I Legal background, aim, accessibility, scope of the policy:
I.1 Legal background of the policy
This Policy defines the rules of data management and data transfer at Mozaik Education Ltd. (hereinafter Publisher), and the production of records management regulations is not regulated by law.
Act CXII of 2011 on Informational Self-determination and Freedom of Information,
Act CXIX of 1995 on the Use of Name and Address Information Serving the Purpose of Research and Direct Marketing,
Act VI of 1998 on the Promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, prepared in Strasbourg on 28 January 1981,
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities,
Act CVIII of 2001 on certain issues of electronic commerce activities and information society services.
Pursuant to Section 3 of Act CXII of 2011
data subject: any natural person directly or indirectly identifiable by reference to specific personal data;
personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions;
personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life, personal data concerning
health, pathological addictions, or criminal record;
criminal personal data: personal data relating to the data subject or that pertain to any prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in connection with a crime or criminal proceedings;
data of public interest: information or data other than personal data, registered in any mode or form, controlled by the body or individual performing state or local government responsibilities, as well as other public tasks defined by legislation, concerning their activities or generated in the course of performing their public tasks, irrespective of the method or format in which it is recorded, its single or collective nature; in particular data concerning the scope of authority, competence, organisational structure, professional activities and the evaluation of such activities covering various aspects thereof, the type of data held and the regulations governing operations, as well as data concerning financial management and concluded contracts;
data public on grounds of public interest: any data, other than public information, that are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
the data subject’s consent: any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;
the data subject’s objection: a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
controller: natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor;
data processing: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);
data transfer: ensuring access to the data for a third party;
disclosure: ensuring open access to the data;
data deletion: making data unrecognisable in a way that it can never again be restored;
tagging data: : marking data with a special ID tag to differentiate it;
blocking of data: marking data with a special ID tag to indefinitely or definitely restrict its further processing;
data destruction: complete physical destruction of the data carrier recording the data;
data process: performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;
data processor: any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;
data source: the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated;
data disseminator: the body responsible for undertaking the public responsibility which uploads the data sent by the data source it has not published the data;
data set:: all data processed in a single file;
third party: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;
EEA Member State: any Member State of the European Union and any State which is party to the Agreement on the European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States which are parties to the Agreement on the European Economic Area, based on an international treaty concluded between the European Union and its Member States and a State which is not party to the Agreement on the European Economic Area;
third country: any State that is not an EEA State;
ensuring the implementation of Act CXII of 2011 on Informational Self-determination and Freedom of Information,
determining data and privacy regulations.
recording data management and data processing rules for users (students, parents, teachers, visitors, etc.),
setting rules for the transfer of data,
the rights of the persons involved in the data register and the order of their enforcement,
The purpose of the policy is to inform the persons involved in the data management about all the facts related to the handling of the data, in particular the purpose and legal basis of the data processing, the data controller and the person authorized for data processing, the duration of the data handling, and who may be familiar with the data.
I.5 The personal and temporal scope of the policy, the duration of the data management
I.5.1 The personal and temporal scope of the policy
All employees of the Publisher are subject to this Policy.
It enters into force on the date of acceptance of the Policy and is for an indefinite period.
In case of an employee relationship established later than the date of approval, the policy has to be acknowledged by the employee, and it must be mentioned in the written notice prepared pursuant to Section 46 (1) of Act I of 2012 of the Labor Code.
I.5.2 Duration of the data management
I.5.2.1 The management of user-provided personal data is maintained until the user unsubscribes from the service – with the same user name. The date of deletion is 10 working days after the user’s unsubscription (cancellation request) has arrived. In the event of the use of unauthorized, misleading personal data or in case of a crime committed by the user or a system attack by a user, the data controller is entitled to delete the data at the same time the user’s registration is cancelled and in the event of suspicion of a criminal offense or suspicion of civil liability, the data controller may retain personal data for the duration of the proceedings to be conducted.
