This privacy statement discloses how Mozaik Education Ltd. (hereinafter Company) manages, transfers and processes data.
the Regulation (EU) 2016/679 (hereinafter Regulation) of the European Parliament and of the Council,
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information,
Act CXIX of 1995 on the Handling of Names and Addresses for Purposes of Research and Direct Marketing,
Act VI of 1998 on the enunciations of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed in Strasbourg on 28 January 1981,
Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity,
Act CVIII of 2001 on certain issues of electronic commerce activities and information society services
I. 2. Definitions
The normative definitions used in this privacy statement are contained in Article 4 of the Regulation.
Accordingly, we list the main definitions:
1. 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
4. 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. 'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘user’ means a natural person who registers to or visits any of the Company’s homepages (www.mozaik.info.hu, www.mozaweb.hu, www.mozaweb.com, www.mozanaplo.hu, www.mozalog.com, verseny.mozaik.info.hu, www.intellisense.education, www.labcamera.com, www.intellisen.se, www.fizikaapp.com, www.matekapp.com, www.cutnlearn.com).
I. 3. The main scopes of this privacy statement:
ensuring the implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council
ensuring the implementation of Act CXII of 2011 on Informational Self-determination and Freedom of Information,
determining data and privacy regulations,
recording data management and data processing rules for users (students, parents, teachers, visitors, etc.),
setting rules for the transfer of data,
disclosing the rights of the persons involved in the data register and the order of their enforcement,
The purpose of the privacy statement is to inform the persons involved in the data management about all the facts related to the handling of the data, in particular the purpose and legal basis of the data processing, the data controller and the person authorized for data processing, the duration of the data handling, and who may be familiar with the data.
I. 4. Name of controller
This privacy statement is issued by the Controller:
The Company reserves the right to unilaterally modify this privacy statement at any time. By continuing to use the service, the users acknowledge the modification of the data management rules, and there is no need to request their further consent.
'Processor' shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Article 4 (8) of Regulation)
The use of a processor does not require the prior consent of the users of our services, but users have to be informed about it. Data processors handle the personal data provided by the Company in accordance with the provisions of their respective privacy policies, on which further information can be found on the data processor's website. Accordingly, we provide the following information:
II. 1. The IT provider of Company
To maintain and manage its website, our company has contracted with a processor, which provides IT services (hosting, application development, application management), and manages the personal data provided on the website, for the duration of the contract; thus this processor manages the personal data on the website and stores these data on its servers. The name and data of this processor are:
Name of company: Zengo Kft.
Headquarters: 6724 Szeged, Kossuth Lajos sgt. 72.
Company registration nr: 06-09-010660
TAX number: 13748742-2-06
Phone number: +36 62 202 039
Email address: firstname.lastname@example.org
II. 2. The accounting service provider of our company
To fulfill its tax and accounting obligations, our company uses an accounting outsourcing service provider, which manages the personal data of our contractual partners and paying agents. The name and data of this processor are:
Name of company: IMOSOFT KFT.
Headquarters: 6723 Szeged, Debreceni u. 3/B. II./6.
Company registration nr: 06-09-000295
TAX number: 10326996-2-06
Phone number: +36 62 470 101
Email address: email@example.com
II. 3. Postal services, delivery, package delivery
These processors receive the personal data (name, address and phone number) of our customers in order that they deliver the orders our customers have placed.
These service providers are:
Name of company: Magyar Posta Zrt.
Headquarters: 1138 Budapest, Dunavirág u. 2-6.
Company registration nr: 01-10-042463
TAX number: 10901232-2-44
Phone number: +36 30 771 1802
Name of company: GLS General Logistics Systems Hungary Kft.
This processor receives the personal data (name, address and bank account number) of our customers who have outstanding debts and uses these data for handling the non-executed payments.
Name: Hevesi Ügyvédi Iroda
Headquarters: 6720 Szeged, Somogyi u. 6., III./2.
Phone number/ Fax: +36 62 450 018
Email address: firstname.lastname@example.org
II. 5. Banking services
This processor receives the personal data (name, address, bank account number) of our customers in case of product return. This processor uses these data for transferring the purchase price electronically to our customers.
