Chinese Image Medicine Association of Hungary

DATA PROCESSING POLICY

The aim of this Data Processing Policy is to lay down the fundamental principles and rules for the processing of personal data and other data by the Chinese Image Medicine Association of Hungary (CIM) (hereinafter: Association).

This Data Processing Policy governs the processing of data disclosed by the users of the following websites: https://www.kinaikepmedicina.hu/, https://kundawell.hu/, https://www.facebook.com/CIMHungary/, https://www.facebook.com/ZYQHungary/ and https://www.facebook.com/Kinaikepmedicina (not excluding the use of other online platforms), and data disclosed during the course of paper-based registration with data subject’s informed and voluntary consent.

Principles of data processing: Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.

  • The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

  • In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.

  • The accuracy and completeness, and – if deemed necessary in the light of the aim of processing – the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.

  • Personal data shall not be transferred to a third party.

I. GENERAL PROVISIONS

DATA CONTROLLER

Name of data controller: Chinese Image Medicine Association of Hungary (hereinafter: Data Controller or Association)

Data controller’s tax number: 18909155-1-13

Data controller’s company registration number: 13-02-0007291

Data controller’s registered seat: 2621 Verőce, Erdész Street 2.

Data controller’s contact information: e-mail: info@kundawell.hu

Data controller’s bank account: Magnet Bank

Bank account number: HUF 16200137-18534094, EURO 16200137-18534104

Postal address: 1399 Budapest, Pf.: 692

Legal basis of data processing: in accordance with Section 5 subsection (1) a) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information the legal basis of data processing is data subject’s consent; furthermore, as also laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: GDPR), applicable from 25 May, 2018, the legal basis of data processing is data subject’s consent.

Data subjects targeted: those who register on the electronic- or paper-based registration platforms of the Association, and those who register for events.

Consent to data processing: Data subject (the person who registers for the event, or the person who registers on different platforms of the Association), after the completion of the form or the registration platform, and giving his informed consent to data processing (by checking the box), upon handing over/submitting the registration form gives his voluntary and express consent to the processing of his personal data by Data Controller as laid down in this policy.

Consent to data processing may be withdrawn without limitation at any time during the course of data processing. In this case data subject waives receiving information on the event, and further events in this way.

Purpose of Data Processing:

  • sending confirmation e-mails on registration for events,

  • sending e-mails regarding due payment of course fees,

  • sending information via e-mail,

  • initiating contact,

  • sending invoices of course fees by post.

  • Provision of services relating to organising participation in various events, for example events featuring Professor Xu Mingtang, such as preparing a contract pertaining to the provision of services, defining and modifying the contents thereof, monitoring the fulfilment thereof, invoicing the costs arising therefrom, exercising claims relating thereto, and informing applicants and participants about the event in question.

  • Furthermore, in case data subject’s consent was obtained, sending notifications and newsletters on further functions, events and news within the scope of activities of the Association, such as ZYQ Qigong, Chinese Image Medicine and Zhong Yuan Qigong events organised in Hungary and abroad, and sharing Hungarian or foreign information relating to the Association.

  • Taking photographs and recording footage of the events, on which participants may be identifiable. The purpose of the photographs and footage taken is for them to be further used for the educational activities of the Association and for the subsequent presentation of the events.

Method of data processing: manual, and manual data entry in computer, keeping records of the e-mail addresses of the participants of events, and managing e-mail addresses in e-mail system, and taking photographs and footage of the events.

2. DEFINITION OF PERSONAL DATA PROCESSED:

User may disclose the following data in the course of voluntary data reporting (on a voluntary basis, but required for using the service) by completing the form on the following websites: https://www.kinaikepmedicina.hu/ or www.kundawell.hu and by submitting a paper-based registration:

  • user’s name, “Surname” and “First name” – of the person who writes the message – purpose: initiating contact, identification;

  • e-mail address – “E-mail” – purpose: initiating contact, sending information;

  • billing data: Billing name, Billing address, in case of a company Tax number – “Billing address” – necessary for issuing the invoice,

  • data related to Zhong Yuan Qigong courses (e.g. Zhong Yuan Qigong trainer’s name)

  • phone number: cancellation of events, data reconciliation

3. DATA PROCESSOR

  1. in case of https://www.kundawell.hu page

Name of Storage provider: MediaCenter Hungary Kft.

The headquarters of the service provider: 6000 Kecskemét, Sosztakovics u. 3. II. 6.

