Privacy Policy

GENERAL PRIVACY POLICY
 
Kecskemétfilm Kft.
 
  I. GENERAL PROVISIONS
 
  1. The purpose of the Privacy Policy
 
KECSKEMÉTFILM Kft. (hereinafter: Data Controller) provides information in this Privacy Policy concerning the general data processing and management of the Company and the data processing on the www.kecskemetfilm.hu website.
Data protection is a set of principles, rules, procedures, data management tools and methods that ensure the lawful processing of personal data and the protection of data subjects, with the aim of protecting the rights of data subjects and preventing unauthorized access to personal data.
The purpose of this Privacy Policy is to establish the internal regulations and measures which aim to ensure the compliance of the data processing activity of KECSKEMÉTFILM Kft., as Data Controller, with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation, GDPR), and furthermore to ensure compliance with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Info Law).
Issues not covered by this document are governed by the applicable laws.
 
The Data Controller gives priority to the protection of the privacy and personal data of the persons who come into contact with it, continuously complying with the principle of accountability to the data subjects. In accordance with this, the Data Controller handles the personal data provided to it in all cases in compliance with the applicable Hungarian and European Union legislation and ethical requirements, and in all cases takes the technical and organizational measures necessary for proper, secure and lawful data management.
 
  2. Scope of data management
 
The personal scope of this Privacy Policy extends to the employees of KECSKEMÉTFILM Kft., natural persons who share personal data with a view to establishing an employment or other employment relationship with the Data Controller, the creators, staff members and contractual contact persons who have a contractual or professional relationship with the Data Controller, the natural persons who contact the Data Controller during the studio visit, as well as the natural persons who contact the Data Controller for other purposes (hereinafter: the Data Subject).
 
 
In this Privacy Policy, the Data Controller provides detailed information on the essential circumstances, methods, principles, legal basis, purpose and duration of data management during the general activities of KECSKEMÉTFILM Kft. and on the kecskemetfilm.hu website.
 
  3. Name and contact details of the Data Controller

Kecskeméti Animációs Filmgyártó és Forgalmazó Korlátolt Felelősségű Társaság
short name: KECSKEMÉTFILM Kft.
registered seat: H-6000 Kecskemét, Liszt Ferenc utca 21.
company registry no.: Cg. 03 09 102262
solely represented by: MIKULÁS Ferenc, Executive Director
 
tax no.: 11029245-2-03
electronic contact: kaff@kecskemetfilm.hu
website: www.kaff.hu, www.kecskemetfilm.hu, www.magyarnepmesek.eu
phone no.: 00 36 76 481788
hereinafter: Company or Data Controller
 
  4. Definitions
 
’Personal data’ means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
’Data subject’ is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
’Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
’Controller’ or ’controller responsible for the processing’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
’Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
’Consent of the data subject’ is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
’Recipient’ is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
’Third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
’Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
’Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
’Special categories of personal data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and the sexual life or sexual orientation of natural persons; personal data which are prohibited under Article 9 (1) of the GDPR may be processed only in the exceptional cases provided for in Article 9 (2) of the GDPR, in particular with the express consent of the data subject.

 
  II. INFORMATION ON DATA MANAGEMENT FOR EACH CATEGORY OF DATA
 
Data category | Personal data of data subjects processed | Legal basis for data processing | Purpose of data processing | Duration of data processing
IN RECRUITMENT SELECTION PROCEDURE
 
PERSONAL DATA GIVEN FOR THE PURPOSE OF EMPLOYMENT AND OTHER LEGAL EMPLOYMENT BY THE DATA SUBJECT
 
 
 
  • Contact details of the applicant:
  • address
  • e-mail address
  • telephone number
 
 
  • Data on qualifications, professional experience
 
  • Personal data provided by the applicant in his / her CV, motivation letter
 
 
  • Data provided by the applicant during the selection interviews or concerning the evaluation of the applicant
Freely given consent of the data subject under Article 6 (1) (a) of the GDPR.
 
The legal basis for the processing of special categories of personal data (e.g. health data related to disability) is the explicitly given consent of the data subject prior to the establishment of the employment relationship, in accordance with Article 6 (1) (a) and Article 9 (2) (a) of the General Data Protection Regulation.
 