I.5.2.2 User-provided personal data – even if the user does not unsubscribe to the service – may be managed by the Publisher as a data handler until the user expressly requests them in writing to terminate their processing. A request to terminate the user's unauthorized access to a service does not affect the user’s access to the service request, but the user may not be able to access certain services in the absence of personal information. Personal data are deleted within 10 working days of receiving request for their deletion.
I.5.2.3 Data that are automatically recorded, technically captured during the system's operation will be stored in the system from the time they are generated, until it is ensured that the system is functioning properly. The Publisher ensures that these automatically recorded data cannot be linked to any other user's personal data, except in cases that are legally binding. If the user's consent to managing the personal data has been terminated or the user unsubscribed from the service, then his person will not be identified from the technical data.
II Privacy Principles, guidelines, data management, remedy
II.1 Basic principles of data management
Personal data shall be obtained and processed fairly and lawfully.
Personal data may be processed under the following circumstances:
if the data subject have given their consent, or
when processing is necessary as decreed by law or by a local authority, within the scope defined therein.
Consent of a legal representative of a minor with no or limited legal capacity is required, except for the parts of service where the consent targets mass registration occurring in everyday life and does not require any special consideration.
The personal data processed must be essential for the purpose for which it was recorded, and must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
Personal data may only be stored for specific and lawful purposes and may not be used otherwise.
Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied at all stages of data processing operations.
Personal data can only be handled with appropriate informed consent.
Before processing operations are carried out the data subject shall be clearly and elaborately informed of all aspects concerning the processing of their personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, and the persons to whom the data may be disclosed. Information shall also be provided on the data subject’s rights and remedies.
Personal data processed must meet the following requirements:
their recording and management is fair and lawful;
accurate, complete and timely, if necessary;
their storage is capable of identifying the person concerned only for the time necessary to achieve the purpose of the storage.
An application of a general and uniform personal identification sign is restricted.
Personal data must be proportionate to the purpose of their storage and must comply with this objective and may not extend beyond that.
The personal data storage method must be such as to allow the identification of the user concerned for the time necessary for the purpose of storage.
Appropriate safety measures shall be implemented against accidental or unlawful deletion or destruction or accidental loss and unauthorized access, alteration, or dissemination of personal data stored in automated data files.
Personal data can be transmitted and different data managements can be linked when the party concerned has consented to it or if the law allows it and if the terms of the data management are met for each personal data.
Personal data (including special data) may be transferred to a data controller or processor operating in a third country – irrespective of the medium or mode of data transfer – if the data subject has given his explicit consent, or the law allows it and the adequate level of protection of the personal data have been ensured in the third country during the course of the control and processing of the data transferred. Transfer of data to EEA Member States shall be considered as if the transmission took place within the territory of Hungary.
II.2.1 For the use of the Publisher's services, the Publisher uses personal data that are strictly necessary with the consent of those involved and solely related to the purposes.
II.2.3 In some cases – official court, police inquiries, legal action against copyright, property or other breaches or serious suspicion of them, prejudice to the interests of the Publisher, endangering the Publisher’s services, etc. – the Publisher may make the personal data of the user concerned that are in the possession of the Publisher available to the third party.
II.2.4 The Publisher’s system may collect data on the activity of users that can not be linked to the personal data provided by the user during registration, nor to the data generated by other websites or services.
II.2.5 The Publisher undertakes to publish clear, noticeable and unambiguous information prior to the inclusion, recording and management of any personal data, informing the users of the method, purpose and principles of data collection. In addition, in all cases where data recording and management are not made mandatory by law, the Publisher draws the user's attention to the voluntary nature of the data supply. In case of mandatory processing, reference to the legislation containing the information has to be indicated. The data subject shall be informed about the person entitled to control the data and to carry out the processing. Information on data management is also ensured by the fact that legislation provides for the retrieval of the data from the existing data management by transmission or interconnection.
