be lost or forgotten, the Company shall, upon request of the user, reproduce or modify the password.
The user may request the erasure of personal data provided during registration. The Company may delete personal data provided by the user upon registration upon request of the user, or should the Company restrict the access and use of the VoA Website or services lister thereunder due to grave breach of law or breach of the present GTC.
Personal data provided by the users, as well as data automatically obtained due to technical operation, shall only be accessible to the employees of the Company.
By registering, users explicitly consent to the processing of their personal data by the Company as the Controller. Processing of personal data shall be performed on the basis of voluntary consent of the user granted in the knowledge of the present notification.
Any and all data is provided voluntarily at the website; data provided may be deleted at any time or, upon request of the user, deleted by the Company without undue delay.
In all cases, the Company shall process the personal data of users only to the extent necessary and in accordance with the applicable legal requirements.
The user may unsubscribe from the newsletter of the Company, should he indicate his intention thereof using the e-mail address indicated in Article 2 hereinunder.
2. Notification of Data Subject Rights in relation to processing, legal remedies:
The Company shall refrain from imposing any sanctions on any persons who refuses the provision of voluntary data.
The Company shall not transfer personal data processed thereby to third parties without the explicit written consent of the Data Subject thereto, unless obligated under the law.
The Company shall ensure that users may access and modify their personal data.
Upon request, the Company shall provide the users with the data they have voluntarily provided earlier and which are stored by the Company following the registration of the users.
Any observations or complaints regarding the use of their personal data shall be forwarded by the user to the following persons via the contact information as follows:
Name: Natália Oszkó-Jakab, Executive Director
Invalid data shall be corrected by the Company upon request of the user. Users may also report invalid data through via the aforementioned contact information.
3. Potential Controllers who may obtain data:
1. Natália Oszkó-Jakab and Ágnes Hegedűs, Executive Directors with individual representation rights
2. Company Employees
The present GTC shall be governed by the laws of Hungary and Hungarian law; the competent Hungarian authorities and courts shall enjoy jurisdiction over any disputes arising therefrom.
Concluded on: Place: In Budapest on March 14, 2014
I. Introductory Provisions:
The Művészetek Völgye Nonprofit Kft. shall organize an all-art festival for people purchasing tickets or passes at the www.muveszetekvolgye.hu Website or on site of the festival. In addition to the aforementioned activities, the Művészetek Völgye Nonprofit Kft. shall, upon visiting the website of www.muveszetekvolgye.hu,
ensure that the visitors of the website may access information in relation to the festival.
Furthermore, the Művészetek Völgye Nonprofit Kft. shall also ensure that following the "Login" to the Website of www.muveszetekvolgye.hu, visitors may use the Website with their personalized settings. The activities described hereinabove performed by the Művészetek Völgye Nonprofit Kft. hereinafter jointly referred to as: "Services".
The Művészetek Völgye Nonprofit Kft. (hereinafter referred to as: Controller) shall hereby notify persons purchasing tickets or passes through the Website of www.muveszetekvolgye.hu, visitors of the website, as well as persons entering the website regarding the applicable data processing practices. The scope of the present Policy shall extend over the processsing of personal data provided in order to access the Services at www.muveszetekvolgye.hu by the Controller, as well as any additional events where the Controller shall comply with the present Policy.
to unilaterally amend the present Policy, while informing the Data Subjects thereof. The amended provisions shall become effective as specified under the GTC. The Controller shall also be entitled to unilaterally amend the present Policy in the absence of amendments to the GTC, while informing the Data Subjects thereof. These amendments shall become effective in relation to the Data Subjects upon their first use of the Website following the publication.
II. Data Subject Rights, Enforcement of Data Subject Rights
Data Subject Rights: In relation to his personal data processed by the Controller, the Data Subject shall be entitled to
- (a) be informed about the conditions of data processing prior to the commencement of data processing (hereinafter referred to as "right to prior information");
- (b) be provided with his personal data and information related to the processing thereof by the Controller upon request (hereinafter referred to as "right to access");
- c) oblige the Controller to rectify or supplement his personal data upon request (hereinafter referred to as "right of rectification");
- d) oblige the Controller to restrict the processing of his personal data upon request (hereinafter referred to as "the right to restrict data processing");
- e) oblige the Controller to erase his personal data upon request (hereinafter referred to as "the right to erasure").
