Which was made for visitors and registered users of the http://www.ludovika.hu website
The Specification of the Data Controller:
Ludovika University Publishing Cultural and Commercial Non-Profit Limited Liability Company
Registered office: 1089 Budapest, Orczy Road 1.
Company registration number: 01-09-690253
Tax number: 10413544-2-42
Represented by: Gergely Koltányi, managing director
Name of the Data Protection Officer of the Data Controller: dr. Gergely Hajnal
Address: 1119 Budapest, Mohai Road 38
Telephone number +36-1-432-9000 Extension: 20377
E-mail address: kozerdeku@ludovika.hu
I. Introduction
Ludovika University Press Ltd. (Registered office: 1089 Budapest, Orczy Road 1, mailing address: 1119 Budapest, Mohai Road 38, tax number: 10413544-2-42, e-mail address: info@ludovika.hu, telephone number: +36-1-432 9000, Extension: 20377) – hereinafter referred to as both the service provider and the data controller – handles the data of the persons registered on the website during the operation of the website for the purpose of providing the services specified below and further detailed in the GTC. The web address of this data management information is the following: http://www.ludovika.hu
This data protection notice was prepared in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, having regard to Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information.
II. Definitions:
GDPR: (General Data Protection Regulation) of the European Parliament and of the Council (EU) no. 2016/679 regulation.
Data management: any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematization, segmentation, storage, transformation or alteration, retrieval, consultation, use, communication, transmission, distribution or otherwise; harmonization, interconnection, restriction, deletion or destruction.
Data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by the European Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by the European Union or Member State law.
Data subject’s consent: a voluntary, specific, informed and unambiguous indication of the data subject’s will, given by a statement or an unequivocal expression of consent to the processing of personal data concerning them.
Data breach: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise handled.
Recipient: any natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. Public authorities that may have access to personal data in the context of an individual investigation in accordance with European Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who have been authorized to process personal data under the direct control of the controller or processor.
III. Data Protection Directive:
The data controller declares that they carry out the processing of personal data lawfully and fairly and in a manner transparent to the data subject in accordance with the provisions of the data processing information. It processes personal data only for specified, explicit and legitimate purposes and defines the purposes in such a way that they are appropriate, relevant and limited to what is necessary.
It keeps personal data accurate and up to date and immediately deletes inaccurate personal data.
The data controller shall store the personal data in a form that allows the identification of data subjects only for the time necessary. Personal data may be stored for a longer period only if the storage is for the purpose of archiving for the interest of the public, for scientific and historical research purposes or for statistical purposes.
The data controller shall ensure the processing of personal data by applying appropriate technical and organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or data damage.
The data controller shall apply the above principles/ policies to all information concerning an identified or identifiable natural person.
IV. Data management activities:
Registration on the website:
Activity performed by the data controller: Management and storage of the data provided during the relevant registration in order to establish online product sales and easier, simpler contact.
Purpose of data management: The purpose of registration on the website is to be able to contact and keep in touch with the data subject (consumer), to simplify the use of the web store for the data subject and to provide additional services (i.e. discounts for registered customers).
Legal basis for data processing: Voluntary, specific, informed and unambiguous consent of the data subject (user).
The data subject can give their consent to the data management by ticking the blank checkbox provided on the website specifically for this purpose.
Scope of personal data managed:
Individuals concerned | Natural persons completing the registration. |
Scope of personal data managed | The specific purpose of data management. |
Name/ Company name | Identification, contact. |
Address/ Headquarters | Identification, contact. |
Identification, contact. | |
Telephone | Identification, contact. |
Date of registration | Technical information operation. |
IP address | Technical information operation. |
Duration of data management:
The data controller shall process the data specified above until the withdrawal of the data subject’s consent and the termination of the registration. Your consent to the data processing may be canceled at any time. The data will be deleted when the consent to the data processing is canceled. Modification or deletion of personal data may be initiated via e-mail, telephone or letter at the contact details provided above.
The data controller does not transfer the personal data defined above to a third country or any international organization.
The data controller and its employees have the right to access the data. The method of data storage is electronic.