II.2.6 In all cases where the Publisher intends to use the personal data for purposes other than the purpose of the original record, the Publisher shall inform the user thereof and obtain their prior express consent or give him the opportunity to prohibit the use.
II.2.7 The Publisher, as the data collector adheres to the restrictions stipulated by the law in the case of the recording, recording and management of the data, and on request informs the data subject of the Publisher’s activity by electronic mail. The Publisher undertakes not to impose any sanction on a user who refuses to provide non-mandatory data.
II.2.8 The Publisher undertakes to implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to ensure that the personal data recorded, stored or processed are protected and prevents their destruction or unauthorized use and unauthorized alteration. The Publisher also undertakes to call any third party to whom the personal data may be transferred or handed over for compliance with this obligation.
II.2.9 Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the data controller shall rectify the personal data in question.
II.2.10 Personal data shall be erased if
so requested by the data subject;
incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;
the purpose of processing no longer exists or the legal time limit for storage has expired;
so ordered by court or by the Authority.
II.2.11 Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose which prevented their erasure.
II.2.12 When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.
II.2.13 If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within thirty days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.
II.3 Details of the data controller
Name: Mozaik Education Ltd.
Address: 6723 Szeged, Debreceni u. 3/B
Company register number: 06-09-001610
Name of registration court: Szeged Court of Registration
The user concerned may request the information about the management of their personal data and may request the rectification of their personal information or deletion (except for data processing ordered by law) as indicated in data recording or by the customer service of the data controller.
At the request of the user concerned, the data controller shall provide information about the data managed by the data controller, their purpose, legal basis, duration, name and address of the data processor activities related to processing, and who and why received the data. The data controller shall be required to provide information in writing, within a short period of time, but not later than 30 days from the date of receipt. This information is free of charge if the user has not requested information from the data controller for the same issue in the current year. In other cases the data controller may require a fee.
The data controller deletes personal data if their management is unlawful, if the users requests their deletion, if the purpose of the data as determined by the law has expired, if the deletion was ordered by the court or by the data protection commissioner.
When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.
The subject may object to the processing of their personal data if
disclosure is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research;
the exercise of the right of objection is otherwise permitted by law.
The data controller shall – simultaneously with the suspension of data processing – examine the objection within the shortest possible time but not later than 15 days from the submission of the request and inform the applicant in writing thereof. If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
If the data subject disagrees with the decision taken by the controller, the data subject shall have the right to turn to court within thirty days of the date of delivery of the decision.
The controller shall not delete the data of the data subject if processing has been prescribed by law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the court has found the objection justified.
In the event of any infringement of his rights the data subject may turn to court action against the controller. The court shall hear such cases in priority proceedings.
Possibilities for seeking judicial remedy with the (National Authority for Data Protection and Freedom of Information) (hereinafter referred to as “Authority”).
National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1125 Budapest Szilágyi Erzsébet fasor 22/c
II.5.1 Changes in personal data and the request to delete personal data can be communicated by means of a written statement in a letter sent to the service's internal mail system. Unsubscribing from newsletters happens through modifying the user interface settings on the page.
II.5.2 Some personal data may also be modified by modifying the personal profile page.
II.5.3 After the request for deletion or modification of personal data is executed, the previous (deleted) data can no longer be recovered.
II.6 Data processing
II.6.1 The Publisher shall not use a separate external data processor. The Publisher shall process the data managed by the Publisher themselves.
II.7 Possibility of data transfer
II.7.1 The Publisher as a data controller is entitled and obliged to transmit to the competent authorities any personal data that is available to the Publisher and that has been lawfully stored. The Publisher is obliged to provide the data by law or by statutory obligation. The data controller shall not be liable for the transfer of such data nor the resulting consequences.