The processors listed below receive personal data (order ID, order amount, the list of products that have been ordered) required for payment processing when an electronic payment or payment by card occurs in our Company’s webshop.
III. 1. Data processing of contracting parties – recording customers and suppliers
(1) Based on the performance of the contract, the Company manages the name, name at birth, date of birth, address, e-mail address, bank account number, client number (customer number, order number), and online ID of a natural person that is a customer or supplier under contract with the Company for the purpose of entering into, performing, and terminating a contract, as well as offering a contract discount. Data processing shall be considered lawful even if processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. The recipients of the personal data are the customer service representatives, accountants, and processors of the Company.
(2) Duration of the processing of personal data: 5 years after the termination of the contract.
(3) Data processing is based on the performance of the contract.
(4) Personal data of the data subject are transferred to the processor.
III. 2. Contact details of the natural person representative designated by legal person clients, customers, suppliers
(1) Personal data processed: name, address, phone number, e-mail address and online identifier of the natural person.
(2) Purpose of data processing: Provision of the contract signed with the legal person partner of the Company; business communication; legal basis: consent of the data subject.
(3) Recipients or categories of recipients of the personal data: employees of the Company performing customer service and trade related tasks.
(4) Period for which the personal data will be stored: 5 years after the end of the business relationship or after the data subject stops acting as representative.
(2) Our Company's website stores and processes the following data of the visitor's online session and the device from which the browser was opened: • IP address of the visitor, • browser type, • operating system (language), • time of server request, • which page was visited; which function or service was used.
(3) Allowing or enabling cookies is not strictly necessary. You can change your browser settings to block cookies or to notify you when a website sends you cookies. By default, most browsers allow cookies, but this setting can be changed to prevent your browser from automatically allowing cookies and to prompt for cookies.
Please be aware that if you disable cookies, certain sections or features of our website may not work.
(4) Cookies in themselves do not identify the individual user.
(5) Cookies used on the website of the Company:
1. Session cookies
These cookies are necessary to allow visitors to browse the website, to effectively and fully utilise its features and services that are available through the website. Such services include the storing of information about the actions performed by the visitor while browsing the website. These cookies only last as long as the visitor's online session, and disappear from the computer or device when the browser is closed.
The legal basis for data processing is Article 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information services.
Purpose of data processing: ensure the proper functioning of the website.
2. Persistent cookies:
Such cookies enable the Company to store the user's site preferences. The visitor may prohibit the data processing at any time before the use of the service and during the use of the service. These data cannot be linked to the identifier of the user and cannot be transferred to a third party without the user's consent.
2.1. Functional cookies:
The legal basis for data processing is the consent of the visitor.
The purpose of data processing is to improve the efficiency of the service, improve user experience and make the site more comfortable for use.
III. 4. Data of natural persons registered and processed in connection with the trainings by the Company as trainer
(1) A natural person registering for the accredited training of the Company shall enter his or her data by filling in a paper-based application form.
(2) Personal data processed: name; place of birth; date of birth; mother’s name; address; e-mail address; phone number; the title and date of entering into and termination of the training contract; OM (Ministry of Education) number of the educational institution; the core public education task providing a basis for the training contract; data concerning work schedules of training; expected date of termination of studies.
(3) On the basis of the 277/1997 Government Decree on teacher further training, teachers’ post-graduate professional examination, and on the allowances and benefits of further training participants, the Company shall process the natural person identification data of registrants for the accredited trainings for the purpose of making, amending and monitoring the contract for the provision of the Company’s accredited training and thereof for the purpose of charging fees and validating credit points. Furthermore, the Company shall process the phone number, e-mail address and online identifier of registrants and participants on the basis of the consent of the aforementioned persons.
(4) The legal basis for data processing is the 277/1997 Government Decree on teacher further training, teachers’ post-graduate professional examination, and on the allowances and benefits of further training participants.
(5) Recipients or categories of recipients of the personal data: employees of the Company performing customer service and training related tasks; employees of the IT provider (processor) of the Company performing hosting related tasks.
(6) Period for which the personal data will be stored: 7 years after the provision of the service.
