Privacy Policy

PRIVACY POLICY

Kecskemét Animation Film Festival XVI 2023

KECSKEMÉTFILM Kft. (hereinafter: Data Controller, We) provides information in this Privacy Policy concerning the data processing of the KECSKEMÉT ANIMATION FILM FESTIVAL, to be held on 21–25 June 2023. (hereinafter: KAFF, Festival).

I.               GENERAL INFORMATION REGARDING DATA PROCESSING

1. WHAT DOES DATA PROTECTION MEAN AND WHY IS IT IMPORTANT?

Data protection is a set of principles, rules, procedures, data management tools and methods that ensure the lawful processing of personal data and the protection of data subjects, with the aim of protecting the rights of data subjects and preventing unauthorized access to personal data.

Data protection is an important means of protecting the privacy, which do not actually protect the data, but its owner.

 

2. OUR COMMITMENT TO THE PROTECTION OF PERSONAL DATA

In the course of organising KAFF, the Data Controller processes the personal data of the following data subjects (hereinafter: Data Subject, Data Subjects, You):

·        data subjects whose personal data have been recorded in the KAFF registration system, connected to the creation of the named animation film,

·        jury members requesting accreditation for the Festival,

·        invited guests,

·        organizers and volunteers of the Festival (with the exception if the employee of Kecskemétfilm Kft.),

·        contact persons of the business partners,

·        persons of whom the Data Controller takes pictures, audio or video recordings on the website and related online platforms during the Festival,

·        persons who file a complaint regarding KAFF's data processing,

·        persons who register for the online broadcast of the Festival.

In this Privacy Policy, and wherever your personal data is used, we provide concise, transparent and intelligible information about the method, purpose and circumstances of data management, using clear and plain language.

In all cases, the personal data made available to us will be processed in accordance with the applicable Hungarian and European Union data protection legislation and legal practice, and in all cases we will take the technical and organizational measures for ensuring the security of the processing. Respecting the basic principle of accountability, we continuously provide up-to-date and comprehensible information about our data processing activities.

In view of changes in legislation and the continuous development of jurisprudence, as well as changes in the services we offer, we reserve the right to continuously update the Privacy Policy.

You can always access the current version of the Privacy Policy, as well as the previously effective versions in the footer of the website www.kaff.hu (hereinafter: Website).

 

DEFINITIONS

Knowledge of the basic concepts of data protection is essential for the interpretation of this Privacy Policy. The definitions are contained in Article 4 of the GDPR, from which we highlight the following:

‘Personal data’ means any information relating to an identified or identifiable natural person ("data subject");

‘An identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Data subject’ is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing;

‘Special categories of personal data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and the sexual life or sexual orientation of natural persons; personal data which are prohibited under Article 9 (1) of the GDPR may be processed only in the exceptional cases provided for in Article 9 (2) of the GDPR, in particular with the express consent of the data subject;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means

‘Data processing operations’ are collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Disclosure’ is making the data available to anyone;

‘Deletion of data’ is making data unrecognizable in such a way that their recovery is no longer possible;

‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

’Controller or controller responsible for the processing’ is anyone who determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

’Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

’Consent of the data subject’ is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 

’Recipient’ is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; 

’Third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘Newsletter’ is an electronic mail, transactional, advertising or other campaign information sent to the e-mail address of persons subscribed to an address list, typically created automatically and sent by an application designed for this purpose.

 

4. PURPOSE OF PRIVACY POLICY

The purpose of this Privacy Policy is to provide easily transparent and understandable information for those concerned that

·        how we collect your personal data in connection with the organization and conduct of the Festival for what purpose we use it, and according to what principles and rules we process your personal data,

·        what personal data is processed during the organisation and conduct of KAFF,

·        under what circumstances we may transfer your personal data to others and what rights you can assert in relation to the processing of your personal data.

 

5. PERSONAL AND OBJECTIVE SCOPE OF THE PRIVACY POLICY

The personal scope of this Privacy Policy extends to the registered participant, guests, jury and the organiser staff, the business partners and the contact persons of the contractual partners of the Data Controllers, as well as the Data Processors.

In this Privacy Policy, the Data Controller provides detailed information on the essential circumstances, methods, principles, legal basis, purpose and duration of data processing related to the Festival. 

