PRIVACY POLICY
Effective date: 1 January 2023
1 Introduction
This Privacy Policy is issued by the Hard Dog Race Kft. as data controller (hereinafter: “Data Controller”) to regulate his or her data processing activities. The Policy is updated regularly to ensure continued compliance with the current legislation of Hungary and the European Union. The currently up-to-date version of the Privacy Policy is available at http://harddograce.hu and at the registered office of the company, at the reception.
2 Data of the Data Controller
Name of the Data Controller: Hard Dog Race Kft. (hereinafter: “Data Controller”)
Registered office: 1036 Budapest, Lajos utca 78. 4. em. Phone: +36 (20) 385 2090
Email: info@harddograce.hu
Website: http://harddograce.hu
Company registration number: 01-09-291006
Tax number: 25820922-2-41
Data Processing Coordinator (Data Protection Officer): András Púza
3 Purpose of the Policy
The purpose of this Privacy Policy is to set out the most important regulations related to personal data processed by the Data Controller, and to record information and principles on data processing.
The Data Controller organizes obstacle course races in Hungary and in other countries of the European Union. These races are organized in cooperation with subcontractors; the Data Controller grants rights related to, and provides data and information about the race to those entitled by contract. The purpose of this Policy is to ensure that data is processed in a clearly defined manner transparent to all persons concerned, taking into account all relevant provisions.
The main purpose of this Privacy Policy is to ensure that the Data Controller complies with all provisions of current legislation on data processing, in particular but not exclusively with the provisions of
- Act CXII of 2011 on Informational Self-determination and the Freedom of Information;
- Regulation 2016/679 of the European Parliament and of the Council (27 April 2016) on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, repealing Directive 95/46/EC (General Data Protection Regulation (GDPR));
- Act XLVII of 2008 on the Prohibition of Commercial Practices that are Unfair to Consumers;
- Act CXXXIII of 2005 on the Protection of Persons and Property and on the Activity of Private Investigators;
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4 Definitions
- data processing: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Pursuant to this Policy the data controllers are:
The Data Controller: | |
Name: | Hard Dog Race Kft. |
Registered office: | 1036 Budapest, Lajos utca 78. 4. em. |
Company registration number: | Cg.01-09-291006 |
Tax number: | 25820922-2-41 |
General Manager: | András Púza |
Website: | harddograce.hu |
Email: | info@harddograce.hu |
Phone: | +36 (20) 385 2090 |
- data processing: performing technical tasks in connection with data processing operations, regardless of the method and means used for executing the operations, as well as the location where they are performed, provided that the technical task is performed on the data;
- data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller;
Pursuant to this Policy the data processors are:
As Organizer in the Czech Republic: | |
Name: | Hard Dog Race Kft. |
Registered office: | 1036 Budapest, Lajos utca 78. 4. em., Hungary |
Tax number: | 25820922-2-41 |
Email: | info@harddograce.hu |
Mobile: | +36 (20) 385 2090 |
As Co-organizer in Poland: | |
Name: | Kreacje Kornelia Radzikowska |
Registered office: | Warszawa, ul. Poligonowa 2/18 04-051 |
Tax number: | PL1132359448 |
Email: | radzikowska.kornelia@harddograce.pl |
Mobile: | +48 510 501 791 |
As Accountant: | |
Name: | AN-TOR Kft. |
Registered office: | 1173 Budapest 517. utca 1. |
Tax number: | 12081770-2-42 |
Email: | antor@antor.hu |
Mobile: | +36 30 824 49 66 |
As Website Operator: | |
Name: | Hard Dog Race Kft. |
Registered office: | 1036 Budapest, Lajos utca 78. |
Tax number: | 25820922-2-41 |
Email: | info@harddograce.hu |
Mobile: | +36 (20) 385 2090 |
Service provider storing accounting documents: | |
Name: | Szamlazz.hu – KBOSS.hu Kft. |
Registered office: | 1031 Budapest Záhony u. 7. |
Tax number: | 13421739-2-41 |
Email: | info@szamlazz.hu |
Service provider storing data: | |
Name: | Google LLC (aka Alphabet Inc.) |
Registered office: | 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA |
Service provider sending newsletters: | |
Name: | The Rocket Science Group, LLC |
Registered office: | 675 Ponce de Leon Ave NE (Mailchimp)
Suite 5000 |
- data destruction: complete physical destruction of the medium containing the data;
- data erasure: making any data unrecognizable in a manner that they cannot be restored;
- data transfer: making any data available to a specified third person;
Pursuant to this Policy the Data Controller performs data transfer as follows:
- Transferring the data of his or her employees for the purpose of payroll accounting. This data transfer includes all data related to employment, including the employee’s bank account number.
- Transferring the data of natural persons as buyers to the National Tax and Customs Administration of Hungary to fulfil statutory obligations, in the month following the purchase.
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- GDPR: Regulation 2016/679 of the European Parliament and of the Council (27 April 2016) on General Data Protection Regulation;
- consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Privacy Act: Act CXII of 2011 on Informational Self-determination and the Freedom of Information
- personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- objection: statement made by the data subject objecting to the processing of his or her personal data and requesting the deletion or erasure of the data processed;
5 Scope of the Policy
5.1 Time scope This Policy is effective from 1 April 2019 until revoked.
5.2 Personal scope
The scope of this Policy includes the Data Controller, the Employees and Partners of the Data Controller, and all natural persons whose data is concerned by the data processing governed by this Policy.
5.3 Material scope
The scope of this Policy includes all data processing performed in any organizational unit of the Data Controller concerning personal data, whether performed electronically and/or on paper.
6 Information on data processing
The Data Controller shall inform the data subjects of the processing of their personal data.
The information on data processing included in the appendices form an integral part of this Policy. These informational materials contain the details of important information related to data procession, such as the description of data processing activities and their processes; the names of data subjects; the scope of information processed; the foreseeable duration of the retention of data; and the legal basis and purpose of data processing. The informational materials include the regulations applied in order to ensure data security, and the rights and available legal remedies of data subjects.
This Privacy Policy shall not be valid unless accompanied by these informational materials.
7 Principles of data processing
Personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). The controller shall be responsible for, and be able to demonstrate compliance with, the above (‘accountability’).
- Scope of the processed data:
- The Data Controller processes data in the following registration systems:
- – Employment records
- – Data of the competitors provided voluntarily and collected during the race
- – Data processed related to contractual and other partners
- – Occasional data processing
8 Responsibilities
The Data Controller maintains a record of his or her data processing activities, which contains per data purpose: data processing activities and all related information (name and purpose of the data processing activity; data subjects; data source; data types; the basis of the data processing, e.g. consent, the organization’s legitimate interest, legislation; the data storage period; the storage method; and the recipients of the data transfer (if any)). In the case of each data processing activity we have appointed a person in charge who is able to make substantive decisions regarding data processing. All data processing activities to be performed during our operations (informing data subjects, obtaining consent) were incorporated in our processes. Within the organization of the Data Controller only the employees of the specific organizational body dealing with the given case can learn and use the processed personal data, and only to the extent that and for as long as the personal data are necessary, provided that meaningful performance in the case requires learning personal data. The Hard Dog Race Kft. is responsible for all of his or her employees performing data processing knowing the provisions of this Policy. The compliance with the provisions of this Policy shall be verified regularly.
