Privacy Policy
The Privacy Notice of
penzmuzeum.hu/en
1. General data protection notice of MNB-EduLab Nonprofit Kft.
General data protection notice of MNB-EduLab Nonprofit Kft.
MNB-EduLab Nonprofit Kft. (hereinafter referred to as EduLab or Controller) processes personal data obtained or recorded by it in the course of its activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Directive 95/46/EC (hereinafter referred to as the GDPR) and Act CXII of 2011 on the right to self-determination and freedom of information (hereinafter referred to as the Infotv.).
Purpose and scope of the information notice:
The purpose of this information notice is to set out the data protection and data processing principles and data protection and data processing policy applied by EduLab, which EduLab, as data controller, recognises as binding upon itself, and to provide information on the data processing carried out by EduLab – excluding certain employer data processing – on the rights related to data processing and on the possibilities for legal remedy.
By publishing this notice, EduLab, as data controller, informs data subjects about general information related to the processing of personal data.
Data controller:
MNB-EduLab Nonprofit Kft.
Registered office: 1122 Budapest, Krisztina körút 6-8.
Customer service: 1122 Budapest, Krisztina krt. 6. tel.: (+36 80) 203-776
Data Protection Officer: Dr. Márton András Homoki
Tel.: +36 30 199 2248
Email: adatvedelem@penzmuzeum.hu
EduLab's principles of data processing:
The processing of personal data by EduLab or within the organization or systems of EduLab shall be carried out exclusively in a lawful manner, within the framework of fair procedures and in a transparent manner.
Data processing is lawful only if at least one of the conditions set out in Article 6(1) of the GDPR (legal basis) is met. The procedure is fair and transparent if the data subject is provided with easily accessible and comprehensible information about how their data is collected, used, accessed, or otherwise processed.
Personal data shall be processed for specified, explicit and legitimate purposes. Personal data shall not be processed in a manner that is incompatible with those purposes.
Data processing shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Data processing must be accurate, and inaccurate data processing must be corrected immediately, i.e., all reasonable measures must be taken to ensure that personal data that are inaccurate in relation to the purposes of the processing are erased or rectified.
Data must be stored in a manner that allows the data subjects to be identified only to the extent necessary to achieve the purpose.
When processing data, appropriate technical and organizational measures must be taken to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
2. Data Processed by the Data Controller
This section provides information on the data processing activities that may concern natural persons who contact EduLab. The relevant categories of data processing are as follows:
In order to fully access and use the services of the penzmuzeum.hu website and mobile application (hereinafter: “Website”), users of the Website (hereinafter: “User”) are required to register. The Data Controller processes the personal data provided by the User during the registration process as set out below.
2.1. Data processed during visits to the Money Museum website
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name | To enable EduLab to provide access to its online services, to make use of all functionalities available through the Website, to obtain feedback from data subjects regarding its core activities, and to ensure that all necessary information can be communicated to data subjects. In the case of technical data collected during visits to the Website, the purpose is to improve the quality of the service. | The processing of personal data is based on the User’s voluntary consent, given with full knowledge of this Privacy Notice. | For technical data collected during visits to the Website: for the period strictly necessary for the purpose, but no longer than two years. |
Email address | |||
Password | |||
In the case of group visits: job title, institution, and technical data collected during the visit |
2.2. Data Processed in Relation to the Money Museum Commemorative Coin Printing Service
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Image of the data subject (photograph) | To verify the appropriateness of the images/photos uploaded during the coin-printing process and to restrict the use of images/photos that do not meet content requirements. | The processing of personal data is based on the User’s voluntary consent, given with full knowledge of the information provided during registration. |
For images/photos that pass the content review: 30 days.
|
2.3. Use of the Chatbot
This website uses Tidio, a chat platform that connects users with the Controller's customer service. When using the chatbot, we only collect the user's name, with the User's consent, in order to start the chat. The exchanged messages and data are stored in the Tidio application.
