Privacy and Data Processing Notice
Harom Het Galeria Limited Liability Company
(1114 Budapest, Bartók Béla út 37. ground floor)
May 21, 2024 Budapest, Hungary
1. Introduction of Data Controller
In order to ensure the legality of internal data processing processes and the rights of data subjects, Harom Het Galeria Limited Liability Company (hereinafter referred to as "Company") has created the following privacy notice.
Data Controller Name: Harom Het Galeria Limited Liability Company
Registration Number: 01 09 937752
Headquarters: 1114 Budapest, Bartók Béla út 37. ground floor
Email Address: info@37gallery.com
Representative: Andrea Bódis, Gallery Manager
We inform you that our Company carries out the processing of personal data in accordance with the relevant legislation, primarily the Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Information Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation).
Our Company handles personal data confidentially and takes all necessary technical and organizational measures to ensure the security of data storage and processing.
Through this notice, our Company fulfills its obligation to provide information in accordance with the Regulation.
Through this notice, we inform you about the essential provisions of the processing of your personal data. The purposes of each data processing and their characteristics are determined as follows:
2. Definitions
The definitions are based on the Regulation:
1. "personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. "controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. "processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
5. "consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
6. "personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
7. "special categories of personal data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
8. "recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
9. "third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
10. Where this notice provides information about data or processing, it shall refer to the personal data and their processing.
III. Characteristics of Individual Data Processing Purposes
1. Handling of personal data of job applicants
If you apply for any of our advertised positions, the Company, as the data controller, will process the application materials you submit during the recruitment process.
If you provide us with your application material (CV, cover letter, and any additional personal data you may send) for the purpose of applying for a job advertisement, we will process the data contained therein for the purpose of filling the advertised position and evaluating your application. In the case of unsolicited applications or applications for positions not advertised, the data processing will be carried out for a maximum of 1 year.
By submitting your application to us after becoming acquainted with this notice, you provide clear, affirmative consent for the processing of your personal data for the purposes stated in this notice.
Please note that personal data processing is solely for the purpose of selecting the appropriate staff, and your personal data will not be processed for any other purpose.
Our Company handles personal data confidentially and takes all necessary technical and organizational measures to ensure secure data storage and processing.
Purpose of Data Processing
To conduct the selection process necessary to fill the positions advertised by our Company and to understand the professional and human values, educational background, and previous work experience of applicants, including yourself, in order to find the most suitable person for the vacant position.
Processed Personal Data
Personal data contained in the application material you submitted, primarily: CV, cover letter.
If you send additional personal data to our Company, it will be processed in accordance with the provisions of this notice. If we do not need or the processing of any document or data sent by you is contrary to the principle of purpose limitation, we will immediately delete or destroy it.
Legal Basis for Data Processing
Article 6(1)(a) of the Regulation, namely your consent, forms the legal basis for the processing of your personal data.
By applying for a position advertised by our Company and submitting the necessary application material, you clearly and explicitly indicate your consent to the processing of your personal data submitted during the application process in accordance with the provisions of this notice.
Recipients of Provided Personal Data
Only employees of our Company who are authorized to make recommendations or decisions regarding the filling of the advertised position are entitled to handle the personal data you provide.
Our Company does not use any data processor for data processing. In the case of paper-based resumes handed over in person, our receptionist may access the personal data of job applicants if they are not submitted in a sealed envelope.
Transfer of Personal Data to Third Countries or International Organizations
Our Company does not transfer your personal data to any third country or international organization.
Duration of Personal Data Processing
Until the position is filled, but for a maximum of 1 year.
Automated Decision Making and Profiling
Neither occurs during data processing.
Provision of Personal Data
The processing of personal data
is a prerequisite for the evaluation of the application and the conduct of the selection process.
2. Newsletter (marketing email)
If you subscribe to our newsletter on the platforms provided or made available by us, we will send you news, information, and marketing materials related to our Company to the provided contact information.
Newsletter sending is possible only with your prior consent, in accordance with the Regulation and applicable Hungarian regulations. Subscribing to the newsletter constitutes clear, affirmative consent to the processing of your personal data for the purposes stated in this notice.
You can unsubscribe from the newsletter at any time by clicking on the link provided in the newsletter.
Purpose of Data Processing
Subscription to the newsletter is done by direct email. The data you provide during subscription will only be used to send the newsletter.
Processed Personal Data
Name and email address provided during subscription.
Legal Basis for Data Processing
Article 6(1)(a) of the Regulation, namely your consent, forms the legal basis for data processing. Our Company considers that the processing of data provided when subscribing to the newsletter is based on the express consent of the data subject.
Recipients of Provided Personal Data
Only employees of our Company who are authorized to review messages sent by you or to process them for necessary administrative purposes are entitled to access the personal data provided by you.
We use a data processor (IT specialist) as defined in our privacy policy appendix for data processing.
Our data processors can handle your personal data only for the purpose determined and specified in the contract, and they have no independent decision-making authority regarding data processing. Our data processors have undertaken obligations of confidentiality and contractual guarantees regarding the preservation of personal data they become acquainted with during the performance of their tasks.