Postal address of the service provider: 6001 Kecskemét, Pf. 588


Tax number of the service provider: 13922546-2-03


Telephone number of the service provider: +36 76 575 023

  2. in case of https://www.kinaikepmedicina.hu page

Name of Storage provider: Silicium Network Kft.


The headquarters of the service provider: 2000 Szentendre, Papszigeti út 19.

Postal address of the service provider: 1137 Budapest, Radnóti Miklós utca 11. Fsz. 2


Tax number of the service provider: 23474178-2-13

Telephone number of the service provider: +36 70 944 7008

Data Processor shall process data (registration and storage). The purpose of data processing shall be determined by Data Controller; Data Processor shall not carry out operations other than registration and storage, and shall not transfer data to a third party.

4. DURATION OF DATA PROCESSING:

Data Processor shall process data until the withdrawal of data subject’s consent. Upon the withdrawal of data processing the Association shall permanently erase Data Subject’s data related to providing information, maintaining contact and sending newsletters. Data Subject will no longer receive newsletters and the Association shall not initiate contact by any other means.

In order to perform obligations related to issuing the invoice and obligations under tax regulations, the duration of the storage of data processed under Act C of 2000 on Accounting is eight years.

Data subject may request the erasure or modification of his personal data by the following means:

  • by post at the address: 2621 Verőce, Erdész Street 2.

  • via e-mail at the e-mail address: info@kundawell.hu

  • by clicking on the link “unsubscribe” at the bottom of the newsletter.

5. NEWSLETTER

  • data collection, the definition of data processed: Surname, first name, e-mail address

  • the definition of data subjects: Those who complete the registration form, those registering on https://www.kinaikepmedicina.hu/ and/or https://kundawell.hu/ or other electronic platforms, and those registering on a paper-based form.
  • purpose of data processing: sending informational e-mails to data subject on the events organised by the Association in Hungary, for example events featuring Professor Xu Mingtang, and news regarding the Association.

  • Duration of data processing, deadline for the erasure of data: data processing shall continue until the withdrawal of consent via electronic means, e-mail, or post

  • The potential data controllers with the right of access: personal data shall be exclusively processed by Data Controller, in accordance with the aforementioned fundamental principles.

  • Rights of data subject related to data processing for the purpose of sending newsletters: Data Subject may at any time request the erasure of his data, and unsubscribe from the newsletters of the events featuring Xu Mingtang and organised by the Association.

6. FACEBOOK

Upon liking or following Facebook pages (https://www.facebook.com/CIMHungary/, https://www.facebook.com/ZYQHungary/, https://www.facebook.com/Kinaikepmedicina) data subject gives his consent to the processing of data on his Facebook profile, which data shall not be used by Data Controller for purposes other than previously defined, only for maintaining contact and providing information related to the Association’s scope of activities, such as events featuring Xu Mingtang. Even in this case, Data Controller shall not extract data from data subject’s Facebook profile from Facebook, and shall not copy or reproduce the data; data processing continues to take place in Facebook’s system.

Upon withdrawal of liking or following the page, data subject may at any time terminate the contact and this method of data processing.

Data processing takes place on the website Facebook.com, therefore, the duration and method of data processing, and the possibilities for the erasure and modification of data are governed by the regulations of the social networking site facebook.com:

7. INVOICING

In some cases, those completing the registration form have payment obligations, which they may meet exclusively via bank transfer:

Bank account number:

  • HUF 16200137-18534094

  • EURO 16200137-18534104

Invoices are issued with the help of the website www.szamlazz.hu, which is operated by KBOSS.hu Kft. (registered seat: 1031 Budapest, Záhony St. 7.; company registration number: 01-09-303201; registration authority: the District Court of Pest as Company Registry Court; tax number: 13421739-2-41).

The invoice is issued by the Authority; in case of an invoice issued electronically, the invoice is sent to the buyer via e-mail or post, or is handed over personally at the event. In case of a manually issued invoice, it is handed over personally at the time the invoice is issued.

8. RIGHTS OF DATA SUBJECT

Data Subject may exercise his rights only if his person is identifiable; identification is typically implemented with data which had been processed by Data Collector in accordance with Data Subject’s previously obtained consent.

In order to protect the rights of data subjects, Data Controller shall only fulfil the request of identified data subjects. For example, it is common practice in case of e-mail addresses that if the request to erase an e-mail address is sent from the e-mail address that is being processed by Data Controller, the data subject thus verifies that they have authority to manage the e-mail account.

