Privacy Policy

Below you can read about how the Roots and Wings Foundation handles – in accordance with the law – your personal informationit gathers, how and for how long it is stored, how you can access it, and how you can make a complaint if you experience an anomaly.

Privacy Policy

on data management related to the operation of the https://gy-sz.hu/ website and the services provided by the Data Controller

Introduction

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter “the Regulation”) provides for the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46, that the Data Controller takes appropriate measures to provide the Data Subject with all information concerning the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, and that the Data Controller facilitates the exercise of the Data Subject’s rights.

The obligation to inform the Data Subjectin advance of data collection is also prescribed byAct CXII of 2011 on Informational Self-Determination and Freedom of Information.

Chapter 1
Name Of Data Controller

The issuer of this information, who also acts as Data Controller (hereinafter referred to as “DC”), is:

Roots and Wings Foundation
Organisation Registration Number: 01-01-0011984
Organisational headquarters: 1092 Budapest, 32 Ráday Street, 3rd floor/door 3
Tax number: 18626166-1-43
E-mail: gysza@gy-sz.hu

Chapter 2
Data Management

The DC carries out data processing on the legal bases listed below for each data processing purpose.

We call data providers’ attention to the fact that, if they do not provide their own personal data, it is the duty of the data provider to obtain the consent of the Data Subject.

The Data Controller does not transfer any data to a third country.

Automated decision making is not used by the Data Controller.

Related To Data Processing

1. Making contact – under the “Support us” menu item
Categories of Data Subjects:
Personal data processed: name, email address
Legal basis of data processing: Voluntary consent of Data Subject
Recipients & categories of recipients: DC, his/her representatives & contractors
Place and method of storage: electronically
Deadline for deletion: 2 years from last contact
Data transfer: –

2. Making contact – under the “Our Programmes” menu item
Categories of Data Subjects: website visitor
Personal data processed: name, email address & phone number
Legal basis of data processing: Voluntary consent of Data Subject
Recipients & categories of recipients: DC, his/her representatives & contractors
Place and method of storage: electronically
Deadline for deletion: 2 years from last contact
Data transfer: –

3. Making contact – under the “Contact Us” menu item
Categories of Data Subjects: website visitor
Personal data processed: name, email address
Legal basis of data processing: Voluntary consent of Data Subject
Recipients & categories of recipients: DC, his/her representatives & contractors
Place and method of storage: electronically
Deadline for deletion: 2 years from last contact
Data transfer: –

4. Complaint handling: If you have made a complaint to us, data management and the provision of data is essential.
Categories of Data Subjects: complainant
Personal data processed: name, email address
Legal basis of data processing: Fulfilment of DC’s legal obligation
Recipients & categories of recipients: DC’s contractors & representatives
Place and method of storage: electronically
Deadline for deletion: Consumer Protection Act – cancellation deadline specified in the given legislation – 5 years
Data transfer: At the request of a consumer protection authority

Operation Related Data Management

5. Visitor data management on the company’s website – cookies – see more below
Categories of Data Subjects: website visitor
Personal data processed: See more: Table of Cookies
Legal basis of data processing: Explicit voluntary consent of Data Subject
Recipients & categories of recipients: DC, his/her representatives & contractors
Place and method of storage: electronically
Deadline for deletion: See more: Table of Cookies
Data transfer: –

6. Invoicing of the service – Számlázz.hu (https://www.szamlazz.hu/adatvedelem/)
Categories of Data Subjects: contracting party
Personal data processed: name, account number, tax number/tax identification number, email address, residential address/registered office
Legal basis of data processing: Voluntary consent of Data Subject
Recipients & categories of recipients: DC, his/her representatives & contractors
Place and method of storage: electronically and paper-based
Deadline for deletion: As prescribed by Law XXXVIII of 1992 on general government financing and Law C of 2000 on Accounting – 8 years
Data transfer: data transfer according to https://www.szamlazz.hu/adatvedelem/#adattovabbitas

7. Official Facebook pagehttps://www.facebook.com/policy.php
Categories of Data Subjects:
Personal data processed:
Legal basis of data processing: Explicit voluntary consent of Data Subject by clicking the “Like” button
Recipients & categories of recipients:
Place and method of storage: electronically
Deadline for deletion:
Data transfer:

Visitor Data Management on the Organisation’s website (Cookies)

Cookies are short data files that the website you visit places on your computer. The purpose of a cookie is to make the given infocommunications/Internet service easier and more convenient. There are many types of cookies, but they can generally be classified into two major groups. One is a temporary cookie that a website places on a user’s device only during a specific session (e.g. during the security authentication of an Internet bank), and the other type is a persistent cookie (e.g. a website’s language setting) that remains on the computer until the user deletes it. According to the guidelines of the European Commission, cookies (unless they are absolutely necessary for the use of the given service) may only be placed on the user’s device with the user’s permission.

