Data Processing Notice
Cabinet Office of the Prime Minister (registered seat: 1014 Budapest, Színház u. 1., tax number: 15833167-2-41), as the data controller (hereinafter: Data Controller) of the website available under the domain name www.miniszterelnok.hu (hereinafter: Website), hereby publishes the rules, data protection and data processing principles and information on data processing for visitors to the Website and users of the services available on the Website (hereinafter collectively: Data Subject).
In the context of the processing of data, the Data Controller hereby informs the Data Subjects of the personal data it processes on the Website, of its principles and practices applied to the processing of personal data, and of the ways and means of exercising the rights of the Data Subjects.
By voluntarily using the Website and in accordance with this Data Processing Notice, the Data Subject accepts the Data Processing Notice and consents to the processing of data necessary for the purposes set out in this Notice.
1. Applicable laws and definitions
1.1. Applicable laws:
The key laws governing the Data Controller’s data processing are the following.
— Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation or GDPR),
— Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Privacy Act).
Terms used in this Data Processing Notice and not specifically defined below have the meaning given to them in the GDPR.
— ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
— ‘personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
— ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
— ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
— ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
— ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
— ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
— ‘consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
— ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
— ‘data transfer’ means the making available of data to a specified third party.
If there is a change in any of the definitions, the Data Controller shall notify the Data Subjects thereof within the framework of this Data Processing Notice, with the understanding that in the absence of such change, the definition under the GDPR shall prevail.
2. Data of the Data Controller
|Name:||Cabinet Office of the Prime Minister|
|Registered seat:||1014 Budapest, Színház u. 1.|
|Registration number (PIR):||833163|
|Data Processing Notice:||https://kormany.hu/sutikezelesi-tajekoztato.pdf|
|Data Protection Officer of the Cabinet Office of the Prime Minister:||Dr. Kovács Péter|
|Email address of the Data Protection Officer:||firstname.lastname@example.org|
|Mailing address of the Data Protection Officer:||1357 Budapest, Pf.: 1.|
3. Legal ground of processing
3.1. Data Subjects can provide information and data about themselves in two ways on the Website:
— Personal data explicitly provided or made available when using the services of the Website.
— Information provided to the Data Controller in connection with the use of the Website, in connection with the visit to the Website and its use (see Section 3.2).
3.2. The legal ground for the processing is Article 6(1)(a) of the GDPR, i.e. the Data Subject’s voluntary consent.
The Data Subject has the right to withdraw his or her consent in writing from the Data Controller via one of the contact details provided in Section 10.1 or to request the erasure of his or her data.
4. Scope and source of personal data processed
4.1. This table summarises the reasons for the processing of the Data Subject’s personal data, the purposes for which they are processed, the duration of the processing and how the Data Subject can give his or her consent to the processing of his or her data.
|Title of processing|
Scope of data processed
Duration of processing
Purpose of processing
Legal ground of processing
How consent is given
The Data Controller shall process the data until the purpose of the processing persists or the Data Subject’s consent is withdrawn.
Contacting the Data Subject, if he or she contacts the Data Controller through the Website.
The purpose of the data processing in this case is therefore to reply and to make contact at a later stage in order to send or provide information.
Voluntary consent of the data subject.
By clicking on the “Contact Us” tab in the pop-up window and ticking the box to indicate consent to data processing.
The Data Controller shall process the data until the purpose of the processing persists or the Data Subject’s consent is withdrawn.
Building and maintaining the newsletter database, registering and differentiating the Data Subjects in it, keeping contact and managing other mailings, informing about updates.
Voluntary consent of the data subject.
Acceptance of the consent to data processing by placing a tick in the appropriate box when subscribing to the newsletter.
4.2. The Data Controller shall not and may not use the personal data provided for purposes other than those set out above. The disclosure of personal data to third parties or public authorities, unless otherwise required by law, is possible with the prior explicit consent of the Data Subject.
