Data protection rules and information on data processing
I. General Provisions
An innovative electronics curriculum can be downloaded from the Website. The curriculum is created under Erasmus+ Project (hereinafter: Project). To be able to download and use the curriculum, the User / Data subject has to register on the Website. The full curriculum will be available for free on the Website during the project period (from 1th September 2018 till 31th August 2020) and will be maintained after the project period as well. The Operator processes the data received during the registration of the User / Data subjects in order to send updates, information regarding the curriculum, for the statement of the project and certifying the participation in the events regarding the Project. The Operator is the data controller of all the data that is considered as personal data and is being uploaded by the Users / Data subjects during the visit of the Website.
The Operator manages the personal data of the User / Data subjects completely in accordance with the relevant laws in force that contribute to the secure Internet access of the User / Data subjects.
The Operator manages the personal data of the User / Data subjects privately, in accordance with the legal requirements in force – especially the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information („Privacy Act”), furthermore the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016; hereinafter as: GDPR) – provides their security, takes all the necessary technical and organizational measures, furthermore forms those procedural rules, which are necessary to comply the relevant legal provisions and other recommendations.
I.2. These Rules summarize those principles, which determine the policy and daily practice of the Operator regarding the protection of personal data, presents those services, which require the personal data of the User / Data subjects, furthermore in these Rules the Operator declares the purpose and way this kind of data is used and how the storage and protection of personal data is ensured.
I.3. While creating these Rules the Operator have taken the relevant laws in force and the significant international recommendations into consideration, namely:
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information;
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Act VI of 1998 on Convention for the Protection of Individuals with regard to Automatic. Processing of Personal Data. Strasbourg, 28 January 1981;
- Act CXIX of 1995 on managing name and address data serve for research and securing of business directly
- Act C of 2003 on electronic communications;
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;
- the recommendations and resolutions of the data protection commissioner and the relevant data protection practice.
I.4. Upon the request of the User / Data subject the Operator is ready to provide full information on the processed personal data, the purpose, reasons and duration of processing, as well as on its activities relating to data processing.
The Operator shall only process personal data that is required to get the number of visitors on the Website, to exercise its rights in its legal relationship with the Users / Data subjects, to fulfill its obligations, to communicate with them in the framework of this document.
II. The main definitions and principles regarding managing personal data
II.1.1. Data processing: shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);
II.1.2. Data controller: shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them;
II.1.3. Data subject: shall mean a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly, and who is data subject of the data processing carried out by the Operator;
II.1.4. Personal data: shall mean any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject;
II.1.5. Data protection incident: unlawful processing or process of personal data, especially unauthorized access, alteration, transmission, public disclosure, deletion or destruction, furthermore accidental deletion or damage.
II.1.6. Profiling: shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
II.1.7. Pseudonymisation: shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
II.2.1. Lawfulness, fairness and transparency
Personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. The recording of personal data shall be done under the principle of lawfulness and fairness.
Personal data may be processed when the User / Data subject has given his consent or when processing is necessary as decreed by law or by a local authority based on authorization conferred by law (hereinafter as “mandatory processing”).
II.2.2. Purpose limitation
The purpose of managing must be satisfied in all stages of data managing operations.
II.2.3. Data minimization
The personal data processed must be essential for the purpose of the data processing, and it must be suitable to achieve that purpose.
The data manager shall carry out data operations in order to secure the accuracy (correctness) of the processed data.
II.2.5. Storage limitation
Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
Personal data shall be erased if processed unlawfully, so requested by the User / Data subject, incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision, the purpose of processing no longer exists or the legal time limit for storage has expired, so instructed by court order or by National Authority for Data Protection and Freedom of Information (hereinafter as: NAIH).
II.2.6. Integrity and confidentiality
Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
If the User / Data subjects provide personal information to the Operator, the Operator shall take all the necessary steps to ensure the security of this data - both during network communication (i.e. online data processing) and during data storage and preservation of data (i.e. offline data processing).
The User / Data subject may request from the data manager i) information when his personal data is being processed, ii) the rectification of his personal data, and iii) the erasure or blocking of his personal data, excluded the mandatory processing.
