This translation of the original Hungarian policy is provided for your convenience only. In case of any discrepancy between this translation and the original Hungarian policy, the Hungarian policy shall prevail. Translated with the help of AI.

I. INTRODUCTION OF THE CONTROLLER

Óbuda University (hereinafter referred to as: University, Controller, or "We") has created the following privacy notice to ensure the lawfulness of its internal data processing and to safeguard the rights of data subjects.

The Data Controller, as an institution of higher education, is an organisation established for the purpose of education, scientific research and artistic creation as a core activity, as defined in Act CCIV of 2011 on National Higher Education (hereinafter referred to as the Nftv.). In the performance and execution of its public tasks, the processing of personal data necessarily arises.

The Data Controller processes personal data in accordance with all applicable legal provisions, but in particular with the following legal provisions:

• Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the "Infotv."),

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: the Regulation).

The Data Controller shall treat personal data confidentially and shall take all technical and organisational measures to ensure the security of the data, including all technical and organisational measures related to data storage and processing, to ensure secure data management.

Concepts

The terminology used in this information notice corresponds to the interpretative definitions set out in Article 4 of the Regulation and, supplemented at certain points, to the interpretative provisions of Article 3 of the Infotv.

Where this notice refers to data or data processing, it is understood to refer to personal data or the processing thereof.

II. PURPOSES OF PROCESSING

The main purpose of MOOCs, i.e. Massive Open Online Courses, is to make higher education courses accessible to a larger number of people. The public tasks of the University include -- in accordance with § 2 (5a) of the Nftv. -- to contribute to the social and economic development of its region by making the intellectual assets resulting from its core activities known to the community and by their economic exploitation. In order to fulfil this task, the University operates the so-called Carpathian-Mediterranean Online Education Centre (hereinafter referred to as K-MOOC) and its website at https://www.kmooc.uni-obuda.hu/ (hereinafter referred to as the website). K-MOOC's primary goal is to launch and disseminate online courses in Hungarian, primarily for Hungarians in the Carpathian Basin, but also for all native Hungarian speakers worldwide. On the one hand, K-MOOC provides a form of online education recognised by a credit or diploma for students of higher education institutions, faculties and departments in the Carpathian Basin who are studying in Hungarian, either in whole or in part, and on the other hand, it offers a new form of education for lifelong learning.

In addition to the University, other higher education institutions and even companies offer various online courses on the website, which operate in an asynchronous format, i.e. teaching is done through pre-recorded video and written material. Accountability is mainly through written tests and assignments (which can be video material recorded by the course participant, depending on the subject of the course). The content of the course itself and the form of the assessment will be determined in each case by the person who is responsible for the course and the accrediting institution, in consultation with the K-MOOC.

Courses are free of charge for all participants, whether they are students in higher education or external participants. To participate in the courses, you must register on the website. You can then register for each course separately.

The University provides information on the processing of personal data in connection with registration on the website and K-MOOC courses by means of the following privacy statement.

1. Data processing in connection with registration on the K-MOOC website

Purpose of processing

The purpose of the processing is to create a user account on the website.

An additional purpose of processing the email address is to enable the University to send system messages to the data subject (e.g. to inform him/her of successful registration, forgotten password, malfunction).

Personal data processed and legal basis for processing

When registering, the data subject is required to provide the following data:

1. name;
2. email address;
3. password (encrypted);
4. language set by the data subject on the website;
5. if he/she indicates that he/she is a student, the name of the institution where he/she is a student and his/her student ID within the institution (typically Neptun code).

The University also processes data relating to the date of registration.

After registration, it is also possible to provide additional personal data (e.g. place and date of birth), but this is only necessary if the data subject requests a credit certificate for the course(s) he/she has completed, so this processing is related to K-MOOC courses and within this, to the issuing of the credit certificate (see II.2).

The processing is necessary for the performance of a public task carried out by the University, which in this case is the creation of a user account on the website as a prerequisite for participation in the K-MOOC courses provided through the website, and therefore has its legal basis in Article 6(1)(e) of the Regulation.

Source of relevant data

The source of the personal data is the data subject.

Recipients of personal data provided

Only employees of the University whose job duties include the delivery of K-MOOC courses and the management of the website are entitled to access the personal data of the data subjects.

Transfers of personal data to third countries or international organisations

The University will not transfer personal data to any third country or international organisation.

Duration of processing of sensitive data

The data subject may request the deletion of his/her account at any time, in which case the data relating to his/her account will be anonymised.

Automated decision-making and profiling

Neither of these is carried out during the processing.

2. Data management related to enrolment and participation in K-MOOC courses

Purpose of processing

The purpose of data processing is the organisation and delivery of K-MOOC courses, including the registration and participation in courses. In this context, the email address is processed for the purpose of contacting the data subject in connection with the course and for sending the credit confirmation by email.