For more information about Tidio, please click on the following link: Privacy Policy | Tidio.
The Controller uses messages or data solely to follow up on problems or questions reported by Users.
Data transfer: In order to use the chatbot application, we transfer data to Tidio Poland Sp. z o.o. (registered office: Wojska Polskiego 81, 70-481 Szczecin, Poland).
2.4. Cookie Management on the Website
For information regarding the management of cookies, please refer to the following page:
https://www.penzmuzeum.hu/en/cookie-information/
2.5. Data Processed During Money Museum / EduLab Events
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name |
The purpose of the data processing is to enable the registration required for the organisation of events, to identify the participants, and to maintain contact with the participants. |
The processing of personal data is based on the User’s voluntary consent, given in full knowledge of the information provided at the time of registration. |
For the period specified in the detailed information notice provided during registration. In the case of data used for communication purposes, for no longer than five years following the event |
Email address | |||
telephone number | |||
job title / position | |||
billing information | |||
the data subject’s image |
The taking of still and moving images; The use and publication of such still and moving images on the controller’s website, social media platforms, promotional materials and in the course of its tendering activities.
|
Until the data subject withdraws their consent to the processing of their personal data, and provided that the data subject does not request the erasure of their data, but in any event no later than three years from the date on which the Image was created |
2.6. Operation of security cameras
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
the data subject’s facial image | The purpose of the data processing is to establish the level of security required for the performance of tasks by the Money Museum as an institution, to protect the assets held at the Money Museum, and to safeguard the Museum’s property, as well as to ensure an appropriate level of occupational safety. For the protection of persons and property, the purpose is to detect violations, apprehend offenders, prevent unlawful acts, and facilitate the effectiveness of any necessary measures or investigative actions by providing access to evidence | During the operation of security cameras, the processing of personal data is based on the legitimate interests of the data controller in accordance with Article 6(1)(f) of the GDPR.
Where personal data is processed on the basis of legitimate interests, a balancing test is conducted, which involves:
- identifying and recording the legitimate interest;
- identifying and recording the interests and rights of the data subject;
- assessing the necessity and proportionality of the processing, in line with the principles of purpose limitation, data minimisation, and limited storage;
- informing the data subject about the outcome of the legitimate interests assessment.
| “For data recorded by surveillance cameras covering public areas: 3 days. For data recorded by surveillance cameras not covering public areas: 30 days. For data recorded by cameras installed in the processing rooms of the coin and banknote collection: 365 days. For data recorded by cameras operating in the research room: 365 days. If any procedural action is carried out using the recorded footage, the retention period of the data may be extended as necessary.”
|
recording of moving images |
2.7. Data processed in connection with the Money Museum/EduLab's tenders and educational activities
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name
| In the case of applications announced and scholarship programmes established by EduLab in line with its tasks, processing is carried out for the evaluation of applications, the awarding of scholarships, and, in the context of educational activities, for identification necessary to access the educational platform and for access to educational materials. | In carrying out its legally mandated tasks, EduLab processes personal data as follows: for the announcement and evaluation of applications and for the educational platform, based on the participants’ consent in accordance with Article 6(1)(a) of the GDPR; and for the accounting of paid fees, based on compliance with a legal obligation in accordance with Article 6(1)(c) of the GDPR. For registrants under the age of 16, processing is valid only with the consent of the parent or legal guardian of the data subject. | EduLab retains data in the case of study competitions until the evaluation of applications is completed, but no longer than the end of the subsequent financial year. In the case of scholarship programmes and other applications, data are retained for five years following the conclusion of the programme. For the educational platform, data are retained until consent is withdrawn. |
Place and date of birth
| |||
Address
| |||
Email address
| |||
Telephone number
|
Data transfer:
Data may be transferred to partner organizations and educational institutions as described in the program announcements.
