Public Foundation for the Research of Central and East European History and Society
Data processing Guidelines
On data processing carried out in connection with the webshop of the House of Terror Museum
VALID FROM: 14 February 2020
1./ Aim and scope of the Guidelines
1.1./ The aim of these Guidelines is to duly inform you about the processing of the personal data you provided on the webshop of the House of Terror Museum on the webpage webshop.terrorhaza.hu (henceforth: Webshop) operated by the Public Foundation for the Research of Central and East European History and Society (henceforth: Public Foundation), as well as on your related rights, in line with Regulation (EU) 2016/679 of the European Parliament and of the Council (henceforth: Regulation), the Hungarian legal regulations and Act CXII of 2011 on informational self-determination and freedom of information (henceforth: Information Act).
1.2./ The scope of these Guidelines only covers the personal data you provided for the Webshop on the website webshop.terrorhaza.hu.
1.3./ These Guidelines and their amendments implemented from time to time shall be considered effective from the moment that they are published on the website webshop.terrorhaza.hu.
1.4./ Before you provide any data or information to us, please read the current version of the Guidelines, which shall always be accessible from webshop.terrorhaza.hu. Please note that you should only provide data or information to the Public Foundation at any time if you have read the current version of these Guidelines, and explicitly agree with their contents.
Data subject: natural persons who are explicitly defined or identified, or can be explicitly or implicitly identified by the use of personal data.
Customer: data subjects who provide their personal data for the purpose of making a purchase from the Webshop at webshop.terrorhaza.hu, operated by the Public Foundation.
Personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject.
Data controller: natural or legal persons or organisations not having legal personality that (independently or jointly with others) may determine the purpose of the data processing, make and execute decisions regarding the data processing (including the devices used), or have their decisions executed by the data processor. In the context of these Guidelines, the Public Foundation is the data controller.
Data processing: all activities or the sum of activities carried out by the Public Foundation on the data provided by the users, including especially collecting, recording, organizing, storing, modifying, using, querying, transmitting, publishing, harmonising or interconnecting, locking, deleting and destroying the data, as well as preventing further use of the data.
Data breach: unlawful processing or handling of personal data, especially unauthorized access to the data, modifying, transmitting, publishing, deleting or destroying the data, as well as incidents where data is destroyed or corrupted by accident.
3./ Name and details of Controller
Name: Public Foundation for the Research of Central and East European History and Society
Registered seat: 1122 Budapest, Határőr út 35.
Registration number: 01-01-0007526 (Fővárosi Törvényszék (Court of Budapest))
Tax ID: 18237010-2-43
Phone number: +361/212-7140
Postal address: 1062 Budapest, Andrássy út 60.
4./ Legal basis for data processing
4.1./ The legal basis for processing by the Public Foundation regarding the Webshop is, on the one hand, your consent (point (a) of Article 6(1)) and, on the other hand, the fact that it is necessary in order to enter into and execute contracts regarding the Webshop (point (b) of Article 6(1)); furthermore, regarding invoicing, it is the fact that processing is necessary so the Public Foundation as Controller may comply with its legal obligations (point (c) of Article 6(1)).
4.2./ If, when registering on the website webshop.terrorhaza.hu, you give your express consent to have your personal data processed, the legal basis of processing based on consent is realised. If you place an order on the website webshop.terrorhaza.hu, the legal basis related to entering into and executing a contract is also realised.
5./ Processing related to registering and placing orders
5.1./ Short description of the data processing: If you wish to make use of the services of the Webshop, prior to placing an order you may register on the website webshop.terrorhaza.hu. You need to fill in the form under the Registration menu in order to register. The personal data you provide when registering or placing an order are processed by the software of the website webshop.terrorhaza.hu on the server rented by the Public Foundation, owned by PRAE.HU, and are made accessible to the employees responsible for executing the contracts entered into in the Webshop.
5.2./ Legal basis for data processing: By accepting the Data Processing Guidelines when registering on the website, you – by ticking the appropriate checkbox – accept the current provisions of these Data Processing Guidelines and give your express consent to have your personal data processed by the Public Foundation with regard to the Webshop. Thus the legal basis for data processing for this is Regulation point (a) of Article 6(1). If you place an order in the Webshop, a further legal basis for processing is added: processing is necessary in order to enter into and execute contracts regarding the Webshop (Regulation point (b) of Article 6(1)).