(7) A natural person registering for the non-accredited training of the Company shall enter his or her data by filling in an online application form.
(8) Personal data processed: name; place of birth; date of birth; address; e-mail address; phone number; date of training; name, address and OM (Ministry of Education) number of the educational institution he or she is employed by; the core public education task providing a basis for their training contract; qualification; data concerning work schedules of training (place, date, name of the training programme).
(9) On the basis of the 277/1997 Government Decree on teacher further training, teachers’ post-graduate professional examination, and on the allowances and benefits of further training participants, the Company shall process the natural person identification data of registrants for the non-accredited trainings for the purpose of making, amending and monitoring the contract for the provision of the Company’s non-accredited training and thereof for the purpose of charging fees and validating credit points. Furthermore, the Company shall process the phone number, e-mail address and online identifier of registrants and participants on the basis of the consent of the aforementioned persons.
(10) The legal basis for data processing is the 277/1997 Government Decree on teacher further training, teachers’ post-graduate professional examination, and on the allowances and benefits of further training participants.
(11) Recipients or categories of recipients of the personal data: employees of the Company performing customer service and training related tasks; employees of the IT provider (processor) of the Company performing hosting related tasks.
(12) Period for which the personal data will be stored: 7 years after the provision of the service.
III. 5. Registration on the website or in the application of the Company
(1) A natural person registering on any of the websites or in any of the applications of the Company (mozaBook for Windows, mozaBook app, mozaik3D app) can give his or her consent to the processing of his or her personal data by checking the relevant box or clicking the appropriate button.
(2) Personal data processed: natural person’s name (first name, surname), nickname, address (billing address, shipping address), country, date of birth, e-mail address, phone number, online identifier; name of educational institution, ID of the educational institution, address of the educational institution; natural person’s position in the educational institution, class, social network identifier.
(3) Purpose of processing personal data:
Providing services through the website.
Establishing contact by e-mail, phone, SMS or mail.
Information about the Company’s products, services, conditions on entering into contract, and discounts.
Marketing materials can be sent electronically or by post.
Analysing the use of the website.
Technical development of the IT system.
Protecting the rights of the users.
The Company may use the data provided by the users during the use of service to create user groups and to display targeted content and/or adverts to these user groups on the Company’s websites.
(4) The legal basis for data processing is the consent of the data subject.
(5) If the user links his or her Facebook/Google/Office365/Vkontakte account to his or her user account registered on the Company's websites at his or her discretion, the Company may therefore process the following personal data of the user in addition to the aforementioned personal data: Facebook/Google/Office365/Vkontakte profile name, Facebook/Google/Office365/Vkontakte profile URL, Facebook/Google/Office365/Vkontakte profile ID.
(6) Recipients or categories of recipients of the personal data: employees of the Company performing customer service and marketing related tasks; employees of the IT provider (processor) of the Company performing customer service related tasks.
(7) Period for which the personal data will be stored: for as long as the data subject is registered at the website or uses a particular service, or until the data subject withdraws his or her consent (application for revocation).
(8) The controller shall not inspect the personal data provided. The data subject is solely responsible for the genuineness of the data provided. By providing their e-mail address, all users take responsibility for not sharing the provided e-mail address with others for the purpose of using services. The user registering the e-mail address shall bear all responsibility regarding login with the provided e-mail address.
(9) Data recorded during the operation of the system: data of the user’s computer that are generated during the course of using a particular service and which are recorded as an automatic result of the technical processes by the controller. The system shall automatically record data that is to be recorded automatically upon login and log out without the user’s prior consent or action. Other users of these data – excluding mandatory cases – cannot be connected to personal data. The data are only accessible by the controller.
(10) The Company deletes the personal data of users after 24 months of inactivity.
III. 6. Data management relating to newsletter service
(1) Any natural person registering for the newsletter on the Company’s website(s) may consent to the management of personal data by marking the relevant square or clicking the appropriate button. The individual concerned can unsubscribe from the aforementioned newsletter at any time, either by clicking the “Unsubscribe” button or by providing a written statement, in letter form or via e-mail, which indicates retraction of consent. In that case, the Company deletes all data of the unsubscribing individual. The Company does not pass on said data to any Third Party; the data are to be used exclusively for the regular delivery of the newsletter or the written information regarding the newsletter.