Enforcement of Data Subject Rights In order to facilitate the enforcement of Data Subject rights, the Controller shall take any and all appropriate technical and
organizational measures; including but not limited to, he shall
- a) provide any and all notices and information to the Data Subject in an easily accessible and readable form, with concise, clear and comprehensible content;
- b) shall assess the claim of rights submitted by the Data Subject in the shortest possible time from the submission thereof, by no later than in twenty-five days, and notify the Data Subject of his decision in writing, or should the request be submitted by electronic means, electronically.
The Controller shall perform his duties in relation to the exercise of the rights specified above for free. Should the Data Subject
- a) submit a repeated claim of rights in relation to the same scope of data as specified under points b) to e) as follows, and
- b) pursuant to such request, the Controller omits the rectification, erasure or restriction of processing the personal data in compliance with the law, the Controller may claim the reimbursement of expenses from the Data Subject that he incurred in relation to the repeated and unjustified claim of rights as specified under points a) and b) hereinabove.
Should it be reasonably assessed that the person submitting the claim of rights in relation to rights specified under points b) to e) hereinabove is not the Data Subject, the Controller shall assess the request following the verification of the identity of the applicant beyond reasonable doubt.
- a) Right to Prior Information
Within the scope thereof, the Controller shall provide information to the Data Subjects regarding: the name and contact information of the Controller; the name and contact details of the Data Protection Officer; the purpose of the planned data processing; Data Subject rights pursuant to Act No. CXII of 2011 including the method of enforcing thereof; as well as additional information.
1.) Name and Contact Information of the Controller:
Name: Művészetek Völgye Nonprofit Kft.
Contact Information: Company Seat: 8294 Kapolcs, Kossuth utca 62.
Delivery Address: 1023 Budapest, Lajos u. 28-30. 2. em.
e-mail address: email@example.com
Company Registration Number: 19-09-517015
Tax Number: 24860248-2-19
Phone Number: 6304690263
Data handled by the Controller may be accessed by the following persons having the following positions acting on behalf of the Controller:
Natáliab Oszkó-Jakab, Executive Director, with independent right of representation
Persons authorized to access the data processed to may perform the following processing operations:
Erasure, restriction, rectification, handling and obtaining of personal data. Any observations or complaints regarding the use of their personal data shall be forwarded by the Data Subject to the following persons via the contact information as follows:
Name: Natália Oszkó-Jakab, Executive Director
2.) Name and Contact Information of the Data Protection Officer:
Pursuant to the provisions of Article 37, Section (1) of the GDPR, the Controller shall not be obliged to appoint and use the services of a Data Protection Officer; therefore, the Controller has not appointed a Data Protection Officer.
3.) Purpose and Scope of Data Processing The Controller shall only handle personal data.
Scope of Data processed by the Controller
Personal data provided voluntarily by the Data Subject with the prior consent thereof upon entering the website of www.muveszetekvolgye.hu:
- Scope of Data Processing: e-mail address, user name, first name, last name, date of birth, country, password
- Purpose of Data Processing: Identifying, tracking and distinguishing of the Data Subject from other visitors; Contact purposes; Documentation and logging of statements and activities of Data Subjects; Complaint handling; Notification of Data Subjects; Blocking and banning of unauthorized persons; sending out newsletters, direct marketing or other advertising materials, offers, informations, notification, program offers and other notifications to the Data Subjects regarding the events and programs available at the VoA Website and organized by the Company, including but not limited to, in relation to the Valley of Arts Festival; Aggregated, anonymised, statistical use of data, production of surveys, statistics, reports; registration to the network essential in order to access the services of service providers listed at the VoA Website, including but not limited to performers, hosts, craftsmen or accommodation providers; Providing personalized access to music services; Personalization of page displaying; Data Subject participation in contests organized by the Controller.
Personal data voluntarily provided by the Data Subject during the purchase of a ticket or pass through the www.muveszetekvolgye.hu website by means of prior consent
- Scope of Data Processing: The Data Subject shall not provide personal data to the Controller and personal data shall not be handled by the Controller; the Data Subject shall only provide personal data directly to Tixa Hungary Kft.; Tixa Hungary Kft. shall, pursuant to the provisions stipulated under Article III of the present Policy, perform data transmission towards the Controller in order to allow for the Controller to issue an invoice for the tickets or passes purchased.
Personal data provided upon entering the website of www.muveszetekvolgye.hu shall remain confidential and not be accessed by third parties. Should the password be lost or forgotten, the Controller shall, upon request of the Data Subject, reproduce or modify the pertinent password.
