MANAGEMENT OF PERSONAL DATA
In the course of its activities, the Curia (the Hungarian Supreme Court) is paying particular attention to the protection of personal data and compliance with mandatory legal provisions. The Curia pays close attention to fair, for all the stakeholders transparent and targeted data management, and the principles of data minimisation, accuracy, limited storage, integrity and confidentiality, as well as accountability.
Present Privacy Statement does not cover the processing of personal data by the Curia in the course of its judicial functions. [REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter: GDPR) preamble (20)]
I. The Controller
Seat: 1055 Budapest, Markó utca 16.
Correspondence address: 1363 Budapest, Pf. 35.
Central phone number: (+36-1)-268-4500
Central fax number: (+36-1)-268-4740
Requests regarding the processing of personal data: email@example.com
II. Explanatory Notes
Data subject means any natural person identified on the basis of any particular personal data and any natural person directly or indirectly identifiable;
Personal data means any information relating to a Data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Curia;
Consent of the Data subject means any freely given, specific, informed and unambiguous indication of the Data subject's wishes by which the Data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Internet protocol address means the unique network identifier used for the mutual identification of devices that use the TCP/IP network protocol required for Internet usage. All IT devices connected to the Internet have a unique IP address through which they can be identified.
Cookie is a data package (file) generated by the web content server and transferred to the web browser program. Cookies may contain information about searches made on a particular web server and information that is stored on the server. The primary purpose of using cookies is to store user profile information, which primarily saves the user's preferred settings, so that the user can access the web site in the usual manner.
Cookies are stored in a separate directory by the browser program on the devices used by the Data subject (computer, tablet, smart phone, etc.). The cookie clearly identifies the user and the device used by them connected to the Internet and makes them identifiable for the web server. The GDPR lists the cookies and other identifiers that are used by the user among personal data.
Web beacon, web bug means images not visible for the naked eye on websites or in e-mails that make it possible that the transaction carried out by the users can be tracked and measured (e.g. opening a newsletter, clicking on URLs (links), etc.). Web beacons are usually used together with cookies, which make additional information available for user profiling.
Profiling means any form of automated management of personal data by web servers, where the personal information is used to evaluate features associated with a natural person. It may contain information, findings and conclusions about the user's interests, activities on the Internet and information provided by the user. It might be beneficial to the user, as the individual websites can be displayed in a way the user prefers providing information that is likely to be of interest to the user, but it also gives opportunity to abuse (e.g. measurement of work activity, use of health or travel related information).
Objection means the statement of the Data subject objecting to the processing of their personal data.
Supervisory authority means the independent public authority created in line with Section 51 of GDPR; in Hungary this is the National Agency for Data Protection.
III. Legal grounds for processing
The provisions included in Section 6 of GDPR.
If the person discloses personal information of another person, it is their duty to acquire the prior consent of the Data subject, which is presumed to have been given by the Curia.
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
Act CXLL of 2011 on exercising autonomy and the freedom of information;
Act CLXII of 2011 on the status and remuneration of judges (hereinafter: Bjt,),
Act LXVIII of 1997 on the service status of judicial employees (hereinafter: Iasz.),
Act CLXI of 2011 on the organisation and administration of courts (hereinafter: Bszi.),
Act V of 2013 on the Civil Code (hereinafter: Ptk.),
Act C of 2012 on the Criminal Code (hereinafter: Btk.),
Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives,
Act C of 2003 on electronic infocommunication,
Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators,
Act C of 2000 on Accounting,
Act CL of 2017 on the Rules of Taxation (hereinafter: Art.),
Gov. Decree 335/2005. (XII.29.) on the general requirements of filing system of organs performing public duties,
Presidential Decree No. 14/2015. on the Code of Conduct of the Curia (hereinafter: KÜSZ.),
Instructions of the National Office for the Judiciary No. 18/2017. (XII. 20.) on the communication of the courts and the National Office for the Judiciary with the press.
IV. Aim of data processing
Chapter VIII contains the scope of the personal data to be processed, as well as the aim, legal basis and time period of data processing.
V. Data processors and those entitled to know the data
The authorised employees of the Curia are entitled to process personal data.
The Curia transfers personal data to third parties only if it is required by the law or any statutory provision or normative instrument governing public organisations based on a legal provision, or if the Data subject consented to the data transfer.