(2) Personal data processed: natural person’s name (surname, first name), e-mail address
(3) The purpose of managing personal data:
1. Sending newsletters regarding Company’s products and services
2. Sending promotional material
(4) Legal basis for data management: consent of individual concerned.
(5) Recipients of personal data, recipient categories: Company’s customer service employees, members of Company’s marketing team, and Company’s IT provider tasked with hosting services as data processor.
(6) Duration of personal data storage: for as long as the newsletter service continues, or until the retraction of consent (application for revocation).
III. 7. Data management on Company’s social media sites (e.g. Facebook, Twitter, Instagram, LinkedIn, YouTube)
(1) Company maintains social media sites for the introduction and promotion of its products and services.
(2) Questions posed and inquiries made on Company’s social media sites do not constitute an official complaint.
(3) The personal data shared by visitors on Company’s social media sites is not managed by Company.
(5) Upon publication of illicit or offensive content, Company is entitled to withdraw subject’s membership or delete comment made by subject without prior notice.
(6) Company is not accountable for any content or comment infringing legislation shared by users of social media site. Company is not liable for any error, malfunction, or issue due to changes in system operation on social media site.
III. 8. Data management regarding Company’s webshop
(1) In line with the regulations on electronic commercial services and section 13/A of Act 108 of 2001 on information society services, as well as Decree 45/2014 detailing the provisions on contracts between consumer and undertaking, the purchase of items from Company’s webshop constitutes a contract. In the event of purchase from Company’s webshop, the legal basis for data management is the contract.
(2) Based on subsection (1) of section 13/A of Act 108 of 2001, Company is entitled to manage the personal identification data and address of natural persons who register and/or make a purchase in the webshop in accordance with the regulations on the formation, content specification, alteration, and execution of contracts regarding information society services, for the purpose of billing and exercising any legal claims, as well as the subject’s telephone number, e-mail address, bank account number, and online ID, consent being the legal basis.
(3) In the event of information society services rendered, Company is entitled to manage the personal identification data and address of natural persons as well as the date, duration, and location of the usage of services for billing purposes based on subsection (2) of section 13/A of Act 108 of 2001.
(4) Recipients of personal data, recipient categories: Company’s customer service employees, members of Company’s marketing team, Company’s employees responsible for tax and accounting as data processors in connection with the fulfillment of taxation and accounting obligations, Company’s IT provider tasked with hosting services as data processor, and employees of the courier with regards to the delivery information (name, address, telephone number).
(5) Duration of the management of personal data: for as long as the registration / service continues, or until the retraction of consent (application for revocation); in the event of purchase, for 5 years following purchase.
III. 9. Data processing regarding prize draws
(1) If the Company runs a prize draw (Section 23 of the Act XXXIV of 1991), it may process the name, address, phone number, e-mail address and online identifier of the data subject with his or her consent. Participation in the prize draw is voluntary.
(2) Purpose of personal data processing: deciding and contacting the winner, sending the prize. The legal basis for the data processing is the consent of the data subject.
(3) Recipients or categories of recipients of the personal data: employees of the Company performing customer service and training related tasks; employees of the IT provider (processor) of the Company performing hosting related tasks, employees of the courier company.
(4) Period for which the personal data will be stored: 6 months after the end of the prize draw.
III. 10. Data management for direct marketing
(1) Unless otherwise provided by specific other legislation, advertisements may be conveyed to natural persons by way of direct contact (hereinafter referred to as “direct marketing”), such as through electronic mail or equivalent individual communications - subject to the exception set out in Act XLVIII of 2008 -, only upon the express prior consent of the person to whom the advertisement is addressed.
(2) The personal data that can be processed by the Company for advertising purposes include the name, address, email address and online identifier of natural persons.
(3) The purpose of personal data processing is to perform direct marketing activities related to the Company's activity, i.e. sending advertising brochures, newsletters, current offers in printed (via post) or electronic form (via email) regularly or periodically to the addresses specified at registration.
