Public Foundation for Research on Central and Eastern European History and Society

Data processing Guidelines

On data processing carried out in connection with the webshop of the House of Terror Museum

VALID FROM: September 1st 2019

1./ Aim and scope of the Guidelines

1.1./ The aim of these Guidelines is to duly inform you about the processing of the personal data you provided on the webshop of the House of Terror Museum on the webpage webshop.terrorhaza.hu (henceforth: Webshop) operated by the Public Foundation for Research on Central and Eastern European History and Society (henceforth: Public Foundation), as well as on your related rights, in line with Regulation (EU) 2016/679 of the European Parliament and of the Council (henceforth: Regulation), the Hungarian legal regulations and Act CXII of 2011 on informational self-determination and freedom of information (henceforth: Information Act).

1.2./ The scope of these Guidelines only covers the personal data you provided for the Webshop on the website webshop.terrorhaza.hu.

1.3./ These Guidelines and their amendments implemented from time to time shall be considered effective from the moment that they are published on the website webshop.terrorhaza.hu.

1.4./ Before you provide any data or information to us, please read the current version of the Guidelines, which shall always be accessible from webshop.terrorhaza.hu. Please note that you should only provide data or information to the Public Foundation at any time if you have read the current version of these Guidelines, and explicitly agree with their contents.

2./ Definitions

Data subject: natural persons who are explicitly defined or identified, or can be explicitly or implicitly identified by the use of personal data.

Customer: data subjects who provide their personal data for the purpose of making a purchase from the Webshop at webshop.terrorhaza.hu, operated by the Public Foundation.

Personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject.

Data controller: natural or legal persons or organisations not having legal personality that (independently or jointly with others) may determine the purpose of the data processing, make and execute decisions regarding the data processing (including the devices used), or have their decisions executed by the data processor. In the context of these Guidelines, the Public Foundation is the data controller.

Data processing: all activities or the sum of activities carried out by the Public Foundation on the data provided by the users, including especially collecting, recording, organizing, storing, modifying, using, querying, transmitting, publishing, harmonising or interconnecting, locking, deleting and destroying the data, as well as preventing further use of the data.

Data breach: unlawful processing or handling of personal data, especially unauthorized access to the data, modifying, transmitting, publishing, deleting or destroying the data, as well as incidents where data is destroyed or corrupted by accident.

3./ Name and details of Controller

Name: Public Foundation for Research on Central and Eastern European History and Society

Registered seat: 1122 Budapest, Határőr út 35.

Registration number: 01-01-0007526 (Fővárosi Törvényszék (Court of Budapest))

Tax ID: 18237010-2-43

Phone number: +361/212-7140

E-mail address:

Postal address: 1062 Budapest, Andrássy út 60.

Contact information of the data protection officer: Public Foundation for Research on Central and Eastern European History and Society, 1062 Budapest, Andrássy út 60., phone: +361/374-2600, e-mail:

4./ Legal basis for data processing

4.1./ The legal basis for processing by the Public Foundation regarding the Webshop is, on the one hand, your consent (point (a) of Article 6(1)), and, on the other hand, the fact that it is necessary in order to enter into and execute contracts regarding the Webshop (point (b) of Article 6(1)); furthermore, regarding invoicing, it is the fact that processing is necessary so the Public Foundation as Controller may comply with its legal obligations (point (c) of Article 6(1)).

4.2./ If, when registering on the website webshop.terrorhaza.hu, you give your express consent to have your personal data processed, the legal basis of processing based on consent is realised. If you place an order on the website webshop.terrorhaza.hu, the legal basis related to entering into and executing a contract is also realised.

5./ Processing related to registering and placing orders

5.1./ Short description of the data processing: If you wish to make use of the services of the Webshop, prior to placing an order you may register on the website webshop.terrorhaza.hu. You need to fill in the form under the Registration menu in order to register. The personal data you provide when registering or placing an order are processed by the software of the website webshop.terrorhaza.hu on the server rented by the Public Foundation, owned by PRAE.HU, and are made accessible to the employees responsible for executing the contracts entered into in the Webshop.

5.2./ Legal basis for data processing: By accepting the Data Processing Guidelines when registering on the website, you – by ticking the appropriate checkbox – accept the current provisions of these Data Processing Guidelines and give your express consent to have your personal data processed by the Public Foundation with regard to the Webshop. Thus the legal basis for data processing for this is Regulation point (a) of Article 6(1). If you place an order in the Webshop, a further legal basis for processing is added: processing is necessary in order to enter into and execute contracts regarding the Webshop (Regulation point (b) of Article 6(1)).

5.3./ The purpose of data processing: Creating a user account for persons registering on the website webshop.terrorhaza.hu for the purpose of purchasing, which is a legitimate basis of processing. The purpose of the data processing is the operation of the Webshop, the provision of the services available from the Webshop, operation of the related databases, fulfilment of orders submitted by customers, collection of the payments related to the orders, and especially:

a) Processing the orders and financial transactions initiated by the Customer.

b) Sending sales confirmations to the Customer.

c) Documenting any benefits that a registered Customer may be eligible for.

d) Responding to Customers’ requests, questions and complaints.

e) Administering the user accounts.