 
 
  • Identification, contact
 
 
  • certificate of the qualifications required to fill the position
  • Assessing the existence of the qualification, education and professional experience required for the given job, as well as evaluating the motivation of the applicant
  • Evaluation of the applicant's suitability in the selection procedure
In case of announcing a specific job application, the submitted CVs and other personal materials will be deleted within 30 days from the end of the job application, if the Applicant has not given his / her explicit consent to be included in the HR database.
 
In case of CVs and other personal materials sent without a specific job application, the candidates' CVs and personal materials will be kept for 5 years.
(The longer-than-average duration of data storage is justified by the fact that CVs are more durable in the case of artistic positions related to the activities of the Data Controller as animation film producers and festival organizers.)
 
In the event of withdrawal of consent, all personal data will be deleted.
 
 
PERSONAL DATA OF EMPLOYEES Personal data provided by the data subject to the Employer, which are necessary for the establishment of the employment relationship, the exercise of legal and contractual rights arising from the employment relationship and to fulfil their obligations
 
  • Name
  • Birth name
  • Place of birth
  • Date of birth
  • Mother's birth name
  • Residence
  • Location (if different from where you live)
  • Tax identification number
  • Social Security Identification Number (TAJ number)
  • Retired registration number (in case of a retired employee)
  • ID card number
  • Official ID card number
  • Current account number
  • A copy of a diploma
  • Wages
  • Position
  • Working hours
  • Work schedule
  • Workplace
  • Qualification data
  • Data on professional experience
  • Data on sick leave
  • Name, place and date of birth of children under 16 (if the employee wishes to take child leave)
  • Photo (with consent only)
  • After the establishment of the employment relationship and during it, the Employer may also acquire and process personal data of the Employee of which it necessarily becomes aware (e.g. personal data on the Employee’s abilities, employment behavior, etc., disqualification from a bailiff, data sent by an occupational health service provider on the Employee’s health suitability, etc.)
 
 
Employee data required for the determination of social security pension:
Relevant legislation: Act LXXXI of 1997. Section 43 (2) on the Social Security (Tbny.)
 
  • documents covering the period of service
  • documents relating to wages and salaries
  • proof of payment of sick pay
 
Documents containing employee data related to or required for tax assessment
Relevant legislation: Art. 202 (1): right to tax after five years from the last day of the calendar year
 

If the tax laws attach legal consequences to it, the Company may process the employees' health and trade union membership data for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).
 
 
 
Archival retention rules: non-disposable records.
Relevant legislation: Act LXVI of 1995 on Public Archives and the Protection of Private Archival Material.
Pursuant to Section 4 of the Act (Ltv.), bodies in possession of archival material (…) are obliged to ensure the preservation of (…) permanent documents in their possession. It follows from this rule that such documents cannot be discarded.
According to Section 3 (j) of the Ltv., permanent documents are
“economic, social, political, legal, national defense, national security, scientific, culturally, technically or otherwise significant, to research, learn about, understand the historical past, a document which contains information which is essential for the performance of the service and for the exercise of civil rights and which is not or only partially obtainable from other sources.”
 
 
The Employer processes the personal data compulsorily transferred to the Data Controller as an Employer on the basis of the legal authorization of Section 10 (1) - (4) of the Labor Code pursuant to Article 6 (1) (c) of the GDPR.
 
In the case of the Employee, the purposes of data processing are the establishment and maintenance of the employment relationship, fulfillment of obligations (in particular, e.g. payment of wages, payment of optional fringe benefits, deduction of statutory taxes and contributions, granting of leave, etc.) and the exercise of legal and / or contractual employer's rights, planning and registration of human resource needs in connection with the employer's projects, internal control, security performance of an activity, as well as termination of employment, and provision of data based on law (e.g. to a pension paying body).
The Employee's personal data may be used by the Employer for statistical purposes, without the Employee's consent, in a way that is not personally identifiable.
 
 
For employees with disabilities, the specific purposes of the processing of personal data are:
Pursuant to Section 120 of the Labor Code, in connection with the additional leave due to an Employee with a changed working capacity, who is entitled to a disability allowance or to a personal benefit for the blind, the Employer may process the personal data of the Data Subject in order to establish the right to exercise the additional leave.
Section 23 (7) of the Mmtv. stipulates that an employer employing a disabled employee maintains a register for the purpose of establishing the rehabilitation contribution and may manage the personal data of the Data Subject as defined in the Mmtv.
 
In the course of employee data processing, the Data Controller bears in mind that the Employee may only be required to make a statement or provide data that does not infringe his or her right to privacy, and that is relevant to the establishment, performance or termination of the employment relationship.
Only such an aptitude test may be applied to the Employee which is prescribed by the employment regulations, or which is necessary in order to exercise the right or fulfill the obligation specified in the employment regulations.
 