II.2.8. The Operator declares as a general principle, that in every case it requests personal information from the User / Data subjects, the Users / Data subjects are entitled to freely decide whether or not to provide the requested information after reading and interpreting the required information text. However, it should be noted that if the User / Data subject does not provide the personal information, that User / Data subject will not be able to access the registration required services of the Site.
The Operator respects the principles of data processing and endeavor to enforce them every time.
III. The legal basis of the data processing
The Operator processes the data set out at Chapter V. referring to the legal basis below.
The legal basis of the data processing regarding Point IV.1. and IV.2.: for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6, Section (1) Point f) of GDPR).
The legal basis of the data processing, namely the purposes of the legitimate interests pursued by the controller or by a third party (Article 6. Section (1) Point f) of GDPR) is based on the Data Balancing Test found in Appendix 1. The Operator has also taken into account the lawfulness, fairness and transparency of data processing [Article 5. Section (1) Point a)] and that the interests and rights of Users / Data subjects should be limited only to the necessary extent.
Regarding Point IV.2. the legal basis of the data processing is Article 6. Section (1) Point a) of GDPR, the data subject’s consent.
III.1. The Operator processes the personal data of the User / Data subject set out at Point V.1.1. according to the purposes of the legitimate interests pursued by the controller or by a third party (Article 6. Section (1) Point f) of GDPR).
III.2. The Operator processes the personal data of the User / Data subject set out in Points V.1.2. and V.1.3. for purposes to certify the User’s participation in the events (camps, multiplier events) in accordance with Article 6 Section (1) Point f) of GDPR for the purposes of the legitimate interests pursued by the controller or by a third party. The disclosure of photographs taken on the events for promotional purposes are only possible if the Operator receives the User’s / Data subject’s consent (Article 6. Section (1) Pont a)).
IV. The purpose of the data processing
The Operator processes the data set out in Chapter V. in order to enforce the following purposes:
IV.1. The purpose of the Data processing is: (i) providing access to the curriculum during and after the Project period, and providing information on the content downloaded by the Users (name, e-mail address); (ii) creating statistics with pseudonymised data (trends of website downloads, year of birth, current educational level, grade, class, learning, competition results, annual amount of spending on electronic hobby, questions related to English language skills); iii) contacting data subject (name, email address); iv) proof of holding events (camps, other events) during the Project with singing attendance sheet; v) recording images for promotional purposes on events.
IV.2. During the events, (camps, multiplication events etc.) the Operator may take pictures and video recordings during the event to inform the public about the progress of the Project (promotional purposes). These images can be published on the Operator’s website and in the press. For this data processing, the Operator shall obtain a statement from the data subjects before the events and provide prior notice thereof.
IV.3. In every case where the Operator intends to use the provided personal data for other purposes that the original purpose of the recording informs the User / Data subject and receives its prior direct consent, furthermore, provide possibility to prohibit the use.
V. The subject of the data processing
V.1. Precondition to downloading and using the curriculum, the User has to register on the Website. Participation in events organized within the framework of the Project is subject to the completion of a registration questionnaire and an attendance sheet, in which various data are collected. This data processing is based on the legal basis of Point III. in order to fulfill purpose set out in Point IV:
V.1.1. In case of Users registering on the Website:
- Year of birth
- Residence (city)
- User name
- E-mail address
V.1.2. In case of Data subjects participating on events:
V.1.3. On the registration questionnaire for students wishing to participate in the Project study groups
- E-mail address
- Current educational level
- Name of the educational institution
- Learning result
- Competition results
- Annual amount of spending on electronic hobby
- Questions related to English language skills
V.2. Users / Data subjects under age of 16
To process personal data of Users / Data subjets under the age of 16 parental consent is necessary, which is also necessary for the validity of their declaration
The Operator asks for the age or the date of birth of the User / Data subject in order to verify the age of the User / Data subject.
If the User / Data subject is under the age of 16, a checkbox appears for the User / Data subject, in which it declares that the legal representative has consented to the registration and/or participation in the event.