Any and all data is provided at the website voluntarily. In all cases, the Controller shall handle the personal data of the Data Subjects only to the extent necessary and in accordance with the applicable legal requirements. The Data Subject may immediately unsubscribe from the newsletters sent by the Controller by indicating his intention at the address of
4.) Data Subject Rights pursuant to Act No. CXII of 2011, Enforcement of Data Subject Rights
In order to enforce the rights thereof, the Data Subject may:
- a) request the National Media and Communications Authority (hereinafter referred to as: Authority) to conduct an investigation into the lawfulness of the measures of the Controller, should the Controller restrict the enforcement of Data Subject rights or refuse the request aimed at the enforcement of such rights, or
- (b) may request the Authority to initiate a data protection procedure, should he assess that the Controller has breached the provisions of laws of European Union laws on data processing during the processing of personal data pertaining to the Data Subject.
- The Data Subject may initiate court proceedings against the Controller, should he assess that the Controller has breached the provisions of laws of European Union laws on data processing during the processing of personal data pertaining to the Data Subject. The Controller shall carry the burden of proof to verify compliance with the provisions of laws of European Union laws on data processing during the processing of personal data pertaining to the Data Subject.
- The Data Subject may - at his discretion - initiate court proceedings at the court competent pursuant to the domicile or residence thereof. A party with otherwise no procedural capacity may also become a party to the procedure. The Authority may take part in the proceedings on behalf of the Data Subject.
Should the court uphold the claim, it shall be deemed as a proof on infringement; it shall oblige the Controller to
(a) terminate the unlawful processing operation;
(b) restore the lawfulness of data processing;
(c) stipulate a detailed conduct to be complied with by the Controller in order to ensure the enforcement of Data Subject Rights; the court may, as applicable, also decide on compensation claims or damages.
The court may order the publication of its decision - along with the disclosure of the identification data of the Controller -, should the decision pertain to a large number of persons or the breach of law justify such publication. Should the Controller breach the provisions of laws or European Union laws on data processing and cause damages thereby to other persons, he shall assume
liability for damages.
Should the Controller breach the provisions of laws or European Union laws on data processing and breach the privacy rights of other persons thereby, the persons affected by the breach of privacy rights may claim compensation from the Controller.
The Controller shall be exempt from liability for damages, should he be able to prove that the damage caused by unlawful conduct or breach of privacy rights have arised from a cause beyond the reasonable control of the scope of data processing.
The Controller shall be exempt from the liability for damages, should he be able to prove that during his data processing operations, he exercised compliance with the data processing obligations specified under the laws or European Union laws specifically applicable to Processors, and the
instructions of the Controller. Damages shall not be payable and compensation shall not be claimed, should the damages caused by unlawful conduct or breach of privacy rights arise from the intentional or gross negligence attributable to the entitled persons.
Enforcement of personal data rights following the death of the Data Subject:
In the period of five years following the death of the data subject, pursuant to the provisions of Act No. CXII of 2011, Article 14, points b) to e) and - concerning data processing operations covered by the GDPR - regulated under Articles 15 to 18 and 21 of the GDPR: rights attributable to the deceased during his lifetime shall be enforced by the Data Subject pursuant to an administrative order or a valid statement produced as a certified or verified deed of public record made at the Controller; upon several statements produced by the Data Subject at the Controller, the person entitled pursuant to the latest statement shall
enforce the pertinent rights.
If the data subject has not made a legal statement in accordance with the statement specified in the paragraph hereinabove, the close relative of the deceased, as determined by the Civil Code of Hungary, shall be deemed as the entitled person, even in lieu of such statement, pursuant to the provisions of Act No. CXII of 2011, Article 14, point c), concerning data processing operations covered by the GDPR and regulated under Articles 16 and 21 of the GDPR; should the data processing have been unlawful even during the lifetime of the deceased or should the purpose thereof have ceased with the death of the deceased; - pursuant to Article 14 point d) and e), concerning data processing operations covered by the GDPR and regulated under Articles 17 and 28 of the GDPR, the entitled person may enforce the rights within five year following the death of the deceased. Close relatives who first enforce such rights shall be entitled to enforce the rights of the Data Subject.
Persons enforcing the rights of the Data Subject pursuant to paragraphs (1) or (2) shall assume the rights and obligations pursuant to the provisions of Act No. CXII of 2011 applicable to the Data Subject - in particular regarding proceedings against the Controller and before the Authority or in court - upon the enforcement of Data Subject Rights.