2.8. Data processed in connection with newsletter subscription
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name
|
To send electronic newsletters from time to time regarding our services, current and upcoming exhibitions, events, and other news. | Based on the data subject’s consent in accordance with Article 6(1)(a) of the GDPR; for registrants under the age of 16, processing is valid only with the consent of the parent or legal guardian of the data subject. |
Until the data subject requests the deletion of their data or withdraws their consent. |
Email address |
For the sending of our newsletters, we use the MailChimp online newsletter service operated by The Rocket Science Group LLC d/b/a MailChimp. In this process, the name, email address, and selected newsletter list data are transferred to The Rocket Science Group LLC d/b/a MailChimp.
The Rocket Science Group LLC d/b/a MailChimp is a company registered in the United States (USA) that has incorporated into its terms and conditions the standard contractual clauses approved by the European Commission for use between data controllers and data processors. This means that the transfer of data to The Rocket Science Group LLC d/b/a MailChimp is subject to the appropriate safeguards set out in Article 46 of the GDPR.
3. Data security measures:
The Controller undertakes to ensure the security of the data and to take the technical and organizational measures and establish the procedural rules necessary to ensure that the data collected, stored and processed are protected and to prevent their destruction, unauthorized use and unauthorized alteration. The Data Processor also undertakes to require any third party to whom it transfers or discloses data with the consent of the Users to comply with the data security requirements.
The Controller shall ensure that the data processed cannot be accessed, disclosed, transferred, modified or deleted by unauthorized persons. The data processed may only be accessed by the Controller's employees and shall not be transferred to third parties who are not authorized to access the data.
The Controller shall take all reasonable steps to prevent the accidental damage or destruction of the data. The Controller shall also impose the above obligation on its employees involved in data processing activities.
Under no circumstances shall the Controller collect special data, i.e. data relating to racial origin, national or ethnic minority status, political opinions or party affiliation, religious or other beliefs, membership of interest groups, health, addictions, sex life, or criminal record.
In the event of a data breach, the Controller shall notify the supervisory authority without undue delay, but no later than 72 hours after becoming aware of the data breach, unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons. In the unexpected event that the notification is not made within 72 hours, the Controller shall also provide reasons for the delay in the notification.
Where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the data breach without undue delay.
When informing the data subject about a data breach that is likely to result in a high risk, the Controller shall:
• clearly and in an easily understandable manner describe the nature of the data breach;
• provide information on the name and contact details of other contact points where further information can be obtained;
• indicate the likely consequences of the personal data breach;
• describes the measures taken or planned by the Controller to remedy the data breach, including, where appropriate, measures to mitigate any adverse consequences of the data breach.
4. Data processor's details and contact information
The Controller shall only use data processors who provide adequate guarantees that they will comply with the provisions of the data protection legislation in force at all times, ensure the protection of the rights of data subjects and implement appropriate technical and organizational measures to protect personal data.
The following partners act as data processors for the Controller in the course of data processing:
Name: Rocket Science Group LLC (www.mailchimp.com)
Registered office: 675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, US
Scope of data transferred: name, email address
Purpose of data transfer: newsletter service provider
Name: Zengo Kft.
Registered office: 6721 Szeged, Szent István tér 10.
Scope of data transferred: name, email address
Purpose of data transfer: registration
Purpose of using a data processor: To ensure the level of security required for the Money Museum to perform its tasks as an institution and to protect the assets kept at the Money Museum and the Money Museum's property, as well as to ensure an appropriate level of occupational safety.
5. Data transfer
By accepting this Privacy Policy, the User expressly consents to the Controller transferring the data provided to service providers with whom it has a direct contractual relationship. The transferred data may only be used by the data recipients for the purpose of fulfilling their contractual obligations; they are not entitled to store the data for further use or to transfer it to third parties in any form. The purpose of data transfer is to provide personalized services to Users, to optimize the services provided to them by the Controller's partners, and to fulfill the contractual obligations of the Controller. The stored data shall not be made available to other third parties, except in cases specified by law (e.g. in the context of criminal proceedings) or for the performance of EduLab's contractual tasks.