9 Ensuring the rights of the data subject
Data subjects may exercise their rights by notification through the channels specified in the informational materials. Communication is received by the employee performing data processing. He or she shall include all persons in charge concerned with data processing into the process of fulfilling the request.
Data subjects receive information on the identity of the Data Controller and the Data Processor; the scope of processed data; the purpose of data processing; and their rights and the options to exercise them from the Data Processing Information issued by the Data Controller.
- right of access: The data subject shall have the right to access his or her personal data processed, and receive information on the purpose, legal basis, storage, and storage period of his or her data managed and processed. Right of information includes amending, deleting, and limiting the processing of, personal data, and receiving information on the option to submit a complaint to the supervising authority. The Data Controller shall not refuse to fulfil the data subject’s request to exercise his or her rights, unless the Data Controller proves that he or she is unable to identify the data subject. The Data Subject may be charged a reasonable administration fee for any additional copies by the Data Controller.
- right to rectification: The Data Subject shall have the right to obtain from the Controller the rectification of inaccurate or incomplete personal data concerning him or her by providing a supplementary statement.
- right to erasure (‘right to be forgotten’): the erasure of data by the Data Controller at the Data Subject’s request; but this does not impose an automatic obligation on the Data Controller. The Data Controller shall have the obligation to erase the Data Subject’s personal data where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the data processing is based, and there is no other legal ground for the processing;
- the data subject objects to the data processing, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which the controller is subject.
Personal data processed by the Data Controller shall be deleted soon after the legal ground for the data processing ceased, including the revocation of consent in the case of data processing based on consent.
- right to blocking of data: The data controller shall block the personal data of the data subject instead of erasing it if the data subject so requires or if the available information suggests that the erasure would be contrary to the legitimate interest of the data subject.
Personal data blocked in this way may only be processed as long as the purpose of the data processing excluding erasure exists.
- right to restriction: If there is any possibility that the processed personal data related to the data subject is inaccurate, the processing is unlawful or unnecessary, or the data subject protests the data processing, the data subject can request that the Data Controller restricts the processing related to these data.
- right to data portability: The Data Subject shall have the right to receive the personal data provided by him or her in a machine-readable format (pdf, doc, excel, txt) in order to transmit those data to another controller.
- right to object Where personal data are processed for the purposes of the legitimate interests pursued by the Data Controller or by a third party; or where personal data are processed or transmitted for direct marketing purposes, public opinion polls, or scientific research; and in any other case specified by law, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes.
The Data Controller shall
- examine the protest as soon as possible after it was submitted, but within no later than 15 days,
- he or she shall make a decision on its grounds,
- and inform the submitter about his or her decision.
10 Data transfer
Personal data shall not be transferred to third parties without the data subject’s prior written consent. The Data Controller informs the Data Subjects about the identities of the Data Processors in Section 4, Point 4. Data transfers required by law (see: Chapter 4 Point 7/b).
The Data Controller strictly expects from his or her contractual processing partners when entering a legal relationship related to data processing that during the processing of personal data they strictly, but at least to the extent that it is guaranteed by this Policy, comply with the provisions of the Privacy Act, the GDPR, and the currently applicable data protection legislation. The Data Controller requests the consent of data subjects in each case when data is to be transferred to a country outside the EEA. Both the information provided and the declaration of consent shall include the specific identity of the data processor (name and address, or company name and registered office), the scope of data to be transferred, and the exact geographical location where the data is stored and processed.
The Data Controller, in order to verify the lawfulness of the data transfer, and to inform the data subjects, maintains records about all data transfers concerning substantial sets of data presenting a higher risk; these records shall include the time of the personal data transfer, the legal grounds and the recipient of the transfer, the definition of the scope of transferred personal data, and other data specified by the legislation on data processing.
11 Data security
The Data Controller ensures the safety and security of data during his or her daily operations by storing paper-based personal data in a locked cabinet accessible to only those employees who use them during their work.
Electronic data shall be stored in an encrypted from. The Data Controller uses encryption on all of his or her devices which store personal data. In the case of transferred personal data, all data shall be protected by an at least eight-character-long password containing both lower- and upper-case letters, numbers, and at least one special character. The Data Controller shall also confirm the identity of the recipient and forward the password via a different channel.
12 Managing and processing the personal data of employees
The Data Controller maintains employment records about employees in a contractual relationship with him or her, as required by law, and fulfils his or her contractual obligations through the employee’s data provision. For employment purposes the printed and signed copy of the employment contract shall be stored by the general manager(s) exercising the employers’ rights, in a locked location, not accessible to others. No electronic copy shall be prepared of the employee’s personal data or the employment contract. The employee’s consent to data processing shall be attached to the employment contract (Appendix No. 6), the execution of which is a condition of employment.
The employer may require the employee to prepare records of his or her working time, which record will then be forwarded to the Data Processor defined in Point 4.4 by the Data Controller or the employee. The data shall be forwarded in a way that no unauthorized person is able to read it (as a compressed and/or encrypted file or in an envelope that enables the verification of integrity when received by the recipient). The Data Processor shall not store personal data after processing (payroll accounting), and shall forward the data to be stored to the Data Controller in a way that no unauthorized person is able to read it or modify its contents before it is received (as a compressed and/or encrypted file or in such an envelope that enables the verification of integrity when received by the recipient). The Data Processor shall be responsible for such transmission of data.
The sender shall be responsible for the integrity of all documents containing personal data forwarded through post.
The Data Controller shall store all employment records and all related documents, e.g. payroll accounting, for the period required by law, and then destroy them. All personal data provided by the employee (e.g. bank account number) shall be stored by the Data Controller for six months following the termination of the employment relationship, and then deleted from the electronic system during the next annual review. Such personal data shall only be stored if required by law, e.g. in bank statements.
The Data Controller shall not store employment contracts containing personal data electronically. All employment contracts shall be stored in a locked cupboard as the original copy, accessible by only the general manager exercising employers’ rights. Employment contracts shall be stored by the Data Controller for ten years to comply with statutory obligations.
The Data Controller shall establish the rules of data processing regarding his or her employees in Appendix No. 1.
The Data Controller may provide a vehicle for occasional or exclusive use for work. The Data Controller sets out the rules for its use in its Company Vehicle Policy.
Due to the operations of the Data Controller certain positions require the recruitment of new employees. In these cases, the Data Controller obtains personal data from applicants in the form of CVs. These personal data are necessary in order to fill the position and to maintain normal business operation, on compelling legitimate grounds. The Data Controller shall not request special personal data. The Data Controller only requests data to be included in the CV that serves to describe the professional background, competence, and level of experience of the applicants, and their contact information in order to contact any chosen applicant.