Documents related to the employment relationship, which are related to the establishment, existence and termination of the employment relationship: as a general rule, three (3) years from the termination of employment.
Relevant legislation: Section 286 (1) of the Labor Code (the labor law claim expires in three years).
These include (Mt. Sections 14-18): employment contract, study contract, termination, instruction, commitment, employer regulations, information.
Claim for compensation for damage caused by a criminal offense and for the payment of personal injury damages and related documents: five (5) years, as they are subject to a limitation period of five (5) years.
 
Employee information required to determine Social Security Retirement Benefits: five years after reaching the retirement age for the insured.
 
Documents containing Employee data related to or required for tax assessment: five (5) years from the last day of the calendar year in which the tax should have been declared or reported or, in the absence of a return, should have been paid.
 
However, Act CL of 2017 on the taxation regime must be taken into account, under which in certain cases the limitation period may be extended by up to 6-12 months.
 
Archival preservation rules: "permanent records" within the meaning of the Ltv. (the Archives Act) cannot be scrapped or deleted; the Employer must keep them indefinitely.
 
PERSONAL DATA OF CREATORS AND OTHER STAFF IN THE FILM DATABASE
 
 
 
 
  • The creators (director, cinematographer, assistant director, composer, writer, animation designer), producer, production manager and other staff members of the films made in the production of KECSKEMÉTFILM Kft.
  • the names of the creators of co-produced works
  • The names of the creators of the works in progress in the production of KECSKEMÉTFILM Kft
 
 
In the case of creators, compliance with the legal obligation to indicate the name set out in Act LXXVI of 1999 on Copyright, according to Article 6 (1) (c) of the GDPR.
In the case of other staff members, freely given consent of the data subject under Article 6 (1) (a) of the GDPR.
 
 
 
 
 
 
The compliance with the legal obligation to indicate the name set out in Act LXXVI of 1999 on Copyright.
 
 
 
The mandatory indication of names according to the Copyright Act: indefinite period.
In case of consent of the data subject: until withdrawal of consent.
 
 
 
 
PERSONAL DETAILS OF CONTACT PERSONS VISITING THE STUDIO In case of a group studio visit,
 
  • the name,
  • e-mail address and
  • telephone number of the representative of the group or educational institution.
Freely given consent of the data subject under Article 6 (1) (a) of the GDPR.
 
 
 
 
 
 
 
 
 
  • Carrying out visitor registration,
  • organization of the studio visit
  • contact.
 
 
Until the end of the event affected by the registration or the withdrawal of the data subject's consent.
In the event of withdrawal of consent, all personal data will be deleted.
 
 
 
PERSONAL DATA OF PARTICIPANTS AND TRAINEES PARTICIPANTS IN COURSE TRAINING ORGANIZED BY THE DATA CONTROLLER
  • Applicant's contact details:
  • address
  • e-mail address
  • telephone number
 
  • Data on qualifications, qualifications, professional experience
  • Personal data provided by the applicant in the professional CV, motivation letter
  • Data provided by the applicant during the selection interviews or concerning the evaluation of the applicant
The legal basis for data processing is the performance of a contract with course participants under Article 6 (1) (b) of the GDPR.
  • Identification, contact
 
  • Proof of the existence of the qualification required for participation in the course, workshop or internship
  • Assessing the existence of the qualification, education and professional experience required for participation in the course, workshop, internship, as well as evaluating the motivation of the applicant
  • Evaluation of the candidate's suitability in the selection procedure
Pursuant to the obligation of the Data Controller under Section 169 of Act C of 2000 on Accounting (hereinafter: the “Accounting Act”), the accounting certificate shall be kept for 8 (eight) years after the termination of the Contract or, in case of a legal dispute, if that is the later date, for 5 (five) years following the conclusion of the legal dispute; the Data Controller processes it on the legal basis of the fulfilment of its legal obligation.
On the basis of its obligation under Section 179 of Act CXXVII of 2007 on Value Added Tax (hereinafter: “VAT Act”), the Data Controller handles the documents issued by it and in its possession or otherwise available to it and the personal data contained therein, at least until the right to determine the tax expires.
On the basis of its obligation pursuant to Section 78 (3) of Act CL of 2017 (hereinafter: “Art.”), the Data Controller handles the documents issued by it and in its possession or otherwise available and the personal data contained therein until the expiry of the right to assess the tax, in the case of a deferred tax for 5 (five) years from the last day of the calendar year of its due date, and in the case of a legal dispute for 5 (five) years after its conclusion.
 
