Data protection policy

I. DATA PROCESSING POLICY

Preamble, principals

Urbán Education Felelősségű Társaság (corporate seat: 1025 Budapest, Pitypang utca 7., Trade Registry Number: 01-09-393759), as data controller (hereinafter referred to as Data Controller or Company) act during the processing of personal data in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “Regulation” or “GDPR”) and in compliance with the applicable law.

The Data Controller respects your (hereinafter referred to as “Data Subject”) rights relating to the protection of personal data. This information provides a brief and simple summary of what data we collect, how we can use such data and it describes the means employed by us and the Data Subject’s possibilities of data security and right enforcement in connection with data security.

You may find a detailed regulation in the abovementioned Regulation and in related legal acts; in case of needing more information the study of the Regulation is recommended or you may contact the Data Controller at the contacts indicated in this information.

During the processing the Data Controller acts in compliance with the following principles.

Before the beginning of the processing the Data Controller shall inform the Data Subject in compliance with the prescribed provisions and in a timely manner.

The Data Controller collects, stores and uses personal data in compliance with the requirement of purpose limitation; only for the purpose for which it was requested.

The collected personal data shall be adequate, relevant and shall be collected to the extent that is appropriate for the purpose for which it was collected, and by complying with such rule the principle of data minimisation is respected.

With respect to accuracy and regarding the purposes for which the data are processed the Data Controller must take every reasonable step so that the Data Subject’s personal data are complete, accurate, up-to-date and reliable.

The Data Controller uses the personal data for marketing purposes only upon the consent of the Data Subject and opportunity shall be provided to the Data Subject to prohibit such communication.

The Data Controller takes proportionate and comprehensive measures in order to ensure the protection of the Data Subject’s personal data pursuant to this Data Processing Policy including such cases where personal data are transferred to third parties. Data transfer to third parties shall not take place without the prior and expressed consent of the Data Subject.

The scope of this data processing policy includes the entire data processing activity of the Data Controller and pursuant thereto it – particularly but not exclusively – includes the processing of personal data of contact persons of business entities coming into contact with the Data Controller during its business activities as Data Subjects and it also includes the use of the www.regenerationsymposium.com website, the data processing relating to the electronic surveillance system operating at the Data Controller and the principles of data security being employed.

Interpretative provisions

  • Regulation, GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
  • Infotv means Act CXII of 2011 on Informational Self-determination and Freedom of Information;
  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Sensitive data means personal data relating to racial or ethnic origin, political opinion or preferred party, religion or beliefs, trade union membership, sex life, health status, addiction or criminal data.
  • Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  • Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  • Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients;
  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, reliability, behaviour, location or movements;
  • Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • Authority: Hungarian National Authority for Data Protection and Freedom of Information, naih.hu

Data and contact info of the Data Controller (service provider)

Name of the Data Controller: Urbán Education Kft Felelősségű Társaság (cg.:01-09-393759)
Corporate seat: 1025 Budapest Pitypang utca 7
Postal address: 1025 Budapest Pitypang utca 7
Data Protection Officer: Judit Bernath
Call centre: +36204957776
E-mail address of the call centre: symposium@implant.hu
Place and contact info of handling of complaints: 1025 Budapest, Pitypang utca 7


II. Purposes of processing, data being processed, duration of processing, persons authorized to access the data with respect to Participants of the congress organized by the Controller who are the users of the Controller’s services

The provisions of this chapter apply to the processing of personal data of any and all Data Subjects who use the services of the Service Provider.

1. Purposes of and basis for processing

The Controller processes personal data only for specified purposes, to the necessary extent, to exercise a right and in order to fulfill an obligation at all times. Processing shall be in accordance with the purposes of processing during the whole term of processing and the recording of and processing of personal data shall be fair and lawful. Personal data can only be processed to the extent and for the time necessary to achieve the aim. The Controller controls via internal policies that only those recipients process the data who contribute to and who are necessary for the achievement of the aim.

The Controller processes Personal Data based on statutory requirements in the following cases: fulfillment of invoicing, accounting, bookkeeping obligations (Act on Accounting, Act on VAT, Act on the Rules of Taxation).

The Controller processes the personal data based on the explicit and voluntary consent of the Data Subject in the following cases: activities relating to organizing events, registration necessary for the participation in the conference, sending information via e-mail.  By filling out the application form the participants give their consent to the processing and collection of their personal data in order to achieve the purposes of processing described above.

The purpose of processing is the organization and conducting the Regeneration Symposium Congress and the communication with the data subjects via e-mail. The Controller processes the personal data of the Data Subjects in order to credit the compulsory training points.