For those who wish to receive a credit certificate for the completion of a course, the additional purpose of the processing is to issue this credit certificate.

Personal data processed and legal basis for processing

In addition to the data provided during registration, the University also processes data relating to course registration and participation in the course, including submissions made by the data subject during the course (which may include video material in which the data subject appears), comments made on the course forum(s) and the marks obtained by the data subject.

If the data subject requests a credit certificate, he/she will be required to provide the following additional information in his/her profile data:

1. the name of the institution where you are a student and your student ID within the institution (typically a Neptun code), if you did not provide it earlier during registration;
2. educational identifier;
3. place and date of birth.

In the case of the University's own students, the University will also check the above data against the data in its academic system (Neptun system) to verify the accuracy of the data.

The processing of data is necessary for the performance of the public task carried out by the University, which in this case is the organisation and delivery of K-MOOC courses and through this the performance of its public task pursuant to Article 2 (5a) of the Nftv., i.e. the contribution to the social and economic development of the region by the promotion of the knowledge and economic exploitation of the intellectual values derived from its core activities for community purposes, and accordingly the legal basis is Article 6 (1) (e) of the Regulation.

Source of relevant data

The source of the personal data is the Neptun system of the University.

Recipients of personal data made available

The University's employees whose job duties include the delivery of K-MOOC courses and the management of the website are the only persons who are entitled to know the personal data of the data subjects.

The instructor of the course taken by the data subject, whether employed by the University or by another institution in the case of a course offered by another institution, has access to the course-related data of the students taking the course and to the following data: the name and email address of the student, the name of the institution to which the student belongs and the student's institution identifier (Neptun code).

The name of the profile data is public to other users of the course. Also public to the students of the course is the content of the posts made in the forum(s) of the course.

Although the University has a data reporting obligation in relation to K-MOOC courses, this is in all cases only statistical data and no personal data is transmitted.

Transmission of personal data to third countries or international organisations

The University will not transfer personal data to third countries or international organisations.

Duration of processing of personal data

The data subject may request the deletion of his/her account at any time, in which case the data relating to his/her account and therefore to the courses he/she has completed or taken will be anonymised.

In the case of students of the University, credit certificates are kept for a period of eighty years from the date of notification of termination of student status in accordance with Annex 3, point 1/B.3 of the Nftv. As far as additional students are concerned, credit certificates are kept by the University for a period of limitation.

Automated decision-making and profiling

Neither of these is carried out during the processing.

3. Send newsletter

Users registered on the K-MOOC interface, either during registration or afterwards, have the possibility to subscribe to the University's K-MOOC course newsletter, which will inform them about the course start date, deadlines and any changes to deadlines, as well as other important information concerning these courses. Subscription to the newsletter is voluntary, it is not a condition of registration or participation in K-MOOC courses, and the subscriber may unsubscribe at any time.

Users who are not registered on the website will not be able to subscribe to this newsletter.

Purpose of data processing

The purpose of the data processing is to inform the subscribers to the K-MOOC newsletter about the courses, deadlines and possible changes of deadlines, as well as other important information concerning these courses.

Personal data processed and legal basis for processing

The University processes the email address and first name of the data subject, as well as data relating to the time of subscription to the newsletter and data relating to the giving of consent.

The legal basis for processing is the prior consent of the data subject, i.e. Article 6(1)(a) of the Regulation.

Source of relevant data

The source of personal data is the data subject.

Recipients of personal data made available

Only employees of the University whose job duties include sending information messages (newsletters) about K-MOOC courses are entitled to receive personal data of the data subjects.

Transmission of personal data to third countries or international organisations

The University will not transfer personal data to third countries or international organisations.

Duration of processing of sensitive data

The University will process personal data until the data subject's consent is withdrawn.

The data subject has the right to withdraw his/her consent and to unsubscribe from newsletters at any time. The latter can be done by clicking on the "unsubscribe" button at the bottom of the emails, or by setting the option in the profile information, or otherwise by exercising the right to withdraw consent as set out in this notice.

Automated decision-making and profiling

Neither of these is carried out during the processing.

III. THE DATA SUBJECT'S RIGHTS IN RELATION TO DATA PROCESSING

Right to information

The data subject has the right to be informed about the processing, which the Data Controller shall fulfil by providing this information.

Contractual processing

If the legal basis for a processing operation is the data subject's consent, he or she has the right to withdraw his or her consent to the processing operation at any time. It is important to note, however, that the withdrawal of consent may only relate to data for which there is no other legal basis for processing. If there is no other legal basis for the processing of the personal data concerned, the Controller will permanently and irretrievably erase the personal data following the withdrawal of consent. Withdrawal of consent under the Regulation shall not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.