TREATMENT OF DATA BY NATURAL PERSONS CONTRACTING PARTIES (excluding employees) Natural persons contracting with the controller
 
• name,
• title, position
• e-mail address
• mother's name,
• time and place of birth,
• tax identification number, tax number,
• contact details,
• identity document, passport number,
 
 
• bank account number
 
 
In the context of the registration of the contractor's data, the legal basis for data processing is the performance of the contract under Article 6 (1) (b) of the GDPR.
 
 
 
With regard to the issuance and retention of accounting documents, the legal basis for data processing is the fulfilment of the legal obligation to the Data Controller under Article 6 (1) (c) of the GDPR.
  • Concluding, fulfilling and terminating the contract between the Data Controller and the data subject
  • Fulfilment of the statutory retention obligation for tax documents and accounting documents
  • Enforceability of claims, provability of the content of the contractual relationship in the event of a legal dispute
 
 
Pursuant to the obligation of the Data Controller under Section 169 of Act C of 2000 on Accounting (hereinafter: the “Accounting Act”), the accounting certificate shall be kept for 8 (eight) years after the termination of the Contract or, in case of a legal dispute, if that is the later date, for 5 (five) years following the conclusion of the legal dispute; the Data Controller processes it on the legal basis of the fulfilment of its legal obligation.
On the basis of its obligation under Section 179 of Act CXXVII of 2007 on Value Added Tax (hereinafter: “VAT Act”), the Data Controller handles the documents issued by it and in its possession or otherwise available to it and the personal data contained therein, at least until the right to determine the tax expires.
On the basis of its obligation pursuant to Section 78 (3) of Act CL of 2017 (hereinafter: “Art.”), the Data Controller handles the documents issued by it and in its possession or otherwise available and the personal data contained therein until the expiry of the right to assess the tax, in the case of a deferred tax for 5 (five) years from the last day of the calendar year of its due date, and in the case of a legal dispute for 5 (five) years after its conclusion.
 
 
PROCESSING OF DATA RELATING TO BUSINESS CONTACT PERSONS OF COMPANIES CONTRACTED WITH THE DATA CONTROLLER, MANAGEMENT AND TRANSMISSION OF PERSONAL DETAILS OF THE CONTACT OF OWN EMPLOYEES Employees of third parties contracting with the data controller or other persons having a legal relationship with them who are involved in the performance of the contract as contact persons,
or persons who have an employment relationship or other legal relationship with the data controller
• name,
• e-mail address,
• telephone number,
• schedule.
Legitimate interest in facilitating cooperation and communicating between the parties in order to conclude, perform and terminate the contract, in accordance with Article 6 (1) (b) of the GDPR.
(Balance of interest test available upon request.)
• contact,
 
• exercising the rights and obligations arising from the contract
 
Until the termination of the relationship with the given contractual partner or the notification of the change in the person of the contact person, and in accordance with the Accounting Act, the VAT Act and the Art., as explained above.
 
 
The source of the data - in addition to the contacts of the companies contracting with the Data Controller - is the data subject himself. In case of companies contracting with the Data Controller, the personal data of the contact person shall be provided by the contact person himself/herself or another representative of the company contracting with the Data Controller.
 

 
 
 
 
 
III. INFORMATION ON THE TRANSMISSION OF DATA - RECIPIENTS OF THE TRANSMISSION OF DATA
 
 
Personal data processed in the recruitment and selection procedure is sometimes transferred to the person participating in the procedure, who has an employment or business relationship with the Data Controller.
With regard to the Employee's data, the Data Controller otherwise transfers the Personal Data of the Data Subject to other bodies only in exceptional cases. This is the case, for example, if a legal dispute between the Data Subject and the Data Controller is the subject of legal proceedings and documents containing the Data Subject's personal data must be provided to the court seised. If the Police or another authority contacts the Data Controller and requests the transmission of documents containing the personal data of the Data Subject for the investigation or conduct of proceedings, the transmission of the requested personal data is mandatory. In addition, for example, the lawyer representing the Data Controller will also have access to the personal data in the event of a dispute between the Data Subject and the Data Controller.
Personal data will be transmitted to the postal service and delivery companies: Magyar Posta Zrt. and the authorized courier services (GLS General Logistics Systems Hungary Kft., FedEx Trade Networks Transport & Brokerage (Hungary) Kft.).
In addition, the data of the data subject may, if absolutely necessary (e.g. in connection with a legal dispute or in order to make a financial or accounting assessment of an economic event), be transferred on an ad hoc basis to the service providers entrusted by the data controller, e.g. lawyers, auditors, financial advisers who are bound by professional or contractual confidentiality.
Organizations providing film professional support (National Cultural Fund, National Film Institute) also become recipients of personal data during the presentation of contracts, accounting documents, performance certificates and image documentation certifying the implementation of tenders.
 