II.7.2 If the Publisher partially or completely transfers the operation or utilization of content services on any of the Publisher’s websites to a third party, the Publisher may without requesting a separate consent completely hand over to this third party the personal data managed by the Publisher for further management of the data. This transfer of data may only serve the continuous process of the registration of already registered users, but the user may not be put in a more disadvantageous situation as regards data management and data security rules than the one specified in the current text of this Policy.
II.7.3 Some of the personal data of the users will be forwarded for a specific purpose, based on the user's consent, as follows:
the Publisher publishes personal data and ordering data recorded for registration of the users in order to deliver the ordered packages and the Publisher, separately from personal data, transfers browsing data regarding the products for statistical purposes to IMOSOFT Kft (6723 Szeged, Debreceni u. 3.). The personal data transmitted in such manner will be handled by IMOSOFT Ltd. in accordance with their own privacy and data management regulations.
in case the user wishes to use the online payment system for payment on the website of the Publisher, the following personal data will be transmitted to the payment service provider based on the express, unique consent of the user: username; purchase amount; delivery name, delivery telephone number, delivery address; billing name, billing email address, billing phone, billing address. The consent involves the user accepting the Terms and Conditions of online purchase. The personal data transmitted are handled according to the payment service provider's own data protection and data management rules;
II.8 Modifying the Policy
II.9 Rights of users regarding their personal data handled by the data controller
II.9.1 To require information about the management of their personal data, the users may send a registered or certified letter to the Publisher to the address of the data controller (6723 Szeged, Debreceni u. 3/B) or an e-mail to email@example.com. An information request sent by e-mail is considered authentic by the data controller only if it is sent by the user from a registered email address. The request for information may include the data of the user managed by the data controller, their source, purpose, legal basis, duration of the data processing, names and addresses of the data processors, the activities related to data management and, in the case of the transfer of personal data, who and for what purpose received the personal data of the user.
II.9.2 The data controller shall be required to provide information in writing, within a short period of time, but not later than 30 days from the date of receipt. In the case of an email, the date of receipt shall be deemed to be the first working day following the date of dispatch.
II.9.3 Anybody to whom the personal data was previously transferred with the purpose of data management need to be informed about the rectification, blocking or erasure of the handled personal data. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.
II.9.4 The data subject shall have the right to object to the processing of data relating to him
if processing or disclosure is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
in all other cases prescribed by law.
In the event of objection, the Publisher, as the data controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision.
If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection. If the data subject disagrees with the decision or if the controller fails to meet the deadline specified in this section, the data subject shall have the right to turn to court within thirty days of the date of delivery of the decision or from the last day of the time limit
III The scope of data stored at the Publisher
III/1 Teachers’ data stored and controlled by the Publisher as training institution
III/2/1 The Publisher controls the below data of teachers participating in its training programme:
place and date of birth
mother’s maiden name
place of residence or temporary accommodation
the title and date of entering into and termination of the training contract
the name, address and OM (Ministry of Education) number of the educational institution they are employed by
the core public education task providing a basis for their training contract
place of training
in case of adult training, data concerning work schedules of training
expected date of termination of studies.