2. Data being processed, duration of processing, persons authorized to access the data

The Controller collects and processes personal data by referring to the specified legal basis in accordance with the following table(s) for the specified retention period:

Data processed on the basis of statutory requirements

Personal data

Retention/storage period

Data on accounting documents

For the retention period required by applicable law

Data processed on the basis of the voluntary consent of the Data Subject

(Data Subjects are informed on how to withdraw their consent later in this policy)

Personal data

Retention/storage period

Name, e-mail address, address, profession, data regarding salary, invoicing data, number of the medical stamp, phone number, image of participants of educational and scientific events, photo and video recording of natural persons, professional experience, professional titles, titles, specialization

Until the termination of contractual relationship

 

3. The Controller employs the following Data Processor(s) to process personal data for specified activities:

Data Processor

Trade Registry Number/Tax Registration No.

Activities

Bernáth Levente EV.

69224621-1-33

Organizing events, coordination

Devcenter Net Bt.

01-06-725691/ 20369745-1-43

Website development, design

Rikk Audit Kft.

01-09-894024/ 14214457-2-41

Accounting

CompOffice-R Kft

13-09-096805/ 13155478-2-13

Installation of entry systems

OTP Mobil Kft.

01-09-174466

Payment service provider

4. The Controller transfers the data to the following recipients: the Company’s employees performing customer service tasks or commercial activities, to agents, and to employees and data processors performing accounting and taxation tasks.

In accordance with the applicable law, the personal data of the participants are recorded and stored in the database of Urbán Education Kft. managed exclusively by the company. Participants expressly accept and give their consent to the storage and processing of their personal data by Urbá Education Kft. during the event.

In the event of electronic registration the personal data of the data subjects are transferred to the servers of the Controller via a secure connection protected by SSL (Secure Socket Layer) technology so unauthorized persons cannot access them. For the security of data the Controller employs data security measures to ensure the protection of privacy of the persons who participate in the Congress.

The collection and processing of personal data are only for enabling the adequate conduct of the Congress and for enabling the Controller to fulfill its obligations with respect to the organization of the Congress and to notify and inform the Data Subjects in time.


III. Purposes of processing, data being processed, duration of processing, persons authorized to access the data with respect to sending newsletters to the Participants of the congress organized by the Controller

Provisions of this chapter apply to the processing of personal data of such Data Subjects who have registered at www.regenerationsymposium.com and have given their consent by ticking the relevant box to receive information of courses and the Congress held in the future via e-mail by Urbán Education Kft.

1. Purposes of and basis for processing

The Controller processes personal data only for specified purposes, to the necessary extent, to exercise a right and in order to fulfill an obligation at all times. Processing shall be in accordance with the purposes of processing during the whole term of processing and the recording of and processing of personal data shall be fair and lawful. Personal data can only be processed to the extent and for the time necessary to achieve the aim. The Controller controls via internal policies that only those recipients process the data who contribute to and who are necessary for the achievement of the aim.

The Controller processes the personal data based on the explicit and voluntary consent of the Data Subject in the following cases: Sending newsletters (Marketing) by Urbán Education Kft.

The Controller processes the personal data of the Data Subjects in order to inform the Data Subjects about courses and the Congress a few times in a year so Data Subjects can participate in the Congress.

In this case the processing is based on the consent of the Data Subject which consent can be withdrawn any time by submitting a request to the Controller. If the consent is withdrawn, the Controller will not send any professional material to the Data Subject via e-mail.

2. Data being processed, duration of processing, persons authorized to access the data

The Controller collects and processes personal data by referring to the specified legal basis in accordance with the following table(s) for the specified retention period:

Data processed on the basis of the voluntary consent of the data subject

(Data Subjects are informed on how to withdraw their consent later in this policy)

Personal data

Retention/storage period

Name, e-mail address

Retention period until the cancellation of subscription, withdrawal of consent

 

The Controller transfers the data to the following recipients: the Company’s employees performing customer service tasks or commercial activities and to employees and data processors performing accounting and taxation tasks.

IV. Use of the website (www.regenerationsymposium.com)

The Data Controller informs the visitors of the website that by using the website (lacking the contact with the Data Subject being the user of the website) data collection and data processing takes place via the application of anonymous user IDs (cookies) and by accepting them as a Data Subject. The Data Controller provides significant information about cookies below.

The Data Controller may use information packages or in other words cookies for the services and on the Website; cookies are sent by the webserver, their content is variable, they are alphanumeric, and they are downloaded to the user’s computer and are stored there for a determined period of time.

Cookies are text files that are capable of unique identification and storing profile information that are downloaded to the Data Subject’s computer. It is important to know that such text files are not capable to identify the Data Subject on their own, they are only capable to recognise the Data Subject’s computer. In the world of networks on the Internet personal information and customized service can only be ensured if service providers can uniquely identify the customs and needs of their clients. On one hand, service providers choose anonymous identification to learn more about their visitor’s information usage in order to improve the standards of their services and on the other hand to provide possibilities of customization to their clients.

