This translation of the original Hungarian policy is provided for your convenience only. In case of any discrepancy between this translation and the original Hungarian policy, the Hungarian policy shall prevail. Translated with the help of AI.

I. INTRODUCTION OF THE CONTROLLER

The University of Óbuda (hereinafter referred to as: University, Controller, or "We") has created the following privacy and data protection notice to ensure the lawfulness of its internal data processing and to safeguard the rights of data subjects.

The Data Controller, as an institution of higher education, is an organisation established for the purpose of education, scientific research and artistic creation as a core activity, as defined in Act CCIV of 2011 on National Higher Education. The processing of personal data necessarily arises in the performance and execution of its public tasks.

The Data Controller processes personal data in accordance with all applicable laws, but in particular with the following:

• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the "Infotv."),

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: the Regulation). The Data Controller shall treat personal data confidentially and shall take all technical and organisational measures to ensure the security of the data, including all technical and organisational measures related to data storage and processing, to ensure secure data management.

Concepts

The terminology used in this Prospectus is identical to the interpretative definitions set out in Article 4 of the Regulation and, supplemented at certain points, to the interpretative provisions of Article 3 of the Infotv.

Where this notice refers to data or data processing, it is understood to refer to personal data or the processing thereof.

II. PURPOSE OF DATA MANAGEMENT: Management of cookies on the website

The University uses cookies on its website at https://www.kmooc.uni-obuda.hu/, the Carpathian Basin Online Education Centre of the University (hereinafter referred to as the "Website") to maintain and improve the services of the Website and to enhance the user experience.

What is a cookie?

Cookies are small text files placed on the user's device by the browser to identify and collect information. A cookie consists of a unique sequence of numbers and is used primarily to distinguish between computers and other devices that download a web page. Cookies have a variety of functions, including collecting information, remembering user preferences, allowing the website owner to learn about user habits to enhance the user experience.

For what purposes can we use cookies?

1. To ensure the proper, secure and high quality functioning of the website
2. To provide a login status for registered and logged in users

What cookies does the website use?

The website only uses the following cookies that are strictly necessary to achieve the above purpose:

The website uses only the above cookie. The information collected by the cookie will not be sold or rented by the website to third parties, except to the extent necessary to provide the services for which the data subject has previously and voluntarily provided this information.

What is the legal basis for the processing of data by cookies?

In the case of cookies, which are essential for the functioning of the website and thus for the performance of the public tasks of the University through the website, the processing is necessary for the performance of a public task carried out by the University, which in this case is specifically the provision of the website and, through it, the services provided to visitors to the website, and therefore the legal basis is Article 6(1)(e) of the Regulation.

How can you check and turn off cookies?

All modern browsers allow you to change your cookie settings. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and will offer you the choice each time whether or not to allow cookies.

You can find out about cookie settings for the most popular browsers by following the links below:

Google Chrome

Firefox

Microsoft Edge

Microsoft Internet Explorer

Opera

Safari

III. THE DATA SUBJECT'S RIGHTS IN RELATION TO DATA PROCESSING

Right to information

The data subject has the right to be informed about the processing, which the Data Controller shall fulfil by providing this information.

Right of access

At the request of the data subject, the Controller shall at any time provide information on whether the processing of the data subject's personal data is in progress and, if so, access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom or with which the controller has disclosed or will disclose the personal data, including in particular recipients in third countries or international organisations;
4. the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
5. the data subject shall also be informed of his or her right to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
6. the right to lodge a complaint with a supervisory authority or to institute legal proceedings;
7. where the data have not been collected directly from the data subject by the Controller, any available information on the source of the data;
8. where automated decision-making is carried out, the fact of such processing, including profiling, and, at least in those cases, the logic used, i.e. the significance of such processing and the likely consequences for the data subject.

