Guide to Personal Data Protection carried out by coordinating-beneficiaries relating to the LIFE programme

 

HERMAN OTTO INSTITUTE

DATA PROTECTION POLICY

 

prepared in the accordance with the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and of the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”)

 

Name:                                                              Herman Otto Institute Non-profit Ltd.

Registered office:                                           HU-1223 Budapest, Park utca 2. HUNGARY

Phone number:                                               +36 1 362 8100

E-mail:                                                              hermanottointezet [at] hoi.hu

Internet:                                                            www.hermanottointezet.hu

Name of the representative:                          Peter Bozzay, Executive Director

Name of the Data Protection Officer:          Dr. Brigitta Batka

Address:                                                           HU-1223 Budapest, Park utca 2. HUNGARY

Phone number:                                                +36 1 362 8100

(hereinafter referred to as the ‘Company’ or the ‘Controller’)

Personal data related to the LIFE17 IPE/HU/000017 project is managed by the Herman Otto Institute Non-profit Ltd. The purpose of this document is to give information on personal data and EU and national data protection laws.

The Company process data related to data subject only in a lawful, fair and transparent manner for a specified and legitimate purpose. The Company collect and process only the personal data that is necessary to fulfil that purpose, in line with the principle of data minimization. The Company use and store personal data for no longer than necessary for the purpose for which they were collected.

The Company is committed to use personal data on legitimate basis, in accordance with international and national data protection laws, in particular GDPR and Privacy Act, with respect for the private life of the data subject. 

The Company has identified security and protection of the personal data as one of its main policy priorities.

Pursuant to Article 4 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the repealing Directive 95/46/EC (General Data Protection Regulation, hereafter GDPR), the terms used in this Policy are defined as follows:

  • “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • “third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “supervisory authority”: means an independent public authority which is established by a Member State pursuant to Article 51.

 

Legal framework governing personal data processing

In particular, during data processing, the Controller must comply with the following legislation:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”)
  • Regulation (EU) No 1293/2013 on the establishment of a Programme for the Environment and Climate Action (LIFE) for the budgetary period 2014-2020.

 

What, how and why? – The purpose, legal basis, duration and legal obligation of the data processing

Personal data is processed by the controller to a different extent depending on the type and the existence of the legal relationship with the data subject. The data processing extends to the data processed during the fulfilment of administrative obligations towards the granting authorities, and extents to the data included in records and supporting documentation stored on the Controller’s site.

The following table describes the categories of personal data and the different circumstances of data processing.

When the data subject is one of the following: data controller, the partners, suppliers of any consortiums, persons acting on behalf of the owner of the consortium, or the ultimate beneficiaries of the project.

Categories of personal data concerned

Purposes of data processing

Legal basis for data processing

Duration of data processing

Is the data subject obliged to provide personal data?

identifiers and contact details of those data subjects included in the project documentation who have contractual relationship with the Controller

fulfilling administrative obligations related to grant implementation (for identification of data subjects included in the project and for communication)

contractual relationship

during the period of the contractual relationship

yes, pursuant to the contract

identifiers and contact details of those data subjects included in the project documentation who have an employment relationship with the Controller

fulfilling administrative obligations related to grant implementation (for identification of data subject included in the project and for communication)

appointment, contract of employment

during the period of the contract of employment

yes, under the employer’s instruction

identifiers and contact details of further data subjects included in the project documentation

fulfilling administrative obligations related to grant implementation (for identification of data subject  included in the project and for communication)

contribution

until consent is withdrawn

no

identifiers and contact details of the data subjects included in the supporting project

recording the implementation of the project and presenting the records and supporting documentation during completion of checks (in particular, but not exclusively: payroll, job description, employment contract, appointment, other type of work contract

Regulation (EU) No 1293/2013 on the establishment of a Programme for the Environment and Climate Action (LIFE programme) + Grant Agreement

31 December 2026,; or, if the contract is terminated at a later date, the  date of the expiry of the contract + 5 years data retention

There is no repeated data provision, the aim is to keep previously processed data

 

 

Data obtained from another controller

In the course of using EU funding, the personal data is collected by the Controller not only directly from the data subjects, but from its contractual partners as well. In this way, the Controller may obtain the data of its consortium partners and of the representatives or the contact points of its suppliers. In that case, it shall be up to the Controller to ensure that its contractual partners provide sufficient guarantees included in the written contract to process and share personal data lawfully. The table below shows the types of data and the circumstances of data processing.

When the data subjects are one of the following: the owner(s) of its contractual partners, persons acting on behalf of its contractual partner (representatives, contact persons, project managers), who are not the signatories to the contract

Categories of  data

Purpose of data processing

Legal basis of processing

Duration of data processing

Scope of personal data processed

Sources of data

The personal data of the data subject related to the contractual partner and included in the project documents

Recording the implementation of the programme, and presenting the records and supporting documents during completion of checks (for identification of data subject and for communication)

contractual relationship

the period of the contractual relationship

identifiers and contact details

data sent by the contractual partners of the Controller

Regulation (EU) No 1293/2013 on the establishment of a Programme for the Environment and Climate Action (LIFE programme) + Grant Agreement

31 December 2026,; or, if the contract is terminated at a later date, the date of the expiry of the contract

 

All data referred to above will be only sent to the competent EU grant authority in the order and manner specified in the Grant Agreement.

 

Other data management of the Company:

Facebook-site of the project

On the Facebook page of the project, https://www.facebook.com/LIFEIPHUNGAIRY/, visitors can make comments, send messages to the Company and provide personal data.