Transfer of Personal Data to Third Countries or International Organizations
Our Company does not transfer your personal data to any third country or international organization.
Duration of Personal Data Processing
Until the withdrawal of consent (until unsubscribing from the newsletter).
Automated Decision Making and Profiling
Neither occurs during data processing.
Provision of Personal Data
The processing of personal data is a prerequisite for sending the newsletter, which can only be based on your prior, voluntary consent. You can unsubscribe from the newsletter at any time via the link at the bottom of the email or through our website menu.
​
3. Communication via Email
In today's fast-paced world, our company primarily maintains contact with its partners and customers electronically. Within this framework, you can directly send an email message to us at the email address info@37gallery.com.
During any electronic communication with you related to any matter, we handle your personal data in accordance with what is written in this section.
Purpose of data processing
Contacting via the above email address through direct email sending is possible. The data you provide during contact will be used solely for communication with you and for processing matters related to the message.
Processed personal data
Name, email address, and any other information deemed essential by you regarding the matter initiated by you.
Legal basis for data processing
Article 6(1)(b) of the Regulation, therefore, the data processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.
Our company considers communication with consumers as preliminary data processing related to a later concluded contract (agreement) or data processing related to an already concluded contract.
Recipients of provided personal data
Only our employees who have proposal-making or decision-making authority related to the communication initiated by you, or necessary for processing, are authorized to access the personal data provided by you.
No data processors are engaged in data processing.
Transfer of personal data to third countries or international organizations
Our company does not transmit your personal data to third countries or international organizations.
Duration of personal data processing
If any type of contract or agreement is concluded between our company and you, the personal data obtained during communication will be processed in connection with the specific contract, but for a maximum of the statute of limitations period.
If no contract or agreement is concluded between our company and you after pre-contractual data processing, the message(s) will be deleted after the conclusion of the communication.
Automated decision-making and profiling
Neither occurs during data processing.
Provision of personal data
Processing of personal data is necessary for responding to the message and thus facilitating communication between you and our company.
4. Handling of Personal Data of Business Partners for Contact Purposes
During its everyday operations, our company enters into business relationships with other economic entities. It is necessary for the natural persons involved in the performance to maintain contact with each other during cooperation with business partners.
Purpose of data processing
The purpose of maintaining business contacts is to promote the performance of the contract concluded between you or the economic entity represented by you and our company, and for closer and more effective cooperation.
Processed personal data
Name, email address, phone number.
Legal basis for data processing
With regard to maintaining contacts, the legal basis for data processing is Article 6(1)(f) of the Regulation, i.e., the legitimate interest of our company.
The legitimate interest of our company is to maintain contact for the purpose of performing the contract(s) concluded with you or the entity represented by you. Direct contact is necessary for more efficient economic activity.
Source of personal data
Our company receives your personal data directly from you or from your employer based on lawful authorization.
Recipients of provided personal data
Our company provides your personal data only to those employees who are involved in the performance of the relevant legal relationship.
No data processors are engaged in data processing.
Our data processors may handle your personal data only for the purpose determined and stipulated in our contract, according to our instructions. They do not have independent decision-making authority regarding data processing. Our data processors have undertaken confidentiality obligations and contractual guarantees regarding the preservation of personal data they become aware of during the performance of their tasks.
Transfer of personal data to third countries or international organizations
Our company does not transmit your personal data to third countries or international organizations.
Duration of personal data processing
Our company will delete your personal data after the expiration of the limitation period specified in accordance with Section 2 of Article 169 of Act C of 2000 on Accounting following the completion of the contract.
Automated decision-making and profiling
Neither occurs during data processing.
Provision of personal data
Processing of personal data is necessary for the performance of the contract.
5. Issuing and Retaining Invoices (strict accounting forms)
All income-generating taxpayers are required by law to issue an invoice to the purchaser, which must then be retained for a specified period. Therefore, our company is obliged by law in relation to this data processing, and the characteristics of data processing are determined as follows.
Purpose of data processing
The purpose of processing personal data by our company is to:
1. comply with the obligation stipulated in Section 159(1) of Act CXXVII of 2007 on Value Added Tax (VAT Act), which requires the taxpayer (in this case, our company) to ensure the issuance of an invoice for the sale of products or the provision of services to the purchaser of the product or the recipient of the service, and
2. comply with the obligation stipulated in Section 169(2) of Act C of 2000 on Accounting, which requires that the accounting document (the invoice itself) that supports the accounting settlement must be retained for at least 8 years.
For this purpose,
the necessary personal data (customer name, address, tax number) are processed in our invoicing system.
Processed personal data
Name, address, tax number of the customer, if any.
Legal basis for data processing
Article 6(1)(c) of the Regulation, therefore, the processing is necessary for compliance with a legal obligation to which the controller is subject.
Recipients of provided personal data
Our company provides your personal data only to those employees who are involved in the issuance of invoices or who have decision-making authority.
