Privacy Notice

I. DATA CONTROLLER INTRODUCTION

The University of Physical Education (hereinafter: “Data Controller”, “University”) creates this privacy notice to ensure the legality of its internal data processing procedures and to protect the rights of the data subjects.

Data Controller’s name:
University of Physical Education

Institutional identification number:
FI89399

Data Controller’s registered office:
1123 Budapest, Alkotás St. 42-48.

Data Controller’s electronic contact address:
info@tf.hu

Representative of the Data Controller:
Prof. Dr. Tamás Sterbenz, Rector

Contact details of the Data Protection Officer:
tf-adatvedelem@tf.hu

The Data Controller processes personal data in accordance with its internal regulations, as well as all applicable laws, primarily the following:

  • Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter: “Act”)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “Regulation” or “GDPR”)

The Data Controller processes personal data confidentially and takes all necessary technical and organizational measures to ensure the secure storage, processing, and management of the data.

The Data Controller reserves the right to modify this notice at any time. If any circumstances change regarding the data processing, this notice will be amended within 30 days. The modifications will be published in a consolidated version of this notice.

Definitions

The conceptual framework of this Privacy Notice is consistent with the definitions provided in Article 4 of the Regulation, and in certain points, supplemented by the definitions in Section 3 of the Information Act.

When this notice refers to data or data processing, it refers to personal data and its processing.


II. CHARACTERISTICS OF THE SPECIFIC DATA PROCESSING PURPOSES

Cookie Management on the Website

The Data Controller uses cookies on the webshop operating at www.webshop.tf.hu (hereinafter: webshop) to maintain and improve its services.

What is a cookie?

Cookies are small text files placed on the user’s device by the browser that perform identification and information gathering functions. A cookie consists of a unique numeric code and is primarily used to distinguish between computers and other devices that download a webpage. Cookies have various functions, including collecting information, remembering user settings, and allowing the website owner to understand user habits to enhance the user experience.

For what purposes can we use cookies?

The Data Controller primarily uses cookies that are essential for the operation of the website. The purpose of these cookies is to ensure the proper and high-quality functioning of the website, facilitate the management of pages, and remember cookie preferences.

Marketing cookies on the website are provided by Google Ireland Ltd (Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland; Google privacy policy: https://policies.google.com/privacy?hl=en) based on the visitor’s consent.

Cookies beyond those that are strictly necessary can be managed by the data subject at their discretion through the website’s cookie manager.

What is the legal basis for the data processing conducted through cookies?

The Data Controller uses cookies that are essential for the website’s operation based on the legitimate interest specified in Article 6(1)(f) of the GDPR. Other cookies are used based on consent, as specified in Article 6(1)(a) of the GDPR.

How can you check and disable cookies?

The website includes a cookie manager, which is accessible not only during the first visit but can also be accessed anytime by clicking the icon located in the bottom left corner of the webpage, where you can modify previous settings.

In addition, all modern browsers allow users to change cookie settings. Most browsers automatically accept cookies by default, but these settings can typically be modified to prevent automatic acceptance, offering the option to accept or decline cookies each time.

Since cookies are intended to facilitate or enable the usability of the website and its processes, preventing or deleting cookies may result in users being unable to fully use the website’s features, or cause the website to function differently in the browser.

The most popular browsers’ cookie settings can be found at the following links:

Google Chrome:
https://support.google.com/accounts/answer/61416

Firefox:
https://support.mozilla.org/en/kb/cookies-information-websites-store

Microsoft Edge:
https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy

Microsoft Internet Explorer:
https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

Opera:
https://help.opera.com/en/latest/web-preferences/#cookies

Safari:
https://support.apple.com/en-us/guide/safari/sfri11471/mac


Webshop Operation

Purpose of Data Processing

The purpose of data processing is to enable orders to be placed through the webshop on the Data Controller’s website, www.webshop.tf.hu, and to fulfill those orders. The webshop offers the ability to purchase university products, gifts, and tickets for events organized by the University, and to register for certain courses.