In the event the Data Controller finds any special data in the CV, he or she shall delete it immediately. The CVs shall be stored on the Data Controller’s own server for one year after the position was opened, in order to have suitable applicants if the applicant employed for the position proves to be incompetent professionally. This is in the legitimate interest of the Data Controller. After this period the Data Controller deletes all CVs and attached documents. CVs shall be accessible only to those employees who take part in the selection and recruitment process, and the access is essential for their work.
13 Closed circuit systems and their access
The Data Controller does not operate a closed-circuit camera system at his or her premises.
14 Personal data stored on IT and telecommunication devices, access to them, and the website
14.1 General method of data storage
The Data Controller operates server(s) and data storage unit(s) on which he or she stores personal data at his or her own premises. This is in the legitimate interest and, in certain cases, the statutory obligation of the Data Controller.
The scope of personal data stored on the servers and in cloud storage and the legal grounds for processing these data is included in Appendix No. 8.
Personal data stored on the server and in cloud storage are accessible to only those employees and subcontractors whose job or contractual obligations require work performed using such data. Access to these are granted and withdrawn by the General Manager of the Data Controller.
The IT systems of the Data Controller are monitored by the employees of the subcontractor of the Data Controller contracted therefor as an authorized person (4.4) through a remote monitoring system or personally. But the subcontractor is not authorized to access personal data either as data controller or as data processor.
The Data Controller protects the data content of the server with encryption, so that unauthorized persons cannot access its contents. Physical backup is always stored on encrypted storage units. The Data Controller ensures that all users change their access password every 90 days.
The Data Controller shall send personal data via email only after adequate identification of the recipient/addressee. In order to prevent unauthorized access to personal data sent and received via email, the Data Controller ensures that all users change their email access password every 90 days. Large amounts of personal data (payroll sheets or employee data) shall be sent as encrypted and/or password-protected files. Passwords shall be at least eight characters long, containing both lower- and upper-case letters, numbers, and at least one special character. Passwords shall be sent to the recipient through another channel.
14.1.1 Encryption of stored data
Data shall be stored in encrypted storage space on all computers provided by the Data Controller, and no personal data shall be stored at work stations (laptops or personal computers). Devices connected to the internal network shall be connected via MAC addresses.
14.2 Backups
The Data Controller performs backups regularly in order to guarantee his or her business operation and the safety of the data. This is in the legitimate interest of the Data Controller. These backups are stored at his or her premises, at an isolated location, accessible to only the general manager(s), and the authorized employees of Clicktech Bt. The instances of access are logged by the Data Controller, including the time and purpose of the access, the name of the person with access, all persons present, and the end of access.
The instances of access to the server are logged by the Data Controller, thereby ensuring that unauthorized accesses are identifiable. The server is in a locked room protected by an alarm at the registered office of the Data Controller. The server room shall be opened and closed by the Data Controller’s general manager appointed thereto, and the keys to the server room shall be stored at a secure location.
14.3 Softwares and systems used
The Data Controller stores the competitors’ data, ensures business continuity, and stores the data of buyers through Google’s system. The general manager of the Data Controller is responsible for granting and withdrawing access.
Regarding mobile phones and mobile communication devices, guidelines are provided in the Data Controller’s Mobile Phone and Landline Policy.
The Data Controller uses applications, programs, and softwares which store personal data and are essential for his or her operation extensively, the list of which is included in Appendix No. 9. In the case of certain positions, the Data Controller provides access to IT systems through mobile devices (mobile phones, tablets). On such devices the safety of the data is ensured by secure passcodes, and a separate password is required to access these softwares.
In order to comply with statutory provisions, the Data Controller uses external electronic document storage. These documents include invoices, contracts, and other financial and accounting documents. The Data Controller is responsible for the safety of these documents. Documents stored electronically shall only be accessible by the Data Controller’s employees who have authorization and whose job requires access. The Data Controller is responsible for the security of the data and its protection against unauthorized access. The Data Controller is not responsible for data loss or data theft due to the malfunction of any storage medium.
14.4 Wired and wireless office network
The Data Controller provides wired and wireless access at his or her registered office. The wired network is only accessible by authorized work stations. The wireless network is protected by WPA2 encryption, to which access is granted to the authorized persons by the general manager(s). Office networks are only accessible for work-related purposes.
14.5 WIFI network
The Data Controller operates a wireless, so-called guest network (guest WIFI) as well at his or her registered office, in order to provide internet access to guests. The server is not directly accessible through this guest network. Users can freely use he guest network. By using the guest network users accept the Guest WIFI Policy, a copy of which shall be displayed at the premises by the Data Controller. The Guest WIFI Policy is included in Point 10 of this Privacy Policy.
14.6 Website
The website at www.harddograce.hu is the property of the Data Controller. The Data Controller uses cookies on its website in order to ensure user experience and store statistical data. The Data Controller operates a webshop at his or her website. The Cookie and Webshop Policy of the Data Controller is included in Appendix No. 12, which is available on the website as well. The Data Controller offers the option for visitors of the website to accept or refuse cookies.
The website is operated by the Systems Administrator (4.4). The Data Controller is responsible for the security of the website.
Competitors can register and provide their personal data voluntarily on the website. Registration on this platform is possible only if the registering person accepts the Privacy Policy. Registration is voluntary. The registering person shall be responsible for the data and their accuracy. The data can be freely modified by the registered person at his or her discretion, and the account can be deleted. The Data Controller warns users who wish to register that if they do not accept the Privacy Policy, they should not register on the website.
14.7 Verification of devices connected to the network
The Data Controller regularly verifies his or her devices connected to the network in order to ensure their compliance to this Privacy Policy. The Systems Administrator is involved in this verification to perform software updates on the system regularly.
All further provisions regarding IT systems are set out in the IT Policy by the Data Controller.
15 Access control system
The Data Controller does not use an access control system at his or her registered office.
.
16 Processing photographs and video recordings
The Data Controller takes photographs and records videos at races for marketing and promotional purposes. These images and recordings are used for marketing and PR purposes on the Data Controller’s website, in emails, in printed form, on the Data Controller’s social media platforms, and particularly on youtube.com.
Photographs are taken and videos are recorded at the events of the Data Controller as well, which events participants can attend after filling a consent form pursuant to Appendix No. 11.
The Data Controller stores these recordings on his or her server without names, accessible to only authorized employees for work purposes.
All rights for the photographs taken at his or her premises and at his or her events are reserved by the Data Controller. They shall not be published without written consent.
The Data Controller also reserves the right to forward the images and recordings to third persons for data processing purposes. In these cases, the Data Controller exercises due care and ensures that the Data Processor acts and processes these data with appropriate care at least to the extent this Privacy Policy provides.
The Data Controller organizes races open to the press. Pursuant to Appendix No. 11 all competitors agree that at the races photographs and video recordings may be taken of them, which may later be shown to the general public repeatedly. The Data Controller shall not be held liable regarding images and recordings prepared by the press.
