Rights of the data subject

Rights of the data subject

Personal data is any information by which the data subject can be identified. Thus, personal data is not only the name or identification number of the data subject, but also knowledge of his or her physical, mental, etc. identity.

The data subject may exercise his or her rights in relation to the processing by contacting the controller, who shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Rights of the data subject:

RIGHT TO TRANSPARENT INFORMATION

The data controller shall provide the data subject with information on the circumstances of the processing, including, inter alia, which personal data of the data subject, for what purposes, on what basis and for how long will be processed; the data subject's rights in relation to the processing; the source of the data if personal data have not been obtained from the data subject; to whom he or she may address any questions or complaints regarding the processing, etc.

When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means

(See Articles 12-14 GDPR for more information)

The provision of the information must be documented so that it can be proved, in the event of a request from the authorities, that the controller has provided the data subject with adequate information.


RIGHT OF ACCESS

The data subject may request from the controller full information about the processing and a copy of his or her personal data.

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22 of GDPR, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(See Article 15 GDPR for more information)

The Data Processing Policy of ELTE requires the departments to keep records of data transfers in order to be able to provide the necessary data either at the request of the data subject or at the request of the authority.


RIGHT TO RECTIFICATION

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(Article 16 GDPR)


RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data where one of the following grounds applies:

  1. the purpose of the processing has ceased;
  2. the data subject has withdrawn his or her consent and there is no other legal basis for the processing;
  3. the data subject objects to the processing of personal data which is based on a legitimate interest pursued by the controller or by a third party or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and there are no overriding legitimate grounds for the processing;
  4. the processing is unlawful;
  5. the personal data have to be erased in order to comply with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to information society services offered directly to children.

(See Article 17 GDPR for more information)


RIGHT TO RESTRICTION OF PROCESSING

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the data subject contests the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the processing is based on legitimate interest pursued by the controller or by a third party or is necessary for the performance of a task carried out in the public interest / in the exercise of official authority vested in the controller, and the data subject objects to the processing.

In this case, the controller only stores the data, with the exceptions set out in the GDPR. 

(See Article 18 GDPR for more information)


INFORMATION RELATING TO THE IDENTITY OF THE RECIPIENTS INFORMED OF THE RECTIFICATION, ERASURE OR RESTRICTION OF PROCESSING

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

(Article 19 GDPR)


RIGHT TO DATA PORTABILITY

Where the processing is based on consent or a contract, and the processing is carried out by automated means, the data subject has the right to:

  • receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to
  • transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising the right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of this right shall be without prejudice to the right to erasure. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

(See Article 20 GDPR for more information)


RIGHT TO OBJECT

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest pursued by the controller or by a third party or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(See Article 21 GDPR for more information)

 

Article 4 GDPR ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.


THE RIGHT TO TAKE ACTION AGAINST AUTOMATED DECISION-MAKING

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This provision shall not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  3. is based on the data subject's explicit consent.

The controller shall ensure that the data subject has at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

(See Article 22 GDPR for more information)


THE RIGHT TO LEGAL REMEDY

In the event of a breach of his or her rights, the data subject may refer the matter to the Data Protection Officer or the National Authority for Data Protection and Freedom of Information or to the courts (alternatively available options).

Data protection officer (See Article 12 GDPR, 38-39 GDPR for more information)

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under GDPR (Article 38(4) GDPR).

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12(4) of GDPR).

Data protection officer of the University:

Data Protection Office
1056 Budapest, Szerb u. 21-23.
Email: dataprotection@elte.hu

Procedures that can be initiated at the National Authority for Data Protection and Freedom of Information (Articles 57-58, 77 GDPR; Paragraph 51/A (1), Sections 52-54, 55 (1)-(2), 56-58, 60-61 of Privacy Act)

Anyone (i.e. not only the data subject) may lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter the Authority), in order to initiate an investigation on the grounds that a personal data breach has occurred or is imminent. 

It is important that the notification is not anonymous, otherwise the Authority may reject the notification without any substantive investigation. Further grounds for refusal are set out in Section 53 of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Privacy Act).

The Authority's investigation is free of charge and the costs of the investigation are advanced and borne by the Authority. The detailed rules for the conduct of the procedure are laid down in Sections 54, 55 (1) to (2) and 56 to 58 of the Privacy Act.

To ensure that the right to the protection of personal data is enforced, the Authority shall commence an authority procedure for data protection at the application of the data subject in line with Sections 60-61 of Privacy Act.

National Authority for Data Protection and Freedom of Information

1363 Budapest, Pf. 9.
www.naih.hu
Tel.: +36-1-391-1400

Judicial enforcement (Sections 23-24 Privacy Act; Article 79 GDPR)

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR. 

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

In Hungary, the data subject, according to his/her choice may bring the action before the regional court having territorial jurisdiction over his domicile or place of residence.

Possibility to claim damages and compensation:

  • The controller or the processor shall be liable for compensating any damage which another person may suffer as a result of processing that infringes the provisions laid down in laws or the binding legal act of the European Union on the processing of personal data.
  • The controller or the processor shall be liable for paying a grievance award for the violation of personality rights that another person may suffer as a result of processing that infringes the provisions laid down in law or the binding legal act of the European Union on the processing of personal data, if the person whose personality rights had been violated has made a claim addressed to the controller or the processor for such a grievance award.

(See Sections 23-24 Privacy Act for more information)