Processed Personal Data

Data required for placing an order:

  • Name
  • Email address
  • Billing address
  • Phone number (optional)
  • Additional information provided by the data subject
  • For payments via SimplePay, the order ID, email address, and payment-related details.

Order history, as well as data related to orders and necessary for delivery.

Legal Basis for Data Processing

The legal basis for processing personal data is the performance of the contract (obligation) formed by the purchase, as outlined in Article 6(1)(b) of the Regulation.

Source of Personal Data

The customer, and in case of card payments, OTP Mobil Ltd.

Access to Personal Data

Only employees of the Data Controller who are required to handle personal data as part of their job duties are authorized to process personal data.

Data Processors:

Impact Communications Tanácsadó Korlátolt Felelősségű Társaság (1165 Budapest, Koronafürt utca 21. fszt. 2a.) – Data processor providing IT support for the webshop.

For card payments, the necessary data will be transferred to OTP Mobil Ltd. (1138 Budapest, Váci út 135-139. B. ép. 5. em.; company registration number: 01-09-174466), as a data processor. The data provided by the Data Controller is the email address of the person performing the payment. The nature and purpose of the data processing activities carried out by the data processor can be viewed in the SimplePay Privacy Notice at the following link: SimplePay Privacy Policy.

The data processors may only process the personal data of the data subject in accordance with the purposes and instructions set out by the Data Controller, and they do not have independent decision-making authority regarding data processing. The data processors have committed to confidentiality obligations and contractual guarantees regarding the retention of personal data they have encountered during the fulfillment of their duties.

The data necessary for delivery will be transferred to the courier service, which acts as an independent data controller.

Transfer of Personal Data to Third Countries or International Organizations

The Data Controller does not transfer personal data to third countries or international organizations.

Retention Period of Personal Data

The Data Controller retains data related to orders for a period of 5 years, in accordance with the general limitation period. The retention period for the data on invoices is 8 years, as per Section 169(2) of Act C of 2000 on Accounting.

Automated Decision-Making and Profiling

Neither occurs during the data processing.


III. THE RIGHTS OF THE DATA SUBJECT IN RELATION TO DATA PROCESSING

Right to Information

The data subject has the right to receive information regarding data processing, which the Data Controller provides by making this notice available.

Data Processing Based on Consent

If the legal basis for data processing is the data subject’s consent, they are entitled to withdraw their consent at any time. However, it is important to note that the withdrawal of consent only applies to data processing for which there is no other legal basis. If there is no other legal basis for processing the data subject’s personal data, the Data Controller will delete the personal data permanently and irreversibly following the withdrawal of consent. The withdrawal of consent does not affect the lawfulness of data processing based on consent prior to the withdrawal.

Right of Access

Upon request, the Data Controller will provide information about whether the personal data of the data subject is being processed, and if so, will grant access to the personal data and the following information:

  • The purposes of data processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the personal data has been or will be disclosed, including particularly third-country recipients and international organizations;
  • The planned duration of storage of the personal data, or, if not possible, the criteria used to determine this duration;
  • The data subject’s right to request from the Data Controller the rectification, deletion, or restriction of processing of their personal data, and to object to the processing of such personal data;
  • The right to file a complaint with a supervisory authority and to initiate legal proceedings;
  • If the data has not been collected directly from the data subject, all available information about the source of the data;
  • If automated decision-making occurs, including profiling, the fact of it and at least the logic involved, including the significance and the expected consequences of such processing for the data subject.

Right to Rectification of Personal Data

The data subject has the right to request the Data Controller to correct any inaccurate personal data relating to them without undue delay. Considering the purposes of processing, the data subject also has the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.

When requesting rectification (modification) of data, the data subject must support the accuracy of the data to be modified and must also prove that the request is made by the rightful person. The Data Controller can only assess whether the new data is accurate, and if so, whether the previous data can be modified.

