23 - 27 April, 2019 | Budapest, Hungary |
Contact us: info@munapest.com

MODEL UNITED NATIONS OF BUDAPEST - MUNAPEST
DATA PROTECTION POLICY

All personal data will be processed lawfully, fairly and in a transparent manner by Nemzetközi Diplomáciai Társaság and by International Diplomatic Student Association during the organisation and execution of the conference called Model United Nations of Budapest – Munapest in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation) hereinafter referred to as “GDPR.”

The purpose of this document is to provide a policy statement regarding the nature of personal data processing, the purpose of data processing, the sharing of personal and sensitive data in correlation with the Munapest conference, in addition, regarding the rights of the data subject in correlation with the processing of their personal and sensitive data.

 

  • Which data are processed as personal data?

All data relating to a living individual who can be identified directly from those data are considered personal data. This includes data concerning the name, place and time of birth, mother’s name, address and online identification of the data subject.

 

  • What does data processing mean?

Data processing is a series of automated or non-automated actions taken with the exchanged data, including collection, recording, systematisation, division, storage, conversion or alteration, query, examination, application, sharing, transmission, distribution or disclosure, synchronisation, conjuncture, restriction, erasure or eradication.    

  • Who is the processor of the personal data?

All obtained data are processed by the organisers of the conference, Nemzetközi Diplomáciai Társaság and International Diplomatic Student Association, an accredited student organisation of Corvinus University of Budapest.

Details of Nemzetközi Diplomáciai Társaság:

Details of International Diplomatic Student Association:

  • Representative: President Dóra Török
  • Institution of accreditation: Corvinus University of Budapest
  • Headquarters: 1093 Budapest, Fővám tér 8.
  • E-mail: idsahungary@gmail.com, president@idsa.com
  • Website: www.idsa.hu

  • Which personal data are subject to our data processing?

During the application period the following personal data of the applicants are being processed:

  • Name
  • Date of birth
  • Address
  • Citizenship
  • E-mail address
  • Institution of higher education, major, year
  • Professional experience

During the application period the following data of the organisers are being processed:

  • Name
  • Date of birth
  • E-mail address
  • Phone number
  • Institution of higher education, major, year
  • Professional experience

The following data of the participants are being processed:

  • Name
  • Date of birth
  • Citizenship
  • Address
  • Institution of higher education, major, year
  • Image and recorded voice
  • E-mail address, phone number
  • Data concerning special diet and food allergies
  • Bank Account Number (IBAN)

The following data of the organisers are being processed:

  • Name
  • Date of birth
  • Image and recorded voice
  • E-mail address, phone number
  • Data concerning special diet and food allergies

  • What is the purpose and legal basis of data processing?

Personal data can be processed by reference to specified purpose and specified legal basis. The potential legal bases of data processing are included in Art. 6 GDPR (1).  

 

  • Purpose and legal basis of data processing of applicants

Individuals applying as participants must provide their name, date of birth, address, e-mail address and citizenship, as well as the name of their institution of higher education, major, year and professional experience in order to facilitate and contribute to a successful application process. According to this process, the applicant’s name, e-mail address, date of birth and address are used to determine the applicant’s age and for communication purposes. The applicant’s citizenship is processed for the purpose of verifying and collecting the need for visa invitation letters. The name of the applicant’s institution of higher education, major, year and professional experience are processed in order to ensure the professional execution of the application process.

The personal data – except the citizenship – of individuals applying as organisers are processed for the reasons set in the previous paragraph. The citizenship of individuals applying as organisers is not processed because only those can apply as organisers who are lawfully residing in Hungary from the start of the application process up until the end of the conference.

Once the applicant has agreed on the application form to receive our newsletter after the application period, the individual’s name and e-mail address will be processed accordingly.

The applicant’s data is processed in compliance with point (b) of Art. 6 GDPR (1) regarding that the conduct of the application process is a procedure requested by the applicant by submitting their application and cannot be conducted successfully without processing personal data.

Data processing for the purpose of newsletter is based on the approval of the data subject according to point (a) of Art. 6 GDPR (1). Refusal of approval or withdrawal of approval does not affect the conduct of the application process. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

  • Purpose and legal basis of personal data processing of participants

The name of the participant is processed in order to determine the number of participants in the conference, to prepare the Munapest badge, to communicate with the participant and in order to prepare the invoice.