With the help of cookies, the Data Subjects’ preferences and settings are stored; they help to log in; they present customized advertisements and they analyse the operation of the website. For all that, we employ services to collect and track information about activities such as relevance, recommendation, searches, openings, the most important and the most commonly used functions.

Flash cookies are used by website operators to determine whether the Data Subject has previously visited the website and to help the identification of those functions/services that the Data Subjects may be the most interested in. Search and flash cookies improve online experience by retention of preferred information of the Data Subject while visiting a given website. Neither the search engine nor flash cookies can personally identify the Data Subject and the Data Subject may reject browser cookies through the settings of the browser, however, without the use of such cookies the Data Subject will not be able to use all services of the website.

If the Data Subject does not wish to download such ID to his or her computer it is his or her choice to set the browser to prohibit the placement of such unique ID on the computer and he or she is entitled to revoke such authorization or to delete the ID, however, it may be possible that he or she is not capable to access the services or not in a way if he or she would have allowed the placement of IDs.

The services are used by a lot of users in various software and hardware environment with different use of purpose and field of use. The development of the services can adjust to the users’ needs and possibilities if the operator of the website has a comprehensive image of the customs and needs of the users. Due to the huge number of users it is an efficient additional method - besides personal contact and personal feedback - if the data relating to the users’ customs and runtime environment is collected and analysed by an automated method by the operator of the website.

V. Balance of interests

With regard to processing without consent and which is enabled by the legitimate interests of third parties, the Controller sets forth the following rules.

If the legal basis is Section f) Paragraph (1) Article 6 of the GDPR (legitimate interests), the processing is lawful in the case and to the extent if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In such cases, the Controller performs a balance of interests test for assessing the lawfulness of processing, during which the necessity of the purposes of processing and the proportional limitation of the data subject’s rights and freedoms are assessed and properly confirmed.

During the balance of interests test the Controller identifies its legitimate interests and the interests and fundamental rights of the data subject being the counterpoint in the weighting. The condition of weighting of conflicting rights and interests is always assessed by the Controller with respect to the specific circumstances of the case. The Controllers takes into account, in particular, the nature and sensitivity of the data being processed, the degree of its publicity, and the severity of any breach that may occur, and so on.

The nature and quantity of the data that can be processed shall not exceed the extent that is necessary to ensure the legitimate interests.

VI. Data security

In accordance with the obligations of the Controller set forth by the Act on Informational Self-determination and Freedom of Information and the GDPR the Controller takes every measure to take care of the security of the Data Subject’s data and it furthermore takes any and all technical and organizational measures and establishes such procedural rules that are necessary for the enforcement of the GDPR and other data protection and security regulations. The data stored in the Controller’s database can only be accessed by the employees of the Controller who have explicit authorization.

The services include so called cloud applications as well. Cloud applications typically have international and cross-border nature and for instance they are used for storing data when the data are stored in a data center that can be placed anywhere in the world rather than storing such data on the computer / at the organizational computer center of the Controller. The main advantage of cloud applications is that they are independent of geographical location, greatly secure and they provide a flexibly extendable storing and processing capacity.

The Controller chooses its partners providing cloud applications with utmost care and it takes every measure to enter into an agreement with such partners which agreement takes into account the data security interests of the Data Subjects, takes every measure to ensure the transparency of the data processing principles of such partners and to regularly supervise data security.

There may be a reference or link to other service providers’ websites at the Controller’s website (including buttons and logos directing to login or sharing opportunities), where the Controller has no influence over the processing of personal data. The Controller notifies the participants that when they click on such links they may be directed to other service providers’ websites. In such cases we recommend to always read the data protection policy applying to the use of such websites. This Data Protection Policy only applies to the processing carried out by the Controller. If you modify or erase any of your data at the external website that will not affect the processing performed by the Controller, such modifications have to be carried out at the Website, as well.

Physical protection

For the security of data processed via documents the Controller applies the following measures:

  • the data can only be accessed by authorized personnel, other persons cannot access them, they cannot be disclosed to other persons;
  • documents shall be stored in a lockable, dry room which has firefighting equipment and equipment for the protection of property;
  • documents that are constantly and actively processed can only be accessed by authorized personnel;
  • the employee of the Controller who carries out the processing may only leave such room where processing takes place if he/she locks the data storage medium away or locks the office;
  • the employee of the Controller who carries out the processing shall lock the documents away that are the data storage medium when he/she finishes work;
  • if the data processed via documents are digitalized the Company applies the rules regarding documents stored digitally.

IT security:

The Controller provides IT security in accordance with the IT Security Policy in effect.