The types of data processed: the data is voluntarily provided by the data subject by sending a comment or message.

The purpose of data processing: managing the reactions of the partners, answering questions.

The legal basis of processing: the consent of the data subject based on point (c) of Article 6(1) of GDPR and on point (a) of Section 5(1) of the Privacy Act.

The duration of data processing: until the request of the relevant data subject to delete his/her personal data, with a requirement that personal data can be erased by the Controller after the day of 31 December 2031, after the last day of the retention period.

 

Method of sharing Data Subjects’ data, transferring data to other organisations  

During processing, personal data can pass through various different individuals or organisations. The Controller is entitled or obliged to transmit or make available certain personal data related to data subjects to another controller, processor, or recipient (separate system) where one of the following applies:

  •  fulfil a contractual obligation;
  •  satisfy a legal obligation;
  •  based on the concern of the data subject.

In some cases, the Controller may need to disclose certain personal information to other recipients. The processing of such data by those recipients shall be in compliance with the data protection principles, the provisions of this Data Protection Policy and the applicable data protection rules. We may
share your personal data with the following recipients:

  • processors acting on behalf of the Controller (proposal writers, advisers, project managers);
  • the European Commission and its executive agencies, in particular EASME and NEEMO EEIG.

 

Enforceable rights for data subjects

It is important for the Controller to guide you through your rights as data subject, under the GDPR. For this purpose, in accordance with the applicable rules, the data protection rights that can be exercised by the data subject are listed below:

  • Right to withdraw consent (Art. 7 GDPR): You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent given before such withdrawal.
  • Right of access (Art. 15 GDPR): You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the relevant information of the processing, and have the right to receive a copy of your personal data undergoing processing.
  • Right to rectification (Art. 16 GDPR): You have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.
  • Right to data portability (Art. 20 GDP): You have the right to receive the personal data concerning you which you have provided to the Controller and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided.
  • Right to object (Art. 20 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning your processing if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party. In such case, the Controller reviews the request, and subject to this, shall no longer process the personal data.
  • Right to erasure (Art. 17 GDRP): You have the right to obtain from the Controller the erasure of your personal data where one of the following grounds applies:
  • your personal data is no longer necessary in relation to the purpose for which it was collected or otherwise processed;
  • you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
  • you object to processing; and there are no overriding legitimate grounds for the processing;
  • your personal data have been unlawfully processed;
  • your personal data must be deleted in order to comply with a legal obligation.

In such case, the Controller will examine your request, and, if deletion of the data is possible, will not only erase your data in its records, but will also forward your request to the individuals and organisations to whom the personal data has been disclosed and where the data available in a rational and expected way for such individuals and organisations.

 

Right to restriction of processing (Art.18 GDPR): You have the right to obtain from the Controller the restriction of processing where one of the following applies:

  • the accuracy of your personal data is contested by you, for a period enabling the Controller to verify the accuracy of the personal data;
  • in the light of Article 21(1) you have exercised the right to object; for a period enabling the Controller to verify whether the legitimate grounds of the Controller override those of the data subject;
  • the processing is unlawful or the purpose of processing is ceased, and you oppose the erasure of your personal data and requests the restriction of their use instead;
  • the Controller no longer needs the personal data for the purpose of processing, but you require them for the establishment, exercise or defence of legal claims.

Where processing has been restricted, such personal data shall, with the exemption of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You will be always informed by the Controller before the restriction of processing is lifted. Your request for restriction will be forwarded by the Controller to the individuals and organisations to whom the personal data has been disclosed and where the data is available in a rational and expected way for such individuals and organisations.

 

Data security

The Herman Otto Institute Non-profit Ltd. has installed the following organisational and technical safeguards to ensure the security of the personal data:

  • according to the Company’s internal rules and regulations, only designated employees are authorized to access personal and only when processing of personal data is essential for their work;
  • internal rules regarding possible paper-based processing of personal data;
  • electronic security measures for data stored electronically, such as firewalls, antivirus software and logging systems, which allows retrieving who and when had access to personal information. These solutions help to prevent cybercrime;
  • personal data is stored in the Company’s internal IT system on the Company’s site;
  • ensuring the physical protection of servers storing personal data to by technical and organisational measures.

 

How to submit your request

You may contact the Company to exercise your rights under the GDPR (rights of access, rectification, erasure, portability, restriction, objections) electronically, and send your request to the Data Protection Officer. The process requires your identification and communication with you. Therefore, personal information will be required to your identification. Identification can be only based on data that the Controller has already processed. We will keep your request accessible in our email account until a resolution is found.

 

Further remedies

If you think your data protection rights have been breached, you can take legal action against the Company, or lodge a complaint with the national data protection authority, National Authority for Data Protection and Freedom of Information (hereinafter referred as the ‘Supervisory Authority’).

Office of the Supervisory Authority:                              1125 Budapest, Szilágyi Erzsébet fasor 2/c.

Supervisory Authority’s postal address:                        1530 Budapest, Pf.:5.

Supervisory Authority’s phone number:                        +36 1 391 1400

Supervisory Authority’s fax number:                             +36 1 391 1410

Supervisory Authority’s email address:                         ugyfelszolgalat [at] naih.hu

Supervisory Authority’s website:                                    www.naih.hu

 

Review of the Data Protection Policy

This Data Protection Policy shall be reviewed at least once a year. When necessary, the Controller will update it. The persons of concern shall always be informed about the modification of the Data Protection Policy. To the determination the manner of communication, the Controller shall take into consideration the significance of the modification, the scope of data subjects and the scope of data affected by the change.