The e-mail address and phone number of the participant are processed for the purpose of communication with the participant.

The date of birth of the participant is processed in order to determine and check the age of the participant.

The address of the participant is processed for communication, in addition for preparation of the invoice and for the preparation of a required Invitation Letter for visa application.

The citizenship and name of the participant’s institution of higher education, as well as the participant’s major and year are processed for the preparation of a required Invitation Letter for visa application.

The photo of the participant provided by the data subject is processed in order to prepare the Munapest badge and to check the participation eligibility of the individual.

The aforementioned data are processed in compliance with point (b) of Art. 6 GDPR (1) in order to fulfil our contractual obligations. The processing of name and address of the participant for the preparation of receipt follows point (c) of Art. 6 GDPR (1) in order to comply with the obligations included in the Act C of 2000 on accounting 166. § (3) and 169. §.

Considering that the participant pays the participation fee by transfer, the IBAN number of the participant is processed regarding that the bank of Nemzetközi Diplomáciai Társaság is keeping a record of it within the account history. The legal basis of this data processing is included in point (c) of Art. 6 GDPR (1) in order to fulfil our obligations included in the Act C of 2000 on accounting 166. § (3) and 169. § by the extraction of the account history.

During the conference, the participant may be involved in voice or image recording (such as video or photograph). The voice and image recordings are used for marketing purposes and are published on the websites of International Diplomatic Student Association and Munapest, on the Facebook pages and closed groups of International Diplomatic Student Association and Munapest, in addition to other social media platforms (such as Instagram). The legal basis of publishing voice and image recordings of the participant is based on the approval included in point (a) of Art. 6 GDPR par. (1). Refusal of approval or withdrawal of approval does not affect the right to participate in the conference. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

In order to provide the participant with suitable meal during the conference, data on special diet or food allergy are processed. The legal basis of this data processing is based on the approval included in point (a) of Art. 9 GDPR (2). Refusal of approval or withdrawal of approval does not affect the right to participate in the conference, however, in this case the participant is provided with the regular meal. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

In case the participant as an applicant did not give their approval to processing their name and e-mail address for the purpose of receiving newsletters, it is possible to do so any time during the conference. In this case, data processing is based on the approval included in point (a) of Art. 6 GDPR (1). Refusal of approval or withdrawal of approval does not affect the right to participate in the conference. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

   

  • Purpose and legal basis of personal data processing of organisers

The name of the organiser is processed in order to determine the number of organisers, to check the organising eligibility of the individual, to prepare the Munapest badge and to communicate with the organiser.

The date of birth of the organiser is processed in order to determine and check the age of the organiser.

The e-mail address and phone number of the organiser are processed for the purpose of communication with the organiser.

The photo of the organiser provided by the data subject is processed in order to prepare the Munapest badge and to check the organising eligibility of the individual.

The aforementioned data are processed in compliance with Art. 6 GDPR par. 1 (b) in order to fulfil our contractual obligations.

During the conference, the organiser may be involved in voice or image recording (such as video or photograph). The voice and image recordings are used for marketing purposes and are published on the websites of International Diplomatic Student Association and Munapest, on the Facebook pages and closed groups of International Diplomatic Student Association and Munapest, in addition to other social media platforms (such as Instagram). The legal basis of publishing voice and image recordings of the participant is based on the approval included in point (a) of Art. 6 GDPR (1). Refusal of approval or withdrawal of approval does not affect the right to participate in the conference. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

In order to provide the organiser with suitable meal during the conference, data on special diet or food allergy are processed. The legal basis of this data processing is based on the approval included in point (a) of Art. 9 GDPR (2). Refusal of approval or withdrawal of approval does not affect the right to participate in the conference, however, in this case the organiser is provided with the regular meal. Approval of data processing can be withdrawn any time; however, withdrawal of approval does not affect the legality of data processing based on previous approval before the withdrawal.

 

  • Legal basis of enforcement of claims

The name and e-mail address of the participant and the organiser are processed in case any legal claims may arise against the participant or the organiser based on the existing contractual relation.   