No data processors are engaged in data processing.
Transfer of personal data to third countries or international organizations
Our company does not transmit your personal data to third countries or international organizations.
Duration of personal data processing
Our company will retain the invoice issued until the legal retention period specified in Section 169(2) of Act C of 2000 on Accounting has expired, which is at least 8 years.
Provision of personal data
The provision of personal data is necessary for the issuance of an invoice.
Apologies for the confusion. "Felvétel" can indeed mean "photo" or "capture" in Hungarian. It seems there was a misunderstanding. Let me correct that.
6. Handling of Personal Data in Photography Services
Our company offers photography services where we capture and create memorable moments for our clients. This section outlines how we handle personal data in the context of providing photography services.
Purpose of data processing
The purpose of processing personal data by our company is to provide photography services to our clients. This includes capturing images, editing photos, and delivering the final product to the client.
Processed personal data
Name, contact details (email address, phone number), address (if relevant for on-location shoots), and any other information provided by the client necessary for the photography services.
Legal basis for data processing
The legal basis for processing personal data in this context is typically based on the consent of the individual (client) for whom the photos are being taken. Additionally, processing may be necessary for the performance of a contract if the photography services are being provided under a formal agreement.
Recipients of provided personal data
Your personal data will be accessed by our photography team responsible for capturing and processing the images. If necessary, other personnel involved in delivering the final product, such as editors or designers, may also have access to the data.
No data processors are engaged in data processing.
Transfer of personal data to third countries or international organizations
Our company does not transmit your personal data to third countries or international organizations unless explicitly requested and agreed upon by the client.
Duration of personal data processing
We will retain your personal data for as long as necessary to fulfill the purpose for which it was collected, including any legal or contractual obligations related to the provision of photography services. After this period, your personal data will be securely deleted or anonymized.
Provision of personal data
The provision of personal data is necessary for the provision of photography services. Clients may choose to provide additional information, such as specific preferences or requirements, to enhance the quality of the service provided.
If you have any questions or concerns regarding the processing of your personal data in the context of photography services, please contact us at [+36708664222 / info@37gallery.com].
Your rights regarding data processing
Regarding camera surveillance
The person whose rights or legitimate interests are affected by the recording may, within three working days from the recording, request with the justification of their right or legitimate interest that the Company not destroy or delete the data. The Executive is entitled to decide on the request.
Right to information
You have the right to information regarding data processing, which the Company fulfills by providing this information. Right of access Upon your request, the Company will inform you at any time whether the processing of your personal data is ongoing, and if so, we will provide you with access to personal data and the following information:
1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. we also inform you of your right to request from the Company rectification, erasure, or restriction of processing of your personal data, and to object to such processing;
6. the right to lodge a complaint with a supervisory authority or to initiate court proceedings;
7. where the data are not collected directly from you, any available information as to their source;
8. if automated decision-making is carried out, including profiling, at least in those cases, the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to erasure
You have the right to request the Company to erase your personal data without undue delay if one of the following grounds applies:
1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. you withdraw consent on which the processing is based, and where there is no other legal ground for the processing;
3. you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject;
6. the personal data have been collected in relation to the offer of information society services.
The Company shall not comply with your request for erasure if processing is necessary for the following reasons:
7. for exercising the right of freedom of expression and information;
8. for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
9. for reasons of public interest in the area of public health;
10. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
11. for the establishment, exercise, or defense of legal claims. Data erasure is permanent and irreversible.
Right to restriction of processing
You have the right to request the Company to restrict processing if one of the following applies:
12. you contest the accuracy of the personal data, for a period enabling the Company to verify the accuracy of the personal data;
13. the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
14. the Company no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims; or
15. you have objected to processing pending the verification whether the legitimate grounds of the Company override yours.
If processing has been restricted, such personal data shall, with the exception of storage, only be processed:
16. with your consent;
17. for the establishment, exercise, or defense of legal claims;
18. for the protection of the rights of another natural or legal person; or
18. for reasons of important public interest of the Union or of a Member State.
Right to object
If the processing of your personal data is based on the legitimate interest of the Company, as is the case here, you have the right to object to the processing of your personal data at any time for reasons related to your particular situation, including profiling based on those provisions. In this case, the Company may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims, or if permitted by law. Right to data portability You have the right to receive the personal data concerning you, which you have provided to the Company, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller. You have the right to request that your personal data be sent directly from the Company to another controller.
Procedure for exercising your rights
You can exercise the above rights in an electronic letter sent to info@37gallery.com, or by postal mail sent to the address 37 Gallery, 1114, Budapest, Bartok Béla street 37, Hungary. The Company shall respond to your request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If the Company does not take action on your request, the Company shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The Company shall provide the information free of charge. Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The Company shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. In the case of manifestly unfounded or excessive requests, the Company may refuse to act or charge a reasonable fee.
National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: Pf. 5, 1530 Budapest
Address: Szilágyi Erzsébet fasor 22/c, 1125 Budapest
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
URL: http://naih.hu