5.3./ The purpose of data processing: Creating a user account for persons registering on the website webshop.terrorhaza.hu for the purpose of purchasing, which is a legitimate basis of processing. The purpose of the data processing is the operation of the Webshop, the provision of the services available from the Webshop, operation of the related databases, fulfilment of orders submitted by customers, collection of the payments related to the orders, and especially:
- a) Processing the orders and financial transactions initiated by the Customer.
- b) Sending sales confirmations to the Customer.
- c) Documenting any benefits that a registered Customer may be eligible for.
- d) Responding to Customers’ requests, questions and complaints.
- e) Administering the user accounts.
5.4./ Scope of the data processed with regard to the Webshop:
- a) last name and first name,
- b) e-mail address,
- c) phone number,
- d) postal address (country, municipality, postcode, street name, house number, floor, door number),
5.5./ Duration of data processing: We process your personal data provided when registering or placing an order until you withdraw your consent or delete your personal account. The Public Foundation shall only process the personal data submitted by the Customer as long as the Customer has an active account, or until the Customer requests the deletion of their data, or the Customer withdraws their consent to the processing of their personal data. You may make such requests by emailing us on .
5.6./ Related IT systems: the software of webshop.terrorhaza.hu and the server owned and operated by PRAE.HU Kft. The software running on it and its contents are the property of the Public Foundation.
6./ Data processing related to invoicing
6.1./ Short description of the data processing: If you make a financial transaction regarding an order on the Webshop (you pay the price of the product by bank card or in cash), the Public Foundation shall issue a bill about the price of the order.
6.2./ The legal basis for data processing: processing is carried out for the purpose of complying with legal obligations pertaining to the Data Controller [subsection c) of section (1) of Article 6 of the Regulation]. Applicable law: Act CXXVII of 2007 on the Value Added Tax (VAT Act): Article 159 (on the obligation to issue invoices), Article 169 (mandatory content elements), Act C of 2000 on accounting (Accounting Act): Articles 166-169 (accounting documents, strict accountability documents, obligation to keep documents).
6.3./ The purpose of data processing is the support and documentation of the economic event (orders and their execution), which is a legitimate purpose for data processing.
6.4./ Scope of the processed data: The name, address, date and time of purchase of the customer (natural person).
6.5./ Duration of data processing: 8 years
6.6./ Relevant IT systems: Novitax,
7./ Obligations of the Customer
7.1./ By providing their e-mail address and other personal data, the Customer assumes responsibility for ensuring that only he or she shall provide data and submit orders from that e-mail address, and that the data provided shall always be correct. In light of this assumption of responsibility, the Customer who registered the specific e-mail address shall bear all liabilities related to the logins that were performed with that e-mail address. Customers, please note that if you do not provide your own personal data, it is your responsibility to obtain the consent of the relevant data subject.
7.2./ The minimum age for Customers consenting to the processing of their personal data on the website is 18 years. If you are not yet 18 years of age, please do not provide your data on this website, and do not use the services.
8./ Data processing related to visitors of the website
8.2./ Legal basis for data processing: Consent as per point (a) of Article 6(1). By clicking the button “I accept” on the website you accept the processing. The consent of the data subject is not needed when the sole purpose of using cookies is to transfer information on an electronic telecommunication network, or if it is essential for the service provider to be able to provide the information society-related service expressly requested by the user.
8.3./ The purpose of data processing: In the case of registered users it is the identifying of users, making statistics, tracking visitors; in the case of customers it is the managing of the “shopping cart”.
8.4./ Scope of the processed data: unique ID numbers, dates, times.
8.5./ Duration of data processing: Session cookie: to identify the user for the login procedure, PHP session id: the system deletes it when the browser is closed.
8.6./ Related IT systems: the software of webshop.terrorhaza.hu and the server owned by PRAE.HU Kft and rented by the Public Foundation.
8.7./ Controllers authorised to access the data: the staff of the Public Foundation may process the personal data, respecting the above principles.
8.8./ Rights of data subjects regarding processing: data subjects may delete cookies under the appropriate menu of the browser they use.
Third party cookies
8.9./ Short description of the data processing: The site webshop.terrorhaza.hu uses third party cookies (by Facebook and Google) to monitor the activities of visiting users and transmit such data to the website owners, for the purpose of conducting visitor analysis and carrying out marketing-related activities. Scope of data subjects: all data subjects who visit the website, regardless of the services actually used.