V.3. The Operator does not collect sensitive data under any circumstances, which refers to personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs, health, pathological addictions, criminal record, or sexual life.
V.4. The personal and other data provided by Users / Data Subjects is not completed or linked to data or information from other sources by the Operator.
V.5. The Operator records some data of the User / Data subject, such as IP address, other traffic data, and behavioral data in order to quantify the attendance of the Website and identify potential bugs and breaches. These data are processed by Operator only for the necessary timeframe and not linked to those data, which are suitable to identify the person of the User / Data subject (pseudonymisation). The managing of the data can be performed on foreign servers.
VI. The duration of the data processing
VI.1. The duration of the data processing:
VI.1.1. In case of personal data provided during the registration process (see V.1.1. and V.1.3.) 10 years following the achievement of the purpose of the data processing (providing access to the curriculum during and after the Project period, providing and sending information, creating pseudonymized statistics).
VI.1.2. In case of Users / Data subjects attending any Project event (see V.1.2.) during and after the Project period, until the closing of the audit of the tender related to this Project.
VII. Exercising the rights of the User / Data subject
VII.1. For data processed under Article 6 Section (1) Point (d) and (f) (legitimate interest) of the GDPR, in accordance with VII.4., instead of deletion / revoking consent, the User / Data subject may object to the processing of his / her personal data.
VII.4. The User / Data subject shall have the right to object to managing of the related data:
a) if processing or disclosure is carried out solely for the purpose of discharging the Operator’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
In the event of a User's / Data subject’s objection, the Operator shall not be entitled to further data processing unless it proves that data processing is justified by compelling legitimate reasons that prevail over the interests and rights of the User / Data subject or are related to the submission, validation or protection of legal claims.
In the event of objection, the Operator shall investigate the cause of objection within the shortest possible time inside a one-month period, adopt a decision as to merits and shall notify the User / Data subject in writing of its decision.
Upon the User’s / Data subject’s request the Operator shall provide information concerning the data relating to him, the sources from where they were obtained, the purpose, grounds and duration of the processing, the name and address of the recipients and on every activity regarding the data processing.
Operator shall comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the User’s / Data subject’s request, within not more than one month.
The information of the concerned person shall be provided free of charge for any category of data once a year. Additional information concerning the same category of data may be subject to a charge. The amount of such charge may be fixed in an agreement between the parties. Where any payment is made in connection with data that was processed unlawfully, or the request led to rectification, it shall be refunded.
The Operator may refuse to provide information to the data subject in the cases defined by Information Act. Where information is refused, the Operator shall inform the User / Data subject in writing as to the legal provision serving grounds for refusal. Where information is refused, the Operator shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the National Authority for Data Protection and Freedom of Information. Operator shall notify the Authority of refused requests once a year, by 31 January of the following year.
VII.6. Data portability
According to Article 20 of GDPR the User / Data subject shall have the right to receive the provided data concerning the User / Data subject in a structured, commonly used and machine-readable format and have the right to transmit those data to another data manager.
In exercising his or her right to data portability pursuant to paragraph 1, the User / Data subject shall have the right to have the personal data transmitted to another data manager, where technically feasible.
If the Operator refuses to comply with the User’s / Data subject’s request on data portability, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within one month of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the authority.
Regarding the data processed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest) User / Data subject is not entitled to the data portability.
VIII. Anonymous user ID (cookie) placement and web-index (“web beacon”) policy
IX. Data storage, processing and forwarding
IX.1. Data storage
The Operator stores the processed data on a storage based on physical server.
Name of the storage provider: Hidden Design Kft.
Address of the storage provider: 1095 Budapest, Gát utca 21. fszt. 1.
Contact information of the storage provider:
Postal address: 1094 Budapest, Tűzoltó utca 66. Földszint 4.
Name of the storage provider: Google Ireland Limited.
Web page of storage provider: https://www.google.com/drive/
Contact information of the storage provider: https://support.google.com/policies/contact/general_privacy_form
IX.2. Data processing, data forwarding
The Operator uses a data processor to fulfill reporting obligations the Operator has towards the data processor regarding the Project.
