in effect from 15th March 2019

 

KRS Events Kft. operates the website  www.classic-days.hu (hereinafter referred to as the: „Website”), and shall be considered as the controller (hereinafter referred to as the “Controller”). The Controller operates the online regsitration process on the Website, with regards to the prevailing regulations on data protection – particularly the Act CXII. of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as: „Information Act.”)  and Regulation No. 2016/679/EU of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). The Controller processes the data of the Data Subjects confidentially, and ensures the safety of such data by taking all necessary technical and organizational measures and implement such procedural rules that ensure the compliance with the GDPR and other data-, and confidentiality regulations.

 

1. The Controller: KRS Events Kft. (1121 Budapest, Zugligeti út 41., tel: +36 1 275 2785, e-mail:, krs@classic-days.hu, web: classic-days.hu, a hereinafter referred to as „Controller”)

 

2. Scope of data processed, purpose, duration

 

The Data Subject may use the Services offered by the Controller by filling out the application form on the Website.

 

The Controller does not process sensitive data.

 

 

Activity	Data Subject	Processed data	Purpose	Duration	Legal Basis
A. Acquiring contact data, keeping contact, online registration	a)      applicant (driver), b)     navigator, c)      contact person	a)       name, telephone number, e-mail address of the applicant (driver) b)       name, telephone number, e-mail address of the c)       e-mail address of contact person d)       communication language	identification of the Data Subject and keeping contact	until the time the consent is withdrawn, but the Controller will erase data after 5 years according to Section 22 of Book 6 of the Civil Code.	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject
B. Submitting data of the vehicle	owner and the recognizable people on the photo of the vehicle	e)       vehicle data (automotive brand, model, license plate number, year of manufacturing, engine cylinder volume, fuel, engine power) f)        vehicle history, g)       photo of the vehicle h)       facial image of the recognizable people on the photo of the vehicle	identification of the vehicle, publishment of the vehicle photo on the Website and KRS Classic Days’ Facebook page	until the time the consent is withdrawn, but the Controller will erase data after 5 years according to Section 22 of Book 6 of the Civil Code.	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject
C. Ordering the service	customer	a)       billing name b)       billing data (city, zip code, street and address)	identification of the customer, providing service, documentation of the purchase and the payment, issuing invoice	The Controller will erase data after 5 years according to Section 22 of Book 6 of the Civil Code. In case the Controller is obligated to hold on to the data according to the Act on Accounting, it will erase them only after 8 years after issuing the invoice, regardless of the consent of the Data Subject.	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject  and Section b) of Paragraph 1 of Article 6 of the GDPR, performance of a contract
D. Making photo and video footage of the event	applicant, navigator, passenger(s)	photo and video footage of the event	Publishing on the Website www.classic-days.hu and KRS Classic Days Facebook page for promotion purposes	The Controller will erase the data 5 years after publishment on the Website and KRS Classic Days Facebook page, or within 48 hours upon request of the Data Subject.	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject
E. Customer Service	Anyone who sends personal data to the contacts on the Website	personal data sent to the contacts on the Website (e-mail address, name, address (country,city, zip code, street and address), telephone number) and other personal data received by e-mail, along with the further circumstances of the matter	Investigation and documentation of the matter, or documentation of the telephone conversation with the customer service in order to keep record of the questions and notes regarding the Controller’s activity. E-mail communication will be archived, thus in case any questions or disputes the original information will be accessible, and the Controller may get in contact with the Data Subject regarding the matter.	until the time the consent is withdrawn, but the Controller will erase data 5 years after the e-mail inquiry to the Customer Service or the telephone conversation, according to Section 22 of Book 6 of the Civil Code. In case the Controller is obligated to hold on to the data according to the Act on Accounting, it will erase them only after 8 years after after the e-mail inquiry to the Customer Service or the telephone conversation, regardless of the consent of the Data Subject	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject, Section b) of Paragraph 1 of Article 6 of the GDPR, performance of a contract, Section c) of Paragraph 1 of Article 6 of the GDPR, compliance with a legal obligation to which the Controller is subject to, and Section 17/A of the Act CLV of 1997 on the Consumers’ rights
F. Complaint management	Consumer	a) name and address of the consumer b) place,time and method of the complaint c) detailed report of the consumer’s complaint, note of the documents and other evidence presented by the consumer d) the Conroller’s statement on the consumer’s complaint, in case an imminent investigation is possible, e) signature of the minutes taker and the consumer (except in case the complaint was submitted by e-mail or telephone) f) date and time of the minutes, g) identification number of the complaint	Investigation and documentation of the matter, or documentation of the telephone conversation with the customer service, or documentation of the entry in the Complaints Book, in order to keep record of the questions and notes regarding the Controller’s activity. Communication will be archived, thus in case any questions or disputes the original information will be accessible, and the Controller may get in contact with the Data Subject regarding the matter.	The Controller has to hold on to the minutes of the complaint and the copy of the given response for 5 years, and has to be able to present them to the competent authority upon request. In case the Controller is obligated to hold on to the data according to the Act on Accounting, it will erase them only after 8 years after submitting the complaint, regardless of the consent of the Data Subject.	Section a) of Paragraph 1 of Article 6 of the GDPR, consent of the Data Subject, Section b) of Paragraph 1 of Article 6 of the GDPR, performance of a contract, Section c) of Paragraph 1 of Article 6 of the GDPR, compliance with a legal obligation to which the Controller is subject to, and Section 17/A of the Act CLV of 1997 on the Consumers’ rights