8.10./ Legal basis for data processing: For the purpose of the data processing that facilitates visitor analysis and marketing activities, the legal basis for data processing is defined in Article 6 (1) (a) of the Regulation: the consent of the user. By clicking the “Yes, I understand” (OK, értettem) button on the website, you consent to the technical data collection and data processing activities related to visitor analysis and marketing.
8.11./ The purpose of data processing: The purpose of data processing is to provide a user-friendly experience for the visitors of the website, as well as to collect data regarding the use of the website for purposes of visitor analysis and marketing activities.
The information needed for the following activities cannot be directly linked to specific persons (only to the device used for accessing the website):
– Assessing how many visitors open the website, how often each page of the website is accessed, how much time the users spend on each page – the purpose of which is to tailor the website to the needs of the Users.
– Capturing the physical place from where the User (the device used for accessing the website) accesses the website – to provide a geographical distribution of the users interested in the services provided by the Data controller.
– Identifying the website from where the User opened the current page of the Website – to assess what topics may be of interest to the Users interested in the services provided by the Data controller, and to measure the performance of promotional activities regarding the services.
8.12./ Scope of the processed data: The pages visited during the visit to the website and the order in which they were accessed, as well as the IP address of the device used by the Users.
Data processed for the purpose of measuring the visitor number of the website:
– the pages visited during the visit to the website and the order in which they were accessed,
– the frequency with which each page of the website was viewed,
– other websites from which the User arrived (only for websites where there is a link placed to the website assessed),
– the geographical location of the website visitors (based on information about the internet provider, approximate data on the location of the device used for accessing the website),
– the time the User opens the website,
– the time the User leaves the website,
– the duration which the User spent on the website.
8.13./ Duration of data processing: Regarding the data retention times, please see the data processing guidelines posted by Facebook and Google: https://policies.google.com/technologies/retention?hl=hu and https://hu-hu.facebook.com/privacy/explanation.
8.14./ Related IT systems: the software of webshop.terrorhaza.hu and the server owned by PRAE.HU Kft and rented by the Public Foundation.
To measure the relevant data, the IT system of the Data controller uses the tools provided by Google Analytics (Google Ireland Ltd.). When accessing websites which use Google Analytics tools, the cookies provided by Google record the preferences and information selected by the user; this method is also used to gather information used for tracking the visitor numbers of the website and to map the related browsing trends.
The cookies that the Data controller uses to facilitate access to its Facebook pages and to share and like the website via Facebook (Facebook button, Facebook Share button, Facebook Like button) are provided by Facebook Ireland Ltd., which means that Facebook Ireland Ltd. can access the data handled by these cookies.
8.15./ Controllers authorised to access the data:
Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland), the owner and operator of Google Analytics tools, also has access to the data detailed above. Besides carrying out the analytical tasks mentioned above, Google Ireland Ltd. also uses the data outlined above to show targeted advertising to the users of its browser. Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), through the services provided, also enjoys access to the data processed for the purpose of measuring the visitor numbers of the website and to map out the related browsing trends. Google and Facebook connect the data and the IP address of the device used for accessing the website to assess the interests of the user based on browsing trends, and based on this information, show targeted advertising on the device in question. These service providers do not have access to any data not mentioned in these paragraphs. Further information:
8.16./ Rights of data subjects regarding processing: Data subjects may delete cookies under the appropriate menu of the browser they use, or use private/incognito browsing to access the site, which makes it impossible to connect their activities to their Facebook/Google profiles.
9./ Controllers, processors, data transfers
9.1./ By accepting these Data Processing Guidelines, the Customer acknowledges that the Public Foundation for the Research of Central and East European History and Society (registered seat: 1122 Budapest, Határőr út 35.) as the data controller will transfer the following personal data, provided by the Customer, stored in the user database of the site webshop.terrorhaza.hu (as a point of sale) to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.) acting as the data processor. The data controller transfers the following personal data: email address and phone number of the Customer, details of the bill-to address, details of the shipping address.
You may find out more about the specifics and purposes of the data processing activities carried out by the data processor in the Data Processing Guidelines of SimplePay, which is available at the following address: http://simplepay.hu/vasarlo-aff
9.2./ The personal data submitted by users during the course of using the Webshop are processed by the accounting firm tasked with carrying out the accounting obligations of the Public Foundation, as well as those employees of the Public Foundation tasked with the fulfilment of orders submitted via the Webshop and monitoring the related payments. The personal data provided upon registration are stored by the software of webshop.terrorhaza.hu on a server owned by the Public Foundation and shall not be disclosed to any third parties.
