Hungarian Jigsaw Puzzle Association
1 Purpose of data privacy notification
This Data Privacy Notification describes the data protection and data management principles and rules applied by the Hungarian Jigsaw Puzzle Association (hereinafter: Association or Data Controller). The aim of the notification is to present transparently:
• What personal data is managed by the Association
• On what legal basis and for which purpose is the data processed
• Which rights are entitled for people concerned
• How these rights could be used by people concerned
• What options are available for legal remedy
Data management is based on following legislations:
• Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
• CXII of 2011 Law on the right to informational self-determination and freedom of information (Infotv.)
• Act V of 2013 on the Civil Code (Ptk.)
• Act C of 2000 on Accounting
• Act I of 2012 on the Labor Code (Mt.)
• The CXXVII of 2007 Law on general sales tax.
1.1 Basic concepts:
Personal data - Any information that relates to an identified or identifiable natural person
Data Controller - The natural or legal person who determines the purposes and means of data management. In this notification the data controller is the Hungarian Jigsaw Puzzle Association
Data Processor - The natural or legal person that manages personal data on behalf of the Data Controller
Data Subject - Any natural person whose personal data is managed by the Association (e.g. association member, competitor, volunteer, newsletter subscriber).
1.2 Data Controller details:
Name: Hungarian Jigsaw Puzzle Association
Headquarter: 1223 Budapest, Halk utca 23/B
Registration number: 01-02-0018377
Tax number: 19400219-2-43
Email: magyarorszagipuzzleegyesulet@gmail.com
Joint data management is not implemented in this case, the Association does not perform joint data management with other organizations.
2 Legal basis and purposes of data management
The legal basis applies to the data management of the Association according to Article 6 of the GDPR.
Different legal basis may be linked to individual data management purposes, for example:
• Consent (GDPR Article 6 (1) a)): eg. newsletter subscription
• Contract performance (GDPR Article 6 (1) b)): eg. agreement between competitors and the organizer, organizing events
• Legal obligation (GDPR Article 6 (1) c)): eg. accounting and tax obligations
• Legitimate interest (GDPR Article 6 (1) f)): eg. the Association may have legitimate interest in publishing photos and videos taken at events to promote the Association's activities
3 Details of data management
3.1 Personal data of association members and supporting members
• Scope of processed data: name, address, telephone number, e-mail, (parental consent for children under 18)
• Purpose of data management: monitoring of membership fees, invoicing, contact
• Legal basis: contract fulfillment (membership relationship), legal obligation (accounting regulations)
• Data transmission: billing data for the accountant
• Storage method: on paper and electronical form, in a closed cabinet/password-protected system
• Retention period: 5 years from the termination of membership, at least 5 years in the case of certificates according to the Accounting Act.
3.2 Registration of participation in competitions, recording results
• Scope of processed data: name, date of birth/age, e-mail address, billing data (address), nationality
• Purpose of data management: registration for competitions, recording results, invoicing
• Legal basis:
o Contract fulfillment (competition organizing, registration)
o Consent (eg. if the competitor expressly consents to the publication of the photo recording, if there is no legitimate interest-based treatment for this)
o Legitimate interest (see below under publishing photos/videos)
• Data transmission: there is no regular data transmission to third parties, except for the accountant in connection with invoicing data
• Storage: in an electronic system (eg. website, Google Forms), paper-based attendance sheets
• Retention time:
o Results for 3 years
o Data related to invoicing for 5 years (Accounting Act)
• Underage participants: In the case of children under 16 years of age parental/legal representative consent is required for competition and registration. Competition regulations may limit the individual competition of children under 14 years of age
3.3 Data of people (eg. employees, contractual partners) in any legal relationship with the Association
• Range of processed data: name, date of birth, residential address, tax number, social security number, mother's name, telephone number, bank account number
• Purpose of data management: fulfillment of legal obligations (working, payroll, taxation, etc.)
• Legal basis: legal obligations (GDPR Article 6 (1) c)) and contract fulfillment
• Storage: on paper and electronical form, in a closed cabinet/password-protected system.
• Retention period: the period required by law (eg. 5-10 years), or even longer if it is written in a support contract
3.4 Personal data of volunteers applying for competitions
• Range of processed data: name, address, date of birth, mother's name, e-mail address, social security number, tax identification number
• Purpose of data management: conclusion of voluntary contracts for helping in driving competitions
• Legal basis: contract fulfillment (voluntary agreement)
• Data transfer: to the accountant (for settlement)
• Retention period: 5 years from the end of the competition/voluntary contract, unless it is a long-term agreement
3.5 Data of newsletter subscribers
• Range of processed data: e-mail address
• Purpose of data management: information about the Association's news and events
• Legal basis: consent (GDPR Article 6 (1) a))
• Retention period: until unsubscription
• Unsubscribe: can be requested at any time at the Association's contact details, free of charge
4 Post photos and videos taken at events
The Association can take photos and videos at its competitions, marathons and other events. They can be published on its own website, social media platforms (eg. Facebook) or in its publications. The purpose of these photographs is to promote and present the Association's activities and events.