 

  • Time period of data processing

The personal data of the applicants are processed for a month after the end of the application period in case the individual was not accepted as a participant or as an organiser. In the case of a successful application, all personal data unnecessary for participating in the conference will be deleted by us after the deadline specified above has elapsed. If there is an unsuccessful application, the processing of the applicants’ name and e-mail address continues in case the individuals gave their approval to receiving newsletters. The aforementioned personal data is processed until the withdrawal of approval.

The personal data of the participants and organisers are erased from the database two months after the end of the conference. The name and e-mail address of the participants are exceptions from this in case the individual gave their approval to receiving newsletters, as well as the image and recorded voice of the participants and the organisers in case they approved recording. The aforementioned personal data is processed until the withdrawal of approval.

The name, address and IBAN of the participant is processed for eight years after the start of data processing considering the Act C of 2000 on accounting 169. §.

Data processing specified in section 5.4 shall not last longer than one year after the occurrence of the claim. In case during that time administrative or judicial procedure has started to enforce the claim, data processing shall last until the enforcement of the final decision made during the administrative or judicial procedure.

  • Rights of the data subject

Considering the data processing the data subject is entitled to the following rights:

  1. Right of access – Art. 15 GDPR
  2. Right to rectification – Art. 16 GDPR
  3. Right to erasure (‘Right to be forgotten’) – Art. 17 GDPR
  4. Right to restriction of processing – Art. 18 GDPR
  5. Right to data portability – Art. 20 GDPR
  6. Right to object – Art. 21 GDPR

  • Right of access by the data subject

The data subject is entitled to receive confirmation concerning whether their data are being processed and considering that it is the case, the data subject is also entitled to have access to personal data and to the following information:  

  1. the purpose of data processing,
  2. categories of the processed data,
  3. recipients or categories of recipient to whom the processed data have been or will be disclosed, in particular recipients in third countries and international organisations,
  4. the intended duration of the storage and processing of data, where it is not possible, the criteria regarding the determination of time period,
  5. the right of the data subject to request the processor to rectify, erase or restrict the processing of the personal data and to object to the processing of those personal data,
  6. the right to lodge a complaint addressed to a supervisory authority,
  7. in case the data was not provided by the data subject, any available information concerning the source of data,
  8. The existence of automated individual decision-making, including profiling referred to in Art. 22 GDPR (1) and (4), in these cases, any meaningful information concerning the applied logic, as well as the significance of this type of data processing and the potential consequences regarding the data subject.

Where personal data are transferred to a third country or to an international organisation the data subject is entitled to be informed about the appropriate safeguards of transfer included in Art. 46 GDPR. In case personal data is transferred to a third country or to an international organisation, it is done with conviction that the data processing mechanism of the third country or international organisation is approved by the European Commission. According to Art. 46 GDPR, in the absence of that, the processor or controller in the third country or international organisation is committed to apply the appropriate safeguards, including as regards data subjects’ rights.

Copy of the personal data shall be provided to the data subject by request. For additional copies, based on administrative costs a reasonable fee may be charged.

Where the request for information is submitted electronically by the data subject, the information shall be provided in commonly used electronic form (such as Word document, PDF file) unless otherwise requested.

The right of the data subject to request copy of personal data shall not adversely affect the rights and freedoms of others.

  • Right to rectification

The data subject shall have the right to obtain rectification of their inaccurate personal data without undue delay. Concerning the purpose of data processing, the data subject is entitled to request the completion of incomplete data.    

  • Right to erasure (‘Right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of their personal data without undue delay where one of the following grounds applies:

  1. the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for processing,
  3. the data subject objects to the processing pursuant to Art. 21 GDPR (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 GDPR (2),
  4. the personal data have been unlawfully processed,
  5. the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which controller is subject.

  • Right to restriction of processing

The data subject shall have the right to obtain the restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
  4. the data subject has objected to processing pursuant to Art. 21 GDPR (1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

  • Right to data portability

The data subject shall have the right to receive their personal data which was provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Art. 6 GDPR (1) or on a contract pursuant to point (b) of Art. 6 GDPR (1).