The Operator shall use a data processor as follows:
Scope of the data: Personal data set out in Point V.1.3., furthermore name, signature, photo taken at events, other project documentations
Purpose of the data processing: reporting obligations towards the financer of the Project, accountability
Name of the data processor: Tempus Közalapítvány
Address of the data processor: 1077 Budapest, Kéthly Anna tér 1,
IX.3. Safeguards provided by the Operator
The Operator undertakes an unconditional and irrevocable obligation to ensure the protection of the personal data of the User / Data subject. The Operator is responsible for ensuring the compliance of the partners involved in the further controlling and processing of personal data, thereby ensuring the required protection of personal data.
The Operator does not transfer personal data to third countries.
X. Data security measures, Data Protection Officer
X.1. Data security measures
Regarding the managing and storing of personal data provided by Users / Data subjects, the Operator should act with utmost care. In the field of IT security, the Operator uses the most effective, most modern tools and procedures reasonably available.
The Operator plans and implements the data processing operations to protect the privacy of the affected Users / Data subjects. The Operator ensures the security of the data, and takes the technical and organizational measures and has established the procedural rules to enforce the provisions of Information Act and other privacy and data protection rules.
X.1.1. The Operator shall protect the data by suitable measures against especially any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or damage, furthermore the unavailability originated from the change of the technology used.
X.1.2. The Operator in order to protect electronically processed data in several registries ensures by means of an appropriate technical solution that the data stored in the registry cannot be directly linked and assigned to the concerned User / Data subject unless this is permitted by law.
X.1.3. The Operator has chosen and operates the IT tools used to process personal data while providing the service that the processed data
a) is available to the entitled persons (availability);
b) authenticity and certification is provided (authenticity of data processing);
c) lack of alteration can be certified (integrity of data)
d) protected from unauthorized access (data privacy).
X.1.4. The Operator ensures the security of data processing by means of technical, institutional and organizational measures that provide the necessary security level adequate to the data processing risks.
X.1.5. The Operator provides security through application-level security procedures.
X.1.6. Electronic messages transmitted over the Internet independently from protocols (e-mail, web, ftp, etc.) are vulnerable to network threats that may lead to fraudulent activity or disclosure or modification of information. In order to protect against such threats, the Operator shall take all precautionary measures that may be expected from him. The Operator monitors the systems in order to capture all security dangers and provide evidence of any security incident. However, the Internet is not known - as is well known to the Users / Data subjects - to be 100 percent secure. The Operator shall not be liable for any damages caused by the unavoidable attacks carried out despite the expected maximum care.
X.2. Data Protection Officer
The Operator declares to not being obliged to have a data protection officer; therefore the Operator does not have a data protection officer.
XI. Pseudonymisation, statistics
XI.1. The Operator may use the data for statistical purposes only after a pseudonymisation. The aggregated, statistical use of the data cannot contain in any form the name of the User / Data subject concerned, or any other identifiable data.
XII. Execution of requests from authorities
XII.1. The Operator may be contacted by court, public prosecutor, investigating authority, offense authority, administrative authority, data protection commissioner or other authorities authorized by law in subject of information request, disclosure and handing over of data, furthermore, providing documents.
XII.2. The Operator - provided the authority has declared the exact purpose and the scope of the data - issues personal data only to the extent that it is indispensable to achieve the purpose of the request.
The complainant data subject may ask for legal remedy at the territorial competent court or to National Authority for Data Protection and Freedom of Information (NAIH): 1024 Budapest, Szilágyi Erzsébet fasor 22 / C. (www.naih.hu)
In case if you do not agree with the above, please do not register on our Website or attend our events.
If you have additional questions regarding data protection, please contact us.
These rules are listed public at the Website from the date below from which date it is effective.
Csepreg, May 20, 2019.
Data Balancing Test
Data controller: XTALIN Kft.
Registered office: 9735 Csepreg, Dr. Szemes Zoltán utca 20.