 

 

 

3. Profiling

 

The Controller does not perform profiling activity. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

4. Persons accessing the personal data

 

The data is accessible to the employees of the Controller and the data processors nominated in this Privacy Policy, in order to perform their tasks. For example, the nominated data processors may have access to the data in order to perform services, handle specific matters and processing data.

 

5. Transfer of personal data

 

The data of the Data Subject shall not be transferred to a third party aside from those set forth in Section 4. Transfer of data shall only happen to third persons or designated parties in case we notify the Data Subject in advance of the designated party and subsequently the Data Subject approves, or in case the prevailing laws allow such transfer. The Controller does not transfer personal data to third countries or international organizations.

 

6. Links to social media providers, social media browser extensions:

 

The Controller’s Website has direct links to the Facebook website. In such a case, the data will only be transferred to the aforementioned social media operators, in case You click on the given icon (in case of Facebook, on the ’f’ icon). When you click on the given icon, the corresponding social media operator’s site opens in a pop-up window. On these websites, You may publish information on our operation according to the terms of the given social media operator. For further information: https://hu-hu.facebook.com/privacy/explanation

 

7. Security of personal data:

 

The Controller shall ensure the safety of personal data by taking all necessary technical and organizational measures and implement such procedural rules that ensure that the recorded, stored, and processed data is protected, and can not be destroyed, misused or wrongfully altered. The Controller calls to the attention of the third parties who have access to the Data Subjects’ data to comply with the requirement of personal data security.

The Controller ensures that the processed data can not be accessed, disclosed, transferred, altered, or deleted by unauthorised personnel. The Controller shall use its best endeavours to prevent the destruction or damage of the data. The undertakings above are mandatory also to the employees of the Controller involved in the processing of the data and the data processors acting on behalf of the Controller.

The Controller’s computer systems and electronic data storages are located on the computers at 41. Zugligeti út, 1121 Budapest.

In order to ensure the security of the personal data and to prevent unauthorised access to it, the Controller takes the following measures: the access to the server and the computers is password-protected. In case the data is stored on paper, the data storage is placed in a sealed locker, only accessible to the personnel to whom it is necessary with regards to their job description and tasks.

 

8. Notifying the Data Subjects of the personal data breach

 

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the Data Subject without undue delay. The communication to the Data Subject shall not be required if any of the following conditions are met:

1. the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
2. the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects referred to in paragraph 1 is no longer likely to materialise;
3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
4. Information regarding Data Subjects’ rights

 

Beyond the rights set forth in connection with the use of the recordings, the Data Subjects may exercise the following rights regarding the data processing described in this document:

 

Right to information and right of access by the Data Subject:

The Data Subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

1. a) the purposes of the processing;
2. b) the categories of personal data concerned;
3. c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
6. f) the right to lodge a complaint with a supervisory authority;
7. g) where the personal data are not collected from the Data Subject, any available information as to their source;
8. h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where personal data are transferred to a third country or to an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.

The right to obtain a copy referred to in the previous paragraph shall not adversely affect the rights and freedoms of others.

The rights above may be exercised through the contacts listed in Secion 1. above.

Right to rectification

The Controller shall rectify the inaccurate personal data of the Data Subject upon his or her request without undue delay. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to, upon request, obtain the erasure of personal data concerning him or her from the Controller without undue delay, where one of the following grounds applies:

1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. b) the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or the processing is used for direct marketing purposes;
4. d) the personal data have been unlawfully processed;
5. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
6. f) the personal data have been collected in relation to the offer of information society services.

The right of erasure shall may not be exercised to the extent that processing is necessary:

1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest;
3. for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional, and these data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
4. for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject, in particular professional secrecy;
5. for reasons of public interest in the area of public health and these data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
6. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right to erasure would probably seriously risk or make impossible such data processing; or
7. for the establishment, exercise or defense of legal claims.