The data subject shall have the right to have their personal data transmitted directly from one controller to another, where technically feasible.

Neither Nemzetközi Diplomáciai Társaság nor International Diplomatic Student Association shall take responsibility for the data processing of the controller to whom the personal data has been transmitted by the right of the data subject.

  • Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing, including profiling.

Direct marketing is the sum of those informational and additional services which operate by direct inquiry methods, with the purpose of transmitting advertisements to clients by promotion of goods and services.

  • How to exercise the rights in correlation with data processing?

The data subject’s rights in correlation with data processing shall be exercised in a written request sent to Nemzetközi Diplomáciai Társaság or to International Diplomatic Student Association. The request shall be sent via e-mail to one of the e-mail addresses noted in point 3 of this policy or sent via post to the headquarters of Nemzetközi Diplomáciai Társaság or International Diplomatic Student Association.

The data subject shall be informed about the measures taken within one month after the request has been received. This deadline shall be extended by two months in case the nature of the request is noticeably complex or in case a high number of requests has been received.

In case your claim is neither unfounded nor excessive, the implementation of the request is free of charge to the data subject. In case the claim is unfounded or excessive, it must be proven by the controller.

In case the request has not been implemented, the data subject shall be informed of the reasons and possible legal remedies within one month after the request has been received.

 

  • Automated decision-making and profiling

Personal data of the data subject are not used for automated decision-making, nor profiling.    

  • Responsibilities concerning the inaccuracy of personal data

Neither Nemzetközi Diplomáciai Társaság nor International Diplomatic Student Association shall take responsibility for the inaccuracy of data provided by the data subject.   

 

  • Who has access to the processed data?

The organisers of Munapest conference, the Presidency of Nemzetközi Diplomáciai Társaság and International Diplomatic Student Association shall have access to the processed personal data of the data subject. In addition, the following recipients shall have access to the personal data of the data subject:

  • BUDACONT 2000 Könyvelő és Szolgáltató Betéti Társaság (headquarter: 1016 Budapest, Gellérthegy u 5. 1. em. 3., registration number: 01-06-510517) has access to the personal data indicated on the invoice of the participation fee and to the IBAN numbers on the bank account statement in order to complete the accounting of Nemzetközi Diplomáciai Társaság.
  • Data are being stored on the cloud-based service Google Drive operated by Google LLC (headquarter: 1600 Amphitheatre Parkway Mountain View, CA 94043 USA). The services of Google LLC are in compliance with the data protection policies included in GDPR and fulfil the obligations agreed in the EU-US Privacy Shield framework.
  • In case the participation fee is paid by transfer, the name and IBAN number of the data subject shall be stored in the database of OTP Bank Nyrt. (headquarter: 1051 Budapest, Nádor utca 16., registration number: 01-10-041585).

The employees of the aforementioned companies shall have moderate access to the personal data of the data subject.    

  • Method of data collection

Personal data shall not be obtained from public databases nor from other sources.    

  • What does personal data breach mean and what actions should be taken?

Personal data breach is a security damage which may result in accidental or unlawful erasure, loss, alteration, disclosure or accessibility of disclosed, stored or processed personal data of the data subject.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority pursuant to Art. 33 GDPR (1).

The notification shall describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned. The notification shall communicate the name and contact details of the data protection officer, shall describe the likely consequences of the personal data breach and shall describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In case the personal data breach is likely to have a high risk concerning the rights and freedoms of the data subject, information shall be provided to the data subject without undue further delay.

  • Legal remedy

In the case of a complaint concerning this data processing policy, the complaint shall be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c; phone number: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

In case the rights of the data subject are violated, the data subject shall have the right to go to court. The lawsuit shall be initiated against Nemzetközi Diplomáciai Társaság in Hungary, considering that Nemzetközi Diplomáciai Társaság operates in Hungary. In case the data subject initiating the lawsuit is a resident within the European Union, the lawsuit shall be initiated in the country of residence. In Hungary, the execution of the lawsuit falls under forensic jurisdiction. In case the data subject is a resident in Hungary, the data subject shall have the right to initiate the proceeding before the court of residence. For further request, the data subject shall be informed in detail about the possibilities of legal remedies.