The Data Controller also reminds the data subject to promptly report any changes to their personal data, facilitating the lawful processing and the enforcement of their rights.

Right to Erasure

Upon the data subject’s request, the Data Controller is obliged to erase personal data relating to the data subject without undue delay if any of the following grounds apply:

  • The Data Controller no longer needs the personal data for the purposes for which they were collected or otherwise processed;
  • In case of data processing based on consent, the data subject withdraws their consent, and there is no other legal basis for processing;
  • The data subject objects to the processing of the data, and there is no overriding legitimate reason for the processing, or objects to processing for direct marketing purposes;
  • The personal data has been processed unlawfully by the Data Controller;
  • The personal data must be deleted to comply with a legal obligation under EU or member state law applicable to the Data Controller;
  • The personal data was collected in connection with offering services related to the information society.

Right to Restriction of Processing

The data subject has the right to request the Data Controller to restrict processing if any of the following applies:

  • The accuracy of the personal data is contested; in this case, the restriction applies for the period allowing the Data Controller to verify the accuracy of the personal data;
  • The processing is unlawful, and the data subject opposes deletion, instead requesting restriction of its use;
  • The Data Controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
  • The data subject has objected to processing; in this case, the restriction applies for the period during which it is determined whether the Data Controller’s legitimate grounds override those of the data subject.

Right to Object

If the legal basis for processing personal data is the legitimate interest of the Data Controller (Article 6(1)(f) of the Regulation), or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e) of the Regulation), the data subject has the right to object to the processing of their personal data at any time on grounds related to their particular situation, including profiling based on those provisions.

Right to Data Portability

The data subject has the right to receive the personal data they have provided to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller, if:

  • The processing is based on the data subject’s consent or on a contract as per Article 6(1)(b) of the Regulation; and
  • The processing is carried out by automated means.

PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

The data subject can exercise their rights by sending an electronic letter to the email address tf-adatvedelem@tf.hu, by sending a postal letter to the Data Controller’s registered office, or by visiting the Data Controller’s office in person. The Data Controller will begin examining and fulfilling the request without undue delay after receiving it. The Data Controller will inform the data subject about the actions taken in response to the request within 30 days of receipt. If the Data Controller is unable to fulfill the request, the data subject will be informed of the reasons for the refusal and their rights to seek legal remedies within 30 days.

In the event of the data subject’s death, the rights the deceased held during their lifetime, as specified in this notice, may be exercised by a person authorized by the data subject through an administrative directive, a public document, or a private document of full evidentiary value. If the data subject has made multiple declarations with a data controller, the latest declaration applies. If the data subject has not made such a legal declaration, a close relative, as defined by the Civil Code, is entitled to exercise the rights specified in Articles 16 (right to rectification), 17 (right to erasure), 18 (right to restriction of processing), and 21 (right to object) of the Regulation, within five years after the data subject’s death. The close relative who first exercises this entitlement is authorized to enforce the data subject’s rights.


RIGHT TO REMEDY IN RELATION TO DATA PROCESSING

To exercise the right to judicial remedy, the data subject may turn to a court if they believe that the Data Controller, or a data processor acting on their behalf or in accordance with their instructions, is processing their personal data in violation of the relevant regulations or mandatory legal acts of the European Union. The court will handle the case on an expedited basis. The court with jurisdiction over the case is the regional court. The lawsuit may be filed at the court of the data subject’s place of residence or habitual residence, or at the court of the Data Controller’s registered office.

https://birosag.hu/birosag-kereso

Anyone can file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) if they believe that their rights have been infringed or are at direct risk, or if the Data Controller has restricted or rejected their request to exercise their rights related to the processing of personal data. The complaint can be submitted to the following contact details:

National Authority for Data Protection and Freedom of Information (NAIH)

Postal address: 1363 Budapest, Pf. 9.
Address: 1055 Budapest, Falk Miksa Street 9-11.
Email: ugyfelszolgalat@naih.hu
Website: http://naih.hu

Budapest, […]