Data Protection Statement
ECIIA 2024 CONFERENCE
Introduction
ETK Service Provider Ltd. (hereinafter referred to as the “Controller”) will organize the “Solve The Puzzle – ECIIA Conference – International Internal Audit Conference” on 26-27 September 2024.
The Data Controller is committed to protecting the rights of persons associated with the organization, in particular to respecting and actively promoting the exercise of individual rights and rights to the protection of personal data, and to safeguarding business secrets.
The Data Controller reserves the right to unilaterally amend this Privacy Notice. In particular, this Privacy Notice may be amended if necessary due to changes in legislation, the practices of data protection supervisory authorities, newly identified security risks or other changes.
No transfers outside the EEA will take place in the course of this processing. No automated decision-making or profiling is performed by the Data Controller.
The identity and the contact details of the controller
Name of the controller: ETK Service Provider Ltd. (hereinafter referred to as “the Controller”)
Headquarters: 1149 Budapest, Angol u 34.
Tax number: 12362389-2-42
Website: http://etk-rt.hu
Conference website: https://eciiaconference2024.iia.hu
Phone number: 1/222-40-43
Representative: Tamás Miskolczi, President
The controller is not obliged to appoint a DPO under Article 37 of the GDPR.
Designated contact person for data protection matters:
Name: Tamás Miskolczi
E-mail address: miskolczit@etk-rt.hu
Processing the data of individuals attending the conference
Purposes of data processing
| The purposes of the processing for which the personal data are intended | – Identification of conference participants- Send conference participants the technical information they need to participate- Proof of performance of contractual obligations related to the conference |
- Data subjects and scope of personal data processed
| The data subjects concerned by this processing: | Individuals attending the conference |
| The categories of personal data concerned: | Last name, first name, billing address (company name, country/region, postcode/zip, town/city, country), phone, e-mailThe data is entered at the registration form |
- Legal basis for processing
| The legal basis for this processing is: | Performance of a contract – Article 6(1)(b) GDPR – processing is necessary for the performance of a contract. |
| Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; | Not relevant |
| Where special categories of personal data are processed, the special category of personal data: | Not relevant |
| Additional condition(s) for the processing of sensitive data under Article 9(2) GDPR: | Not relevant |
- Duration of data storage
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;: | The invoice is issued 8 years after the end of the accounting year. |
- Other conditions
| The possible consequences of failure to provide such data: | The provision of data cannot be omitted, without which it is not possible to identify and notify participants. |
- The recipients of the transfer of personal data
| The data processors used in the present processing: | MAZE Ltd. (2612 Kosd, Táncsics Mihály utca 26., tax number: 12691290-2-13) – provides the IT services necessary for the maintenance and management of the websites;Rentit Ltd. (2030 Érd, Festő utca 93. tax number: 23894930213) – Technical support for the organisation of events, providing the QR code access control system. |
| Joint controllers: | Not relevant |
| In connection with this processing, data may be regularly transferred to the following recipients: | No data transmission |
| Is there a transfer outside the EEA (if so, how do the additional conditions under Chapter V of the GDPR apply)? | No |
Processing data of representatives of organisations attending the conference
- Purposes of data processing
| The purposes of the processing for which the personal data are intended: | – Identification of conference participants- Send conference participants the technical information they need to participate- Proof of performance of contractual obligations related to the conference |
- Data subjects and scope of personal data processed
| The data subjects concerned by this processing: | Representatives of the organisations participating in the conference |
| The categories of personal data concerned:: | Last name, first name, billing address (company name, country/region, postcode/zip, town/city, country), phone, e-mail |
- Legal basis for processing
| The legal basis for this processing is: | Legitimate interest – Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. |
| Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party | The data controller has a legitimate interest in keeping a record of conference participants in order to inform participants of what they need to know, to screen out unauthorized visitors and to prove that it has fulfilled its contractual obligations in relation to the conference. |
| Where special categories of personal data are processed, the special category of personal data: | The Controller does not special category of personal data |
| Additional condition(s) for the processing of sensitive data under Article 9(2) GDPR: | Not relevant |
- Duration of data storage
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period | 8 years after the end of the accounting year in which the invoice is issued |
- Other conditions
| Possible consequences of not providing data: | The provision of data cannot be omitted, without which it is not possible to identify and notify participants. |
Registration of conference participants for information on future conferences
- Purposes of data processing