Data balancing test created: 19th April 2019
According to Article 6 Section 1. of REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), 1. Processing shall be lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
According to Preamble (47) of the GDPR, “the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
If the data controller wants to use legitimate interest as legal basis, a data balancing test has to be carried out. While performing this test, the data controller was attentive to the Article 29 Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller.
Description of the data processing activity
The purpose of the data processing regarding Users / Data subjects registering on the website http://crystalclearelectronics.eu/ http://kristalytisztaelektronika.hu (hereinafter referred to as: Website) within the framework of the Erasmus+ Project (hereinafter referred to as: Project, starting from 1th September 2018 up to 31st August 2020) and after the project period, to provide access to the curriculum, sending news regarding the curriculum and acquiring contact information to do so.
The purpose of the data controller's data processing includes creating statistics with pseudonymisation (current educational level, grade, class, learning results, competition results, annual amount of spending on electronic hobby, questions related to English language skills) and accountability for the Project and the events organized within the Project (camps, multiplication events, study group) towards Tempus Közalapítvány and different control authorities (eg. OLAF).
The possibility of using different legal basis
The data controller has examined the possibility of applying different legal basis set out in Article 6 Section (1) point (f) of the GDPR for the data processing. The data controller concluded that neither of the legal basis set out in Article 6 Section (1) of the GDPR can be applied regarding the purpose and necessity of the data processing.
Data processing is necessary to make the innovative electronics curriculum available for students by downloading it from the Website, to inform the students about the development and updates of the curriculum and certifying the participation in the events (camps etc.) and to create pesudonymized statistics and for the proper implementation of the Project; therefore it is in the legitimate interest of the data controller. In addition, the data controller needs to prove the proper implementation of the Project to the Tempus Közalapítvány, which finances the project, and is also a data processor. Furthermore, an attendance sheet signed by the data subject shall attest participation in events, camps and multiplication events held within the framework of the Project.
Data subjects and the processed data
Users who are registering on the Website.
Data subjects (students, teachers etc.) who are attending events organized within the framework of the Project.
The processed data is personal data. No special data is processed.
- Year of birth
- Residence (city)
- E-mail address
- Current educational level
- Name of the educational institution
- Study Group
- Learning results
- Competition results
- Material spending on electronic hobby (annual basis)
- Level of English knowledge
Source of data
The data is originated from the Users / Data subjects
Prior information on the data processing / How long does the data controller keeps the information?
How long does the data controller keep the collected information?
In the case of registration on the Website, for 10 years after fulfilling the purpose of the data processing (providing access to the curriculum during and after the Project period, as well as sending information and updates, creating pesudonymized statistics etc.).
In case of Data subjects participating in the events, the collected data is being processed until the closing of the tender audit.
The purpose of data processing, the legitimate interests of the data controller
The legitimate interest that exists with the data controller: the data controller has contractually agreed to the implementation of the Project and has civil liability for its contractual implementation. For the proper implementation of the Project, the processing of personal data described in this test is required. Therefore, the controller’s legitimate interest stems from the fulfillment of the contract.
What is the purpose of the data processing?
The purpose of the data controller is to ensure the proper, contractual implementation of the Project, as well as the proper preparation, use and applicability of the innovative curriculum created during the Project, as well as the fulfillment of the obligation to settle the project towards the financier.
Can other people have a legitimate interest in data processing?
Since the collected information and personal data also helps to design and update the innovative curriculum created during the Project, the processing of personal data is also a legitimate benefit for the User / Data subject. In addition, the Tempus Közalapítvány as project financier has an interest in the highest level of professional implementation of the Project and has control over the data controller implementing the project. The data controller is accountable to the project financier and possibly to other legal authorities. For the proper fulfillment of accountability, personal data of Users and Data subjects attending events needs to be processed.
Risks to the rights and freedoms of Users / Data subejcts
The Users/ Data subjects concerned have the right to data protection on the basis of their right to self-determination. Also, the interests and fundamental rights of the data subjects may take precedence over the interests of the controller.