 

6. PRINCIPLES OF DATA PROCESSING

PRINCIPLE	CONTENT
a. Lawfulness, fairness and transparency	Data processing must be legal, fair and transparent during the entire period of data processing.
b.  Purpose limitation	The principle of purpose limitation means that we can only process your personal data for a clearly defined, legitimate purpose, and that the collection of data and other data processing operations must be aligned with the purpose of data processing. It follows from the principle of purpose-boundness that personal data can only be processed until the purpose of data processing is achieved.
c.  Data minimisation	The principle of data minimisation means that only those personal data that are absolutely necessary to achieve the data processing goals can be processed legally.
d.  Accuracy	The principle of accuracy means that the data stored in our filing systems must correspond to reality in the entire process of data processing. If the data is inaccurate or incorrect, based on your request, we will work with you to restore the accuracy of your personal data.
e.  Storage limitation	The principle of storage minimisation means that personal data can only be stored as long as the purpose of data management is achieved. Personal data cannot be accumulated or stored indefinitely. To this end, we determine the duration of data processing and, if this is not possible, the criteria for determining the duration.
f.  Integrity and confidentiality	As a data controller, we treat the personal data transferred to us confidentially. Your personal data can only be accessed by our employees and agents who are entitled to data management based on their job or duties. We take care of the preservation of documents and data containing personal data with technical and organizational security measures in line with the state of the art and expected of similar organizations.
g.  Accountability	The principle of accountability means that, as a data controller, we must be able to prove the legality of data protection, i.e. compliance with the provisions of the GDPR. For the sake of accountability, we document our data management activities in accordance with the provisions of the GDPR. We keep a record of the transfer and publication of the necessary information, the data management we carry out, the measures we take for the sake of data security, data protection incidents, and inquiries related to data protection.

 

7. WHAT PERSONAL DATA CAN WE PROCESS?

Depending on how you use our Website, and what information you share with us when taking part in KAFF, we may collect the following personal data from you:

a. name (surname and/or first name)

b. e-mail address

c. residential address or billing address (country, city, postal code, house number)

d. tax number (only in case of invoice request)

e. phone number (business or personal)

f. username

g. password entered during registration

h. occupation, title, position

i. identity card, passport number

j. biography of the artist and member of jury

k. social security (TAJ) number

l. time and place of birth

m. bank account number

n. any other personal information you share with us when filling out a registration form

o. IP address, password, login data (e.g. registration date), cookies and other technical information from which we can find out how you use our website

p. name of the employer and the organisation

q. image, voice and video recording

r. your personal information provided during complaint handling

8. WHAT DO WE USE YOUR PERSONAL DATA FOR?

a. Registration and entries for the Festival can be submitted.

b. During the screening of the entered films, we will publish the names of the creators, the producer and other members of the crew.

c. During the communication of the Festival, we include information about the participants and organizers of the Festival, as well as the professional CV of the creators of the mentioned films, in our publications.

d. The personal data of the members of the pre-jury, the jury, and the children's jury are processed in order to evaluate the works and select the winners of the prizes.

e. We process the data of the organizers, volunteers and invitees in order to run the Festival.

f. We order accommodation or transport services for our guests who requested these services.

g. In order to broadcast online on the Festival's online platforms (including social media), we will make and use the video/audio recording of the person concerned at the Festival location.

h. In accordance with the principle of accountability, in order to ensure technical and security requirements, we automatically log the technical data and conversion events generated during the use of the Services based on the legitimate interests of the users of the Website.

i. We use the contact data of our business partners in connection with the establishment, performance and termination of contracts.

j. Subscribers will be informed about information about the Festival in a newsletter.

k. If the physical organization of the Festival is prevented, we will provide online viewing of the films for the registered participants of the Festival.

9. ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL DATA?

The personal data of the data subjects can be processed on the following legal bases according to the GDPR:

·        the Data Subject has given his consent to the processing of his personal data for one or more specific purposes;

·        data processing is necessary to fulfil a contract in which the Data Subject is one of the parties, or it is necessary to take steps at the Data Subject's request prior to the conclusion of the contract;

·        data processing is necessary to fulfil the legal obligation of the Data Controller;

·        the data processing is necessary to enforce the legitimate interests of the Data Controller or a third party, and the Data Controller has determined through an interest assessment test (balancing test) that the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data do not take priority over these interests.

 

10. PROVISIONS REGARDING DATA MANAGEMENT OF MINORS

Given that a significant number of the animated films nominated for the Festival are intended for a minor target audience, some of the films will be judged by a children's jury. When processing the personal data of minors, we take special care to obtain the necessary consent for data processing from the legal representative.