17 Management of personal data breaches
17.1 Definition of personal data breach
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed.
17.2 Procedure in case of personal data breach
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material, or non-material damage to natural persons. Such damage includes the loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, etc.
17.2.1 Notification
As soon as the Data Controller becomes aware that a personal data breach has occurred, the Controller shall notify the personal data breach to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. If the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, no notification needs to be made.
17.2.2 Notification
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subjects without undue delay in order to perform the necessary precautions. The information provided to the Data Subject shall contain all information described in Point 17.2.1 in an easily comprehensible language regarding the notification to be sent to the NAIH.
Data subjects shall be notified as soon as reasonably feasible and in close cooperation with the supervising authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.
Data Subjects shall be informed using the form set out in Appendix No. 4. The Data Controller is not obliged to inform the Data Subject on the personal data breach if any of the following conditions are met:
- the Data Controller has implemented appropriate technical and organizational safety measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access them, such as encryption;
- the Data Controller took subsequent measures following the personal data breach which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize;
- the information would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
17.2.3 Responsibilities
All employees of the Data Controller who detect a personal data breach shall immediately inform the Data Protection Officer.
The Data Protection Officer ensures that all tasks described in Point 17.2.1 are performed, and prepares a record of the incident (Appendix No. 5).
The Data Protection Officer also takes immediate action so that the Data Controller’s relevant employees take all necessary steps to guarantee the restoration of the security and the lawful processing of the personal data affected.
18 Application, revision, and validity of the Privacy Policy
The Data Controller makes his or her Privacy Policy available at his or her premises in Hungarian. The Privacy Policy is issued on the day it is executed by the General Manager of the Data Controller. The scope of the Privacy Policy includes all employees and partners. The Data Controller reviews all of his or her contracts pursuant to the Policy, and notifies the Data Subjects of its application.
The Data Controller may prepare excerpts of this Privacy Policy, which excerpts are then made available for the Data Subjects.
The Data Controller reserves the right to amend this Privacy Policy without prior notification.
The Data Controller makes the application of this Privacy Policy obligatory for all of his or her employees, ensures that employees know its contents, and takes all necessary stepts in order to ensure the employees’ compliance.
This Privacy Policy shall be revised, amended if necessary, and re-issued at least once every year. The General Manager of the Data Controller shall store all issued Privacy Policies for the period required by law.
Budapest, 1 April 2019
András Púza
General Manager
Appendix No. 1
Regulations on Data Processing for Employees
All employees of the Hard Dog Race Kft. (1036 Budapest, Lajos utca 78. 4. em. Tax number: 25820922-2-41, CG: 01-09-291006, represented by: András Púza) as Employer and Data Controller (hereinafter: Data Controller) shall pay particular attention during their work to comply with the provisions of the Privacy Policy issued by the Data Controller.
All employees of the Data Controller shall comply with the provisions of the Privacy Policy. Failure to comply constitutes negligence.
The employee is responsible for damages suffered by the Data Controller caused by the employee’s negligence.
Employees shall pay particular attention when dealing with personal data stored by the Data Controller. Paper or electronic copies of personal data shall not be made unless for the purpose of work and performing obligations.
No copies serving purposes outside the scope of work shall be made, including storing personal data stored be the Data Controller on a device over which the Data Controller has no control, e.g. private cloud storage service (private Google Drive, iCloud, etc.), pendrive, private computer. Such data shall not be forwarded to any private email address for further processing.
Employees who, through the course of their work, process, transfer, or store personal data, shall pay particular attention to appropriate security measures. They shall not leave their computer unattended, and they shall lock it every time they leave their place of work. They shall not leave paper documents unattended, and they shall store them in a secure place, ensuring that no unauthorized person has access.
In the event they witness that a colleague does not perform the necessary security measures, they shall take all necessary steps in order to ensure that no unauthorized person has access to personal data.
All employees shall take appropriate measures to keep their own personal data secure. These include personal identification cards, driver’s licenses, employment contracts, wage slips, and working time records.
The Data Controller stores, processes, and transfers the Employees’ personal records pursuant to the Privacy Policy, therefore the Employees themselves shall act in accordance with the same:
- They shall transfer employment data only to authorized employees or to the Data Processor.
- They shall have their salary transferred only to the bank account number provided by them in writing.
- For the purpose of receiving tax credits personal data of their children and spouse shall only be transferred to the employee appointed thereto or to the Data Processor.
This Policy shall be given to all Employees, their contents shall be acknowledged after reading, and one (1) signed copy shall be kept with the employment records.
In the case of newly employed persons this policy shall be handed over separately from the employment contract.
This Policy takes effect on the day of its execution.
Budapest, 1 April 2019
András Púza
Hard Dog Race Kft.
General Manager
Appendix No. 2
PROCESSING THE PERSONAL DATA OF PARTNERS
The Hard Dog Race Kft. (1036 Budapest, Lajos utca 78. 4. em. Tax number: 25820922-2-41, CG: 01-09-291006, represented by: András Púza) as Data Controller (hereinafter: Data Controller) shall not request personal data from his or her partners pursuant to the Privacy Policy.
The Data Controller informs his or her business partners that personal data of his or her employees shall only be transferred if a contract requiring so was executed.
Data of the employees transferred by the Data Controller, e.g. phone number, address, and email address, are the addresses and email addresses of the Data Controller, therefore these do not constitute personal data associated with a private individual.
The Data Controller transfers personal data only if there is a contract requiring so, and only if consent was given by the data subjects. The partners are responsible for any personal data received from the partners.
Budapest, 1 January 2023
Appendix No. 3
PROCESSING THE PERSONAL DATA OF APPLICANTS
Name: ___________________________________________
Date of birth: ____________________________________
Place of residence: _______________________________________
Email address: ______________________________________
I hereby give my consent that the
Hard Dog Race Kft.
Company registration number: 01-09-327595
Name of registering authority/court: Budapest Metropolitan Court as Court of Registration
Tax number: 25820922-2-41
Registered office: 1036 Budapest, Lajos utca 78. 4. em.
as Data Controller
processes the personal data provided by me as follows:
- The Data Controller provided me with a detailed Privacy Policy before I made this statement. I have read, understood, and acknowledged the content thereof.
- I hereby declare that I provided my data voluntarily, and I explicitly give consent to the data processing pursuant to Point 4.
- All employees and contractual partners of the Data Controller whose operations are necessary for the purpose of data processing are entitled to access and process my personal data provided.
- The purpose of processing my personal data:
The activities of the Data Controller are aimed specifically at using my personal data (and my CV and other related documents containing my personal data) to ascertain whether I am qualified for the open position.
I hereby give my consent to data processing as marked below:
◻ Selection and recruitment aimed at filling a certain position
◻ Storing my data to use them for another job application at a later time
◻ I hereby give my consent to the Data Controller contacting me using the contact information provided by me, regarding job offers, events, and presentations related to seeking employment.