The name and contact details of the winner will be forwarded to the supporting companies or organizations offering the prize.
 
 
The recipients process the personal data transmitted to them as an independent data controller, in accordance with the provisions of their own Privacy Policy, and joint data management does not take place.
The Data Controller does not intend to transfer the personal data of the data subject to a third country (a non-EEA state); where this cannot be excluded, it draws special attention to this in this document.
 
  IV. DATA PROCESSING RECORDS
 
The Data Controller shall keep a record of the data processing activities performed under its responsibility pursuant to Article 30 (1) of the GDPR.
This Privacy Policy contains the following information from this record in the above tabular forms:
(a) the name and contact details of the controller and, if any, of the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be communicated, including recipients in third countries or international organizations;
(e) where applicable, information on the transfer of personal data to a third country or international organization, including the identification of the third country or international organization and, in the case of a transfer pursuant to the second subparagraph of Article 49 (1), appropriate guarantees;
(f) where possible, the time limits for deleting the different categories of data;
(g) where possible, the technical and organizational measures referred to in Article 32 (1) of the GDPR.
 
 
 
  V. PROCESSORS
Companies that are involved in the data processing:
 
Website operation
Virtualcom Szoftverház Korlátolt Felelősségű Társaság
short name: Virtualcom Szoftverház Kft.
registered office: HU-6034 Helvécia, Taál B u 23.
email: info@virtualcom.hu
 
The data processor operating the IT system of our company:
System administrator
BESTCOM Pénzügyi Tanácsadó és Számítástechnikai Szolgáltató Korlátolt Felelősségű Társaság
short name: BESTCOM Kft.
registered office: HU-6000 Kecskemét, Kőhíd utca 10.
email: bestcom@bestcom.hu
 
 
In all its activities, the Data Controller uses only such partners (subcontractors) who comply with the requirements of the data protection legislation in force at any time.
 
Email server: Google LLC (cloud), hosting: Google LLC (Google Drive)
For information about the GDPR compliance of Google LLC (Google Drive), visit:
https://cloud.google.com/security/gdpr#tab7
The GDPR compliance of Google LLC’s services is ensured by the fact that the data protection compliance of Google's model contractual clauses has been recognized by the European Data Protection Authorities (DPAs), so that with G Suite and the Google Cloud Platform the transfer of data to any part of the world fully complies with the legal requirements of the GDPR.
 
 
In accordance with the GDPR, the data processor undertakes to:
 
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
 
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
 
(c) takes all measures required pursuant to Article 32 of GDPR;
(i) the pseudonymisation and encryption of personal data;
 
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
 
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
 
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
 
(d) respects the conditions for engaging another processor;
 
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR
 
(f) assists the controller in ensuring compliance with the obligations pursuant to the provisions on Security of personal data taking into account the nature of processing and the information available to the processor;
 
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
 
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
(i) upon termination of the provision of the data processing service, at the discretion of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies, unless Union or Member State law provides for the storage of personal data;
(j) provide the Data Controller with all information necessary to verify the erasure of the data or copies and to enable and facilitate audits, including on-site inspections, by the Controller or another auditor appointed by him. The Data Processor shall immediately inform the Data Controller if it considers that any of its instructions violate this GDPR or the data protection provisions of the Member States or the Union.
(k) report the data protection incident to the Data Controller within 72 hours of becoming aware of it. That notification shall include at least:
(i) a description of the nature of the data protection incident, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident;
(ii) the name and contact details of the data protection officer or other contact person for further information;
 
The Data Controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
 
 
External service providers:
 