| The purposes of the processing for which the personal data are intended: | Notifying interested parties of further conferences and events |
- Data subjects and scope of personal data processed
| The data subjects concerned by this processing: | Participants at the conference |
| The categories of personal data concerned:: | Name, e-mail address, organization |
- Legal basis for processing
| The legal basis for this processing is: | Legitimate interest – Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. |
| The law governing the processing or, in the case of processing based on legitimate interest pursuant to Article 6(1)(f) GDPR, the legitimate interest underlying the processing: | The data controller has a legitimate interest in sending offers to potential customers as part of its economic activity. It is also in the interest of the data subjects to obtain timely and relevant information about the services that are relevant to them. |
| Where special categories of personal data are processed, the special category of personal data: | No special data |
| Additional condition(s) for the processing of sensitive data under Article 9(2) GDPR: | Not relevant |
- Duration of data storage
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period | 5 years from the date of the conference or until the right to object is exercised |
- Other conditions
| Possible consequences of not providing data: | No information on further events possible |
| Other conditions, with regard to Article 13(2)(e) of the GDPR | Data provision may be waived |
Recording invoices and related supporting documents
- Purposes of data processing
| The purposes of the processing for which the personal data are intended: | Meeting the legal obligation to keep invoices and supporting documents. |
- Data subjects and scope of personal data processed
| The data subjects concerned by this processing: | Buyer |
| The categories of personal data concerned:: | Mandatory data content specified in Section 169 of the VAT Act: date of issue of invoice, invoice serial number clearly identifying the invoice, name, address and tax number of the invoice issuer, name, address and tax number of the customer – domestic taxable person, name of the goods/services supplied, quantity of goods/services supplied, net unit price of the goods/services supplied (net of tax), net value of the invoice (net of tax), VAT percentage and value; supporting documents for the invoice |
- Legal basis for processing
| The legal basis for this processing is: | Legal obligation Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject. |
| The law governing the processing or, in the case of processing based on legitimate interest pursuant to Article 6(1)(f) GDPR, the legitimate interest underlying the processing: | Act CL of 2017 (Art.), § 78 (3), Act C of 2000. |
| Where special categories of personal data are processed, the special category of personal data: | No special data |
| Additional condition(s) for the processing of sensitive data under Article 9(2) GDPR: | Not relevant |
- Duration of data storage
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period: | The invoice is issued 8 years after the end of the accounting year. |
- Other conditions
| Possible consequences of not providing data: | Legal obligation to provide data |
| Other conditions, with regard to Article 13(2)(e) of the GDPR | Mandatory data reporting |
| If using Article 6(1)(b) and (c) of the GDPR, is the provision of data based on a legal or contractual obligation or a precondition for the conclusion of a contract? | Data provision is based on legislation |
Recipients of the transfer of personal data
| The data processors used for the present processing: | MAZE Ltd. (2612 Kosd, Táncsics Mihály utca 26., tax number: 12691290-2-13) – provides the IT services necessary for the maintenance and management of the websites.Rentit Ltd. (2030 Érd, Festő utca 93. tax number: 23894930213) – Technical support for the organisation of events, providing the QR code access control system.Nizsalovszky Éva e.v. (1025 Budapest Vend u. 30. Budapest, tax number: 66573012-2-41) – external accountant CREON HEROES Zrt. (8500 Pápa, Szent István út 6. Fsz., tax number: 14032868-2-19) – operation of newsletter software. |
| In connection with this processing, data may be regularly transferred to the following recipients: | Compulsory invoice data service to the National Tax and Customs Administration According to Annex 10 of Act CXXVII of 2007 on Value Added Tax (VAT Act) |
| Is there a transfer outside the EEA (if so, how do the additional conditions under Chapter V of the GDPR apply)? | No data transfers to third countries |
Rights of the data subject
The Data Controller shall facilitate the exercise of the Data Subject’s right to information pursuant to Articles 13 and 14 of the GDPR by publishing this Data Processing Statement and the specific data processing notices electronically. Current copies of the Data Processing Statement and the specific data processing notices are available in hard copy at the registered office and at the premises of the Data Controller and copies may be provided upon request.
The Data Controller shall, at the time of obtaining the personal data or when first contacting the Data Subject, provide an electronic copy of this Data Processing Statement and the specific privacy notice applicable to the processing in question or, at the Data Subject’s request, a paper copy.
In addition, Data Subjects may request detailed information about the processing of their personal data at the contact details specified in point 2 and submit requests for the exercise of their data subject rights to the same contact details.