- Among the personal data provided by me special personal data
◻ are included – and I hereby explicitly consent to their processing.
◻ are not included.
- In the event there is any change is my data, I notify the Data Controller as soon as possible.
Dated: …………………, … … 2023
……………………………
signature
Appendix No. 4
NOTIFICATION ABOUT PERSONAL DATA BREACH
The Hard Dog Race Kft. as Data Controller (registered office: 1036 Budapest, Lajos utca 78. 4. em., tax number: 25820922-2-41, Phone: +36 (20) 385 2090, Email: info@harddograce.hu, Represented by: András Púza
hereby informs you about the following: on …………………….. an incident affecting your personal data occurred.
Description of events: | |
The categories and the number of data subjects concerned: | |
The categories and the approximate number of data records concerned: | |
The likely consequences of the personal data breach: | |
Measures taken or proposed to be taken by the Data Controller to address the incident: |
Dated: ……………………..
…………………………….. signature
Appendix No. 5
Person responsible for maintaining the register: the current Data Protection Officer
Personal Data Breach Register
Date of the incident | Description of the incident | Categories of data subjects | Consequences of the incident | Measures taken | Notification date (NAIH) | Notification date (data subjects concerned) |
Appendix No. 6
Declaration of Consent for Employees
PROCESSING THE PERSONAL DATA OF EMPLOYEES
The undersigned ______________________ (mother’s full name at birth: __________________; place and date of birth: __________________; address: ___________________________________) as an employee of the Hard Dog Race Kft. (Employer), I hereby give my consent to the processing of my personal data by the Employer pursuant to the Privacy Policy. I hereby declare that I have understood the Employer’s Privacy Policy and its appendices.
I consider the provisions of the Privacy Policy binding on myself.
I was handed the Privacy Policy for Employees, I have read it, understood its contents, and consider it binding on myself.
I hereby give my consent to the processing of my bank account number by the Employer in order to transfer my salary:
Yes No
I hereby give my consent to videos being recorded of me by security cameras during my working hours by the Employer, and to the Employer using the recordings pursuant to the Privacy Policy:
Yes No
I have read the Mobile Phone and Landline Policy and understood its contents.
I have read the Company Vehicle Policy and understood its contents.
I hereby give my consent to the storage of the personal data of my minor children (name, mother’s name, place and date of birth, tax identification number, social insurance number) by the Employer:
Yes No*
I hereby give my consent to the storage of my private email address:
Yes** No
I hereby give my consent to the storage of my private phone number:
Yes** No
By executing this document, I acknowledge that my consent to the data processing is voluntary, and is a condition of my employment.
Budapest, __ __ ____
_____________________
Employee
*in the event I do not give my consent, I acknowledge that I cannot receive any benefit or allowance after my children from my employer.
**The purpose of consent is only to maintain contact with the Employer; the data shall only be transferred to third parties after receiving prior written consent.
Appendix No. 7
Personal data processed by contractual partners, and confidentiality
The Hard Dog Race Kft. (1036 Budapest, Lajos utca 78. 4. em. Company registration number: 01-09-291006, Tax number: 25820922-2-41, Represented by: András Púza) as Data Controller
and the
___________ Kft. (address, company registration number, tax number, representative) as Data Processor,
hereinafter collectively: ‘Parties’.
The Data Controller operates the website harddograce.hu, and organizes dog-friendly obstacle course races in Hungary and in the European Union.
The Data Controller requests personal data from the competitors in order to store and document their results, and to use them for subsequent races.
The Data Processor and the Data Controller entered into an agreement on ___________ regarding __________ for the purpose of organizing the competition. In this regard the Data Processor shall have access to the competitors’ personal data.
The Data Processor acknowledges and accepts the Data Controller’s privacy policy regarding personal data, where the Data Processor may only access the data provided during data processing in order to fulfil his or her contractual obligations.
The Data Processor shall not store or copy the personal data; they may only be accessed and used on the Data Controller’s server or within the cloud storage provided by the Data Controller.
In the event the Data Processor downloads files from the Data Controller’s server or the cloud storage provided by the Data Controller, the Data Processor shall delete the files from his or her own computer after processing.
The Data Processor during the course of his or her work, during the period he or she is actively logged in, shall not leave his or her work station unattended, and shall only use his or her mobile phone and other mobile communication devices protected by a numerical code or a password of at least eight characters (containing both lower and upper case, numbers, and at least one special character), or by biometric identification as a substitute. The Data Processor shall ensure that the data storage medium of his or her computer used to access the data is encrypted.
The Data Processor shall manage all accesses provided by the Data Controller with a level of security so that unauthorized persons cannot access it. The Data Controller shall be immediately notified by the Data Processor of any unauthorized access, and the Data Processor shall take all necessary steps in order to minimize the risks posed by the unauthorized access.
The Data Processor has financial liability for damages caused by unauthorized access.
The Data Processor also has financial liability for damages caused by inadequate storage of the obtained data.
The data shall not be transferred to any third party without the written consent of the Data Controller.
The Data Processor shall not provide data to the press, and shall not make statements in the name of the Data Controller. The Data Processor is financially liable for all damages caused by such a conduct.
The Data Controller grants access to the Data Processor to the data of the races organized by the Data Controller, which is the Data Controller’s intellectual property.
The Parties agree that all knowledge and experience (know-how) generated throughout their cooperation is the property of the Data Controller.
The Data Processor is financially liable for all data loss and data theft occurring due to negligent and/or intentional non-compliance.
Budapest, 1 January 2023
András Púza
General Manager
Hard Dog Race Kft.
Appendix No. 8
Personal Data Stored on Servers And in Cloud Storages
The Hard Dog Race Kft. (1036 Budapest, Lajos utca 78. 4. em. Company registration number: 01-09-291006, Tax number: 25820922-2-41, Represented by: András Púza) as Data Controller stores the following personal data on the server operated at his or her registered office:
About competitors:
Username
Email address
Name
Gender
Place and date of birth
Mother’s full name at birth
Address
Phone number
License plate number
Clothing size
Dog’s name
Chip number
Number of vaccination records / Passport number
Dog’s owner
Dog’s gender
Dog’s breed
Dog’s behavior
About employees:
Name
Address
Mother’s full name at birth
Place and date of birth
Phone number
Email address
Bank account number
Tax identification number
Social insurance number
Children’s name, social insurance number, tax identification number, place and date of birth
Spouse’s name
Name of spouse’s mother
Spouse’s place and date of birth
Spouse’s tax identification number
The employees of the Data Controller shall only have access to the stored data for the purpose of work.
All data is stored on the server in an encrypted form.
Budapest, 1 January 2023
András Púza
General Manager
Hard Dog Race Kft.
Appendix No. 9
List of companies whose softwares are used by the Data Controller for the purpose of storing personal data
Google Inc. 600 Amphitheatre Parkway Mountain View, CA 94043
Innvoice Ügyviteli Szoftver Kft. 1025 Budapest, Muraközi utca 12/B 8
Budapest, 1 January 2023
András Púza
General Manager
Hard Dog Race Kft.