In the case of cookies that do not require the user’s consent, information must be provided during the first visit to the website. It is not necessary for the full text of the cookie information to appear on the website. It is sufficient for the website operators to briefly summarise the essence of the information and to indicate the availability of the full information via a link.

Purpose of data management: during the visit to the website, the service provider records the visitor data in order to assess the operation of the service, provide personalised services and prevent abuse.

Legal basis for data processing: legitimate interest of the Data Controller.

The codes of external service providers have not been placed on the website. The Organisation does not link the data generated during the analysis of log files to other information, and does not seek to identify the user.

Information on the Use of Cookies

In accordance with common Internet practice, our organisation uses cookies on its website. A cookie is a small file that contains a series of characters and is placed on a visitor’s computer when they visit a website. When the visitor visits that website again, the cookie allows the website to recognise the visitor’s browser. Cookies can also store user settings (e.g.language selected) and other information. Among other things, they collect information about the visitor and his device, memorise the visitor’s individual settings, and can be used when using online shopping carts, for example. Cookies generally make the use of the website easier, allowing it to provide a real web experience for users and be an effective source of information. They also help the website operator monitor the operation of the website, prevent abuse and provideserviceson the website smoothly and in an appropriate manner.

Acceptance and authorization of the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. Although most browsers automatically accept cookies by default, they can usually be changed to prevent automatic acceptance and offer a choice each time.

You can find information about the cookie settings of the most popular browsers at the links below

However, please note that certain website features or services may not work properly without cookies.

The cookies used on the website are not in themselves suitable for identifying the user.

Cookies used on the organisation’s website:

a) Technically essential cookies

CookieTypeDurationDescription
__stripe_midnecessary1 yearOur credit card payment service provider Stripe uses this cookie to remember the user and allow us to accept donations by credit card payment without storing card details on our servers.
__stripe_sidnecessary30 minutesOur credit card payment service provider Stripe uses this cookie to remember the user and allow us to accept donations by credit card payment without storing card details.
cookielawinfo-checkbox-analyticsnecessary11 monthsThis cookie is placed by the GDPR Cookie Consent. The cookie stores the user’s consent to the "Analytics" category of cookies.
cookielawinfo-checkbox-necessarynecessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
viewed_cookie_policynecessary11 monthsThis cookie is placed by the GDPR Cookie Consent. The cookie stores that the user has viewed the Cookie Policy.

These cookies are necessary for visitors to browse the website and use its functions and the services available through the website smoothly and fully,including – among other things – remembering the visitor’s actions on those pages during a visit. The duration of the processing of these cookies only applies to the current visit of the user.This type of cookies is automatically deleted from your computer when the user session ends or the browser is closed.

The legal basis for this kind ofdata management is Article 13/A of Act CVIII of 2001 on E-commerce and Certain Issues Regarding Information Society Services (Paragraph 3).

The purpose of data management is to ensure the proper functioning of the website.

b) Cookies requiring consent:

CookieTypeDurationDescription
_gaanalytical2 yearsThis cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.
_gat_UA-#analytical1 minuteThis cookie allows the counting of visits to our website as well as the traffic sources in order to measure and improve the website’s performance using Google Analytics.
_gidanalytical24 hoursThis cookie helps us count how many users have visited our site by tracking whether a user has visited our site before.

These cookies provide an opportunity for the Organisation to remember the user’s choices regarding the website. The visitor may prohibit this kind of data processing at any time before and during the use of the service. This data may not be linked to the user’s identification data and may not be passed on to third parties without the user’s consent.

Google Analytics cookies – Learn more here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Other Data Processing

Information on data processing not listed in this policy will be provided at the time of data collection.

Please be informed that courts, the prosecutor’s office, the investigating authority, the infringement authority, the administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorised by law, may request the Data Controllerto provide information, data or documents as requested.

The Data Controller shall provide personal data to the authorities – given the authority has indicated the exact purpose and the scope of the data requested- only to the extent that is strictly necessary to fulfil the request.

Chapter 3
Data Processors

Data Processor (hereinafter referred to as “DP”): any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller. (Article 4 (8) of the Regulation)

The use of a Data Processor does not require the prior consent of the Data Subject, but he/she must be informed about it. Accordingly, the following information is provided.