In addition to the right to information under Article 13 of the GDPR, Data Subjects have the following rights in relation to data processing. The Data Controller shall comply with requests (provided that no extension is granted due to the complexity of the request or the number of requests) within a maximum of one month from the date of receipt of the request.
a) Right of access
On the basis of the data subject’s right under Article 15 of the GDPR, the Data Subject may request information and feedback from the Data Controller on the conditions and circumstances of the processing of his or her personal data, in particular:
- the purposes and legal basis of the processing of the Data Subject’s personal data;
- the categories of personal data concerned by the processing;
- the recipients of the personal data and the categories of recipients;
- the period for which the data relating to the personal data of the Data Subject are to be stored and the criteria for determining the retention period;
- about the data subject’s exercise of rights, legal remedies;
- whether the Data Controller carries out automated decision-making or profiling of personal data, and if so, the circumstances of such processing.
In the context of exercising their right of access, Data Subjects may, pursuant to Article 15(4) of the GDPR, request the Controller to provide them with an electronic copy of the personal data processed about them, free of charge, on one occasion.
b) Right to rectification
Pursuant to Article 16 of the GDPR, the Data Subject has the right to obtain from the Data Controller, upon his/her request, the rectification of inaccurate personal data contained in his/her personal data without undue delay and the completion of incomplete personal data.
c) Right to erasure
Pursuant to Article 17 of the GDPR, the Data Subject has the right to request the erasure of his or her data by the Data Controller in the event of withdrawal of consent, unlawful processing of data, the existence of an obligation on the Data Controller under EU or Member State law, the ceasing of the purpose of the processing, or where there is no legitimate ground for the processing in the event of the Data Subject exercising his or her right to object, or in the event of an objection to processing collected for direct marketing purposes.
The Data Controller shall not comply with a request for erasure of personal data if the personal data are required by law to be stored and the statutory data processing (data retention) period has not expired.
d) Right to restriction of processing
Pursuant to Article 18 of the GDPR, the Data Subject has the right to obtain from the Controller, at his or her request, the restriction of processing if one of the following situations applies:
- the Data Subject contests the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;
- the Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;
- -The Data Subject has objected to the processing.
e) Right to data portability
Pursuant to Article 20 of the GDPR, the Data Subject may request that the Controller provide personal data processed on the basis of the Data Subject’s consent [Article 6(1)(a) GDPR] or the performance of a contract [Article 6(1)(b) GDPR] in a structured, commonly used, machine-readable format.
If otherwise technically feasible, the Data Controller shall, at the Data Subject’s request, transfer the personal data directly to another controller designated in the Data Subject’s request.
The right to data portability under this point does not create an obligation for controllers to implement or maintain technically compatible data management systems.
In the event that the Data Subject’s right to data portability adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Data Controller shall be entitled to refuse to comply with the Data Subject’s request to the extent necessary.
The rules on the right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
f) Automated decision-making, profiling
Pursuant to Article 22(3) of the GDPR, where automated decision-making (including profiling) is carried out in relation to the processing in accordance with the specific information notice, the Data Subject may request human intervention by the Controller, may also request to express his or her views on the decision-making process and may object to the decision. Currently, the Data Controller does not perform automated decision-making, profiling.
g) Right to object
Under Article 21 of the GDPR, the Data Subject may object at any time, on grounds relating to his or her particular situation, to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller [Article 6(1)(e) GDPR] or based on the legitimate interests of the Controller [Article 6(1)(f) GDPR]. In the event of an objection, the further processing of personal data shall only take place if the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Right to administrative and judicial redress
a) Data Protection Officer
The Data Subject may at any time contact the Data Protection Officer of the Data Controller or, in the absence of the Data Protection Officer, the Data Protection Officer, using the contact details provided in point 1, if he or she has a question or complaint regarding the processing or protection of his or her personal data or the exercise of his or her rights as a data subject.
b) Right to lodge a complaint with the data protection supervisory authority
Without prejudice to any other administrative or judicial remedies, any Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information if the Data Subject considers that the Data Controller or a data processor on its behalf has committed or threatened to commit a breach of the law by its actions or omissions.
Contact details of the National Authority for Data Protection and Freedom of Information:
Head office: 1055 Budapest, Falk Miksa utca 9-11.
Address for correspondence: 1363 Budapest, Pf. 9,
Tel: 06 1/391-1400, +36 (30) 683-5969, +36 (30) 549-6838,
E-mail: ugyfelszolgalat@naih.hu,
Website: http://naih.hu/
(c) The right to an effective judicial remedy against the controller or processor
Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with the data protection supervisory authority, any Data Subject may bring an action before a court if he or she considers that his or her rights relating to the processing of his or her personal data have been infringed by the Controller or by a processor on his or her behalf.
The jurisdiction of the court of the seat of the Data Controller, i.e. the Metropolitan Court of Budapest, is competent to decide the lawsuit. The Data Subject may decide to bring the case before the court of the place of his/her residence or domicile. A list of courts is available at http://birosag.hu/torvenyszekek.