Data protection and data processing policy

Events organised by the Interreg VI-A IPA Hungary-Serbia Programme

The purpose of the present data protection and data processing policy (hereinafter referred to as
‘Policy’) is to define data protection and data processing principles related to the Lead Partner
Seminars for the 1st Call for Proposals of the Interreg VI-A IPA Hungary-Serbia Programme (2021-
2027), organised by the Joint Secretariat (hosted by Széchenyi Program Office LLC, hereinafter referred
to as ‘Company’) on behalf of the Managing Authority. The event will be held in person on the following
dates:

10 June 2024 – Subotica (SRB); 11 June 2024 – Szeged (HU)

Therefore, the data subject will be provided with adequate information of data processed by the
Company or the data processor, source of the data, purpose of the processing, legal basis for the
processing, period of processing, name and address of data processor involved by data controller,
activity of data processor related to data processing, furthermore, where personal data is transferred
the legal basis for and recipient of transfer of personal data.

Acts and their abbreviations used and considered in relation to the Policy

the Act Act CXII of 2011 on the Right of Informational Self-Determination and on
Freedom of Information
GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation)
EU Regulation REGULATION (EU) 2021/1059 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 24 June 2021 on specific provisions for the European territorial
cooperation goal (Interreg) supported by the European Regional Development
Fund and external financing instruments
REGULATION (EU) 2021/1060 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 24 June 2021 laying down common provisions on the European
Regional Development Fund, the European Social Fund Plus, the Cohesion
Fund, the Just Transition Fund and the European Maritime, Fisheries and
Aquaculture Fund and financial rules for those and for the Asylum, Migration
and Integration Fund, the Internal Security Fund and the Instrument for
Financial Support for Border Management and Visa Policy

Definitions

Definitions in the present Policy meet definitions of Article 4 of GDPR:

personal data any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person

processing any operation or set of operations which is performed on personal data or

on sets of personal data, whether or not by automated means, such as

1
 collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction

controller the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such
processing are determined by Union or Member State law, the controller or
the specific criteria for its nomination may be provided for by Union or
Member State law

processor a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller

third party a natural or legal person, public authority, agency or body other than the
data subject, controller, processor and persons who, under the direct
authority of the controller or processor, are authorised to process personal
data

Where definitions of GDPR in force are different from the definitions of the present policy, definitions
of GDPR in force shall prevail.

I. Data controller and contact details

Data controller regarding data events:

name: Széchenyi Programme Office Consulting and Service Nonprofit Limited

Liability Company (hereinafter referred to as ‘Company’)
registered office: 1053 Budapest, Szép utca 2. 4. em.
company reg. no: 01 09 916308
represented by: Áron László Szakács (managing director)
e-mail: info@szechenyiprogramiroda.hu

II. Data processor and contact details

Data protection officer designated by the Company:

name: dr. Réka Selmeczi

postal address: 1053 Budapest, Szép utca 2. 4. em.
e-mail: dataprotectionofficer@szpi.hu

III. Personal data, purpose of processing, legal basis for processing, period of processing

Personal data: name, e-mail, name of represented organisation, the audio and video of the
event that might be recorded, signature

Purpose of processing: Ensuring registration, managing contact for sending the relevant
information material and fulfilling the reporting obligations of the
Programme and the data controller

Legal basis for processing: GDPR Article 6 (1) (e)

Means of processing: electronic, on paper

2
Period of processing: for 3 years after 31st December following submitting accounts of eligible costs
related to the implementation of the Programme but latest until 31 December
2030.
IV. Principles

The Company processes personal data in accordance with principles of good faith and fair dealing and
transparency and subject to law in force and provisions of the present Policy.

The Company processes personal data only on the basis of the present Policy and for a specific
purpose(s) and does not go beyond them.

If the Company intends to use personal data for purpose(s) other than the original purpose(s), the
Company informs the data subject of such a purpose and use and obtain the previous and express
consent of the data subject (where there is no other legal basis determined by GDPR) and the Company
allows the data subject opportunity to defy the use of personal data.

The Company does not control personal data provided, person who provided the personal data, shall
be liable for adequacy.

The Company does not transfer personal data, except that the Company is entitled and obliged to
transfer or forward personal data available to and properly stored by the Company to competent
authority where transfer and forward of personal data is determined by law or legally binding order of
authority. Company shall not be liable for such a transfer or its consequences.

The Company ensures the security of personal data, takes all technical and organizational measures
and establishes rules of procedure that guarantee protection of recorded, stored and processed
personal data, and prevent accidental losses, destruction, unauthorised access, unauthorised use,
unauthorised alteration and unauthorised dissemination.