(4) The legal basis for data processing is the consent of data subjects.
(5) The recipients or the categories of recipients of personal data are: The Company’s employees involved in customer service, employees of the IT provider (processor) of the Company performing hosting related tasks, and employees of the Post Office in case of postal delivery.
(6) Personal data will be retained until the withdrawal of consent.
IV. Processing of data based on legal obligation
IV. 1. Data processing for complying with tax and accounting obligations
(1) In order to fulfill its statutory tax and accounting obligations (accounting, taxation), the Company processes the statutory data of natural persons acting as its customers and suppliers. According to sections 169 and 202 of Act CXXVII of 2007 on the value-added tax, the data to be processed are: tax number, name, address, tax status. According to Section 167 of Act C of 2000 on Accounting, the data to be processed are: name, address, name of the person or body ordering the economic transaction, signatures of persons effecting payment and verifying execution, as well as, depending on the organization, the signature of the inspector; in documents of movements of inventories and liquid assets receipts, the signature of the recipient, and the signature of payer in counter-receipts. According to Act CXVII of 1995 on Personal Income Tax, the data to be processed are the following: entrepreneur’s licence number, tax identification code.
(2) The personal data will be retained for 8 years after the end of the legal relationship.
(3) The recipients of personal data are the Company’s employees performing tasks related to taxation, accounting, payroll accounting, social security and the Company’s processors.
IV. 2. Processing of data for complying with the anti-money laundering obligation
(1) In compliance with the legal obligations of the Company, in order to prevent and combat money laundering and terrorist financing, the company processes the personal data of its customers, their representatives and of beneficial owners defined in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML/CTF Act): a) surname and forename b) surname and forename by birth, c) nationality, d) date and place of birth e) mother’s birth name f) home address, or habitual address in the absence thereof, g) number and type of identification document; official document suitable for identification purposes and official address card, copy of these documents. (Section 7).
(2) The recipients of personal data: the Company’s employees involved in customer service, the Company’s chief executive, the person designated by the company according to the AML/CTF Act.
(3) For a period of eight years after the end of the business relationship or after the date of carrying out the transaction order. (AML/CTF Act § 56 (2))
V. Data processing activity of the Company
V. 1. The Company practices data processing with regards to the following activities:
Data processing, web-hosting services
Internet portal services
V. 2. Processor-provided Guarantee
(1) The Company as Processor guarantees – with regards to competency, trustworthiness and resources in particular – that it will carry out the technical and organisational measures ensuring the fulfilment of the Regulation’s requirements, including the safety of processing.
(2) Processor ensures that during its activities the people who are entitled to have access to the personal data concerned – if they are otherwise not under any corresponding secrecy obligation prescribed by law – undertake secrecy obligations with regards to the personal data they have learned.
(3) The Company possesses appropriate hardware and software infrastructure. It undertakes the obligation to carry out the technical and organisational measures that are suitable to ensure the legality of processing and the rights protection of the concerned individuals.
(4) The Company possesses the legal and technical conditions to communicate with state organisations.
(5) Our Company undertakes to share with controller clients all information that is needed to verify compliance with the legal provisions applicable to the use of a processor.
V. 3. Obligations and rights of client (controller)
(1) Controller is entitled to verify with Processor the fulfilment of the contractual activities.
(2) Controller bears the responsibility for the legality of the instructions in connection with obligations prescribed by the contract, at the same time, Processor is obligated to immediately inform Controller if the instructions or the fulfilment thereof is against regulations.
(3) Controller is obliged to inform the data subjects about the processing of their data in accordance with this contract, if obtaining their consent is required by law.
V. 4. Obligations and rights of the Company as Processor
1. Right of direction: Processor handles all data in accordance with the written instructions of the Controller.
2. Confidentiality: In the Processor's activities, it ensures that persons authorised to access the personal data concerned, if they are not otherwise subject to a legally enforceable confidentiality rule, have a confidentiality obligation with respect to the personal data they have access to.
3. Data Security: The Controller shall endeavor to take all reasonable measures to ensure the security of the computer systems it uses, in particular to prevent unauthorised access to the data stored on the site.