In the systems of External Service Providers, the data providers' own data protection policies apply to the data provided there. It handles the data received by the Data Controller from an external service provider (in the managed circle described above) in accordance with this document. With regard to the content made available within the framework of each service and shared on various social media sites, the external service provider enabling the sharing of the content qualifies as the controller of personal data, and its activities are governed by its own terms of use and data protection policy. Examples of such external intermediary services are: Facebook, Google, etc.
Facebook Inc. Headquartered in Palo Alto, California, USA, available at: www.facebook.com/help/feedback https://www.facebook.com/facebook
KAFF uses the video sharing service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, “YouTube”) (the “YouTube Platform”). In doing so, we use YouTube’s technical platform and services and operate our own YouTube channel at https://www.youtube.com/KAFFanimation. Use of the interactive features of the YouTube platform, such as "sharing", "rating" or "posting", is at your own risk.
Data obtained from you through the use of the YouTube Platform will be handled by YouTube and may be transferred to countries outside the European Union. When you visit our fan page, the information you obtain may be transferred to and processed by Google LLC (1600 Amphitheater Parkway, Mountain View, CA 94043) in the United States. We have no control over the type and extent of data handled by YouTube, the nature of the processing and use of such data, or the transfer of such data to third parties, particularly in countries outside the European Union. Information about what data YouTube processes and for what purpose can be found in the Google Privacy Statement: https://www.google.de/policies/privacy/.
 
 
  1. DATA SECURITY
 
The Data Controller reduces the risk that the data provided by users during registration may become available in the event of an unauthorized intrusion by:
The Data Controller and the Data Processor shall take appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing and the varying likelihood and severity of risks to the rights and freedoms of natural persons, to guarantee a level of data security commensurate with the level of risk. The Data Controller complies with the principles of the GDPR. Contributions, subscriptions, etc. the systems are saved in an identifiable manner. The Data Controller protects access to documents and your desktop computer with a strong password. Other security measures: firewall application, regular IT maintenance, control, closed system VPN access; documents are stored electronically, paper-based documentation is kept in an exceptional and lockable cabinet, records are kept, regular review, verification of compliance with legal requirements; the performance assistant employed outside the Data Controller does not have access to the data, so there is no need to control the internal access rights to the data.
Existing security measures are sufficient to manage the risks, based on the current state of technology and the experience gained from the Data Controller's activities to date.
 
  1. VI. RIGHTS AND OBLIGATIONS RELATING TO PERSONAL DATA BREACH
 
A PERSONAL DATA BREACH is when personal data or data are accidentally or unlawfully: - destroyed, - lost, - altered, - communicated without authorization, or - made accessible without authorization.
The GDPR imposes a notification obligation on the Data Controller, depending on the extent to which the incident endangers the rights and freedoms of natural persons.
Pursuant to Article 33 of the GDPR, the Data Controller is obliged to notify the incident to the competent supervisory authority without undue delay and may omit this notification only if the personal data breach is not likely to endanger the rights and freedoms of natural persons.
If the personal data breach occurs in connection with the activities of the data processor, it is obliged to notify it to the Data Controller without undue delay.
Upon the occurrence of a personal data breach, the Data Controller shall immediately take measures to remedy the personal data breach, taking into account the mitigation or prevention of any adverse consequences arising from the incident.
The Data Controller keeps a record of personal data breaches.
The purpose of the register is to enable the Data Controller to verify compliance with the GDPR during the audit of NAIH as the competent supervisory authority.
The Data Controller is obliged to inform the data subject without undue delay about the personal data breach if it poses a high risk to the rights and freedoms of natural persons. If a high-risk personal data breach affecting the personal data of the data subject occurs during the data processing of the Data Controller, the Data Controller will inform the data subject of the following facts and circumstances:
- a description of the personal data breach,
- the name and contact details of the contact person responsible for data protection matters,
- a description of the likely consequences of the personal data breach,
- a description of the measures planned or taken by the controller to remedy the incident, including measures to mitigate any adverse consequences of the personal data breach.
 
 
  1. PRINCIPLES OF DATA MANAGEMENT
 
The GDPR stipulates that the Data Controller's data processing activities must comply with the principles listed below in Article 5 of the GDPR, throughout the period of data processing. The Data Controller is committed to continuously enforcing the principles and regulations of the GDPR in the course of its personal data management activities.
 