In all cases, the specific purpose of data processing has been indicated.
6. Data Protection Officer:
The Data Protection Officer performs the following tasks:
a) provides information and professional advice to the data controller or data processor and to employees involved in data processing on data protection issues,
b) monitors compliance with the GDPR and the internal data protection policy, including the assignment of responsibilities, awareness-raising and training of employees involved in data processing operations, and related audits,
c) provides professional advice on data protection impact assessments upon request and monitors the performance of such assessments;
d) cooperates with the supervisory authority;
e) acts as the point of contact for the supervisory authority on matters relating to data processing and, where appropriate, consults with the supervisory authority on any other matter.
7. User Rights
At the User's request, the Controller shall provide information on the personal data processed by it, their source, the purpose of data processing, the legal basis, the duration of data processing and, in the case of transfer of personal data, the legal basis for data transfer and the addressee. The information may be requested by email at adatvedelem@penzmuzeum.hu or by post at the following address: MNB-EduLab Nonprofit Kft. 1122 Budapest, Krisztina körút 6., in both cases with proof of identity and the provision of a postal address. The data controller shall respond in writing within 30 (thirty) days of receiving the request.
Users are entitled to request the correction of their personal data (indicating the correct data) also at the email address adatvedelem@penzmuzeum.hu or at the postal address MNB-EduLab Nonprofit Kft. 1122 Budapest, Krisztina körút 6., in both cases with proof of identity and providing a mailing address. The data controller shall make the correction in its records without delay and notify the data subject in writing.
In addition to the above, users may request the deletion or restriction of their data at any time by sending an email to adatvedelem@penzmuzeum.hu or by post to MNB-EduLab Nonprofit Kft. 1122 Budapest, Krisztina körút 6., free of charge, without giving any reason, by providing proof of identity and their postal address. Upon receipt of the request for deletion, the Controller shall immediately ensure that the data processing is terminated and delete the User from its records.
Instead of deletion, the Controller shall restrict the processing of personal data if the User so requests. If the processing of personal data is restricted, such personal data may only be processed with the consent of the data subject, for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
If the Controller does not comply with the User's request for rectification, restriction of processing or erasure, it shall communicate the factual and legal reasons for the refusal of the request for rectification, restriction of processing or erasure in writing within 30 days of receipt of the request. In the event of a request for rectification, erasure or restriction of processing being rejected, the Controller shall inform the User of the possibility of judicial remedy and of the possibility of lodging a complaint with the National Data Protection and Freedom of Information Authority.
The User may object to the processing of his or her personal data
• if the processing or transfer of personal data is necessary solely for the fulfillment of a legal obligation incumbent on the Controller or for the enforcement of the legitimate interests of the Controller, the data recipient or a third party, except in cases of mandatory data processing;
• if the personal data is used or transferred for direct marketing, public opinion polling or scientific research purposes; and
• in other cases specified by law.
The Controller shall examine the objection within the shortest possible time after the submission of the request, but within a maximum of 15 days, decide on its merits and inform the applicant in writing of its decision. If the User does not agree with the Data Controller's decision, or if the Controller fails to meet the above deadline, the User may appeal to the court within 30 days of the notification of the decision or the last day of the deadline.
8. Legal Remedies
If you believe that the data processing did not comply with the legal requirements, you may initiate proceedings or take the matter to court.
In addition, anyone may file a complaint with the National Authority for Data Protection and Freedom of Information, claiming that their rights relating to the processing of personal data have been infringed or are at risk of being infringed.
Contact details of the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Postal address: 1363 Budapest, Pf.: 9.
Address: 1055 Budapest, Falk Miksa utca 9-11
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
9. Other provisions
This Privacy Policy is governed by EU Regulation 2016/679 (“GDPR”) and Hungarian law, in particular Act CXII of 2011 on the right to self-determination and freedom of information.
The Controller reserves the right to unilaterally amend this Privacy Policy at any time with prior notice to the data subjects.