VI. Data subject's rights and possibilities for seeking legal remedy
1. Rights of the Data subject regarding data processing
- Right to be informed
The Data subject can request information from the Curia in writing using the contact details specified in Section I regarding the following:
- which personal data are processed,
- on what legal ground,
- for which purpose,
- from which source,
- for how long.
Furthermore, who does the Curia grant access to which personal data, when, based on which legal provisions or to whom did the Curia forward their personal data.
- Right to rectification
The Data subject is entitled to call on the Curia using the contact details specified in Section I to correct any incorrect data regarding the Data subject or, if it is compatible with the aim of the data processing, to amend any of their personal data (e.g. changed email address or postal address).
- Right to delete
The Data subject can call on the Curia in writing using the contact details specified in Section I to delete some of the Data subject's data. This request cannot be granted if the Curia carries out mandatory data processing required by legal provisions.
- Right to restrict
The Data subject can call on the Curia in writing using the contact details specified in Section I to blocks their personal data if one of the conditions specified in Subsection (1) of Section 18 of the GDPR is met.
- Right to object
The Data subject has the right to object to the processing of their personal data in writing using the contact details specified in Section I for reasons in connection with their own situation.
For the purpose of exercising the above rights, the Data subject may submit a written request to the Curia which will be reviewed by the Curia within 25 days of receipt, or immediately in the case of a request to correct incorrect data. If the legitimacy of the Data subject’s request is clearly established, then the Curia shall carry out the necessary measures and inform the Data subject in the same way the request was submitted (electronically or on paper). If the request cannot be granted, then the Curia decides to reject it and notifies the Data subject about the decision in the same way the request was submitted (electronically or on paper).
The personal data provided by the Data subject in the course of exercising their rights as a Data subject shall be processed by the Curia in line with their own legitimate interest in accordance with Annex 8 of the KÜSZ for the purpose of granting the request and to prove that the request was granted.
2. Data subject's legal remedies
The Data subject is entitled to request written information from the Curia or submit questions to the Curia regarding the processing of their personal data using the contact details specified in Section I. Based on the Data subject's request, the Curia shall carry out the necessary measures within 25 days or immediately in case of the request to correct incorrect data. If no measures are carried out, then within 25 days after the receipt of the request, the Curia shall inform the Data subject about the reasons why no measures will be carried out and call the Data subject's attention to the fact that they are entitled to submit a complaint to the Supervisory authority and to request a judicial review.
- Name and contact details of the Supervisory authority
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)/Hungarian National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Correspondence address: 1530 Budapest, Pf.: 5.
- Initiating court proceedings
If illegal data processing is detected, then the Data subject is entitled to contact the Supervisory authority or initiate a civil procedure against the Curia. The process is under the scope of responsibility of the Budapest Metropolitan Court (Fővárosi Törvényszék). The process may be initiated before the court where the Data subject resides or the court chosen by the Data subject.
VII. Data security measures
The Curia protects personal data by appropriate measures against accidental or unlawful destruction, loss, modification, damage, unauthorized disclosure or unauthorized access.
The Curia regulates access to personal data processed on paper and in electronic form in such a way that only the designated staff members have the right to know them in order to fulfil the purposes of data processing. The Curia has established eligibility levels for the processing of personal data, the IT systems are protected by a firewall and adequate virus protection is granted.
Access to electronically processed personal data is logged by a program and the actual access and any transfer of such data are recorded. Any data protection incidents are recorded by the Curia and are reported to the Supervisory Authority within 72 hours.
VIII. Special rules regarding the processing of certain personal data
1. Processing of personal data related to the browsing of the homepage of Curia and the use of the WiFi network, as well as the use of so-called cookies and web beacons, web bugs
When applying cookies and web beacons, the legal basis for data processing is the Data subject's consent. Personal data is usually not required to view the information on the website.
The website remembers the actions and personal settings of the Data subject for a certain period of time, so that if the Data subject visits the website of Curia again, their personal settings will be recognized by the site and the Data subject does not have to re-enter them.
With the help of the cookies, the Curia collects further information about the using habits of visitors, in order to improve user experience by developing features and services provided by the web site. Statistics on the visits of the website are analysed by the Curia using Google Analytics. For information on the protection and safety of measurement data see the following home page: https://policies.google.com/?hl=hu. You can delete or disable cookies, but in this case, some features of the site may not work properly. The information stored by cookies is only used for the purposes described herein and the Curia does not use it to determine the identity of the Data subject.