Legal basis: Legitimate interest (GDPR Article 6 (1) f)): The Association has a legitimate interest in promoting its own activities and documenting its events. The person concerned has the right to protest against taking or publishing the image at any time, especially if the person is recognizable on the image. In such a case, the image/video will be removed or anonymized by the Association based on the justified request.
Transfer of data abroad: Since the servers of Facebook and other social platforms are available outside the EU, uploading images or videos may be considered a transfer abroad. The legal basis for this is the legitimate interest of the Association. The data management of the platforms already falls under the scope of the respective platform's own data management rules.
5 Automatic data saving of websites
During the operation of the Association's website and its servers, also may be collected technical data, eg.: domain name, IP address, browser type, operating system, etc. The Association treats this data separately from personal data and use it for statistical purposes or for the purpose of operating the website.
Legal basis: legitimate interest (technical security necessary for website operation)
6 Use of cookies
Based on the Act on Information Self-Determination and Freedom of Information and the Act on Electronic Commercial Services: cookies ensure the proper functioning of the website, eg. the user's previous settings are preserved. The user can make disable or delete cookies at any time through its browser.
Legal basis: the user's consent (in the case of cookies that are not absolutely necessary), and the Association's legitimate interest in operating the website (cookies that are absolutely necessary).
7 Information about social networking sites
The Association can use certain services of Google, Facebook, Instagram, Youtube. During advertising activities on social network platforms the voluntary consent of the user is valid, that was given on the social network sites. The respective platform (Facebook, Google, etc.) has its own regulations on data management and data transmission abroad.
8 External Service Providers (Data processors)
• Hosting provider: CWeb.hu Informatikai Kft.
• Accountant/Payroll: Danta Kft.
• Delivering letters or parcels: Magyar Posta Zrt. (1138 Budapest, Dunavirág utca 2–6.)
• Correspondence, Office 365, etc.: Microsoft Magyarország (1031 Budapest, Graphisoft park 3., M épület)
• Google (eg. Google Forms, Gmail, Google Drive)
• social media site: Facebook (Hannover Reach, 5-7 Hannover Quay, Dublin 2, Ireland)
9 Rights and legal remedies of people concerned
Based on Articles 13-22 of the GDPR, the person concerned has the right to:
• Right to information: there could be a request at any time by the person concerned that the Association provide information about the processed data concerning him/her
• Right of access: feedback can be requested on what personal data of the person concerned is processed and how
• Right to rectification: the Association can be asked to correct or modify inaccurately recorded data
• Right to erasure: erasure of personal data can be requested under certain conditions
• Right to restrict data processing: the processing of data can be restricted (eg. in case of disputed data accuracy)
• Right to data portability: transfer of the provided personal data can be requested to him-/herself or to another data controller in a machine-readable format
• Right to protest: if the data processing is based on legitimate interest, the person concerned may protest to this at any time. If the protection is well-founded, the Association should terminate the data processing.
• Right to complain: with the National Authority for Data Protection and Freedom of Information (NAIH) or at the Court
NAIH contact details:
• Address: 1055 Budapest, Falk Miksa utca 9–11.
• Website: www.naih.hu
Deadline for processing requests: the Association responds to requests within 1 month, if possible, as stipulated in the GDPR. In the practice, it strives for a shorter processing time of 10 days, unless there are legal obstacles.
10 Handling of requests for deletion or correction
If you would like to correct or delete any of your personal data processed by the Association, please contact us in writing (by post at our headquarter or by e-mail). We will examine the requests and, if there is no legal or other obstacle to deletion, we will fulfill the request immediately (within 1 month at the latest).
11 Modification of data privacy policy
The Association reserves the right to modify this data privacy policy. This may occur in cases where the scope of services is expanded, the technical system changes, or if it is required by law. However, such a modification may not mean that the personal data is processed differently from the original purpose. The data controller will always ensure the secure storage of the data.
12 Final policies
The Hungarian Jigsaw Puzzle Association declares that it will always ensure that the data entrusted to it is handled securely and in accordance with the GDPR and relevant Hungarian legislation. In matters not regulated in this notification, the policies of the GDPR and relevant Hungarian legislation shall apply.
Budapest, 2025.02.18.
Hungarian Jigsaw Puzzle Association