Data Controller is not liable for damages arising from the exercising of data subject rights in bad faith by a third party, in case Data Controller exercised due care and in view of the data processed took the necessary steps to identify Data Subject, however, despite this, a third party misused Data subject’s personal data and exercised Data Subject’s rights on behalf of Data Subject, and thus caused damage to Data Subject (for example, a third party requested the erasure of Data Subject’s personal data, which was implemented by Data Controller upon identification.)

Data Subject may request from the Data Controller

  • information on his personal data being processed;
  • the rectification of his personal data;
  • the erasure or blocking of his personal data, save where processing is rendered mandatory.

  • Upon data subject’s request Data Controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, the circumstances and consequences of the personal data breach, and the measures taken to prevent such data breaches, and – if the personal data of the data subject is made available to others – the legal basis and the recipients;

  • access to the personal data related to Data Subject;

  • the restriction of the processing of his data.

  • Further rights of data subjects:

    • the right to object to profiling and automated processing;

    • the right to data portability.

Data Controller must comply with requests for information without any delay, and provide the information requested in an intelligible form, and if data subject so requests, in writing, within not more than twenty-five days – under GDPR from 25.05.2018 no later than one month. The information shall be provided free of charge for any category of data once a year. Data Controller may charge for additional information concerning the same category of data.

Data Controller shall erase personal data if

  • processed unlawfully;
  • so requested by the data subject;
  • incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;
  • the purpose of processing no longer exists or the legal time limit for storage has expired;
  • so ordered by court or by the Authority.

When data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.

If the Data Controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing, or upon data subject’s consent via e-mail, within the legal time frame. Where rectification, blocking or erasure is refused, Data Controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

9. OBJECTION TO THE PROCESSING OF PERSONAL DATA

The data subject shall have the right to object to the processing of data relating to him,

  • if processing or transfer is carried out solely for the purpose of discharging Data Controller’s legal obligation or for enforcing the rights and legitimate interests of Data Controller, the recipient or a third party, unless processing is mandatory (in order to perform a legal obligation);

  • if personal data is used or transferred for the purposes of direct marketing, public opinion polling or scientific research; and

  • in all other cases prescribed by law.

In the event of objection, Data Controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify Data Subject in writing of its decision.

If, according to the findings of Data Controller, data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

If Data Subject disagrees with the decision taken by Data Controller, or if Data Controller fails to meet the deadline specified above, data subject shall have the right to turn to court within thirty days of the date of delivery of the decision or from the last day of the time limit.

If data subject objects to the processing of his personal data, or exercises his right to judicial remedy, or if a third party request is received for the disclosure of data which is not based on data subject’s consent, data may be disclosed to the legal representatives appointed by Data Controller where it is necessary in order to assess the legitimacy of the above.

10. JUDICIAL REMEDY

We kindly ask Data Subject to contact us in case he feels that Data Controller has infringed his right to the protection of personal data, so that we are able to rectify the possible infringement.

In the event of any infringement of his rights, Data Subject may bring court action against Data Controller. The court shall hear such cases in priority proceedings. The court has jurisdiction to decide the case. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions.

Data Controller shall be liable for any damage caused as a result of unlawful processing or by any breach of data security requirements. If Data Controller violates data subject’s rights related to personality as a result of unlawful processing or by any breach of data security requirements, data subject may seek compensation from Data Controller. Data Controller may be exempted from liability for the damage and from the obligation to pay compensation if he proves that the damage or the violation of data subject’s rights related to personality were caused by reasons outside the scope of data processing and beyond his control. No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part of the aggrieved party, or the violation of the rights related to personality was caused by intentional or serious negligent conduct on the part of data subject.

11. INVESTIGATION BY THE AUTHORITY

Data Subject may also lodge a complaint directly with, or request information from the Authority:

Name: Hungarian National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf.: 5.

E-mail: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: https://naih.hu

12. DATA SECURITY

During the operation of computer systems, the appropriate access management, internal organisational and technical measures ensure that your personal data shall not fall into unauthorized hands, and unauthorized parties cannot erase or modify data, or extract it from the system. Our data processors comply with data protection and data security requirements.

We document any personal data breaches, and if necessary, we notify you of the personal data breaches that may occur.

13. OTHER PROVISIONS

We retain our right to the unilateral modification of this Data Processing Policy, with the exception of the legal grounds, purpose and scope of data processing. The modification takes effect on the date when it is published on the site www.kinaikepmedicina.hu

This Data Processing Policy is effective from 11 May, 2018.