III/2 Data of teachers, students and students’ carers as users comprising the Publisher’s customer base in relation to the administrative space provided for web registration, digital class register and record of achievement on the server hosted by the Publisher
III/3/1 The Publisher processes the data of teachers, students and students’ carers as users who are part of the Publisher’s customer base in relation to the administrative space provided for web registration, digital class register and record of achievement on the server hosted by the Publisher:
child or pupil’s name, place and date of birth, gender, nationality, place of residence, temporary accommodation, National Insurance number and the legal title of their residence in Hungary in the case of non-Hungarian nationals
parent or legal representative’s name, place of residence, temporary accommodation, phone number
data regarding the child’s student status
data regarding entrance examination
the core educational task that the training contract is based on
data regarding a pending or terminated training contract
data regarding a child’s or student’s non-attendance
data regarding a special needs child or student
Ministry of Education ID number of child or student
NABC (National Assessment of Basic Competences) ID
data regarding student status
data regarding private student status
behaviour of the student, evaluation and marking of student’s diligence and knowledge, exam data
in case of adult training, data concerning work schedules of training
data regarding student’s disciplinary and compensatory cases
student’s student ID number
data regarding student book supply
data regarding repetition of school year
date and reason of termination of student status
data of national assessment evaluation
The child or student’s following data:
the name, place and date of birth, place of residence, temporary accommodation, parent's name, name of legal representative, parent’s or legal representative's place of residence, temporary accommodation and telephone number, start date, suspense period and termination of training contract, private student status, the number of missed lessons, and the student’s location can be disclosed to the Controlling Authority, the Court, the Police, the Public Prosecutor’s Office, the Notary of the Municipality, Public Administration and the National Security Service in order to establish the legality of the student’s non-attendance of a lesson on a school day or other compulsory activity organized by the school; to contact the parent or legal representative of the student; to establish the student’s legal status and to monitor the fulfilment of compulsory education;
data regarding the child’s entrance into or transfer from a pre-school or school can be disclosed to the pre-school or school involved; data regarding the student’s entrance into an establishment of higher education can be disclosed to the establishment of higher education involved;
the name, place and date of birth, place of residence, temporary accommodation, National Insurance number, parent's or legal representative’s name, parent’s or legal representative's place of residence, temporary accommodation and telephone number, the student’s pre-school and school health assessment documentation, data regarding any accidents to the child or student can be disclosed to healthcare institutions and institutions carrying out educational healthcare services in order to assess the child’s or student’s health;
the name, place and date of birth, place of residence, temporary accommodation, National Insurance number, parent's or legal representative’s name, place of residence, temporary accommodation and telephone number, data regarding the student’s non-attendance, and data regarding the student’s special needs can be disclosed to Social Services and Child and Youth Protection authorities in order to establish and eliminate the threat;
data needed to apply for and prove entitlement to available state funding can be disclosed to the Controlling Authority;
billing details can be disclosed to student book retailers
data of any certificates acquired through state examinations can be disclosed to the establishment recording certificates and through them to the establishment recording entrance requests to establishments of higher education;
Data regarding the child’s or student’s:
special needs, social disadaptability, learning difficulties can be disclosed to and shared amongst pedagogical service institutions and educational institutions;
pre-school development and school readiness can be disclosed to the parent, pedagogical service institutions and the school;
behaviour, diligence and knowledge assessment can be disclosed within the class and the teaching staff involved, the parent, the examination board, the person in charge of practical training, the subjects of the student contract or if evaluation takes place outside of the school, to the school, or in case of changing schools, to the new school and the person in charge of monitoring;
necessary for issuing the child’s student card can be disclosed to KIR (Information System of Public Education) and those participating in issuing the student card.
Data regarding the student’s training contract, with special attention to
data regarding entrance examination
behaviour, diligence and knowledge assessment and evaluation; exam data
data regarding student’s disciplinary and compensatory cases
data regarding special needs and exemptions thereof
data regarding type of disorder in student with social disadaptability, learning difficulties or difficult behaviour
data regarding disadvantage or multiple disadvantages
Identity Card number
the student’s photo in the digital class register
statistical data supporting the operation of the system
other data can be disclosed with the approval of the data subject.
III/4 User data
The Publisher processes the data necessary for providing the service the user wishes to use on websites such as www.mozaik.info.hu, www.mozaweb.hu, www.mozaweb.cometc operated by the Publisher given that the user concerned has given permission in advance.
IV Principles of data transfer
IV/1 Transfer of teachers’, students’, students’ guardians’ and users’ data
The Publisher shall only transfer data concerning teachers, students, guardians or users that is prescribed by law. The data can be transferred to the Court, the Police, the Public Prosecutor’s Office, the Municipality, State Administration and the National Security Service. In the event of the Publisher’s legitimate interests being adversely affected, jeopardy of the Publisher’s services etc. due to legal proceedings, copyright infringement, material damage or other infringement, moreover having reasonable suspicion of any of the above, the Publisher shall disclose the employee’s available data to third parties.