Entering personal data is absolutely necessary for identification in the databases and for keeping contact.
Rights of the data subject:
(a) the individual may request information on the processing of personal data concerning themselves and access to such personal data,
(b) the individual may request their correction,
(c) the individual may request their deletion,
(d) the individual may request a restriction on the processing of personal data,
(e) the individual may object to the processing of personal data,
(f) the individual may exercise their right to data portability,
(g) the individual may exercise their right of appeal.
The individual may lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) or with the competent court as specified at the end of this leaflet.
Result of withdrawal of consent: Failure, refusal or withdrawal of the individual’s consent shall not have any adverse consequences for the data subject.
V. Placing an order
Activity performed by the data controller: Finalization of the purchase initiated by the buyer and commencement of the execution of the order.
The purpose of data management: Initiating and ultimately processing the order finalized by the buyer on the website, for example online product sales, and identifying and contacting the buyer as a customer in order to fulfill the order. The data controller can only fulfill the order if the contact and invoicing data are provided.
Legal basis for data processing: Data processing is necessary for the fulfillment of the order (contract) placed by the customer/ buyer [Article 6 (1) (b) GDPR].
The contract between the data controller and the data subject is concluded upon receipt of the confirmation e-mail sent by the data controller to the buyer’s e-mail address after the order has been placed.
Individuals concerned: The natural person placing the order or, where a legal entity places the order, its contact person, who is a natural person.
Scope of personal data managed:
Scope of data managed | The specific purpose of data management. |
Name/ Company name | Identification, contact, invoicing. |
Address/ Headquarters | Identification, contact, invoicing. |
Identification, contact. | |
Shipping, billing information | Identification, contact. |
Telephone | Identification, contact. |
Date of registration | Technical information operation. |
IP address | Technical information operation. |
Duration of data management:
The data controller manages the data specified above until the fulfillment of the order, or, in accordance with Section 6:22 of the Civil Code, for 5 years after the order.
The data controller does not transfer the personal data defined above to a third country or any international organization.
The employees of the data controller who process the order have the right to access the data. The method of data storage is electronic.
Rights of the individuals concerned: the individuals concerned
(a) may request information on the processing of personal data concerning them and access to such personal data,
(b) may request their rectification,
(c) may request their cancellation,
(d) may request a restriction on the processing of personal data,
(e) may object to the processing of personal data,
(f) may exercise their right to data portability,
(g) may exercise their right of appeal.
The individual concerned may lodge a complaint with the NAIH (National Authority for Data Protection and Freedom of Information) or apply to the competent court as set out at the end of this prospectus.
VI. Invoicing
Activity performed by the data controller: The data controller documents the purchase and payment by issuing the invoice and at the same time fulfills the obligations specified in the legislation.
Purpose of data management: To document purchases and payments made on the website in accordance with the applicable legislation, as well as to fulfill accounting and legal obligations.
Legal basis for data processing: Data processing is necessary for the data controller to fulfill its legal obligations set out in Section 169 (2) of the Accounting Act and Section 169 of the VAT Act [Article 6 (1) (c) GDPR].
Individuals concerned: The natural person placing the order or, where a legal entity places the order, its contact person, who is a natural person.
Scope of personal data managed:
Scope of data managed | The specific purpose of data management. |
Name/ Company name | Identification, contact, invoicing. |
Address/ Headquarters | Identification, contact, invoicing. |
Identification, contact. | |
Telephone | Identification, contact. |
Tax number / Tax ID | The consumer’s (buyer’s) identification. |
Account data | Account identification. |
Date of issue of the invoice | Technical information operation. |
Duration of data management:
The data controller manages the data specified above until the fulfillment of the order or, where it is obliged to retain the data under the Accounting Act, for eight years from the deletion of the user account or, in the case of an order placed without registration, from the fulfillment of the order.
The data controller does not transfer the personal data defined above to a third country or any international organization.
The employees of the data controller dealing with the processing and accounting of the order, as well as the contractual partner and data processor of the data controller performing accounting tasks have the right to get acquainted with the data. The method of data storage is electronic.