Right to restriction of processing

Upon Data Subject’s request, the Controller restricts the processing of Data Subject’s personal data where one of the following applies:

 

1. the accuracy of the personal data is contested by the Data Subject, in this case the restriction is for a period that enables the Data Subject to verify the accuracy of the personal data;
2. the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. The Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims;
4. the Data Subject has objected to the Controller’s processing pursuant to public interest or compelling legitimate grounds, in this case the duration of the restriction is for the time period needed for the verifying whether the legitimate grounds of the controller override those of the Data Subject.

Where processing has been restricted for the aforementioned reasons, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A Data Subject who has obtained restriction of processing pursuant to the aforementioned reasons shall be informed by the Controller before the restriction of processing is lifted.

 

Right to data portability

 

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:

1. the processing is based on consent pursuant to contract; and
2. the processing is carried out by automated means.

 

In exercising his or her right to data portability pursuant to the aforementioned, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

 

The exercise of the right to data portability shall be without prejudice to the right to erasure (‘to be forgotten’). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

The right to data portability shall not adversely affect the rights and freedoms of others.

 

Right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the Controller’s processing of personal data concerning him or her where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions.In this case, the Controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.

 

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

 

Where personal data are processed for scientific or historical research purposes or statistical purposes, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

Right to withdraw consent

The Data Subject shall have the right to withdraw his or her consent at any time if the Controller’s data processing is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

Modalities in case of request by the Data Subjects on the exercise of the aforementioned rights

The Controller shall provide information on action taken on a request to the Data Subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

 

The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

 

If the Controller does not take action on the request of the Data Subject, the controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

The Controller shall provide the requested information and notification free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

 

The Controller shall inform every such recipient of personal data, with whom personal data was shared, of all modification, erasure, or data processing restriction, unless this proves to be impossible, or requires an unreasonably large effort. Upon request of the Data Subject, the Controller shall inform him/her of these recipients.

 

10. Data Processing

 

The Controller hereby notifies Data Subjects that relating its activity it has entered into a processing contract with the data processors described herein. The data processor does not make decisions on its own since it is only entitled to act as set forth in the processing contract and according to the instructions received. The Controller controls the works of the data processor. The data processor may only involve further data processors with the prior written consent of the Controller.

 

Data processor	Personal data accessible to the data processor Methods of use of the given personal data (the task performed for the Controller)	Duration of processing

 

The data processor does not make decisions on its own since it is only entitled to act as set forth in the processing contract and according to the instructions received.

 

11. Personal data of minors and third persons

 

Persons below 16 years of age are not allowed to provide their personal data without the consent of the person exercising parental authority over them. By providing the personal data, the parent, as Data Subject, represents and warrants that he/she is aware of the provision above and his/her legal capacity is not restricted regarding the provision of the information.

 

In case You are not entitled to lawfully provide any personal data (including the facial image of the persons on the photo of the vehicle), You must obtain the consent of the third person involved (such as legal representative, guardian, other person – e.g. a consumer – you are acting on behalf of), or provide other legal basis to provide the data. In context to this, You shall determine if the providing of given personal data shall be subject to consent of a third person. The Controller may not get in personal contact with You, thus You shall ensure the compliance with this provision, and the Controller shall not be held liable in any means regarding this matter. Regardless, the Controller is entitled to check the legal basis of processing any personal data at any given time. For example, in case You are acting on behalf of a third person – e.g. a consumer – we are entitled to ask for Your authorisation given by the person providing the data or for the consent of the Data Subject to process his or her data regarding the case.

The Controller will use its best endeavours to erase all unlawfully provided personal data. The Controller ensures, that if it becomes aware of such, the personal data involved shall not be transferred and shall not be used by the Controller. In case You become aware of the fact that a third person unlawfully provided Your personal data to the Controller, please notify us without delay on the contacts listed in Section 12.

 

12. Contacts

 

If you have questions or requests regarding your personal data stored in the system and their processing, you may send them to krs@classic-days.hu , or in writing to our address 41. Zugligeti út, 1121 Budapest. Please take note that – in your best interest-  regarding your personal data we are only able to give any information or take any action, in case you credibily verified your indentity.

 

13. Legal remedies

 

1. a) The Controller answers enquiries regarding questions and comments on data processing at the contacts listed in Section 1. of this Policy.
2. b) The Data Subject may initiate an investigation by The National Data Protection and Freedom on Information Authority (mailing address: 1530 Budapest, Pf.: 5., phone: +36-1-391-1400, e-mail: ugyfelszolgalat@naih.hu, web: naih.hu) with reference to infringement or imminent threat of infringement of personal data rights; and
3. c) In case of infringement of the Data Subject’s rights, the Data Subject may seek judicial remedies against the Controller. The court handles the case with priority. The Controller has the burden to prove that processing of the data was in accordance with the law. The Tribunal courts have jurisdiction over data infringement cases. Legal proceedings may also be brought before the court where the Data Subject has domicile or residence.