Data Processors are summarised by data management purpose in the table below for ease of transparency:

DP related to providing a service

  1. Name of representative required to implement the programme
    name: Bardócz és Partnere Bt.
    seat: 1092 Budapest, 32 Ráday Street 3rd floor 3.
    representative: Bardócz Iván
    tax number: 20546274-1-43
  2. Name of representative required to implement the programme
    name: Hámori György E.V.
    seat: 1031 Budapest, 8 Torma Károly Street
    tax number: 56768970-1-41
  3. Name of representative required to implement the programme
    name: Komáromi Mátyás E.V.
    seat: 1138 Budapest, 3 Forgách Street 2nd floor 8.
    tax number: 66513678-1-41
  4. Name of representative required to implement the programme
    name: Koncz Krisztina E.V.
    seat: 2254 Szentmártonkáta, 11 Liget Street
    tax number: 55417255-1-33
  5. Name of representative required to implement the programme
    name: PROCESS 123 Társadalomtudományi Bt.
    seat: 1093 Budapest, 46 Lónyay Street 4th floor 5.
    representative: Benedek Gabriella
    tax number: 24840381-1-43
  6. Name of representative required to implement the programme
    name: Public.pdf Bt.
    seat: 1106 Budapest, 17 Gyakorló Street
    representative: Kovács Edit
    tax number: 22303088-1-42
  7. Name of representative required to implement the programme
    name: Simay Dóra E.V.
    seat: 1133 Budapest, 12 Esztergomi Road
    tax number: 69679045-1-41
  8. Name of representative required to implement the programme
    name: Scsaurszki Tamás E.V.
    seat: 1092 Budapest, 30 Ráday Street 3th floor 1.
    tax number: 76244810-1-43

DP required for operation

  1. Accounting & payroll
    Name: Éva Kanda, PaMaVi Balance Tax Bt.
    Seat: 1164 Budapest, 2 Bányász Street 2. attic 3.
    Tax number: 20541633-2-42
  2. Hosting provider:
    Name: EV2 Internet Kft.
    Seat: 1149 Budapest, 120-122 Róna Street
    Company registration number: 01-09-987250
    Tax number: 13335072-2-42
  3. Newsletter service:
    Name: The Rocket Science Group, LLC (MailChimp)
    Address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA
    https://mailchimp.com/legal/
  4. Website traffic data analysis:
    Name: Google Ireland Limited
    Registration number: 368047
    Seat: Gordon House, Barrow Street, Dublin 4, Írország
    https://www.google.com/analytics/terms/en.html
  5. Cloud service:
    Google Drive for Nonprofits
    Name: Google Ireland Limited
    Registration number: 368047
    Seat: Gordon House, Barrow Street, Dublin, 4, Ireland
    https://policies.google.com/terms
  6. Credit card payment:
    Name: Stripe Technology Europe Ltd.
    Seat: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
    https://stripe.com/ie/privacy

Chapter 4
Data Storage & Data Management Security

The Data Controller’s computing systems and other data storage facilities are located at the Roots and Wings Foundation’s organisational headquarters in electronic form (NAS server) and in Google Drive’s cloud service for Nonprofits.

The Data Controller selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the managed data:

  1. is accessible to those entitled to it (availability);
  2. its authenticity and authentication are ensured (authenticity of data management);
  3. its integrity can be demonstrated (data integrity);
  4. is protected against unauthorised access (data confidentiality)

The Data Controller shall protect the data by appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage or inaccessibility due to changes in the technology used.

In order to protect the electronically managed data files in its various registers, the Data Controller shall ensure, by means of an appropriate technical solution, that the stored data is not directly linked and attributed to the Data Subject, unless permitted by law.

In view of the current state of the art, the Data Controller shall ensure the protection of the security of data management with technical, organisational and organisational measures that provide a level of protection that is proportionate to the risks related to data management.

During data management, the Data Controller shall retain

  1. confidentiality: it shall protect the information so that only those entitled can have access to it can access it
  2. integrity: it shall protect the accuracy and completeness of the information and the method of processing
  3. availability: it shall ensure that, when the authorised user needs it, he/she has effective access to the information required and that the means to do so are available.

The IT system and network of the Data Controller and its partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer hacking and denial-of-service attacks. The operator ensures security through server-level and application-level protection measures.

We inform users that electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that lead to unfair activity, contract disputes, or the disclosure or modification of information. To protect against such threats, the Data Controller shall take all the precautionary measures required. It shall monitor the systems to record any security breaches and provide evidence of any security incidents. System monitoring also makes it possible to supervise the effectiveness of the precautions taken.

Chapter 5
Information On The Rights Of The Person Concerned

Right to prior information

The Data Subject shall have the right to receive information about the facts and information connected to data processing before commencement of data processing.
(Articles 13 to 14 of the Regulation)

Right of access by the Data Subject

The Data Subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal dataand related information specified in the Regulation.
(Article 15 of the Regulation).

Right to rectification

The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(Article 16 of the Regulation).

Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where any of the grounds specified in the Regulation applies.
(Article 17 of the Regulation)

Right to restriction of processing

The Data Subject shall have the right to obtain from the controller restriction of processing where one of the conditions specified in the Regulation are met.
(Article 18 of the Regulation)

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the Data Subject about those recipients if the Data Subject requests it.
(Article 19 of the Regulation)

Right to data portability

Under the conditions set out in the Regulation, theData Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
(Article 20 of the Regulation)

Right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) (necessary for the performance of a task in the public interest or in the exercise of public authority) or point (f) (data management is necessary to enforce the legitimate interests of the Data Controller or a third party) of Article 6 of the Regulation.
(Article 21 of the Regulation)

Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(Article 22 of the Regulation)

Restrictions

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22.
(Article 22 of the Regulation)

Communication of a personal data breach to the Data Subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the Data Subject without undue delay.
(Article 34 of the Regulation)

Right to lodge a complaint with a supervisory authority (Right to official remedy)

The Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes this Regulation.
(Article 77 of the Regulation)

Right to an effective judicial remedy against a supervisory authority

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or where the supervisory authority does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged.
(Article 78 of the Regulation)

Right to an effective judicial remedy against a controller or processor

Each Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
(Article 79 of the Regulation)

Chapter 6
Handling The Data Subject’s Request
Measures By The Data Controller

The Data Subject may request information on the handling of his or her personal data, as well as request the correction or – with the exception of mandatory data processing – the deletion or blocking of his or her personal data at the Data Controller’s registered office or at this email address: gysza@gy-sz.hu

Data controller shall without undue delay, but not later than within one month of receiving the request, inform the Data Subject of the measures taken regarding the request. If necessary, taking into consideration the complexity of the request and the number of requests, the term may be extended by a further two months. The Data Controller shall inform the Data Subject of any extension of the term by indicating the reasons thereof within onemonth of receiving the request.

In case the Data Subject submitted their requestelectronically, any reply to such request is to be given electronically, unless otherwiserequested by the Data Subject.

In the event the Data Controller chooses to take no measures in reply to the request submitted, they shall notify the Data Subject without undue delay or within one month of receiving the request of the reasons for not taking any actions, as well as of data subject’s rights to submit a complaint to any of the supervisory authorities and to seeking legal remedy at court.

The Data Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the rights of the Data Subject (Articles 15-22 and 34 of the Regulation)free ofcharge. If the request of the Data Subject is obviously unfounded, or – especially due to its repetitive nature -excessive, the Data Controller may with respect to the administrative costs related to providing the requestedinformation or taking the requested action refuse to take the requested action. However, it is the obligation of the Data Controller to prove that the request is obviously unfounded or excessive.

If the Data Controller has reasonable doubts about the identity of the individual submitting therequest, further information may be requested, to confirm the Data Subject’s identity.

In exercising the right to data portability, the Data Subject shall have theright to have the personal data transmitted directly from one controller to another, where technically feasible.

As a data controller, the Data Controller shall provide information on the data processed by it or processed by the processor, their source, purpose, legal basis, duration, name, address and activities related to data processing, and, in case of data transfer, its legal basis and recipient. The controller shall provide the information in writing as soon as possible after the submission of the request. This information is free of charge if the person requesting the information has not yet submitted a request for information to the controller for the same set of data in the current year. In other cases, the Data Controller will determine a reimbursement.

The Data Controller may not delete the data of the Data Subject if it is based on a contract, fulfilment of a legal obligation or the legitimate interest of the Data Controller.

In the case of data processing based on a legitimate interest, the Data Subject has, according to Article 21 of the Regulation, the right to object, which means that he or she may object to the data processing at any time. In suchcases, the controller may not further process the personal data unless the controller demonstrates that the processing is justified by overriding legitimate reasons which take precedence over the interests, rights and freedoms of the Data Subject or which relate to the submission, enforcement or defense of legal claims.

The Data Controller shall compensate the damage caused to others by the unlawful processing of the Data Subject’s data or by violating the data security requirements. The data controller is released from liability if the damage was caused by an unavoidable cause outside the scope of data processing. It does not compensate for the damage to the extent that it resulted from the intentional or grossly negligent conduct of the injured party.

Remedies and complaints can be lodged with the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority
Seat: 9-11 Falk MiksaStreet, 1055 Budapest, Hungary
Mailing Address: 1363 Budapest, Pf. 9.
Website: http://www.naih.hu
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu

In the event of a breach of his or her rights, the Data Subject may also take legal action against the Data Controller. The court is acting out of turn in the case.

Updating this Privacy Policy & Following Changes in Legislation

Thispolicy is constantly reviewed and updated by the Data Controller in accordance with changes in the legal environment and official expectations. You can find the current policy under the “Privacy Policy” section of the website.

Budapest, 3 June 2021