It is in the fundamental interest of those concerned that the provisions of the Fundamental Law, GDPR, Privacy Act, Civil Code or Penal Code on the protection of personal data and the protection of privacy prevail. It is also in the interest of those concerned to process their personal data exclusively for legitimate purpose, only for the strictly necessary time, in accordance with the principle of necessity and proportionality, and only to process their personal data that is strictly necessary.
The data controller does not violate or threaten the fundamental rights of the Users / Data subjects due to:
- While to download the curriculum, it is necessary to register on the website and provide personal information there, but the Website visitor may decide not to register and download the curriculum;
- The data controller uses the personal data for the continuous development of the curriculum and the fulfillment of its contractual obligations for the implementation of the Project;
- The data controller performs pseudonymisation on the data for statistics. Based on GDPR, pseudonymisation is the handling of personal data in such a way that, without the use of additional information, it is no longer possible to determine which personal data is relevant to a particular individual, reducing the risks associated with the processing of personal data;
- Data processing does not affect special categories of personal data;
- The data subject may at any time exercise his or her rights.
Safeguards that guarantee the fundamental rights and interests of Users / Data subjects
The controller processes the personal data of Users / Data subjects in a confidential manner, in accordance with the legal regulations in force, ensures data security and takes the technical and organizational measures needed and establishes rules of procedure which is necessary to enforce the relevant legal provisions and other recommendations.
The necessity and proportionality of data processing
The data processing in question is absolutely necessary for the data controller because, in the absence of the information gathered in this way, it would not be possible to properly create the content of the innovative curriculum and to develop it in the future, and the data controller would not be able to properly demonstrate its work to the project financier, that the events were actually organized, therefore the requested personal information is essential for the implementation of the project. If the processing of personal data could not be carried out, the data controller would not be able to implement the Project and would not be able to fulfill its contractual settlement obligations towards the project financier.
Can this aim be achieved with less personal data?
The data controller - taking into account the principle of data minimization - requests Users / Data subjects only to provide personal data that are indispensable for the proper implementation of the Project. In addition, the created statistics that assist the project are pesudonymized and can no longer be assigned to a specific person. The data controller would like to reduce the risks of data processing.
Balancing interests of parties during data processing
Relationship between the data controller and the User / data subject exists, as the User / Data subject is in possession of the innovative curriculum created by the data controller and also participates in Project events.
The controller is not in a dominant position, as the data subject may decide not to register to download the course material or not to attend the events.
In the course of data processing, personal data of persons under age of 16 may also be processed, in which case the User / Data subject shall declare whether his or her legal representative has agreed to the data processing.
Data is transmitted only to the data processor to verify attendance at the events (name, signature, picture of the event) and accountability.
The data subject can reasonably expect for what purpose and in what way will its personal data be processed, as data subjects receive e-mails about the curriculum updates and novelties that help their studies. The pesudonymized statistics are used to develop the innovative curriculum. Data subjects can also reasonably expect to sign an attendance sheet at events. Based on these facts, data subjects can properly assess the effects of processing their personal data, as there is no hidden aim of data processing.
Summary and result of the data balancing test
The data controller has examined whether his legitimate interest is stronger than the risks to the rights and freedoms of Users / Data subjects concerned and has established:
- having regard to the circumstances, risks, likelihood of impact on stakeholders in the balancing test, the controller concluded that the processing of personal data does not in itself adversely affect the rights and freedoms of those concerned;
- data processing for innovative curriculum development and related information can have a positive effect in the narrower sense of the Users / Data subjects downloading and using the curriculum, and furthermore in the broader sense, it can have a positive effect on the community interested in electronics and programming;
- as a result of the balancing test, the data controller concludes that on the basis of the legitimate interest, the personal data can be processed in order to achieve the purpose, it does not constitute an unnecessary and disproportionate restriction on the interests, fundamental rights or freedoms of those concerned;
- Based on the above, data processing is therefore necessary and proportionate; it does not cause undue interference in the privacy of the Users / Data subjects;
- the risk of the negative impact of data processing on the rights and freedoms of those involved is very low and some extent the data processing serves the interests of the Users / Data subjects;
- no further action is required for safe data processing.
Csepreg, May 20, 2019.