V The technical proceedings of data processing
V/1 Basic methods of data processing
The data processed by the Publisher can be stored in the following formats:
data created electronically but archived in paper format
(electronic) data, photo on the Publisher’s website
The records can be processed in printed form or in a computerised way.
V/2 Management of teachers’, students’, students’ guardians’, contractual partners’ and users’ data
V/2/1 Protection of teachers’, students’, students’ guardians’, contractual partners’ and users’ personal data
Personal data can only be handled by the following:
the General Manager of the Publisher
the Head of Finance and the Financial Department staff of the Publisher,
and the employee carrying out data processing.
Data must be protected against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss. In case the disclosure of data takes place via network transmission or other electronic means, the controller and the person carrying out the transfer shall implement additional data protection measures (verification, password protection, data deletion from network after transfer etc) to ensure technical protection of personal data.
V/2/2 Principles of processing and storing personal data
All employees of the Publisher are obliged to adhere to the order of data processing laid down in legislation and these regulations. Data controllers, employees and managers of the Publisher are responsible for protection of any data that is disclosed to them. Personal data can only be transferred by people and in ways specified by these regulations. Transfer of personal data in any way not specified here (verbally, on the telephone, in writing or through any other method) is strictly prohibited.
V/3 The rights of the data subject, teachers, students, students’ guardians and users and the principles of exercising their rights thereof
V/3/1 Informing the data subject; requesting a change in the details of the data subject
Prior to data processing being initiated the data subject shall be informed whether their consent is required or processing is mandatory. In case of mandatory processing, reference to the legislation containing the information has to be indicated.
The teacher, student or student’s guardian and users may request information on how their personal data is processed or correction of their personal data that the processor is obliged to carry out. The teacher, student or student’s guardian, users and contractual partners are entitled to receive information on who to, for what purpose and to what extent their data was transferred.
If requested by the data subject, teacher, student, student’s guardian or user, the Publisher’s General Manager shall provide information on the data processed by the Publisher or by the processor chosen by the Publisher, the purpose for which their data is required and the legal basis, the name and address of the person entitled to control the data and to carry out the processing, and their activity regarding data process; the duration of the proposed processing operation, and the entities whom their data may be disclosed to. The Publisher’s General Manager must provide the requested information in a written, clear and understandable form within 30 days of the request.
V/3/2 The data subject’s right to object
The subject may object to the processing of their personal data if
processing or disclosure is carried out for enforcing the rights and legitimate interests of the controller or the recipient, unless processing is mandatory;
personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research;
in all other cases prescribed by law.
In the event of objection, the Publisher’s General Manager – after suspending data procession – shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision. If the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection. If the data subject disagrees with the decision taken by the controller, the data subject shall have the right to turn to court within thirty days of the date of delivery of the decision.
V/3/3 Judicial remedy
In the event of any infringement of the data subject’s rights, the teacher, the student, the student’s guardian or the user may turn to court action against the controller. The court shall hear such cases in priority proceedings.
VI The Publisher’s homepage
The Publisher’s homepage may be visited by all, free of charge, without providing any personal detail. Certain parts of the homepage may be visited without registration and the services provided are free of charge. Other parts of the homepage need registration.
During the registration process – voluntarily, without legal obligation – the user must provide information that is considered personal data.
The Publisher as controller controls and stores the data subjects’ data in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. The Publisher shall only store data that the data subject have given their explicit consent to and to an extent that is necessary to provide the data subject the requested service.
The Publisher shall store and safeguard personal data disclosed to them during the registration process and shall not under any circumstances transfer it to a third party – without previous and explicit consent of the data subject – unless prescribed mandatory by law.
If the data subject shall not wish to provide personal information, they shall not attempt to register.