Appendix No. 10
Guest WIFI Privacy Policy and Terms of Use
The Hard Dog Race Kft. (1036 Budapest, Lajos utca 78.4. em. Company registration number: 01-09-291006, Tax number: 25820922-2-41, Represented by: András Púza) provides wireless internet access free of charge to his or her employees and guests at his or her registered office (Guest WIFI: ID: )
Through this WIFI network users can freely access all contents on the internet, access their emails and social media platforms.
When connecting to the network, the name, IP address, and MAC address of the connected device, the date of the connection, and the amount of data traffic is logged.
The Hard Dog Race Kft. logs and stores these data for security and technical reasons, for up to 30 days.
The Hard Dog Race Kft. does not log further details of the network usage or the accessed contents.
No content violating the laws of the Hungarian Republic shall be accessed through the Guest WIFI network. No illegal content shall be uploaded or downloaded during the use of the network, and all undeclared and unauthorized acts aimed against the Hard Dog Race Kft. or other companies, organizations, or government bodies are prohibited, e.g. hacking or denial-of-service attacks.
The Hard Dog Race Kft. reserves the right to terminate or modify the Guest WIFI network, or to amend the terms of use without prior notice. The Hard Dog Race Kft. does not take responsibility for damages caused thereby, or for providing continuity of service.
The Hard Dog Race Kft. does not take responsibility for unauthorized access to personal data stored on connected devices, and damages caused thereby.
If you do not wish to accept the above, do not connect to the WIFI network.
The Privacy Policy of the Hard Dog Race Kft. is available at his or her registered office in printed format.
Budapest, 1 January 2023
András Púza
General Manager
Hard Dog Race Kft.
Appendix No. 11
DECLARATION OF CONSENT REGARDING DATA PROCESSING
The undersigned, | |||
Place and date of birth: | |||
Address: | |||
Number of valid official document with photograph as proof of identity (personal identification card, passport, driver’s license): |
as a Competitor of the HDR race organized on ___ (day) ____________ (month) _______ (year) (hereinafter: Race) by the Hard Dog Race Kft. (registered office: 1036 Budapest, Lajos utca 78. 4. em.; company registration number: 01-09-291006;
hereinafter: Race Organizer) by signing this statement I give my explicit consent to my personal data necessary for participating in the Race recorded during registration (namely: name, place and date of birth, mother’s full name at birth, email address, phone number, dog’s name, chip number, number of vaccination records or dog passport, bank account number) to be recorded and processed by the Race Organizer as Data Controller, and to be used for the following purposes: Organizing and conducting the Hard Dog Race competition and sending newsletters to me if I gave my consent thereto during the registration process.
I am aware that I can request the deletion of my personal data recorded from the Data Controller via email sent to the address info@harddograce.hu, and I can delete my data myself on the entry module platform. I acknowledge that the deletion of my data over the duration of the Race results in my disqualification from the Race, because the Race Organizer cannot provide for my participation in the Race without said data.
I am aware that the Race is a public event; and the Race Organizer can take photographs thereof, on which images I may appear in an individually identifiable manner. By participating in the Race and signing this Declaration I give my consent to photographs being taken of me, and I further give my consent to said images or parts of them, in cropped or edited versions, to be used and published by the Race Organizer without a time limit as follows: on the website, Facebook page, YouTube channel, promotional videos, and press coverages of the race. I do not require any compensation for this usage and these publications. I acknowledge that images taken may be used by the Race Organizer after more than one (1) year for marketing purposes. I am aware that I can later revoke my consent at any time, but the Race Organizer does not tag me by name on the images, therefore my subsequent identification on images is limited, and I am not entitled to any compensation for damages.
Dated: ____________________, ______ (day) ____________ (month) _________ (year)
______________________
Declarant |
Before us as witnesses:
Name: | |||
Address: | |||
Number of valid official document with photograph as proof of identity
(personal identification card, passport, driver’s license): |
|||
Signature: |
Name: | |||
Address: | |||
Number of valid official document with photograph as proof of identity
(personal identification card, passport, driver’s license): |
|||
Signature: |
SUPPLEMENTARY DECLARATION FOR DECLARATION OF LIABILITY FOR PARENTS – HARD DOG RACE
I, the undersigned hereby acknowledge and agree, and by signing this declaration give my explicit consent that
Name: | Data of the person accompanying the child | |||||
Place and date of birth: | ||||||
Mother’s full name at birth: | ||||||
Address: | ||||||
Number of valid official document with photograph as proof of identity (personal identification card, passport, driver’s license): |
together with my minor child
Name: | Data of the child | |||||
Place and date of birth: | ||||||
Mother’s full name at birth: | ||||||
Address: | ||||||
Number of valid official document with photograph as proof of identity (personal identification card, passport): |
can participate in the HDR race organized on the ____ day of __________ (month) _______ (year) by the Hard Dog Race Kft. I have made a declaration of liability for parents regarding the participation of my child in the race, and I acknowledged the contents thereof. I acknowledge that pursuant to Point 1.2.2 of the Race Rules __________________________ (name of person accompanying the child) exercises all of my rights in my place.
Dated: ____________________, ______ (day) ____________ (month) _________ (year)
Name: | Data of parent giving consent | |||||
Place and date of birth: | ||||||
Mother’s full name at birth: | ||||||
Address: | ||||||
Number of valid official document with photograph as proof of identity (personal identification card, passport, driver’s license): | ||||||
Signature: |
Before us as witnesses:
Name: | |||
Address: | |||
Number of valid official document with photograph as proof of identity
(personal identification card, passport, driver’s licence): |
|||
Signature: |
Name: | |||
Address: | |||
Number of valid official document with photograph as proof of identity
(personal identification card, passport, driver’s license): |
|||
Signature: |
Appendix No. 12
Excerpt of the Privacy Policy published on the website
The Hard Dog Race Kft. (Registered office: (1036 Budapest, Lajos utca 78. 4. em., Company registration number: 01-09 -291006) hereinafter: Data Controller (organizer of the Race) and Data Processor pursuant to Act CXII of 2011, both acknowledge the contents of this Privacy Policy binding on themselves, and undertake that all their data processing activity related to their services comply with the provisions of this Policy and the relevant legislation.
The Data Controller pays particular attention to the protection of the personal data of his or her clients and partners, and to respecting their right to informational self-determination, therefore he or she undertakes to process all personal data provided to him or her confidentially, and to take all necessary steps to ensure the security of these data.
This Privacy Policy excerpt is available at all times at the website harddograce.hu/ nevezes/adatvedelmi-szabalyzat, but the Data Controller reserves the right to amend this Privacy Policy excerpt at any time. All persons concerned are notified of any changes through a notification published on the service provider’s website.