9.3./ By completing the Registration process and submitting their orders, the Customer consents to the persons defined in Section 9.1 and 9.2. controlling and processing their data.
9.4./ Except for the cases detailed in sections 9.1. and 9.2., we shall not transfer your personal data to any third parties unless compelled to do so by law or a final court ruling or public decree.
9.5./ We do not provide personal data to other natural or legal persons for the purpose of carrying out marketing activities related to their products or services.
10./ Data security measures
10.1./ The Public Foundation provides protection to the data by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique. In determining the measures to ensure security of processing, the Public Foundation shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.
10.2./ Personal data provided by the user are protected during their transfer and after their arrival to the databases of the data controller. However, there are no completely safe methods for transferring data online and storing data electronically. We implement industry-standard solutions for the protection of personal data; however, their absolute safety cannot be guaranteed.
10.3./ The IT system of the Public Foundation is located in a server stored in the purpose-built secure room of Magyar Telekom Nyrt.
10.4./ The operator has put into service several safety and security procedures to safeguard the IT systems and networks of the Public Foundation, among them the following:
- a) The Customer is only able to access their user profile with the password and user ID that they provided. The password is stored in an encrypted state. The use of a strong, alphanumeric password (one that contains both letters and numbers) is required, and the user is not allowed to share the password with others.
- b) Your personal data are stored on a secure server. The secure servers are only accessible to certain employees of the Public Foundation, and are password-protected,
- c) We back up the data to avoid data loss,
- d) Physical protection: The server is found in a data center protected by a fence, CCTV surveillance, armed guards and multi-step access control,
11.1./ According to the wording of the Regulation, “data subject” is a natural person who can be identified, directly or indirectly by reference to relevant information or personal data.
11.2./ Please note that prior to the fulfilment of claims regarding the enforcement of rights, the Public Foundation is obliged to identify the person submitting the request. Where the Public Foundation has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the requestor.
11.3./ You may contact the Public Foundation or the data protection officer any time in order to exercise your rights below:
- a) you have the right to ask for more information regarding the handling of your personal data, and to request a copy of your data that the Public Foundation handles and processes (right of information, right of access – Regulation Art.15, Information Act section 15).
- b) you have the right to request the rectification of incorrect or incomplete data (right to rectification – Regulation Art.16, Information Act section 17).
- c) You are entitled to request the deletion of your personal data, and if your data are published publicly, you may request that the Public Foundation forward your deletion request to other data controllers (right to erasure – Regulation Art.17, Information Act section 17, subsection (2)).
- d) You have the right to request the restriction of processing (right to restriction of processing – Regulation Art.18).
- e) you are entitled to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability – Regulation Art.20).
- f) You have the right to object against the data processing activities (right to object – Regulation Art.21, Information Act section 21).
- g) When your data is processed based on consent, you have the right to withdraw your consent any time. Your withdrawal does not affect the legality of the processing activities carried out before the withdrawal (right to withdraw consent – Regulation Art.7(3)).
- h) You have the right to lodge a complaint with a supervisory authority, if you believe that our processing activities are in conflict with any law in force (right to lodge complaints with a supervisory authority – Regulation Art.77).
11.5./ The Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) shall provide legal remedies, and receives the complaints of the users:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
11.6./ If the Public Foundation refuses to comply with your (the data subject’s) request, the factual and legal reasons on which the decision for refusing the request is based shall be communicated in writing or, subject to your consent, electronically within 25 (twenty-five) days of receipt of the request. If your request is refused, the Public Foundation shall inform you of the possibilities for seeking judicial remedy or lodging a complaint with the Authorities.
11.7./ If you disagree with the decision taken by the Public Foundation, or if the Public Foundation fails to meet the deadline, you shall have the right to turn to court within 30 (thirty) days of the date of delivery of the decision or from the last day of the time limit. You may, at your discretion, start a lawsuit either at the court in the Public Foundation’s registered seat or your domicile. The competent court based on the seat of the Public Foundation is the Municipal Court of Budapest.
12.1./ The Public Foundation as the data controller, with a view to control measures relating to personal data breaches and to inform data subjects – shall keep records containing the personal data affected, the personal scope affected by the data incident, the time, circumstances and effects of the personal data breach and measures taken to eliminate it as well as other information required by law.
12.2./ In matters not regulated by these Data Processing Guidelines, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act V of 2013 on the Civil Code as well as other relevant acts shall apply.
Budapest, 14 February 2020.