The data subject may request information on processing of their personal data and may request correction or deletion of their data.
The homepage stores the IP address of the data subject’s computer, the time and content of their browsing activity and what link they navigated to the homepage from. The Publisher shall store these data in a way that cannot be linked to the data subject’s identity; by analyzing these data the Publisher shall find out what service or content is used, how often it is used and the extent they are used for.
The IP addresses only serve statistical purpose, the Publisher shall not link these to personal data.
VI/1 Principles of storing and controlling data provided by and with previous consent of visitors of websites hosted by the Publisher regarding sending out newsletters
Data control is carried out by the Publishers contractual partner, hereinafter referred to as Controller. Data processing is carried out by the Publisher’s contractual partner, hereinafter referred to as Processor.
The Publisher shall not disclose data to a third party, and shall only use it to send regular newsletters and written information relating to that.
VI/2 The scope of personal data controlled
VI/2/1 The data that can be provided with previous consent of the data subject are: e-mail address, telephone number, name, place of residence, temporary accommodation, place and date of birth, product categories purchased within orders, preferred payment type and delivery, purchase totals.
VI/2/2 Data recorded during the operation of the system: data of the user’s computer that are generated during the course of using a particular service and which are recorded as an automatic result of the technical processes by the controller. The system shall automatically record data that is to be recorded automatically upon login and log out without the user’s prior consent or action. Other users of these data – excluding mandatory cases – cannot be connected to personal data. The data are only accessible by the controller.
VI/2/3 The Publisher places a small set of data (so-called cookies) on the user’s computer in order to provide a personalised service. The purpose of cookies is to ensure the operation of the website on the highest possible level to improve user satisfaction. The user can delete cookies from their own computers or can adjust settings to disable cookies. By dismissing cookies the user acknowledges that without cookies the website will not be fully operational.
VI/2/4 The legal basis, purpose and method of data processing
VI/2/4/1 Data processing is carried out based on the voluntary declaration of the user browsing the internet content found on either of the Publisher’s following websites: www.mozaik.info.hu, www.mozanaplo.hu, www.mozaweb.hu, www.mozaweb.com given that prior to the declaration all necessary information was given. the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data The declaration shall include the user’s explicit consent to the personal data provided during the browsing activity being used. According to Point a) Section 5 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the legal basis of data processing is the data subject’s voluntary consent.
VI/2/4/2 The purpose of data processing is to provide services available on www.mozaweb.hu, www.mozanaplo.hu, www.mozaweb.com and the Publisher’s homepages. The list of personal data necessary for the use of these services can be found under relating services.
VI/2/4/3 The purpose of data stored automatically (see VI/2/2) is to provide services available through the Publisher’s internet pages, to display personalised content and adverts, statistics, the technical development of the IT system, and the protection of users’ rights. The controller may use the data provided by the users during the use of service to create user groups and to display targeted content and/or adverts to these user groups on the Publisher’s websites.
VI/2/4/4 The controller may not use personal data for purposes not specified by the above points. Personal data can only be disclosed to a third party or the authorities – unless deemed mandatory – with prior and explicit consent of the data subject.
VI/2/4/5 The controller shall not inspect the personal data provided. The data subject is solely responsible for the genuinity of the data provided. By providing their e-mail address, all users take responsibility for not sharing the provided e-mail address with others for the purpose of using services. The user registering the e-mail address shall bear all responsibility regarding login with the provided e-mail address.
VII Smartphone application
VII/1 The Publisher operates several smartphone applications (eg. mozaBook, 3D viewer, etc.) that enable users to browse the list of books supplied by the Publisher on their smart phones and tablets, to consume electronic content and read e-books.
The Publisher collects the following anonymous data of the users’ habits of using the applications:
reading and content consumption habits (what, when, how much)
error messages and crashes of the application
habits of application use (what functions are being used, what appliance the application is running on)
The data relating to ways of use shall under any circumstances be connected to the personal data of users running the application.