Terms and Definitions:
Pursuant to Section 3 of the Privacy Act and Article 4 of the Regulation, terms used in this Privacy Policy have the following meaning:
Data Subject: any specified natural person identified or identifiable directly or indirectly by personal data (Section 3(1) of the Privacy Act); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier personal data, or to one or more factors specific to the identity of that natural person (Article 4, Point (1) of the Regulation);
Personal data: any information relating to a data subject; in particular an identifier such as a name, an identification number, location data, online identifiers provided by their devices, applications, tools and protocols (such as internet protocol addresses, cookie identifiers) or other identifiers such as radio frequency identification tags (RFID) (Point (30) of the Preamble of the Regulation), or one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject (Section 3(2) of the Privacy Act, Article 4 Point (1) of the Regulation);
Data Controller: the natural or legal person, or business entity without legal personality, which, alone or jointly with others, determines the purposes of the processing of personal data; makes decisions relating to the data processing (including the tools of such processing) and executes them, or has the data processor execute them (Section 3(9) of the Privacy Act, Article 4 Point (7) of the Regulation);
Data Processing: any operation or set of operations which is performed on personal data or on sets of personal data, regardless of the applied means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; as well as the prevention of further use, audio or video recordings, and the recording of physical characteristics suitable for the identification of a person (finger or palm prints, DNA sample, iris imaging) (Section 3(10) of the Privacy Act, Article 4 Point (2) of the Regulation);
Data Control: performing technical tasks in connection with data processing activities, regardless of the methods and tools used for executing the operations, or the location where they are performed, provided that such technical tasks are performed on data (Section 3(17) of the Privacy Act);
Pursuant to this Privacy Policy the data processors are:
Data Processor: a natural or legal person, or organization without legal personality, public authority, agency or other body which processes personal data on the grounds of a contract with the Data Controller, including contracts concluded pursuant to legislative provisions; processes personal data on behalf of the Controller (Section 3(18) of the Privacy Act, Article 4 Point (8) of the Regulation)
Data Processors: | |
As Accountant: | |
Name: | T Plusz T Partner Bt. |
Registered office: | 1039 Budapest, Kolozsvár utca 30. |
Tax number: | 22561118-1-41 |
Email: | romaikonyvelo@gmail.com |
Mobile: | +36-30 991 20 60 |
As Website Operator: | |
Name: | Kft |
Registered office: | |
Tax number: | |
Email: | @ |
Mobile: | +36- |
Systems Administrator: | |
Name: | Kft |
Registered office: | |
Tax number: | |
Email: | @.hu |
Mobile: | +36 |
Service provider storing accounting documents: | |
Name: | Innvoice Ügyviteli Szoftver Kft. |
Registered office: | 1025 Budapest, Muraközi utca 12/b 8 |
Tax number: | 13172167-2-18 |
Email: | hello@invoice.hu |
Phone: | +36 30 7529 768 |
Service provider storing data: | |
Name: | Google LLC (aka Alphabet Inc.) |
Registered office: | 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA |
Third Party: any natural or legal person, or organization without legal personality other than the data subject, the Data Controller, or the Data Processor (Section 3(22) of the Privacy Act), or persons who, under the direct authority of the Data Controller or the Data Processor, are authorized to process personal data (Article 4 Point (10) of the Regulation);
Consent: a voluntary and express wish of the party concerned, based on having received prior information, by which the party concerned gives his or her unambiguous consent to the comprehensive or limited management of his or her personal data;
Data Transfer: making any data available to a specified third party (Section 3(11) of the Privacy Act);
Data Erasure: making any data unrecognizable in a way such data may no longer be restored (Section 3(13) of the Privacy Act);
Objection: statement made by the data subject objecting to the processing of his or her personal data and requesting the deletion or erasure of the data processed (Section 3(8) of the Privacy Act);Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Rules on Processing Personal Data and on Data Provision
Purpose of data processing: The Data Controller and the Co-organizer only process the personal data of the data subject regarding the Race for the purpose of organizing the Race and complying with statutory obligations.
Scope of the processed personal data: data provided by the Competitor on the entering website: name; place and date of birth; mother’s full name at birth; address; email address; phone number; name and phone number of emergency contact; data of the dog: name, chip number, number of vaccination records or passport number; and any further data for the payment of potential taxes or other public fees payable by the Organizer; and data necessary for issuing an invoice.
All data provided during registration are confidential; they are processed and may be used by the Co-organizer performing data processing only for the purpose of organizing the Race. The data is only accessible to them and the Data Controller, namely the Organizer.
The Data Subject is responsible for the correctness of the data provided, which do not infringe the individual rights of third parties.
By participating, the participants automatically acknowledge and accept the Race Rules and the Privacy Policy of the Race, and acknowledge the following:
- data provision is voluntary; data processing is based on their consent given by providing the data; the participant gives his or her consent to data processing by participating in the Race, entering the Race, and providing personal data voluntarily;
- their data is processed by the Co-organizer;
- the Organizer uses the personal data and personal information of the participants free of charge, for the purpose of organizing and documenting the Race;
- by accepting the Policy, the participant gives his or her consent to newsletters and information about the next race being sent by the Data Controller or the Co-organizer to the email address provided during entering the race;
- the Organizer, as the Data Controller of the Hard Dog Race competitions, offers the opportunity to the Competitors to store their data until the next race, so they do not need to provide them again for each individual race. In the event the Competitor does not wish to use this opportunity, he or she can request the complete deletion of his or her data after the conclusion of the given Race.
- the Organizer, as the Data Controller of the Hard Dog Race competitions, transfers the provided personal data to his or her franchise partner contracted with the Organizer for the given Race; in this respect the franchise partner is considered a Data Processor as well.
Pursuant to Section 5(1)a) of the Privacy Act and Article 6 Point (1)a) of the Regulation, the legal basis of data processing is the consent of the data subject.
Duration of data processing: Until withdrawn by the Data Subject, for a maximum of five years.
Newsletters:
The Data Controller provides newsletter service (targeted mail for advertising purposes). The Data Controller provides the opportunity for the Data Subjects to receive newsletters about his or her services and related news.
The purpose of data processing is the notification of the Data Subjects by delivering newsletters to the Data Subjects, and to ensure the possibility of contact for this purpose. The Data Controller sends to the subscribers of the newsletter online newsletters with information on new developments, news, and offers, and delivers direct marketing messages electronically.
Legal basis of the data processing: the consent of the Data Subject pursuant to Section 5(1)a) of the Privacy Act, Section 6(1) of the Advert Act, Section 13/A(4) of the E-Commerce Act, and Article 6 Point (1)a) of the Regulation.
Pursuant to Section 6(1) of the Advert Act, sending newsletters requires the unambiguous and explicit consent of the visitor of the website. The Data Subject gives his or her consent to being sent newsletters for marketing purposes by signing the Data Controller’s paper-based Declaration of Consent for Marketing Activities, or, on electronic platforms (website, mobile application, webshop), by accepting the Privacy Policy by checking the relevant box, and clicking the “Subscribe” (“Feliratkozás”) button. During electronic subscription the Data Subject receives feedback about the successful subscription.