Access management:

The Controller has established and applies a centralized access management system to ensure by covering all phases of the user access lifecycle (from the first registration of new users to the final erasure from the records) that all users of the (IT) systems operated by the Controller may only access such data through the user interface which are necessary for the job, and to define the general requirements for controlling access to data and information in the IT systems operated by the Organization, and in case of the latter a basic requirement is to be able to determine in an up-to-date manner who and when can access and what applications/systems within the Organization.

During the use of the IT systems/applications that are operated by the Controller, the Controller also ensures via access management the enforcement of data protection principles and data security requirements, and prevents unauthorized access or alteration and unauthorized disclosure of data, while ensuring that users may access the tools and information which are needed to perform each task during the completion of the workflow.

Detailed rules of access management are contained in the Controller’s Access Management Policy in effect.

Incident management

The controller sets forth the procedures applying to the management of data breaches, responsibilities and the necessary rules of procedure in its Incident Management Policy.

Through incident management, the Controller facilitates the management of events that violate data protection related to its operation in a unified system, and the Controller also facilitates the prevention of data breaches and in the event of its occurrence the detection thereof and, if necessary, the Controller facilitates determining responsibilities and taking measures. The Incident Management Policy sets out the definitions, procedures, and measures that ensure the prevention of repeated occurrence of data breaches that occur during the operation of the Controller, and the handling of detected events.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately by the Controller and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

The Controller can perform pseudonymous data processing for greater security, and also in case of data that are collected for statistical purposes, or for development, testing, and maintenance of systems, as the pseudonymisation of personal data may reduce the risks for the data subjects and it makes easier for the Controller to act in accordance with the data protection requirements.

In order to encourage the use of pseudonymization during the processing of personal data, it allows simultaneous application of measures aiming pseudonymization and general analysis within the Controller's organization.

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the Controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.

The Controller therefore endeavors – in order to comply with the GDPR – to minimize the processing of personal data, pseudonymize personal data as soon as possible, to ensure transparency with regard to the functions and processing of personal data, to enable the data subject to monitor the data processing, and to create and improve security features.

VII. Access to, modification, rectification and portability of the personal data

  1. Access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of Personal Data concerned;
  3. the recipients or categories of recipient to whom the Personal Data have been or will be disclosed.
  1. Modification, rectification

The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

  1. Portability

The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the Personal Data have been provided, where:

  1. the processing is based on consent or on a contract where the Data Subject is one of the parties; and
  2. the processing is carried out by automated means.

VIII. Erasure, restriction of personal data, right to object

1. Erasure

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the Data Subject withdraws consent on which the processing is based via Customer service, and where there is no other legal ground for the processing;
  3. the Data Subject objects on grounds relating to his or her particular situation, or where personal data are processed for direct marketing purposes and there is no other legal ground for the processing;
  4. the Personal data have been unlawfully processed;
  5. the Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
  6. the Personal data have been collected in relation to the offer of information society services for children.

(2) Where the controller has made the Personal data public and is obliged pursuant to paragraph (1) to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, those Personal data.

(3)   Paragraphs (1) and (2) shall not apply to the extent that processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  3. for reasons of occupational medicine or public interest in the area of public health;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.
2. Restriction

(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the Personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal data;
  2. the processing is unlawful and the Data Subject opposes the erasure of the Personal data and requests the restriction of their use instead;
  3. the Controller no longer needs the Personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
  4. the Data Subject has objected to processing due to reasons in connection with his or her own status; pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

(2) Where processing has been restricted under paragraph (1), such Personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A Data Subject who has obtained restriction of processing pursuant to paragraph (1) shall be informed by the Controller before the restriction of processing is lifted.

3. Objection

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of Personal data concerning him or her if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or on grounds of the legitimate interests of a Controller or a third party, including profiling based on those provisions. The Controller shall no longer process the Personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of Personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the Data Subject objects to processing for direct marketing purposes, the Personal data shall no longer be processed for such purposes.

IX. Possibilities of the user to exercise its rights

The user may seek the help of Hungarian National Authority for Data Protection and Freedom of Information if his or her inherent rights are violated or in cases stipulated by the Regulation and the user is entitled to file a lawsuit to the competent superior court within the geographical area in which the he or she resides or within the geographical area in which his or her usual residence is - subject to his or her choice:

Name:              Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1363 Budapest, Pf. 9. 
Address:          1055 Budapest, Falk Miksa utca 9-11.  
Telephone:       +36 (1) 391-1400
Facsimile:        +36 (1) 391-1410
Web:                naih.hu
E-mail:             ugyfelszolgalat@naih.hu

X. Amendments of the policy

The Data Controller preserves the rights to amend or update this policy any time without prior notification and to publish the updated version on its website. Amendments only apply to Personal data that are collected after the disclosure of the amended version. The Policy in effect from time to time is available at the following link: www.regenerationsymposium.com  

Please, check our Policy regularly to follow the amendments and to obtain information whether you are subject to the amendments.

Latest update: 18, February, 2022