V. Rights of the data subject

The data subject may exercise right in the following ways:

- e-mail
- by post
- in person
- unsubscribe/in case of request for erasure by clicking on the link for unsubscribing on the
bottom of the newsletter

The Company draws attention to the fact that in case of data processing based on consent, data subject
is entitled to withdraw the consent at any time, however this withdrawal shall not concern the
lawfulness of data processing based on consent before withdrawal.

➢ Right of information and access to personal data

The data subject may at any time request the Company to provide information on data processed
by the Company or the data processor involved by or according to the order of the Company,
purpose of the processing, legal basis for the processing, period of processing, name and address
of data processor, activity of data processor related to data processing, the circumstances, effect
of a personal data breach, measures taken for averting personal data breach, furthermore, where
personal data is transferred the legal basis for and recipient of transfer of personal data.

In relation to the above, the data subject may request a copy of his/her processed data. In case of
an electronic request the Company executes the request first electronically (PDF format), except
where the data subject requests expressly otherwise.

3
 The Company already draws attention to the fact that if the above right of access affects adversely
the rights or freedoms of others, including in particular trade secrets or intellectual properly, the
Company may refuse the execution of the request, to the extent it is necessary and proportionate.

➢ Right to rectification and modification

The data subject may request the rectification, modification and completion of personal data
processed by the Company.

➢ Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she
has provided to the Company, in a structured, commonly used and machine-readable format and
have the right to transmit those data to another controller without hindrance from the Company.
Furthermore, the data subject has the right to have the personal data transmitted directly from one
controller to another, where technically feasible.

➢ Right to erasure (‘right to be forgotten’)

The data subject may request the erasure of one or all personal data concerning him or
her.

In this case, the Company erasures the personal data without undue delay and the controller shall
have the obligation to erase personal data without undue delay where one of the following
grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no
other legal ground for the processing;
- data processing is based on legitimate interest of the Company or third person but the data
subject objects to the processing and (except objection to processing related to direct
marketing) there are no overriding legitimate grounds
for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.

The Company informs the data subject of the refusal to the request of erasure in any event (e.g.
data processing is required for the establishment, exercise or defence of legal claims), indicating
the reason of the refusal. Erasure of personal data is executed that after fulfilment of request of
erasure personal data (erasured) cannot be restored.

In addition to the exercise of right to erasure, the Company erases personal data if the data
processing is unlawfully, the purpose of data processing is no longer exists, data storage period
determined by law is already expired, it is ordered by court or authority.

➢ Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where
one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the
Company to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and
requests the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of the processing, but they
are required by the data subject for the establishment, exercise or defence of legal claims;

4
 - the data subject has objected to processing pending the verification whether the legitimate
grounds of the Company override those of the data subject

Where processing has been restricted, such personal data won’t be processed or will, with the
exception of storage, only be processed with the data subject's consent or for the establishment,
exercise or defence of legal claims or for the protection of the rights of another natural or legal
person or for reasons of important public interest of the Union or of a Member State.
A data subject will be informed by the Company before the restriction of processing is lifted.

➢ Right to object

Where the legal basis for processing is legitimate interest of the Company or third person (except
compulsory data processing) or data is processed for direct marketing, scientific or historical
research purposes or statistical purposes, the data subject, has the right to object to processing of
personal data concerning him or her. Objection may be rejected if the Company demonstrates

- compelling legitimate grounds for the processing which override the interests, rights and
freedoms of the data subject or
- that data processing is related to the establishment, exercise or defence of legal claims of the
Company.
The Company examines the lawfulness of the objection of the data subject and where the objection
is grounded, the Company stops data processing.

➢ Right to legal remedy

See Section VII.

VI. Modification of the Policy

The Company reserves the right to modify the present Policy through an unilateral decision at any
time.

I the data subject does not agree with the modification, he/she may request the erasure of his/her
personal data as determined above.

VII. Legal remedies and enforcement

The Company as data controller may be contacted for the purpose of any question or comments
related to data processing using contact details above.

In case of any violation related to data processing, the data subject may make a complaint to the
competent data protection supervisory authority of the Member State of residence, workplace or the
place of the alleged violation.
In Hungary, complaint shall be made to Hungarian National Authority for Data Protection and Freedom
of Information („NAIH”, address: 1055 Budapest, Falk Miksa utca 9-11.; 1363 Budapest, Pf. 9.; phone:
+36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

The data subject may bring the following cases before court:
- violation of rights
- against the legally binding decision of the supervisory authority
- if the supervisory authority does not deal with the filed complaint or does not inform the data
subject of aspects or result of the procedure related to the filed complaint within 3 months