In addition to data of public interest and data the disclosure of which is provided in the law for reasons of public interest, in the course of data processing, the Curia needs the consent of the Data subject concerned to disclose information on registered personal data, unless it is required by the law. The electronic register, program system containing the personal data related to the Data subject shall not be connected with other types of or external data bases or program systems. By entering the website, a log file is made about certain parameters of the Data subject's computer or its Internet address (IP), which is for statistical purposes only.
The Curia will only disclose user data in a statistically processed form, unconnected to a unique (personal) identifier of the user.
The website of the Curia also contains links to other web pages, but the Curia does not take any responsibility for the content and operation of other websites.
Given the fact that the Internet is an open network with security risks, the Curia does not assume responsibility for damages resulting from the destruction, delayed arrival or other error of data and information transmitted in electronic form from its website. Furthermore, the Curia does not take any responsibility for damages resulting from the use of the website's information, including damages resulting from the partial or total unavailability, obsolescence or data loss of the website.
The web server and website of the Curia are provided by the Governmental Information Technology Development Agency (1027 Budapest, Csalogány u. 9-11.) within the framework of the National Information Infrastructure Development Program.
Processing of personal data made available via the WiFi network
The Curia provides free and open Internet access in its building using the service of T-Systems Hungary Ltd. (1117 Budapest, Budafoki út 56.), but does not take responsibility for the risks associated with the use of the wireless Internet service.
By connecting to the WiFi network, the Data subject expressly agrees that the Curia captures the unique MAC address of the device used by the Data subject for the duration of use.
Processing of personal data made available via electronic mail (email)
The Data subjects can communicate via the email addresses specified on the home page of Curia. In this case, the Curia processes the email address where the email was sent from.
If the email contains any personal information of another person, it is the duty of the person making such data available to acquire the prior consent of the Data subject, which is presumed to have been given by the Curia.
Processing of personal data made available on the phone
The Data subject can communicate with the Curia using the phone numbers specified on the home page of Curia. In such cases, the Curia processes the phone number where the incoming call originates from and deletes it automatically depending on the storage capacity. The Curia does not use these phone numbers to identify the Data subject. The Curia does not disclose the personal data obtained in the above manner to any third party, unless it is required by the law.
2. Processing of personal data linked to the use of the Tőry Gusztáv Legal Library.
The Legal Library can be used (the books can be used at the premises) based on the authorization of the President of the Curia and with the special permission of the head of the Library by employees of judicial bodies, lawyers, notaries, researchers, university students, etc.
Based on the consent of the Data subject, the following personal information is processed by the Curia: name, workplace (university in case of students), email address, degree, reader status, reader card identifier.
For the smooth operation of the Legal Library, the Curia processes the personal data of Data subjects in accordance with Annex 8 of the KÜSZ.
3. Data processing linked to the programmes organised by the Curia
The responsibilities of the Curia include the organization of professional and cultural programs during which the participants' personal data may need to be processed. The legal basis for the processing of personal data is the consent of the Data subject, which is considered by the Curia as granted when the Data subject signs up for the event or accepts the invitation.
At events accessible for anyone and not subject to registration, video or audio recordings might be made for documentation purposes where the Data subject might appear. These recordings may be published on the Curia's website and in its publications. The Curia creates and stores the visual and audio recordings made at the organised programme for documentation and archiving purposes. Audio and visual recordings about the Data subject are considered to be personal data processed by the Curia.
At events accessible for anyone but subject to registration, video or audio recordings might be made for documentation purposes where the Data subject might appear. These recordings may be published on the Curia's website and in its publications. The Curia creates and stores the visual and audio recordings made at the organised programme for documentation and archiving purposes. Personal data processed by the Curia are the voice and video recordings about the Data subject, their name and email address, as well as their identity document number. The Curia processes the name, email address and identity document number of the applicants to the programme in accordance with Annex 8 of the KÜSZ. The Curia creates and stores the visual and audio recordings made at the organised programme for documentation and archiving purposes.
At private events, video or audio recordings might be made for documentation purposes where the Data subject might appear. These recordings may be published on the Curia's website and in its publications. The Curia creates and stores the visual and audio recordings made at the organised programme for documentation and archiving purposes. The Curia shall store the name, workplace, position, contact details (mailing address, email address, telephone number), identity document number, place and date of birth of the participants, as well as the video and audio recordings made at the event to facilitate future communication and the organisation of programmes, as well as the documentation and archiving of the Curia's activities, while they process all the other personal data in accordance with Annex 8 of the KÜSZ.