  1. Lawfulness, fairness and transparency
 
Data processing must be lawful, fair and transparent throughout the data processing period (Article 5 (1) (a) GDPR). The Data Controller shall ensure the transparency of its data processing by publishing this Privacy Policy or by directly informing the data subjects as defined in Article 13 of the GDPR (where applicable in accordance with Article 14). This Privacy Policy contains detailed information regarding the data processing of the Data Controller in relation to the data subjects, the scope of the data processed, the title of the data processing, the duration of the data processing and the rights of the data subjects concerned. The Data Controller shall provide basic information related to data processing by providing direct information in accordance with Article 13 and, if necessary, Article 14. The Data Controller ensures the lawfulness of data processing by carrying out its data processing activities on the grounds specified in Article 6 of the GDPR, in these Privacy Policy and other data processing-related documents, in accordance with the GDPR principles.
  1.  The Data Controller ensures the fairness of data processing by providing adequate information, making the data processing process transparent to the various data subjects, explaining the content of data processing legislation, the rights of data subjects, and implementing organizational measures to ensure data security.
  2. The purpose of all these measures is for the Data Controller to assist all data subjects in exercising their rights under the GDPR.
 
 
  1. Purpose limitation
 
The purpose limitation principle means that the Data Controller may only process personal data for a clearly defined, legitimate purpose (Article 5 (1) (b) GDPR). The purpose limitation principle also means that the collection of data and other data processing operations (eg recording, storage, transmission, deletion, etc.) must be tailored to the purpose of the data management. It follows from the purpose limitation principle that personal data may only be processed until the purpose of the data processing has been achieved. Thus, if a data processing purpose has been achieved, personal data can only be further processed on the basis of an additional data processing purpose or title.
The Data Controller processes the personal data of the data subjects for the purpose indicated in the table.
 
  1. Data minimisation
 
The principle of data minimisation means that only data that are strictly necessary for the purposes of data processing can be lawfully processed (Article 5 (1) (c) GDPR).
 
  1. Accuracy
 
The principle of accuracy means that the data stored in the registration systems must be accurate throughout the data processing process (Article 5 (1) (d) GDPR). If the data is inaccurate or incorrect, the Data Controller, in cooperation with the data subject, shall ensure the restoration of the accuracy of the data on the basis of the data subject's request.
 
  1. Storage limitation
 
The principle of limited storage means that personal data may only be stored until the purpose of the processing is achieved, ie personal data may not be accumulated or stored for an indefinite period (Article 5 (1) (e) GDPR). The principle of limited storage is reflected in the data controller's obligation to determine the duration of the data processing and, if this is not possible, the criteria for determining the duration. The Data Controller is obliged to inform the data subject about the above circumstances. The Data Controller shall enforce the principle of limited storage with respect to the data processed in the framework of the provision of services as follows, based on the provisions of the applicable legislation. The Data Controller is entitled to process personal data only to the extent, in the manner and for the time necessary to perform the tasks of the Data Controller.
 
  1.  Integrity and Confidentiality
 
Maintaining integrity and confidentiality means that the Data Controller must protect personal data with organizational and security measures that guarantee adequate data security and protect against unauthorized or unlawful handling, accidental loss, destruction or damage (Article 5 (1) (e) GDPR).
The Data Controller treats the personal data provided to it as confidential. The personal data of the data subjects may be accessed by the employees and agents of the Data Controller who, based on their job or duties, with the social and educational activities of the Data Controller and with the managerial and administrative tasks ensuring the operation of the Data Controller.
 
  1. Accountability
 
The principle of accountability means that the controller must be able to demonstrate the lawfulness of the processing, ie compliance with the GDPR (Article 5 (2) GDPR). For the sake of accountability, the Data Controller keeps a record of the transfer and publication of the necessary information, the data processing performed by him, the measures taken for data security, data protection incidents and requests related to data protection, and documents his data management activities in accordance with the GDPR.
 
  1. RIGHTS OF THE DATA SUBJECT
 
The data subject may contact the Data Controller regarding the enforcement of his / her rights related to data management and his / her questions at the contact details included in this Privacy Policy.
The Data Controller shall inform the data subject of his / her actions or the reasons for their non-compliance within one month after the submission of the data subject's request (the data subject may file a complaint in this connection), this period may be extended by 2 months if necessary.
The procedure is free of charge (if justified and not excessive) and preferably electronic.
The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
 
  • a) Right of confirmation
Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the Controller.
  • b) Right of access
Each data subject shall have the right to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.
  • c) Right to rectification 
Each data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.
  • d) Right to erasure (Right to be forgotten) 
Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary: 
  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR. 
  • The personal data have been unlawfully processed.
  • The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the