Rights of the individuals concerned: the individuals concerned
(a) may request information on the processing of personal data concerning them and access to such personal data,
(b) may request their rectification,
(c) may request their cancellation,
(d) may request a restriction on the processing of personal data,
(e) may object to the processing of personal data,
(f) may exercise their right to data portability,
(g) may exercise their right of appeal.
The individual concerned may lodge a complaint with the NAIH (National Authority for Data Protection and Freedom of Information) or apply to the competent court as set out at the end of this prospectus.
VII. Sending newsletters:
The activity performed by the data controller is to provide key information on the products marketed by the data controller.
The purpose of data management is to keep closer contact with the registered individual and newsletter subscribers and to provide more information about the product range and possible promotions.
The legal basis for data processing is the voluntary, specific, informed and unambiguous consent of the data subject.
The individual concerned can give their consent to the data management by checking the blank checkbox on the website which was made specifically for this purpose.
The individuals concerned are the natural persons completing the registration who have also subscribed to the newsletter as defined above.
Scope of personal data managed:
Scope of managed data | The specific purpose of data management. |
Name | Identification, contact. |
Identification, contact, | |
Date of registration | Technical information operation. |
IP address | Technical information operation. |
Duration of Data Management:
The data controller will process the data specified above until the withdrawal of the data subject’s consent and the termination of the registration. The data subject’s consent to the processing may be withdrawn at any time. The data will be deleted when the consent to the data processing is revoked. Modification or deletion of personal data can be initiated by e-mail, telephone or letter using the contact options provided above.
The data controller does not transfer the personal data defined above to a third country or any international organization.
The employees who have the task of keeping in touch with the customers and contractual partners according to the internal organizational rules are entitled to get acquainted with the data. The method of data storage is electronic.
Rights of the individuals concerned: the persons concerned
(a) may request information on the processing of personal data concerning them and access to such personal data,
(b) may request their rectification,
(c) may request their cancellation,
(d) may request a restriction on the processing of personal data,
(e) may object to the processing of personal data,
(f) may exercise their right to data portability,
(g) may exercise their right of appeal.
The person concerned may lodge a complaint with the NAIH (National Authority for Data Protection and Freedom of Information) or apply to the competent court as set out at the end of this prospectus.
Result of withdrawal of consent: Failure, refusal or withdrawal of the individual’s consent shall not have any adverse consequences for the data subject.
VIII. Data Security Measures:
The controller will ensure the security of the data, take the technical and organizational measures and establish procedural rules to ensure that the data recorded, stored or processed are protected, and prevent their destruction, unauthorized use and unauthorized alteration. Furthermore, it calls on the third parties to whom the data subject’s data are transferred to comply with data security requirements.
The data controller will ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons.
The data controller will make every effort to ensure that the data is not damaged or destroyed. The above commitment is also prescribed by the data controller for the employees participating in its data management activities and for the data processors acting on behalf of the data controller.
The computer systems of the data manager are located on servers operated by the University of Public Administration.
Access to servers and personal computers is password-protected. The University of Public Administration has a separate data security policy that imposes additional security obligations.
IX. Management of Data Breach:
If the Data Controller detects an event or act resulting in the accidental or unlawful destruction, loss, modification, unauthorized transfer or disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled by them (hereinafter collectively: data breach), it shall, in compliance with Articles 33 to 34 of the GDPR (General Data Protection Regulation), notify the data breach to the NAIH (National Authority for Data Protection and Freedom of Information) or inform the data subject or data subjects of the data breach if it is likely to pose a high risk to the rights and freedoms of the natural persons.
The individual who detects a data breach with regard to personal data transmitted, stored or otherwise handled by the data controller as described above may report it to the data controller at the following contact details:
In person: Budapest 1119 Mohai Road 38, III floor, 301 office
By mail: National University Press, Budapest 1119 Mohai Road 38
Telephone: +36-1-432-9000 Extension: 20377
E-mail: info@ludovika.hu
In addition to indicating the subject of the data breach, the notifier must provide the following:
• name of the notifier;
• contact details of the notifier: telephone number and / or e-mail address,
• (in the case of an employee) the organizational unit,
• whether the incident affects the IT system.