To ensure the privacy of your personal information, we have taken the following measures:
ensuring the continuous confidentiality of systems and services used to manage personal data;
in the case of physical or technical incidents, the ability to restore access to personal data and the availability of data in due time;
A method for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures taken to guarantee the security of data processing;
4. Use of further Processor: the Processor undertakes to use additional processors only in compliance with the conditions set out in the Regulation and in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. In this contract, the Controller entrusts the Processor with a general authorisation to use a further Processor (as subcontractor).
5. Co-operation with Controller:
a) Our Company, as Processor, assists the Controller with all appropriate means in supporting the implementation of the rights of the concerned individuals and in fulfilling its obligations related to this activity.
b) Our Company, as Processor, assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.
c) Our Company, as Processor, makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 (Processor) of the Regulation and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. With regard to this point, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the Regulation or other Union or Member State data protection provisions.
V. 5. The Company’s data processing activity
(1) The Company enters into contract with the payer for the data processing activity of mozaLog.
(2) In connection with the mozaLog service, the Company performs data processing activities. The processing of data in the school administration system of the Company is considered data processing.
(3) The personal data provided by the data subject may be accessed by authorised personnel of the Controller, typically an educational or educational institution. Data processing and data transfer in educational establishments must comply with the Regulation, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, and Act CXC of 2011 on National Public Education.
(4) The head teacher of the institution shall be liable for the controlling activities of the institution. The institution may authorise any employee under contract to exercise the powers of the Controller.
(5) The Controller entrusts to the Company the operation of the mozaLog system and the associated data processing tasks on the basis of legal regulations or by contract. In the case of state educational institutions, the Klebelsberg Centre is designated to perform the aforementioned tasks in accordance with Section 5(2)(20) of the Government Decree 134/2016 (VI. 10.) on bodies functioning as operators in respect of the provision of public education duties. In the case of non-state educational institutions (e.g. church, foundation or private educational institutions), data processing is performed under the service contract concluded with the Company.
(6) The Controller may ask a processor other than the Processor to perform tasks related to development, maintenance, system monitoring, system operation, customer service.
(7) The Processor shall not make any substantive decision on data processing and shall process the data of a natural person solely in accordance with the provisions of the Controller and not for its own use. Furthermore, the Processor shall store and retain personal data in accordance with the provisions of the Controller or the Act.
(8) The scope of the data of a natural person handled during data processing:
child or student’s name, place and date of birth, gender, nationality, place of residence, temporary accommodation, National Insurance number and the legal title of their residence in Hungary in the case of non-Hungarian nationals
parent or legal representative’s name, place of residence, temporary accommodation, phone number
data regarding the child’s student status
data regarding entrance examination
the core educational task that the training contract is based on
data regarding a pending or terminated training contract
data regarding a child’s or student’s non-attendance
data regarding a special needs child or student
Ministry of Education ID number of child or student
NABC (National Assessment of Basic Competences) ID
data regarding student status
data regarding private student status
behaviour of the student, evaluation and marking of student’s diligence and knowledge, exam data
in case of adult training, data concerning work schedules of training
data regarding student’s disciplinary and compensatory cases
student’s student ID number
data regarding student book supply
data regarding repetition of school year
date and reason of termination of student status
data of national assessment evaluation
The child or student’s following data:
the name, place and date of birth, place of residence, temporary accommodation, parent's name, name of legal representative, parent’s or legal representative's place of residence, temporary accommodation and telephone number, start date, suspense period and termination of training contract, private student status, the number of missed lessons, and the student’s location can be disclosed to the Controlling Authority, the Court, the Police, the Public Prosecutor’s Office, the Notary of the Municipality, Public Administration and the National Security Service in order to establish the legality of the student’s non-attendance of a lesson on a school day or other compulsory activity organized by the school; to contact the parent or legal representative of the student; to establish the student’s legal status and to monitor the fulfilment of compulsory education;
data regarding the child’s entrance into or transfer from a pre-school or school can be disclosed to the pre-school or school involved; data regarding the student’s entrance into an establishment of higher education can be disclosed to the establishment of higher education involved;