The legal representative can give consent to data processing on behalf of minors who have not reached the age of 14 and those otherwise incapacitated.

A minor who has reached the age of 14, as well as a data subject with otherwise limited legal capacity, may consent to data processing with the consent or subsequent approval of their legal representative.

Professional CVs and portraits of the members of children’s jury will always be discussed with their legal representative before publication.

 

11. WHO WILL BE AUTHORIZED TO PROCESS YOUR PERSONAL DATA?

 

We, as the Data Controller, determine the purpose and means of processing your personal data.

Name and contract details of data controller

Company name: Kecskeméti Animációs Filmgyártó és Forgalmazó Korlátolt Felelősségű Társaság

Headquarters: H-6000 Kecskemét, Liszt Ferenc utca 21.

Tax number: 11029245-2-03

Company registration number: 03-09-102262

Solely represented by: Ferenc Mikulás managing director

E-mail address: kaff@kecskemetfilm.hu

Telephone: 00 36 76 481788

 

As a data controller, we treat the personal data provided to us confidentially. Your personal data can only be accessed by our employees and agents who are entitled to data management based on their job or duties.

12. WHO CAN WE SHARE YOUR PERSONAL DATA WITH?

 

Data processors

In order to organise and run the Festival, we must also use the services of IT (e.g. hosting, IT services, web development) and other technical service providers.

The data processors will process your personal data on our behalf, strictly according to our instructions and providing appropriate guarantees.

The personal data of the data subject - if absolutely necessary e.g. in connection with a legal dispute or in order to make a financial or accounting assessment of an economic event - may be transferred on an ad hoc basis to the service providers entrusted by the Data Controller, e.g. lawyers, auditors, financial advisers who are bound by professional or contractual confidentiality.

 

Other recipients

The personal data of the guests of the Festival for whom the Data Controller is booking accommodation or travel will be transferred to the accommodation or transport service provider, based on the prior consent of the guest concerned, with the data content contained therein.

Personal data will be transmitted for postal service and delivery company: Magyar Posta Zrt. and the authorized courier service (GLS General Logistics Systems Hungary Kft., FedEx Trade Networks Transport & Brokerage (Hungary) Kft.).

Photos and videos taken at the Festival can be used in next year's catalogues of the Festival, so they can be forwarded to the companies participating in its production.

Organizations providing film professional support (National Cultural Fund, National Film Institute) also become recipients of personal data during the presentation of contracts, accounting documents, performance certificates and image documentation certifying the implementation of tenders.

 

The name and contact details of the winner will be forwarded to the supporting companies or organizations offering the prize.

The recipients process the personal data transmitted to them as an independent data controller, in accordance with the provisions of their own Privacy Policy, and joint data management does not take place.

The Data Controller does not intend to transfer the personal data of the data subject to a third country (not a non-EEA Member State), for which this cannot be excluded, he draws special attention to this in this document and the Cookie Policy.

External service providers

In connection with organising and running the Festival, the Data Controller uses external service providers in many cases.

Regarding the personal data processed in the systems of external service providers, the guidelines are contained in the privacy policy of the external service providers. The Data Controller will do everything in its power to ensure that the external service provider processes the personal data transmitted to it in accordance with the law and uses them exclusively for the purposes specified by the data subject or set out in this Privacy Policy.

The Data Controller informs the data subjects about the transfer of data to external service providers in the framework of this Privacy Policy.

 

13. HOW LONG CAN WE PROCESS YOUR PERSONAL DATA?

In connection with registration and entry to the Festival, we process your personal data until the end of the registration period of the next KAFF.

The authors’ and other staff members’ personal data published in the KAFF’s catalogue will be processed for an unlimited period as a part of cultural heritage.

The name of the author’s and other staff member’s of the animated film will be processed according to the usage period of the nominated work.

If a contract is concluded between us, your personal data processed on the basis of the contract concluded between us under the legal title of fulfilment of the contractual obligation, after the termination of the contract, according to the statute of limitations of the Civil Code, we process it until 5 years have passed.

In case of a contractual relationship, your invoicing data will be processed for a maximum of 8 years based on legal authorization, after which this data will be deleted.

In the case of a post containing personal data published on our Facebook page or YouTube channel, we process the data until the content is deleted from our Facebook page or KAFF’s YouTube channel.