Within one working day at the latest, if the data controller considers the incident to be serious, it will immediately examine the report and, if necessary, request additional data from the notifier. Within 72 hours of the report of the incident, the data controller will provide data to the NAIH (National Authority for Data Protection and Freedom of Information).
The reporting should include the following:
- the nature of the data breach, including the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident;
- the name and contact details of the contact person for further information;
- the likely consequences of the data breach;
- the measures taken or planned by the data controller to remedy the data breach, including appropriate measures to mitigate any adverse consequences arising from the data breach.
If the data breach requires further investigation, the data controller will take the necessary steps to assess the real and potential effects of the data protection incident during the investigation, with the involvement of appropriate professionals. A report will be made by the appropriate professionals. The report should include a proposal for security measures to address the data breach.
The data controller decides on the measures to be taken.
If the controller considers that the data breach is likely to pose a high risk to the rights and freedoms of the natural persons, it will inform the data subject(s) of the data breach without undue delay.
The data controller will clearly and understandably describe in the information the nature of the data breach, highlighting the following:
- the name and contact details of the contact person for further information;
- the likely consequences of the data breach;
- the measures taken or planned by the data controller to remedy the data breach, including appropriate measures to mitigate any adverse consequences arising from the data breach.
The data controller will not inform the data subjects if:
- it has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data breach, in particular measures such as the application of encryption which make the data incomprehensible to persons not authorized to access personal data,
- it has taken further measures following the data breach to ensure that the high risk to the data subject’s rights and freedoms is unlikely to materialize,
- informing them would require a disproportionate effort, i.e. the number of data subjects is so large that the data controller would only be able to inform them with disproportionate effort. In this case, the controller shall arrange for the relevant information to be made public.
X. Keeping Records of Data Breaches:
The data controller will keep record of the data breach.
The following must be entered in the register:
• the scope of the personal data concerned,
• the number of people involved in the data breach,
• the date of the data breach,
• the circumstances and effects of the data breach,
• the measures taken to deal with the data breach,
• other data specified in the legislation prescribing data management.
The data controller is obliged to keep the data on the data breach in the register for five years in the case of an incident involving personal data and for 20 years in the case of an incident involving special data.
XI. Data processors:
The Hosting provider is the University of Public Service – 1101 Budapest, Hungária Boulevard 9.
The information you provide is stored on a server operated by the hosting provider. The data may be accessed by the employees specified for the data management activities defined above and by the employees operating the server.
Name of the activity: hosting service, server service.
XII. Right of appeal:
In case of violation of the rights of the data subject, the individual may take legal action against the data controller. The court will hear the case as a matter of priority. The data controller is obliged to prove that the data processing complies with the provisions of the law. The trial falls within the jurisdiction of the tribunal. The action may also be brought before the court of the place of residence or stay, at the choice of the plaintiff (the person concerned).
The controller undertakes to cooperate fully with the court concerned or the NAIH (National Authority for Data Protection and Freedom of Information) in these proceedings and to provide the data relating to the processing to the court or the NAIH (National Authority for Data Protection and Freedom of Information).
The data controller also undertakes to compensate for the damage caused by the unlawful processing of the personal data of the data subject or the breach of data security requirements. In the event of a breach of the data subject’s right to privacy, the data subject may claim damages. The data controller shall be released from liability if the damage was caused by an unavoidable cause outside the scope of data processing, and if the damage or the violation caused by the violation of the right to privacy is due to the intentional or grossly negligent conduct of the data subject.
Legislation underlying data management:
Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No. 95/46 (General Data Protection Regulation)
Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information
Act CVIII of 2001 on Certain Issues related to Electronic Commerce Services and Information Society Services
Act C of 2003 on Electronic Communications
Act V of 2013 on the Civil Code
Act C of 2000 on Accounting
Act CXXVII of 2007 on Value Added Tax
The data controller reserves the right to change/ modify this prospectus at any time.
July 1, 2020; Budapest
UPS Bookstore (Education Centre)
1083 Budapest, Üllői Road 82.