the name, place and date of birth, place of residence, temporary accommodation, National Insurance number, parent's or legal representative’s name, parent’s or legal representative's place of residence, temporary accommodation and telephone number, the student’s pre-school and school health assessment documentation, data regarding any accidents to the child or student can be disclosed to healthcare institutions and institutions carrying out educational healthcare services in order to assess the child’s or student’s health;
the name, place and date of birth, place of residence, temporary accommodation, National Insurance number, parent's or legal representative’s name, place of residence, temporary accommodation and telephone number, data regarding the student’s non-attendance, and data regarding the student’s special needs can be disclosed to Social Services and Child and Youth Protection authorities in order to establish and eliminate the threat;
data needed to apply for and prove entitlement to available state funding can be disclosed to the Controlling Authority;
billing details can be disclosed to student book retailers
data of any certificates acquired through state examinations can be disclosed to the establishment recording certificates and through them to the establishment recording entrance requests to establishments of higher education;
Data regarding the child’s or student’s:
special needs, social disadaptability, learning difficulties can be disclosed to and shared amongst pedagogical service institutions and educational institutions;
pre-school development and school readiness can be disclosed to the parent, pedagogical service institutions and the school;
behaviour, diligence and knowledge assessment can be disclosed within the class and the teaching staff involved, the parent, the examination board, the person in charge of practical training, the subjects of the student contract or if evaluation takes place outside of the school, to the school, or in case of changing schools, to the new school and the person in charge of monitoring;
necessary for issuing the child’s student card can be disclosed to KIR (Information System of Public Education) and those participating in issuing the student card.
Data regarding the student’s training contract, with special attention to
data regarding entrance examination
behaviour, diligence and knowledge assessment and evaluation; exam data
data regarding student’s disciplinary and compensatory cases
data regarding special needs and exemptions thereof
data regarding type of disorder in student with social disadaptability, learning difficulties or difficult behaviour
data regarding disadvantage or multiple disadvantages
Identity Card number
the student’s photo in the digital class register
statistical data supporting the operation of the system
VI. Principles of data transfer
VI. 1. Transfer of teachers’, students’, students’ guardians’ and users’ data
The Company shall only transfer data concerning teachers, students, guardians or users that is prescribed by law. The data can be transferred to the Court, the Police, the Public Prosecutor’s Office, the Municipality, State Administration and the National Security Service.
VII. The technical proceedings of data processing
VII.1 Basic methods of data processing
The data processed by the Publisher can be stored in the following formats:
data created electronically but archived in paper format
(electronic) data, photo on the Publisher’s website
The records can be processed in printed form or in a computerised way.
VIII. The Company’s homepage
The Company’s homepage may be visited by all, free of charge, without providing any personal detail. Certain parts of the homepage may be visited without registration and the services provided are free of charge. Other parts of the homepage need registration.
During the registration process – voluntarily, without a legal obligation – the user must provide information that is considered personal data.
The Company as controller processes and stores the data subjects’ data in accordance with the Regulation and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. The Company shall only process and store data for which it has a legitimate legal basis.
The Company shall store and safeguard personal data disclosed to it during the registration process or during the use of the Company websites or any of the Company’s products and shall not under any circumstances transfer it to a third party – without previous and explicit consent of the data subject – unless prescribed as mandatory by law.
If the data subject does not wish to provide personal information, they shall not attempt to register.
The data subject may request information on processing of their personal data and may request correction or deletion of their data.
The homepage stores the IP address of the data subject’s computer, the time and content of their browsing activity and what link they navigated to the homepage from.
With the prior consent of the user, the Company creates a personal profile for him or her in order to enhance user experience as well as to provide the user with more personalised service and offers. By analysing these data the Company shall find out what service or content is used, how often it is used and to what extent.
The IP addresses serve only statistical purposes; the Company shall not link these to personal data.
The Company collects the following information regarding the usage of the Company’s websites, the services running on those, or other digital products (e.g. mozaBook, mozaik3D app, mozaBook app):
reading and content consumption habits (what, when, how much)
error messages and crashes of the application
habits of application use (what functions are being used, what appliance the application is running on)
IX. Smartphone applications
The Company operates several smartphone applications (e.g. mozaBook app, mozaik 3D viewer, etc.) that enable users to browse and consume digital content and read e-books supplied by the Company on their smartphones and tablets.