4.3. In all cases where the Data Controller intends to use the data provided for purposes other than those for which they were originally collected, the Data Controller shall inform the Data Subject thereof and obtain his or her prior explicit consent or provide him or her with the opportunity to prohibit such use.
4.4. The Data Controller shall process the personal data until the purpose of the processing persists (at the end of which period the data relating to and provided by the Data Subject shall be deleted) or until the Data Subject requests the erasure of his/her data or withdraws his/her consent, which shall also lead to the erasure of the data.
5. Data processing related to the data of contact persons
5.1. The Data Subject may request the erasure of his or her data by the Data Controller at any time in connection with the contact by sending an email (email@example.com) or by post (1014 Budapest, Színház u. 1.). The data shall be erased within a maximum of one month from the date of receipt of the request, and the erasure shall be notified in accordance with the provisions of this Data Processing Notice.
6. Data collected in connection with the use of the Website
6.1. Cookie Notice
You can access the website’s Cookie Notice by clicking on the link below:
7. Data processing related to newsletter sending
7.1. In connection with the newsletter, the Data Subject may at any time request the erasure of his/her data by the Data Controller by email (firstname.lastname@example.org) or by post (1014 Budapest, Színház u. 1.). Data shall be erased as soon as possible, but no later than one month after receipt of the Data Subject’s request, and the erasure shall be notified in accordance with the provisions of this Data Processing Notice.
7.2. The Data Subject may unsubscribe from the newsletter by clicking on the unsubscribe link in any notification letter or newsletter sent to him or her.
8. Data processing
The Data Controller uses the following data processors in connection with the Website:
NISZ National Infocommunications Services Company Limited by Shares
1081 Budapest, Csokonai u. 3.
Company registration number:
Data Processing Notice:
https://nisz.hu/szolgaltatasok/ASZF (Adatkezelési tájékoztató)
Hosting service and website maintenance
TRITON Communications Szolgáltató Korlátolt Felelősségű Társaság
TRITON Communications Kft.
1123 Budapest, Nagyenyed utca 16.
Company registration number:
Website development and maintenance and content management.
The Data Controller uses the following data processor in connection with the Website:
We Talk Digital Korlátolt Felelősségű Társaság
We talk Digital Kft.
7090 Tamási, Szabadság utca 62. II. emelet 13.
Company registration number:
Data Processing Notice:
Social media platform manager (uploading content provided by the data controller to social media sites); Website manager
The Data Controller reserves the right to involve additional data processors, sub-processors in the future, of which it will inform the Data Subjects by amending this Notice.
9. Data transfer
The Data Controller shall disclose the Data Subject’s personal data to third parties if required by law or, in the absence thereof, only with the Data Subject’s explicit consent and subject to appropriate data security requirements.
10. Rights of the Data Subject
10.1. Means of redress
The Data Subject may exercise his or her rights by sending a request by email or by post to the contact details provided in this Section.
Data Subjects may exercise their rights by using the following contact details:
Cabinet Office of the Prime Minister
1014 Budapest, Színház u. 1.
The Data Subject may exercise the rights listed in Sections 10.3. to 10.7. of the Data Processing Notice only after having been properly identified. If the request is not made by the person entitled to make the request, or if the requesting party cannot be identified as the data subject, the Data Controller shall reject the request.
Where the Data Subject’s request is manifestly unfounded or excessive (in particular in view of its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to act. The burden of proof lies with the Data Controller.
10.2. Time limits for the execution of the request by the Data Subject
The Data Controller shall inform the Data Subject of the measures taken without undue delay, but in any event within a maximum of 1 (one) month of receipt of any request pursuant to Section 10. The date of receipt of the request does not count towards the time limit. If necessary, the Data Controller may, taking into account the complexity of the request and the number of requests, extend this time limit for a further two months. The Controller shall inform the Data Subject within one month of receipt of the request, stating the reasons for the delay. If the Data Subject has submitted the request by electronic means, the Data Controller shall provide the information by electronic means, unless the Data Subject requests otherwise.