5.4./ Scope of the data processed with regard to the Webshop:

a) last name and first name,

b) e-mail address,

c) phone number,

d) postal address (country, municipality, postcode, street name, house number, floor, door number),

5.5./ Duration of data processing: We process your personal data provided when registering or placing an order until you withdraw your consent or delete your personal account. The Public Foundation shall only process the personal data submitted by the Customer as long as the Customer has an active account, or until the Customer requests the deletion of their data, or the Customer withdraws their consent to the processing of their personal data. You may make such requests by emailing us on .

5.6./ Related IT systems: the software of webshop.terrorhaza.hu and the server owned and operated by PRAE.HU Kft. The software running on it and its contents are the property of the Public Foundation.

6./ Data processing related to invoicing

6.1./ Short description of the data processing: If you make a financial transaction regarding an order on the Webshop (you pay the price of the product by bank card or in cash), the Public Foundation shall issue a bill about the price of the order.

6.2./ The legal basis for data processing: processing is carried out for the purpose of complying with legal obligations pertaining to the Data Controller [subsection c) of section (1) of Article 6 of the Regulation]. Related legal regulations: Act CXXVII of 2007 on value added tax (VAT Act), section 159 (obligation to issue invoices), section 169 (obligatory content elements of invoices), Act C of 2000 (Accounting Act) sections 166-169 (accounting documents, strict accountability documents, document retention obligation).

6.3./ The purpose of data processing is the support and documentation of the economic event (orders and their execution), which is a legitimate purpose for data processing.

6.4./ Scope of the processed data: The name, address, date and time of purchase of the customer (natural person).

6.5./ Duration of data processing: 8 years

6.6./ Relevant IT systems: Novitax

7./ Obligations of the Customer

7.1./ By providing their e-mail address and other personal data, the Customer assumes responsibility for ensuring that only he or she shall provide data and submit orders from that e-mail address, and that the data provided shall always be correct. In light of this assumption of responsibility, the Customer who registered the specific e-mail address shall bear all liabilities related to the logins that were performed with that e-mail address. Customers, please note that if you do not provide your own personal data, it is your responsibility to obtain the consent of the relevant data subject.

7.2./ The minimum age for Customers consenting to the processing of their personal data on the website is 18 years. If you are not yet 18 years of age, please do not provide your data on this website, and do not use the services.

8./ Data processing related to visitors of the website

8.1./ Short description of the data processing: The Public Foundation uses cookies on the website webshop.terrorhaza.hu. Typical cookies are ones for password-protected sessions, cookies for the implementation of the shopping cart and safety cookies, the use of which is not subject to the prior consent of data subjects. Scope of data subjects: all data subjects who visit the websites of the Public Foundation.

8.2./ Legal basis for data processing: Consent as per point (a) of Article 6(1). By clicking the button “I accept” on the website you accept the processing. The consent of the data subject is not needed when the sole purpose of using cookies is to transfer information on an electronic telecommunication network, or if it is essential for the service provider to be able to provide the information society-related service expressly requested by the user.

8.3./ The purpose of data processing: In the case of registered users it is the identifying of users, making statistics, tracking visitors, in the case of customers it is the managing of the “shopping cart”.

8.4./ Scope of the processed data: unique ID numbers, dates, times.

8.5./ Duration of data processing: Session cookie: to identify the user for the login procedure, PHP session id: the system deletes it when the browser is closed.

8.6./ Related IT systems: the software of webshop.terrorhaza.hu and the server owned by PRAE.HU Kft and rented by the Public Foundation.

8.7./ Controllers authorised to access the data: the staff of the Public Foundation may process the personal data, respecting the above principles.

8.8./ Rights of data subjects regarding processing: data subjects may delete cookies under the appropriate menu of the browser they use.

9./ Controllers, processors, data transfers

9.1./ By accepting these Data Processing Guidelines, the Customer acknowledges that the Public Foundation for the Research of Central and East European History and Society (registered seat: 1122 Budapest, Határőr út 35.) as the data controller will transfer the following personal data, provided by the Customer, stored in the user database of the site webshop.terrorhaza.hu (as a point of sale) to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.) acting as the data processor. The data controller transfers the following personal data: email address and phone number of the Customer, details of the bill-to address, details of the shipping address.

You may find out more about the specifics and purposes of the data processing activities carried out by the data processor in the Data Processing Guidelines of SimplePay, which is available at the following address: http://simplepay.hu/vasarlo-aff

9.2./ The personal data submitted by users during the course of using the Webshop are processed by the accounting firm tasked with carrying out the accounting obligations of the Public Foundation, as well as those employees of the Public Foundation tasked with the fulfilment of orders submitted via the Webshop and monitoring the related payments. The personal data provided upon registration are stored by the software of webshop.terrorhaza.hu on a server owned by the Public Foundation, and the Public Foundation shall not disclose them to any third parties.