Persons enforcing the rights of the Data Subject shall prove the fact and time of death of the Data Subject by a death certificate or court order, and his own identity and, as applicable, his relative status by a public document. The Controller shall, upon request, inform the close relative of the Data Subject as determined by the Civil Code of any actions taken, unless the Data Subject explicitly prohibiting such notification under his statement.
5.) Provision of Additional Information:
In addition, the Controller shall provide information on the legal basis for data processing; the duration of the restriction of the personal data processed and the criteria for determining that period; the scope of recipients of the data transfer upon transmission or planned transmission of the processed personal data; as well as any further relevant facts relating to the circumstances of the data processing.
However, compliance with such information obligations may be delayed by the Controller in proportion to the purpose followed; content of the information may be restricted, or the information obligation may be omitted, should such action be essential to: investigations or procedures conducted by or in cooperation with the Controller to be
effective and efficient; effective and efficient investigation and prevention of criminal offences; enforcement of sentences and measures aimed against perpetrator of criminal offences; effective and efficient protection of public safety;
effective and efficient internal and external security of the country, in particular homeland security or national security; protection of basic rights of third parties.
5.1.) Legal Basis for Data Processing:
Personal data processed by the Controller may be processed even without further specific consent or following the withdrawal of consent, in order to fulfill the legal obligations of the Controller or to enforce the legitimate interests of the Controller or a third party, should the enforcement of such interest be proportionate to the restriction of the right to the protection of personal data. The Controller shall exercise a so-called test of proportionality in order to assess the performance of data processing stipulated under the present paragraph. The test of proportionality is a three-step process that identifies the legitimate interest of the Controller and the Data Subject, the fundamental right concerned, and finally, based on the balance thereof, whether personal data shall be processed.
5.2.) Storage period of personal data processed, criteria for establishing such period:
Handling of data as indicated in the aforementioned point may be discontinued upon erasure of data initiated by the Data Subject, termination of the service provided by the Controller, and the decision of courts or other authorities on the deletion of data and data desctruction entering into force. The Controller shall handle the personal data of the Data Subject for the purpose of delivering the service as described hereinabove up until the consent of the Data Subject is withdrawn.
5.3.) Upon transmission or planned forwarding of personal data, the scope of recipients shall be as follows:
5.3.1. Name and contact details of the Processor used by the Controller:
During the operation of the IT system of the Controller, in order to fulfill orders, provide invoicing services and data processing, the Controller shall use the services of the Processor entitled to handle personal data on his behalf as follows:
Tünde Tóth, Sole Entrepreneur (Company Seat: 8960 Lenti, Kossuth u.) 4. 3/44. Tax Number: 68054968-1-40)
Scope of data processed: last name, first name, user name, e-mail address, date of birth, country, password.
Purpose of data transfer:
Identification, tracing, differentiation of Data Subjects from other visitors.
- Documentation and logging of Data Subject statements and activities.
- Complaint Handling
- Sending notifications to Data Subjects.
- Blocking and banning of unauthorized persons.
- Newsletter sending.
- Ensuring the use of the Website and services provided by the Controller on the Website.
- sending out newsletters, direct marketing or other advertising materials, offers, informations, notification, program offers and other notifications to the Data Subjects
- regarding the events and programs available at the VoA Website and organized by the Company.
- Aggregated, anonymised, statistical use of data, production of surveys, statistics and reports.
- Registration to the network essential in order to access the services of service providers listed at the VoA Website, including but not limited to performers, hosts, craftsmen or accommodation providers.
- Personalized access to music services.
- Personalization of page displaying;
- Data Subject participation in contests organized by the Controller.
5.3.2. Data Transfer by Controller: The Controller shall disclose the personal data of the Data Subjects to third parties
for the purpose and within the scope as specified hereinunder:
By accepting the present Policy, the Data Subject acknowledges that the website of www.muveszetekvolgye.hu uses the following web analytics procedure to record and investigate the user activity on the Website for the purpose of developing the site and in order to achieve the objectives thereof.
Controller: A web analytics tool provided by Google LLC, which makes detailed statistics about visitors of the website. The main objective thereof is to assist the Controller in getting a more accurate view of the activities of visitors at www.muveszetekvolgye.hu by showing visitor movement on the Website, how much time they spend on the Website, and their geographical location.