Right of access

At the request of the data subject, the Data Controller shall at any time inform the data subject whether or not personal data concerning him or her are being processed and, if so, provide access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom or with which the controller has disclosed or will disclose the personal data, including in particular recipients in third countries or international organisations;
4. the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
5. the data subject shall also be informed of his or her right to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
6. the right to lodge a complaint with a supervisory authority or to institute court proceedings;
7. where the data have not been collected directly from the data subject by the Controller, any available information on the source of the data;
8. where automated decision-making is carried out, the fact of such processing, including profiling, and, at least in these cases, the logic used, i.e. the significance of such processing and the likely consequences for the data subject.

Right to rectification of personal data

The data subject shall have the right at any time, upon his or her request and without undue delay, to obtain from the Controller the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall also have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

In the case of a request for rectification (amendment) of data, the data subject must substantiate the accuracy of the data requested to be amended and must also certify that the person entitled to the rectification is the person who requests the amendment. Only in this way can the Data Controller assess whether the new data is accurate and, if so, whether it can amend the previous data.

The Data Controller also draws the attention of the data subject to the need to notify any change in his/her personal data as soon as possible in order to facilitate lawful processing and the exercise of his/her rights.

Right to erasure

At the request of the data subject, the Controller shall delete personal data relating to the data subject without undue delay where one of the following grounds applies:

1. the Controller no longer needs the personal data for the purposes for which they were collected or otherwise processed;
2. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
3. the personal data are unlawfully processed by the Controller;
4. the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.

Right to restriction of processing

The data subject shall have the right to obtain from the controller, at his or her request, the restriction of processing if one of the following conditions is met:

1. disputes the accuracy of the personal data; in this case, the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data
2. the processing is unlawful and he or she opposes the erasure of the data and requests instead the restriction of their use;
3. the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
4. the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

Right to object

If the processing of personal data is necessary for the performance of a task carried out in the exercise of official authority vested in the controller [Article 6(1)(e) of the Regulation], the data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, including profiling based on those provisions.

Right to data portability

The data subject shall have the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and the right to have those data transmitted by the controller to another controller if:

1. the processing is based on the data subject's consent or on a contract within the meaning of Article 6(1)(b) of the Regulation; and
2. the processing is carried out by automated means.

THE PROCEDURES FOR ENFORCING THE RIGHTS OF THE DATA SUBJECT

The data subject can exercise the above rights by sending an email to jog@uni-obuda.hu, by post to the Data Controller's headquarters or by visiting the Data Controller's headquarters in person. The Controller shall investigate and act on the data subject's request without undue delay upon receipt of the request. The Controller shall inform the data subject of the action taken on the basis of the request within 30 days of receipt. If the Controller is unable to comply with the request, it shall inform the data subject of the reasons for the refusal and of his or her rights of appeal within 30 days.

Within five years of the death of the data subject, the rights of the deceased as set out in this notice, which the data subject enjoyed during his or her lifetime, may be exercised by a person authorised by the data subject by means of an administrative arrangement or a declaration in a public or private document of full probative value made to the controller, or, if the data subject made several declarations to a controller, by a declaration made at a later date. If the data subject has not made a corresponding declaration, his or her close relative within the meaning of Act V of 2013 on the Civil Code may, even in the absence of such a declaration, exercise the rights under Articles 16 (right of rectification) and 21 (right of access) of the Regulation. (right to object) and, where the processing was unlawful during the lifetime of the data subject or the purpose of the processing ceased to exist upon the death of the data subject, to exercise the rights of the deceased during his or her lifetime under Articles 17 (right to erasure) and 18 (right to restriction of processing) of the Regulation within five years of the death of the data subject. The right to exercise the rights of the data subject under this paragraph shall be exercised by the next of kin who first exercises that right.

IV. RIGHT OF REDRESS IN RELATION TO DATA PROCESSING

In order to exercise his/her right to judicial remedy, the data subject may bring an action against the Controller if he/she considers that the Controller or a processor or a joint controller acting on our behalf or at our instructions is processing his/her personal data in breach of the requirements laid down by law or by a binding legal act of the European Union for the processing of personal data. The court will decide the case out of turn. The Tribunal has jurisdiction to hear the case. The lawsuit may also be brought before the court of the place of residence or domicile of the data subject or the court of the seat of the Data Controller (Metropolitan Court), at the choice of the data subject.

Anyone may initiate an investigation against the Data Controller by filing a complaint with the National Authority for Data Protection and Freedom of Information (NAIH), alleging that the processing of personal data has resulted in a violation of rights or an imminent threat thereof, or that the Data Controller is restricting the exercise of his or her rights in relation to the processing or is refusing to grant such rights. The notification can be made using one of the following contact details:

National Authority for Data Protection and Freedom of Information (NAIH)

Postal address: 1363 Budapest, Pf. 9.

Email: ugyfelszolgalat@naih.hu

URL: http://naih.hu

Budapest, April 24th, 2024.