10.3. Right to information and access
The Data Subject has the right to access his or her personal data held by the Data Controller and information relating to their processing, to request such information at any time, to check what data the Data Controller holds about him or her, and to have access to the personal data. The Data Subject shall submit his or her request for access to the data to the Data Controller in writing and the Data Controller shall provide the requested data in writing (electronically or by post), without providing any oral information in this context.
In case of exercise of the right of access, the information shall include the following data:
— the scope of the data processed: name, email address, depending on the service used,
— the purpose, time and legal grounds of the processing in relation to the scope of the data processed,
— data transfer: to whom the data have been or will be transferred,
— indication of the data source.
The Controller shall provide the Data Subject with a copy of the personal data free of charge for the first time. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject requests a copy electronically, the Data Controller shall provide the information to the Data Subject by email in a commonly used electronic format.
10.4. Right to rectify or supplement
Upon the Data Subject’s request (by sending a supplementary statement), the Data Controller shall, without undue delay, rectify inaccurate personal data specified by the Data Subject in writing or complete the incomplete data with the content specified by the Data Subject. The Data Controller shall inform any recipient to whom it has disclosed the personal data of the rectification or supplementation, unless this proves impossible or involves a disproportionate effort. It shall inform the Data Subject of the data of these recipients if he or she so requests in writing.
10.5. Right to restriction
The Data Subject shall have the right, upon written request, to obtain from the Data Controller the restriction of processing if:
— The Data Subject contests the accuracy of the personal data, in which case the restriction applies for the period of time that allows the Data Controller to verify the accuracy of the personal data,
— the processing is unlawful and the Data Subject opposes the erasure of the data and instead requests the restriction of their use,
— The Data Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims,
— The Data Subject objects to the processing, in which case the restriction applies for the period until it is established whether the legitimate grounds of the Data Controller override those of the Data Subject.
The Data Controller shall inform the Data Subject at whose request the processing has been restricted in advance of the lifting of the restriction of processing.
10.6 Right to erasure (right to be forgotten)
At the request of the Data Subject, the Data Controller shall erase the personal data concerning the Data Subject without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Controller; (ii) the Data Subject withdraws his or her consent on the basis of which the data are processed and there is no other legal grounds for the processing; (iii) the Data Subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for the processing; (iv) The Data Subject objects to the processing of personal data relating to him or her for direct marketing purposes, including profiling, where it is related to direct marketing; (v) the personal data are unlawfully processed by the Data Controller; (vi) the Personal Data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR; (vii) the personal data shall be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject.
The Data Subject may withdraw his or her consent at any time via any of the contact details provided in this Data Processing Notice, in which case his or her personal data will no longer be processed by the Controller for that purpose. Withdrawal of consent does not affect the lawfulness of the processing that took place before consent was withdrawn.
The Data Subject may not exercise his or her right to erasure or to be forgotten if the processing is necessary (i) for the exercise of the right to freedom of expression and information; (ii) on grounds of public interest in the field of public health; (iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the exercise of the right to erasure would make such processing impossible or seriously impair it; or (iv) for the establishment, exercise or defence of legal claims.
10.7 Right to data portability
Data portability allows the Data Subject to obtain and further use his or her “own” data in the Data Controller’s system for his or her own purposes and through different service providers. In all cases, the right is limited to the data provided by the Data Subject, there is no possibility to carry other data (e.g. statistics, transaction data, etc.)
The Data Controller shall, at the request of the Data Subject, disclose personal data relating to him or her which have been made available to the Data Controller:
— in a structured, widely used, machine-readable format, and
— is entitled to transfer them directly to another controller at the Data Subject’s request.
The Data Controller shall comply with a request for data portability only on the basis of a request sent by email or post. In order to comply with the request, the Data Controller is required to make sure whether the Data Subject who is entitled to exercise the right is indeed the Data Subject who wishes to exercise it. This requires the Data Subject to provide in his or her request the data that allow him or her to be identified. These data include at least: name, email address, telephone number. In the context of this right, the Data Subject may only request the portability of the data that he or she has directly provided in the course of using certain services as described in this Data Processing Notice. The exercise of this right does not automatically entail the erasure of the data from the Data Controller’s systems, therefore the Data Subject may continue to use the Data Controller’s services after exercising this right. Data will only be erased if the Data Subject explicitly requests it.