The Curia shall store the personal data provided in paper form at a safe place for the purpose of participation in professional and cultural programmes. The Curia pays particular attention to prevent unauthorized access to personal information stored in the IT system or on paper.
If in the course of organizing professional and cultural programs, the disclosure of personal data to third parties (other courts or state institutions, hotels, cultural institutions, restaurants, etc.) becomes necessary, the Curia shall forward the personal data reasonably requested by the third party and absolutely necessary for entering the event/identification with the consent of the Data subject for a specific purpose.
4. Data processing regarding the communication with the press and other external communication
The legal basis for data processing is the compliance with the legal and other provisions regarding the contact with the media and the legitimate interest of the Curia. The purpose of data processing is to inform the public in an adequate manner.
The following data are processed: name of the media, name, phone number and email address of their representative. These personal data are processed by the Curia in accordance with Annex 8 of the KÜSZ.
5. Providing information about the electronic monitoring system
Legal basis for the data processing: Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators.
There is a camera in the Curia building in office no. 44 on the ground floor operated by the Curia, which is indicated by the warning sign displayed at the main entrance of the building.
The camera captures the images and actions of people entering the area monitored. No voice recording is made parallel to the video recording. The recordings of the camera can be monitored live by a designated law enforcement officer. The camera is continuously recording on weekdays between 07:00 and 18:00 while outside of this time frame, the camera starts recording when prompted by the motion detector.
The Curia may use the recordings for the following purposes:
- to investigate any possible non-compliance with the provisions regarding the processing of personal and special data,
- to take the necessary action in the event of a possible criminal offence or any other offence,
- to comply with requests based on legal provisions,
- to ensure that the Data subject is able to exercise their rights.
The Curia stores the recordings for three business days under the condition that they are automatically deleted after this time, unless the recordings are used for the above purposes. The Curia shall store the recordings digitally on the hard disk of a suitable IT device that is not accessible from any external network.
The President, the Vice President, the Secretary General, the Deputy Secretary-General, the Head of the Management Office and the deputy of the latter, as well as the assigned judicial personnel shall have access to the recordings for the purpose of performing their duties. Access to the recordings is facilitated by the IT Department of the Curia.
The Curia shall inform the Data subject that irrespective of Section VII of present Privacy Statement, the Data subject may request written information, the limitation of data processing and access to the recordings within 3 business days of the date when the video recording was made.
In their request the Data subject must specify the data (on which date and at what time the recording was made, how can the Data subject be identified, the manner in which the request should be granted and the reason for requesting the blocking of the video recording), based on which the Curia should take action.
Upon request by the Data subject, the Curia shall respond within 25 days at the latest. The Curia shall block the video recording for up to 30 days after receipt of the request from the Data subject and then, with the exception of statutory obligations, the blocked recording will be deleted. The Curia shall provide a copy of the recording if this does not violate any other rights of the Data subject.
6. Data processing linked to contracts entered into by the Curia
The legal basis for the data processing is compliance with the legal provisions governing the contract and the legitimate interest of the Curia. The purpose of data processing is to perform the contracts.
Personal information processed by the Curia is defined in Subsection 3 of Annex 1 of the Act on the Rules of Taxation (Art.).
The personal data provided in the course of entering into the contract shall be managed by the Curia and in line with their own legitimate interest in accordance with Annex 8 of the KÜSZ for the purpose of performing the contract and proving evidence for the performance.
There is no time limit for the processing of personal data provided in the privacy statements necessary for fulfilling the contracts entered into with a confidentiality obligation.
7. Processing of personal data in connection with applications for positions announced by the Curia
The Curia may fill their vacant judicial positions by means of tenders or advertisements.
In the case of job applications within the framework of a tender or an advertisement, the Curia as the data controller processes the personal data contained in the curriculum vitae and motivation letter of the applicant (Data subject) in paper format, in accordance with Annex 8 of the KÜSZ.
The legal basis for the processing of personal data is the consent of the Data subject, which the Curia considers to be granted when the Data subject submits their application, as well as the fulfilment of the statutory obligations of the Curia.
The Curia shall not make the data of the Data subject accessible to any third party.
IX. Amendment of the Privacy Statement
The Curia reserves the right to unilaterally amend present Privacy Statement at any time.