9.3./ By completing the Registration process and submitting their orders, the Customer consents to the persons defined in Section 9.1. and 9.2. controlling and processing their data.

9.4./ Except for the cases detailed in sections 9.1. and 9.2., we shall not transfer your personal data to any third parties unless compelled to do so by law or a final court ruling or public decree.

9.5./ We do not provide personal data to other natural or legal persons for the purpose of carrying out marketing activities related to their products or services.

10./ Data security measures

10.1./ The Public Foundation provides protection to the data by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique. In determining the measures to ensure security of processing, the Public Foundation shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.

10.2./ Personal data provided by the user are protected during their transfer and after their arrival in the databases of the data controller. However, there are no completely safe methods for transferring data online and storing data electronically. We implement industry-standard solutions for the protection of personal data; however, their absolute safety cannot be guaranteed.

10.3./ The IT system of the Public Foundation is located in a server stored in the purpose-built secure room of Magyar Telekom Nyrt.

10.4./ The operator has put into service several safety and security procedures to safeguard the IT systems and networks of the Public Foundation, among them the following:

a) The Customer is only able to access their user profile with the password and user ID that they provided. The password is stored in an encrypted state. The use of a strong, alphanumeric password (one that contains both letters and numbers) is required, and the user is not allowed to share the password with others.

b) Your personal data are stored on a secure server. The secure servers are only accessible to certain employees of the Public Foundation, and are password-protected,

c) We back up the data to avoid data loss,

d) Physical protection: The server is found in a data center protected by a fence, CCTV surveillance, armed guards and multi-step access control,

e) Software protection: On the one hand, Magyar Telekom Nyrt. continuously monitors any external threats against their machines; on the other hand, it provides a “firewall” for its users; on top of this, we also protect our server with our own “firewall”. Accessing the server with system administrator rights is only possible from specific external locations (IP addresses).

11./ Rights and remedies available to the data subjects

11.1./ According to the wording of the Regulation, “data subject” is a natural person who can be identified, directly or indirectly by reference to relevant information or personal data.

11.2./ Please note that prior to the fulfilment of claims regarding the enforcement of rights, the Public Foundation is obliged to identify the person submitting the request. Where the Public Foundation has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the requestor.

11.3./ You may contact the Public Foundation or the data protection officer any time in order to exercise your rights below:

a) You have the right to ask for more information regarding the handling of your personal data, and to request a copy of your data that the Public Foundation handles and processes (right of information, right of access – Regulation Art.15, Information Act section 15).

b) You have the right to request the rectification of incorrect or incomplete data (right to rectification – Regulation Art.16, Information Act section 17).

c) You are entitled to request the deletion of your personal data, and if your data are published publicly, you may request that the Public Foundation forward your deletion request to other data controllers (right to erasure – Regulation Art.17, Information Act section 17, subsection (2)).

d) You have the right to request the restriction of processing (right to restriction of processing – Regulation Art.18).

e) You are entitled to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability – Regulation Art.20).

f) You have the right to object against the data processing activities (right to object – Regulation Art.21, Information Act section 21).

g) When your data is processed based on consent, you have the right to withdraw your consent any time. Your withdrawal does not affect the legality of the processing activities carried out before the withdrawal (right to withdraw consent – Regulation Art.7(3)).

h) You have the right to lodge a complaint with a supervisory authority, if you believe that our processing activities are in conflict with any law in force (right to lodge complaints with a supervisory authority – Regulation Art.77).

11.4./ Any requests under 11.3 shall be sent via e-mail to the following address in every case: or by mail to the following address: 1062 Budapest, Andrássy út 60. of the Public Foundation.

11.5./ The Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) shall provide legal remedies, and receives the complaints of the users:

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság

Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, Pf.: 5.

Phone: 06.1.391.1400

Fax: 06.1.391.1410

Website: http://www.naih.hu

E-mail:

11.6./ If the Public Foundation refuses to comply with your (the data subject’s) request, the factual and legal reasons on which the decision for refusing the request is based shall be communicated in writing or, subject to your consent, electronically within 25 (twenty-five) days of receipt of the request. If your request is refused, the Public Foundation shall inform you of the possibilities for seeking judicial remedy or lodging a complaint with the Authorities.

11.7./ If you disagree with the decision taken by the Public Foundation, or if the Public Foundation fails to meet the deadline, you shall have the right to turn to court within 30 (thirty) days of the date of delivery of the decision or from the last day of the time limit. You may, at your discretion, start a lawsuit either at the court in the Public Foundation’s registered seat or your domicile. The competent court based on the seat of the Public Foundation is the Municipal Court of Budapest.

12./ Miscellaneous

12.1./ The Public Foundation as the data controller, with a view to controlling measures relating to personal data breaches and informing data subjects, shall keep records containing the personal data affected, the personal scope affected by the data incident, the time, circumstances and effects of the personal data breach and measures taken to eliminate it as well as other information required by law.

12.2./ In matters not regulated by these Data Processing Guidelines, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act V of 2013 on the Civil Code as well as other relevant acts shall apply.

Budapest, 27/08/2019.