Sign up below to receive news and information about the foundation’s current events and mobility opportunities. By signing up to our newsletter, you declare that you are aware of and agree to the foundation’s Data Protection Policy (below).
DATA PROTECTION POLICY
Kulturalis Kapcsolatokert Alapitvany’s Data Protection Policy applies to all employees, trustees, volunteers, interns and mobility participants of the Foundation (1131 Budapest, Gyongyosi u. 45. 8. lh. fszt. 3. Hungary).
Operational date: 25th May 2018
1. Introduction and purpose of this policy
Kulturalis Kapcsolatokert Alapitvany (KKA) is committed to good practice in the handling of Personal Data and careful compliance with the requirements of the GDPR. The policy is designed to protect the interests of clients, staff and any individual whose data is processed by KKA, as well as the organisation itself.
Types of data
KKA needs to process information about employees, trustees, volunteers, interns, organisations and individuals who use our service. This includes the names, personal and/or business email addresses of entrants to the ICRP Internship Programme, attendees of KKA events and international mobilities, subscribers to the KKA’s mailing list, individual donors and publishers contributing to any KKA publications.
Legal grounds for using your personal data
We will only use your personal data where we have a legal ground to do so. We determine the legal grounds based on the purposes for which we have collected and used your personal data. In every case, the legal ground will be one of the following:
Consent: For example, where you have provided your consent to receive newsletters from us. You can withdraw your consent at any time by sending an email to email@example.com with the subject <<unsubscribe>>.
Our legitimate interests: Where it is necessary for us to promote our services and operate our sites efficiently for the creation, publication and distribution of news, call for participants and related journalistic content. For example, we will rely on our legitimate interest when we analyse what content has been viewed on our sites, so that we can understand how they are used.
Compliance with law: In some cases, we may have a legal obligation to use or keep your personal data.
KKA respects individuals’ rights and aims to be open, honest and transparent with individuals whose data we hold. We aim to be open and transparent in the way we use Personal Data, and will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. KKA is committed to providing training and support for staff who handle personal data, so that they can act confidently and consistently. Our priority is to avoid causing harm to individuals. Principally, this means: keeping information securely in the right hands; holding good-quality information.
KKA’s Board of Trustees recognises its overall legal responsibility for Data Protection compliance. Day-to-day responsibility for Data Protection is delegated to a nominated Data Protection Officer, currently Andras Lorincz (Founder, COO). The main responsibilities of the Data Protection Officer are:
- Briefing the trustees on Data Protection responsibilities as required
- Reviewing Data Protection and related policies annually
- Advising other staff on Data Protection issues
- Ensuring that Data Protection induction and training is provided for any new employee or intern of KKA
- Handling any subject access requests
- Approving unusual or controversial disclosures of personal data
All staff, volunteers and interns of KKA are required to read, understand and accept any policies and procedures that relate to the personal data they may handle during their work.
3. Data recording, storage and security
All staff must consult with and obtain permission from the Data Protection Officer before creating a Personal Data set. Access to Personal Data sets is strictly limited to staff of KKA.
Personal Data sets should, where reasonable, be password-protected. Any external hard drive containing personal data sets should be password-protected where possible. KKA’s laptop computers should be password-protected at all times.
When not in use, the laptops and external hard drives should be kept in a locked office or cabinet. Personal information held non-electronically shall be kept in a locked filing cabinet.
All databases should be backed up periodically on a manual basis.
Sensitive personal data must not be stored on any database (e.g. information about an individual’s ethnicity, religion, sexuality or health).
Personal Data of those who enter the ICRP Internship Programme and/or training and mobility programmes offered by KKA will be retained for a period of five years.
Email addresses on our mailing list are retained indefinitely, subject to our annual review of the Data Protection policy by the Data Protection Officer and continued consent from the subject in question, which may be withdrawn at any time.
The CVs of those who make an application to any open position for KKA (and are unsuccessful), in any role, will be held for no longer than six months after the position for which they have applied has been filled unless we have express permission from the candidates. The Personal Data of staff of KKA will be held indefinitely, subject to the annual review of the Data Protection policy.
In all cases, KKA is committed to communicating openly, honestly and transparently the lawful basis under which an individual’s Personal Data is processed and their individual rights in relation to the data which we hold.
Documents containing personal information will be disposed of securely, either in confidential waste bins or shredded. Sensitive personal documents relating to the recruitment and employment of KKA’s staff and trustees should be shredded prior to disposal.
Using children’s personal data
We do not aim any of our services directly at children under the age of 16 and we do not knowingly collect personal data about children under 16.
4. Rights of access
The Data Protection Officer is responsible for ensuring that right of access requests are handled within one month. Right of access requests must be presented to the Data Protection Officer in writing. All staff are responsible for passing on any request which could reasonably be considered a subject access request to the Data Protection Officer without delay.
The Data Protection Officer is responsible for verifying the identity of any individual before handing over any Personal Data.
KKA will not charge for subject access. Individuals can ask for a copy of the information records we hold about them, and for us to explain where we got our information.
An individual only has the right to see personal information we hold about them personally – no one can ask to see another person’s information.
5. Data processors
KKA commits to only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. KKA commits to ensuring a written contract is in place in any appointment, the clauses of which must be subject to the requirements of the GDPR.
People have the right to know if KKA collects, stores and uses their personal information, and they can ask KKA to tell them what kinds of personal information it processes, how it uses the information, who it passes the information on to and in what circumstances it does so.
All the individuals about whom KKA collects data will be made aware of the uses that it makes of the information about them, and in particular to whom it may be disclosed. This information will be given at the time when data is collected. A statement to this effect should be included on all forms, surveys, questionnaires, and other documents where KKA asks for personal information.
Anyone wishing to update the information KKA holds about them, ask KKA to remove their Personal Data or make a subject access request to KKA should contact the Data Protection Officer at firstname.lastname@example.org
7. Lawful basis
KKA is committed to ensuring that subjects are aware their data is being processed, for what purposes and under what lawful basis it is being processed, what types of disclosure are likely (if any) and how the subject may exercise their rights in relation to the data.
The table below details the Personal Data KKA processes and its recorded lawful bases for this processing. The lawful basis of any Personal Data set is subject to the annual review of the Data Protection policy by the Data Protection Officer.
| Subject | Personal Data held | Lawful basis |
|---|---|---|
| Subscribers to mailing list | Name and email address | Consent |
| Event attendees | Name, email address and any additional needs | Legitimate interest |
| Mobility participants | Name, email address, phone number, date of birth, emergency contact’s name and phone number, and any additional needs | Legitimate interest |
| Staff, trustees, interns and volunteers | Name, email address, phone numbers, home address and any additional needs | Legitimate interest |
| Publishers contributing to any KKA publications | Name, email address | Legitimate interest |
| Individual donors | Name, email address | Legitimate interest |
If you have any questions about how KKA will use your personal information or information about your organisation, please email email@example.com
Policy prepared by Andras Lorincz (Data Protection Officer, Kulturalis Kapcsolatokert Alapitvany)