Right to rectification of personal data

The data subject shall have the right at any time, upon request and without undue delay, to obtain from the Controller the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall also have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

In the case of a request for rectification (amendment) of data, the data subject must substantiate the accuracy of the data requested to be amended and must also certify that the person entitled to the rectification is the person who requests the amendment. Only in this way can the Data Controller assess whether the new data is accurate and, if so, whether it can amend the previous data.

The Data Controller also draws the attention of the data subject to the need to notify changes to his/her personal data as soon as possible in order to facilitate lawful processing and the exercise of his/her rights.

Right to erasure

At the request of the data subject, the Data Controller shall, without undue delay, erase personal data relating to the data subject where one of the following grounds applies:

1. the Controller no longer needs the personal data for the purposes for which it was collected or otherwise processed;
2. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
3. the personal data are unlawfully processed by the Controller;
4. the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.

Right to restriction of processing

The data subject shall have the right to obtain from the Controller, at his or her request, the restriction of processing where one of the following conditions is met:

1. contests the accuracy of the personal data; in this case, the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
2. the processing is unlawful and he or she opposes the erasure of the data and requests instead the restriction of their use;
3. the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
4. the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

Right to object

Where the processing of personal data is necessary for the performance of a task carried out in the exercise of official authority vested in the controller [Article 6(1)(e) of the Regulation], the data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, including profiling based on the aforementioned provisions.

PROCEDURES TO ENFORCE THE RIGHTS OF THE DATA SUBJECT

The data subject may exercise the above rights by sending an electronic mail to jog@uni-obuda.hu, by post to the registered office of the controller or by visiting the registered office of the controller in person. The Controller shall investigate and act on the data subject's request without undue delay after receipt of the request. The Controller shall inform the data subject of the action taken on the basis of the request within 30 days of receipt. If the Controller is unable to comply with the request, it shall inform the data subject of the reasons for the refusal and of his or her rights of appeal within 30 days.

Within five years of the death of the data subject, the rights of the deceased as set out in this notice, which the data subject enjoyed during his or her lifetime, may be exercised by a person authorised by the data subject by means of an administrative arrangement or a declaration in a public or private document of full probative value made to the controller, or, if the data subject made several declarations to a controller, by a declaration made at a later date. If the data subject has not made a corresponding declaration, his or her close relative within the meaning of Act V of 2013 on the Civil Code may, even in the absence of such a declaration, exercise the rights under Articles 16 (right of rectification) and 21 (right of access) of the Regulation. (right to object) and, where the processing was unlawful during the lifetime of the data subject or the purpose of the processing ceased to exist upon the death of the data subject, to exercise the rights of the deceased during his or her lifetime under Articles 17 (right to erasure) and 18 (right to restriction of processing) of the Regulation within five years of the death of the data subject. The right to exercise the rights of the data subject under this paragraph shall be exercised by the next of kin who first exercises that right.

IV. RIGHT OF REDRESS IN RELATION TO DATA PROCESSING

In order to exercise his/her right to judicial remedy, the data subject may bring an action against the Controller if he/she considers that the Controller or a processor or a joint controller acting on our behalf or at our instructions is processing his/her personal data in breach of the requirements laid down by law or by a binding legal act of the European Union for the processing of personal data. The court will decide the case out of turn. The Tribunal has jurisdiction to hear the case. The lawsuit may also be brought before the court of the place of residence or domicile of the data subject or the court of the seat of the Data Controller (Metropolitan Court), at the choice of the data subject.

Anyone may initiate an investigation against the Data Controller by filing a complaint with the National Authority for Data Protection and Freedom of Information (NAIH), alleging that the processing of personal data has resulted in a violation of rights or an imminent threat thereof, or that the Data Controller is restricting the exercise of his or her rights in relation to the processing or is refusing to grant such rights. The notification can be made using one of the following contact details:

National Authority for Data Protection and Freedom of Information (NAIH)

Postal address: 1363 Budapest, Pf. 9.

E-mail: ugyfelszolgalat@naih.hu

URL: http://naih.hu

Budapest, March 27th, 2024.