In the case of data processing related to complaint handling, copies of the minutes, transcripts and the response to the complaint will be kept for 3 years.

If the Festival is held online in whole or in part, your data will be processed until the end of the event affected by the registration for online participation.

 

II.               DETAILED INFORMATION REGARDING CERTAIN DATA PROCESSINGS

 

1.   PERSONAL DATA PROCESSED IN CONNECTION WITH REGISTRATION AND ENTRY TO THE FESTIVAL

Data Subjects: contact persons filling out the registration form of the Festival

Personal data processed: contact persons’ personal data provided in the KAFF registration system (name, e-mail address, telephone number of the contact person; name, nationality, address, telephone number, e-mail address)

Source of data: contact person

Purpose of data processing: handling of KAFF entry material, identification of the film entered for the Festival, contact with the entrant, sending an invitation to register for the next festival

Legal basis for data processing: the legitimate interest of the Data Controller in maintaining contact with the contact person of the rightsholder and staff of Film for the successful completion of registration and entry to the Festival based on Article 6 (1) point f) of the GDPR. (Balancing test is available upon request.)

Duration of data processing: until the end of the next registration of the Festival

Possible consequences of failure to provide data: in the absence of personal data, it is not possible to handle the KAFF entry material and to contact the entrant, create a notification list to send an invitation to register for the next festival

Does data transfer take place: yes, for the organizers and other professional participants of the Festival, as well as the data processors

 

2.   PERSONAL DATA PROCESSED IN CONNECTION OF PUBLICATION OF THE WORKS

Data Subjects: authors (i.e.: director, sound editor, animation artist, composing artist etc.), producers and staff members of the registered animation work

Personal data processed: name of the director and other authors, name of the producer, name of the staff members  

Source of data: contact person

Purpose of data processing: public screening and broadcasting of the work within the framework of the Festival, use of award-winning works after the Festival

Legal basis for data processing: fulfilment of the legal obligation of the Data Controller under Article 6 (1) (c) of the GDPR) in connection with the mandatory indication of name credit according to the Act LXXVI of 1999 on Copyright

Duration of data processing: according to the usage period of the entered work

Possible consequences of failure to provide data: in the absence of data, the Data Controller cannot fulfil the obligation to display name of the authors and staff members in connection with the publication and communication the work

Does data transfer take place: no, with the exception of the data processors providing IT services and hosting services

 

3.   PERSONAL DATA PROCESSED IN CONNECTION OF COMMUNICATION THE FESTIVAL

Data Subjects: authors (i.e.: director, sound editor, animation artist, composing artist etc.), producers and staff members of the registered animation work, members of juries (including members of the pre-jury and children's jury), organisers and volunteers of the Festival

Personal data processed: name, portrait photo and biography of the director and other authors, name of the producer, name of the staff members, name of the members of jury (including children’s jury), name, telephone number and e-mail address of the organisers and volunteers of the Festival 

Source of data: contact person, data subject, in the case of a child jury member, the legal representative of the data subject.

Purpose of data processing: providing information on KAFF’s website, editing publications related to the Festival, promoting the Festival, preparation of a KAFF catalogue in order to provide information about the Festival and the animated films presented at the Festival and their creators 

Legal basis for data processing: the Data Controller's legitimate interest in organizing the Festival informing the audience and the public and preserving the works presented at the Festival as cultural heritage within the scope of the right to freedom of the press pursuant to Article 6 (1) (f) of the GDPR. (Balancing test is available upon request.)

Duration of data processing: for indefinite time period

Possible consequences of failure to provide data: in the absence of data, the Data Controller cannot promote KAFF and inform the audience and the public about the Festival

Does data transfer take place: the printing press and the companies participating in the production of the communications, and the data processors providing IT services and hosting services and organising services

 

4.   PERSONAL DATA PROCESSED IN ORDER TO EVALUATE ENTRIES AND AWARD PRIZES

Data Subjects: authors (i.e.: director, sound editor, animation artist, composing artist etc.), producers and staff members of the registered animation work; jury members requesting accreditation for the Festival (including members of the pre-jury, children's jury)

Personal data processed: name, nationality, e-mail address, telephone number of the director and other authors; the producer; the staff members; name, e-mail address, telephone number, occupation, position, organization / media company/ educational institution represented of the jury member (including Children’s Jury)

Source of data: contact person, data subject, in the case of a child jury member, the legal representative of the data subject.