Data used by Google Analytics (GA):
184.108.40.206. protocol data received through the HTTP(S) protocol that is collected in connection with the use of GA for technical reasons, such as operating system and browser program data, as well as the website (link) preceding the access to the website, and the date and time of the visit;
220.127.116.11. data stored by GA for cookies stored on the device of the user, in particular the unique visitor identifier, which is used in order to recognize returning visitors;
18.104.22.168. data stored under user profiles created and anonymized by the GA analysis tool. This shall include data related to the use of the Website, such as visitation, frequency and duration of visit, all of which are independently generated data.
The GA shall use the aforementioned information on behalf of the operator of the www.muveszetekvolgye.hu Website and the Controller to evaluate the use of the website, compile reports on the activities performed thereupon, and to provide additional services related to the activities and use of the Website. GA shall use the data of the operating system and the browser program of the operating system of the Data Subject to ensure service protection and identify the geographical position of the visitors.
These data are usually stored anonymously on a United States Google server. Google shall act as a Processor during the pertinent procedure. Headquartered in the USA and classified by the EU-US Privacy Shield (Privacy Shield): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
The EU Commission Compliance Decision as effective in relation to the Privacy Shield: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016D1250
Browser and operation system data of the Data Subject shall be anonymised at the server of the operator, that is, the Controller, prior to being forwarded to Google. In some cases, browser and operation system data of the Data Subject may be transferred to the Google server, where it shall be anonymised.
The storage period of data specified under point 22.214.171.124) is 14 months. See section "Cookies" for the storage period of the data specified under point 126.96.36.199. The storage period for the data specified under point Section 188.8.131.52. is also 14 months.
Legal basis for such data processing is constituted by Article 6 (1) (a) of the GDPR. Data Subjects may disable the storage of cookies by appropriate settings in his browser. However, the Controller hereby notifies the Data Subject that upon disabling the storage of cookies, some features of the www.muveszetekvolgye.hu Website may not be fully accessible. Click on the link below to disable data collection by GA. By following this link, an unsubscribe cookie shall be placed on Your device, that shall disable data collection upon Your next visit to the Website: http://tools.google.com/dlpage/gaoptout?hl=de.
5.4. Additional relevant facts pertaining to the conditions of data processing:
5.4.1. Notification on Security Measures: Software and hardware protection shall ensure the security of your personal data.
The Controller shall use a firewall to prevent the access of unauthorized persons. Personal data shall be protected by security measures taken by the e-mail provider of the Data Subject. In addition, the www.muveszetekvolgye.hu Website shall use https communication. Accordingly, personal data provided by the Data Subject shall be encrypted by the Controller, thus becoming untraceable.
The Controller server shall store the name of the internet browser of the data subject, the address of the website from which he visited the Website of www.muveszetekvolgye.hu, the websites he visited from www.muveszetekvolgye.hu, the e-mail address of the data subject, as well as the date and
duration of the visit.
The Controller shall automatically generate statistical data from the websites visited by the data subject, the data of the Internet service provider and the date and duration of the visit. The Controller shall not link such data with other personal data; these shall only be used to generate Website traffic statistics. Recording and storing these data is a feature of the operation of the website and is technically essential for statistical purposes only.
(b) Right of Access: Upon request of the Data Subject, the Controller shall provide information to the Data Subject regarding the data handled thereby, their source, the purpose of data processing, the legal basis and duration thereof, the name and address of the Processor and his activities related to data processing. Courts, the Prosecutor's Office, investigative authorities, infringement authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information or other bodies may, on the basis of statutory jurisdiction, request the Controller to provide information, communicate or transfer data, or disclose documentation.
The Controller shall provide the requesting authority with the personal data essential for the purpose of the request, provided that the exact purpose and scope of the data are indicated. The Data Controller shall, upon request submitted by the Data Subject, assess the request for rectification or information in the shortest possible time from the submission of the request, but by no later than within 25 days, in a comprehensible form and in writing.
c) Right to Rectification: Upon the data handled by the Controller being incorrect, false or incomplete, the Controller shall -
in particular upon request of the Data Subject - rectify or correct such data without undue delay, or rectify them with any additional personal data provided by the Data Subject or rectify such data pursuant to a relevant statement produced by the Data Subject (hereinafter jointly referred to as "rectification").
The Controller shall be exempt from the aforementioned obligation in cases as follows:
(a) personal data that are accurate, correct and complete are not available or not submitted by the Data Subject;
(b) the authenticity of the personal data provided by the Data Subject is verifiably beyond doubt.