10.8 Right to complain and redress
Where the Data Subject considers that the Data Controller has infringed the applicable data protection requirements in the processing of his or her personal data, then
a) he or she may lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1374 Budapest, Pf.: 603., email: email@example.com, website: www.naih.hu), or
b) he or she has the right to apply to courts, which will rule on the matter out of turn, in order to protect his or her data. In this case, the Data Subject is free to decide whether to bring an action before the courts having jurisdiction for the place of his or her domicile (permanent address) or residence (temporary address) or the place where the Data Controller is established. He or she can find the court having jurisdiction in his or her place of domicile or residence at http://birosag.hu/birosag-kereso. For the registered seat of the Data Controller, the Budapest-Capital Regional Court has jurisdiction.
11. Handling personal data breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Data Controller shall keep records for the purposes of monitoring the measures taken in relation to the personal data breach, informing the supervisory authority and informing the Data Subject, including the scope of the personal data affected by the breach, the number and type of data subjects, the date of the breach, the circumstances, the effects and the measures taken to remedy the breach. Where the Data Controller considers that a data breach poses a high risk to the rights and freedoms of data subjects, the Data Controller shall inform the Data Subject and the supervisory authority of the data breach without undue delay, but within a maximum of 72 (seventy-two) hours.
The Data Controller is not responsible for the content, data and information protection practices of external websites accessible from the Website as a jump point. If the Data Controller becomes aware that the linked page or linking violates the rights of third parties or the applicable legislation, the link will be removed from the Website without delay.
13. Data security measures
The Data Controller undertakes to ensure the security of the data, to take technical and organisational measures and to establish procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require all third parties to whom it transfers or discloses data on the basis of the Data Subject’s consent to comply with data security requirements.
The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or erased by unauthorised persons. Only the Data Controller, its employees and its data processor(s) may access the processed data, and the Data Controller shall not disclose them to third parties not entitled to access the data.
The Data Controller shall make every reasonable effort to ensure that the data are not accidentally damaged or destroyed. The above commitment is also required by the Data Controller for its employees involved in the processing activities.
The Data Subject acknowledges and accepts that in the event of providing his or her personal data on the Website, despite the fact that the Data Controller has state-of-the-art security measures in place to prevent unauthorised access or disclosure, the data cannot be fully protected on the Internet. In the event of unauthorised access or disclosure despite our efforts, the Data Controller shall not be liable for any such acquisition or unauthorised access or for any damage suffered by the Data Subject as a result thereof. In addition, the Data Subject may also provide his or her personal data to third parties who may use it for unlawful purposes or in unlawful ways.
Under no circumstances will the Data Controller collect sensitive data, i.e. data revealing racial or ethnic origin, membership of national or ethnic minorities, political opinions or party affiliations, religious or philosophical beliefs, membership of representative associations, health, pathological addictions, sex life or criminal records.
14. Social media
In connection with the Website, the Data Controller actively uses the social media sites indicated below, with the understanding that the Data Controller does not process personal data in connection with these activities. At the same time, regarding the management of the following social media sites, the Data Controller draws attention to their data processing notices:
— Meta (Facebook): https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer
— Meta (Instagram): https://www.facebook.com/help/instagram/155833707900388/
— Tiktok: https://www.tiktok.com/legal/page/eea/privacy-policy/hu-HU
— Twitter: https://help.twitter.com/hu/rules-and-policies/twitter-rules
— YouTube: https://policies.google.com/privacy?hl=hu
— Pinterest: https://policy.pinterest.com/hu/privacy-policy
15. Other provisions
The Data Controller shall inform the Data Subjects of any amendments to this Data Processing Notice on the www.miniszterelnok.hu Website and also publish the amended Notice there.
This Data Processing Notice shall enter into force on 16 January 2023.