The Company collects the following data on the users’ habits of using the applications:
reading and content consumption habits (what, when, how much)
error messages and crashes of the application
habits of application use (what functions are being used, what appliance the application is running on)
location data of the device
Data recorded during the operation of the system: data of the user’s computer that are generated during the course of using a particular service and which are recorded as an automatic result of the technical processes by the controller. The system shall automatically record data that is to be recorded automatically upon login and log out without the user’s prior consent or action. Other users of these data – excluding mandatory cases – cannot be connected to personal data. The data are only accessible by the controller.
The data relating to ways of use shall under any circumstances be connected to the personal data of users running the application.
X. Summary of the rights of the data subject
X. 1. Right to prior information
The data subject shall have the right to be informed of the requirements and conditions of the processing of personal data prior to the collecting and processing of his or her personal data. Further details are available in Articles 13 and 14 of the Regulation.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information described in the Regulation. Further details are available in Article 15 of the Regulation.
X. 3. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Further details are available in Article 16 of the Regulation.
X. 4. Right to erasure ('right to be forgotten')
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where any of the grounds described in the Regulation applies. Further details are available in Article 17 of the Regulation.
X. 5. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where any of the grounds described in the Regulation applies. Further details are available in Article 18 of the Regulation.
X. 6. Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it. Further details are available in Article 19 of the Regulation.
X. 7. Right to data portability
According to the terms of the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Further details are available in Article 20 of the Regulation.
X. 8. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Further details are available in Article 21 of the Regulation.
X. 9. Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Further details are available in Article 22 of the Regulation.
X. 10. Restrictions
The data subject shall have the right to obtain from the Company restriction of processing when accuracy of the personal data is contested by the data subject. In this case, the restriction is valid for a period enabling the controller to verify the accuracy of the personal data. The Company marks the data contested by the data subject, but whose correctness or accuracy has not been clearly demonstrated. The data subject shall also obtain from the Company restriction of processing when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. The data subject shall also obtain from the Company restriction of processing when the Company no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims. The detailed rules are set out in Article 23 of the Regulation.
X.11. Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Further details are available in Article 34 of the Regulation.
X.12. Right to lodge a complaint with a supervisory authority
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. Further details are available in Article 77 of the Regulation.
X.13. Right to an effective judicial remedy against a supervisory authority
Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them or when the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged. Further details are available in Article 77 of the Regulation.
X.14. Right to an effective judicial remedy against a controller or processor
Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. Further details are available in Article 79 of the Regulation.
XI. Submission of a request of a data subject, measures taken by the controller
(1) The controller shall inform the data subject about the measures taken in response to his or her request for the exercise of his or her rights without undue delay, but no later than one month after the receipt of the request.
(2) If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended for two more months. The Controller shall inform the data subject about the extension of the deadline and indicate the reason for the delay within a month of the receipt of the request.
(3) If the data subject has submitted the request electronically, the answer shall, as far as possible, be provided electronically, unless otherwise requested by the data subject.
(4) If the Controller fails to take action upon the request of the data subject, it shall inform the data subject without delay and no later than one month after the receipt of the request about the reasons for non-action and that he or she may submit the request to a supervisory authority [Hungarian National Authority for Data Protection and Freedom of Information, 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; phone number: +36-1-391-1400; fax: +36-1-391-1410; email: email@example.com] and request legal redress.
(5) The Controller shall provide information pursuant to Articles 13 and 14 of the Regulation and information on the rights of the data subjects (Articles 15 to 22 and 34 of the Regulation), as well as take action free of charge. If the request is clearly unfounded or excessive, especially due to repeated submission, the Controller, depending on the nature of the requested information or action may
(a) charge a fee, or
(b) refuse to take action.
The burden of proof of the clearly unfounded or excessive nature of the claim shall be borne by the Controller.
(6) If the Controller has well-founded doubts about the identity of the natural person submitting the request, it may request further information necessary to confirm the identity of the data subject.