The scope of personal data processed: A name and an email address needs to be provided to subscribe to the newsletter The name is required for initiating contact, the email address for keeping in contact.
The Data Subject is responsible for the correctness of the data provided, which do not infringe the individual rights of third parties.
Duration of the data processing: Data processing is performed until consent is withdrawn, for a maximum of 5 years. The Data Controller maintains records on those persons who gave their consent to receiving newsletters. In the event the Data Subject revokes his or her consent regarding data processing for the purpose of sending newsletters, the Data Controller deletes the personal data of the Data Subject from his or her records and its newsletter records, if any. The option to unsubscribe is provided in each newsletter in the form of a direct link, and the Data Controller’s website has the same option.
Regarding sending newsletters the Organizer is the data controller, and the Co-organizer and the franchise partners contracted for the given race are the data processors.
Management of consents
Below you can manage your consent given to your subscriptions and related to the HDR account itself (as a contact channel with all contact information associated with it) by each data management purpose (direct marketing, marketing based on profiling, sending offers of third parties contracted with the Hard Dog Race Kft., market research, and opinion polls).
If you wish to manage your consent related to all data processing purposes, relevant subscriptions, and all further data linked to the HDR account itself uniformly, for your convenience we provide the opportunity to do so with a single click. Your consent can be withdrawn at any time related to any data processing purpose, any piece of information, or related to the HDR account itself. Furthermore, you can modify the data on record in the event of any changes.
I hereby give my consent to all data processing for all data processing purposes listed (direct marketing, marketing based on profiling, sending offers of third parties contracted with the Hard Dog Race Kft., market research, and opinion polls) regarding all data listed above, and all further data linked to my HDR account.
Before giving your consent regarding any of the data processing purposes, please read the following information on data processing carefully:
- Based on consent to direct marketing the User gives his or her voluntary and informed consent to his or her identification data; data on consumer habits; contact information; data related to races; and location data being processed by the Organizer for direct marketing purposes (including calls by automated calling systems or operators). Consent can be withdrawn at any time.
- Based on consent to market research and opinion polls the User gives his or her voluntary and informed consent to his or her identification data; data on consumer habits; contact information; data related to races; and location data being processed by the Organizer for market research and opinion polling purposes (including calls by automated calling systems or operators). Consent can be withdrawn at any time.
- Based on consent to receiving offers from third parties in contractual relationship with the Hard Dog Race Kft. the User gives his or her voluntary and informed consent to his or her identification data; data on consumer habits; contact information; data related to races; and location data being processed by the Organizer for the purpose of sending offers from third parties in contractual relationship with the Hard Dog Race Kft. (including calls by automated calling systems or operators). Consent can be withdrawn at any time.
The data shall only be transferred to any third person based on the declarations of the data owner (Competitor) above, with the exception of cases set out in the relevant legislation.
The Organizer guarantees that the data processing is performed in accordance with the provisions of the current legislation. The rights of the Data Subject regarding data processing and the rules of legal remedy are set out in Act CXII of 2011 on Informational Self-determination and the Freedom of Information (hereinafter: Privacy Act) and in Regulation 2016/679 of the European Parliament and of the Council (27 April 2016) on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Pursuant to the legislation listed above the Competitor can request the rectification of his or her personal data and the limitation of data processing, can object to the deletion of processed data, and can request information on the processing of his or her data. The data subject shall have the right to receive the personal data related to him or her in a machine-readable format, and to transmit these data to another data controller or data processor, if the data processing is being performed based on consent and by automated means. If a Competitor wishes to have his or her data deleted or modified in the database, the Competitor can make a request at any time, without limitation or providing any reason, free of charge, at the email address info@harddograce.hu, or in a letter sent to the Organizer by post. The subject of the mail/letter shall in both cases be: Hard Dog Race competition date of the relevant race deletion of data. The Competitor acknowledges that the deletion of his or her data over the duration of the Race results in his or her disqualification from the Race, because the Organizer cannot provide for his or her participation without said data.
Cookie management: A cookie is a small text file sent by websites to your computer and stored on the hard drive of your computer. This file is stored and sent back by your browser to the website while you are browsing the website. There are cookies which are deleted when the browser is closed, and there are cookies which are returned each time you visit the same website again, which deposited the file on your computer. The cookie contains the name of the website, the name and value of the cookie, and its expiration date. You can change the permissions and settings regarding accepting cookies in the settings of your browser.
Certain cookies need to be used by the Data Controller’s website, especially when you log in to the website. If you disable cookies, this and similar functions built on cookie management will not be available. If you gave permission in your browser to accept cookies, the Data Controller interprets that as consent to use the sent cookies. If you do not wish to give your consent thereto, disable the use of cookies.
For the benefit of statistics and advertisements appearing on the Data Controller’s website, third parties (e.g. Google) may place cookies on your computer while you are browsing the Data Controller’s website. The purpose of this can be to show advertisements tailored to your interests, or for the Data Controller to prepare statistics of the visitors of the website and their browsing habits.
You can read more on how Google uses cookies on partner websites here: /policies.google.com/technologies/cookies?hl=hu
Contact details of the Data Controller:
Name of the Data Controller: Hard Dog Race Kft.
Registered office of the Data Controller: 1036 Budapest, Lajos utca 78. 4. em.
Contact information of the Data Controller (regularly used email address for contact): info@harddograce.hu
Company registration number: 01-09-291006
Tax number: 25820922-2-41
Registering authority: Budapest Metropolitan Court as Court of Registration
Phone: +36 20 529 2110
Data protection registration number: NAIH-112808/2017.
The Organizer undertakes to fulfil all of his or her obligations set out in Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing.
The Competitor has the right to object to the processing of his or her personal data. The Organizer shall examine the protest as soon as possible after it was submitted, but within no later than 15 days; the Organizer shall make a decision on its grounds, and inform the submitter about his or her decision.
The Data Subject’s right to legal remedy:
If the Data Subject disagrees with the decision made by the Data Controller, the Data Subject shall have the right to turn to court within 30 days following the last day of the deadline.
Legal remedy may be requested from and complaints may be submitted to the National Authority for Data Protection and Freedom:
Name: National Authority for Data Protection and Freedom of Information
Email: ugyfelszolgalat@naih.hu
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone: 36 (1) 391-1400
Website: naih.hu
In the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (NAIH), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subjects without undue delay.
The Organizer notified the data processing pursuant to the Race Rules to the National Authority for Data Protection and Freedom of Information, which document was registered by the Authority under No. NAIH-112808/2017.
With this Privacy Policy the Hard Dog Race Kft. fulfils his or her obligations of prior notification pursuant to Act CXII of 2011 on Informational Self-determination and the Freedom of Information.
This Privacy Policy has been prepared in Hungarian, English, Polish, Czech, and German.
In case of any dispute of interpretation the Hungarian version shall prevail.
Budapest, 01. January 2023.
Hard Dog Race Kft.
Data Controller