Should the Controller rectify the personal data handled thereby, he shall inform the Data Subject to whom the personal data pertains, as well as the recipient who has recevied such data, of the fact of rectification.
d) Right to Restriction:
- a) should the Data Subject dispute the accuracy, correctness or completeness of the personal data handled by the Controller and the accuracy, correctness or completeness of the personal data processed cannot be verified beyond doubt: data processing may be restricted for the period needed for verification;
- b) where the erasure of the data would be allowed, but pursuant to a written statement by the Data Subject or information available to the Controller it may reasonably be assessed that such erasure would be contrary to the legitimate interests of the Data Subject, data processing may be restricted for the period needed for verification of such legitimate interest contrary to the erasure;
- c) where the erasure of the data would be allowed, but requires the retention of data as evidence in the course of legal investigations or proceedings, in particular criminal proceedings, carried out by or with the participation of the Controller or other public authority: for the period until the final and legally binding decision on such investigation or procedure.
- d) where the erasure of data would be allowed, but the retention of data was necessary for the purpose of fulfilling documentation obligations: processing of data recorded in the register of the Controller and the Processor, and the electronic log, shall be restricted for a period of ten years following the deletion of the data processed; in order to enforce data restriction rights, the Controller shall limit data processing to the operations as follows: During the restriction period of data processing, th Controller may carry out any other data processing operations beyond as indicated only for the purpose of enforcing the legitimate interest of the Data Subject either by law, an international treaty or a mandatory act of the European Union. Upon termination of the data processing restriction specified under point (a), the Controller shall inform the Data Subject in advance regarding of such termination of restriction of data processing.
- e) Right to Erasure: In order to enforce the right to erasure, the Controller shall immediately delete the personal data of the Data Subject upon:
a) the data processing being unlawful, especially if the processing
aa) breaches the principles stipulated under Article 4 of Act No. CXII of 2011,
ab) the purpose thereof has ceased to exist or the further processing of the data is no longer necessary for the purpose of the data processing;
ac) the period stipulated under law, international treaty or mandatory act of the European Union has expired, or
ad) the legal basis has ceased to exist and there is no other legal basis for the data processing;
b) the Data Subject withdraws his consent or requests the erasure of his personal data;
c) the erasure of data becomes mandatory pursuant to provisions of law or acts of the European Union, or the decision of the Authority or court, or
d) the period stipulated under Article 19, paragraph (1), points b)-d) has expired.
The Data Subject may request the erasure of the personal data provided by him. The Controller may delete the personal data provided by the Data Subject upon the request thereof, or should the use or access of the Data Subject to the Website be prohibited by the Controller due to a grave breach of law or
breach of the GTC pertaining to the use of the Website by the Data Subject. Concerning personal data automatically collected by the Controller, statistics about the log files are created and log files are stored for up to one year on the server of the Controller. The Controller shall be entitled to erasure the personal data of the Data Subject by virtue of sanctions or due to inactivity.
The Controller shall also erase the personal data of the Data Subject upon: the processing being unlawful; the purpose of data processing has ceased to exist; the statutory storage period has expired; pursuant to a decision rendered by court or the National Authority for Data Protection and Freedom of Information; or upon data processing being incomplete or incorrect - and such conditions cannot be legally remedied - provided that such erasure is not excluded by law.
Upon the termination of the Service provided by the Controller, the Controller shall delete the personal data of the Data Subject handled in connection with the Service, except for the data required for the fulfillment of statutory (e.g. accounting) obligations. Renaming and transformation of Services,
or merging with other services shall not constitute the termination of services. Instead of erasure, the Controller may restrict the personal data upon request of the Data Subject, or if the available information suggests that the erasure would violate the legitimate interests of the Data Subject. Data restricted in this way shall be handled by the Controller only unti the existence of a processing purpose that excludes the erasure of personal data.
III. Activities of external service providers:
In order to settle accounts with the Data Subject (in order to issue an invoice), TIXA Hungary Kft. shall transmit data to KBOSS.hu Kft. (www.szamlazz.hu), transferring the last name, first name, company name or address/registered office of the Data Subject provided during the purchase of the tickets or passes.
Following the data transfer, KBOSS.hu Kft. shall transmit the received data to the following Controller: FTA Control Limited Liability Company, represented by dr. Zoltán Pályi, Executive Director (Company Seat: 7623 Pécs Megyeri tér 1.B. ép. fszt.9., Company Registration Number: 02-09-081719, Tax Number: 25348071-2-02) for the purpose of accounting electronic invoices issued.
Concluded on: In Budapest on February 21, 2019
Művészetek Völgye Nonprofit Kft.
Represented by: Natália Oszkó-Jakab, Executive Director