Purpose of data processing: evaluate entries, award prizes and, handing over an award of KAFF

Legal basis for data processing: the Data Controller's legitimate interest in evaluate entries and award prizes of KAFF and preserving the works presented at the Festival as cultural heritage pursuant to Article 6 (1) (f) of the GDPR. (Balancing test is available upon request.)

Duration of data processing: for indefinite time period

Possible consequences of failure to provide data: in the absence of data, the Data Controller cannot evaluate entries and select the winners

Does data transfer take place: yes, for other actors involved in the organization of the Festival and for the data processors

 

5.   PERSONAL DATA PROCESSED IN ORDER TO ORGANIZE THE FESTIVAL

Data Subjects: the organizers (members of the Organizing Committee of the Festival, the assigned staff of the Festival) and the volunteers of the Festival

Personal data processed: name, e-mail address, telephone number, occupation, position organization / media company / educational institution represented, date of birth, place of birth, mother’s name and address, tax identification number and tax number, bank account number of the organizers of the Festival (members of the Organizing Committee of the Festival, the staff of the Festival) the volunteers and invitees of the Festival

Source of data:  data subject

Purpose of data processing: organizing the Festival, managing the guest accreditations of the Festival, successful conduct of the Festival, identification of guests and provision of entry to the Festival, preparation of an accreditation guest list in order to send an accreditation form / invitation to the next year's Festival

Legal basis for data processing: in the context of the recording of the contractor's data, the legal basis for data processing is the performance of the contract under Article 6 (1) (b) of the GDPR; with regard to the issuance and retention of accounting documents, the legal basis for data processing is the fulfilment of the legal obligation to the Data Controller under Article 6 (1) (c) of the GDPR.

Duration of data processing: in the case of a contract: 5 years after the termination of the contract, with regard to invoicing data in accordance with § 169, paragraph (2) of Accounting Act 8 years, in the absence of a contract: up to 6 months from the date of contact

Possible consequences of failure to provide data: in the absence of data, the Data Controller cannot fulfil the obligation to display name of the authors and staff members in connection with the publication and communication the work

Does data transfer take place: no except for the data processors providing IT and hosting services

 

6.   PERSONAL DATA PROCESSED IN ORDER TO BOOKING ACCOMODATION TO THE PARTICIPANTS AND GUESTS OF THE FESTIVAL

Data Subjects: authors (i.e.: director, sound editor, animation artist, composing artist etc.), producers and staff members of the registered animation work; jury members requesting accreditation for the Festival (including members of the pre-jury, children's jury), invited guests (representatives of creators, production companies, representatives of the supporting organization, contact persons and representatives of the press), the organizers of the Festival (members of the Organizing Committee of the Festival, the staff of the Festival), the volunteers of the Festival

Personal data processed: name, nationality, date and place of birth, mother’s name, address, ID card number, passport number

Source of data: contact person, data subject

Purpose of data processing: booking accommodations and arranging travel on request for the participants of the Festival

Legal basis for data processing: freely given consent of the data subject under Article 6 (1) (a) of the GDPR. In the event of withdrawal of consent, all personal data will be deleted.    

Duration of data processing: two years after the last day of the booked stay date

Possible consequences of failure to provide data: in the absence of data, the Data Controller cannot book the hotel rooms the participants who requested accommodations

Does data transfer take place: to data processors providing IT and hosting services, the organizations and companies offering the award

 

7.   PERSONAL DATA PROCESSED IN CONNECTION WITH THE BROADCAST OF THE FESTIVAL (FOR PUBLICATION OF THE RECORDING ON THE KAFF FACEBOOK PAGE AND ONLINE STREAMING)

Data Subjects: the participants of the Festival

Personal data processed: name, occupation, image, video recording, sound

Data source: Data Controller and persons participating in the organization of the Festival

Purpose of data processing: informing the public about the Festival and the animated films presented at the Festival, making daily video reports of the Festival, which are available on the Festival's website and on social media platforms; presentation of the authors and creators of the animated films at the Festival, promoting the Festival; recording of certain film professional programs (e.g. master class) and publishing them on the Festival's YouTube channel

Legal basis for data processing: data processing related to journalism, the Data Controller has a legitimate interest in informing and entertaining users when editing the content of the Facebook page based on GDPR Article 6 (1) point f) (Balancing test is available upon request.)

Duration of data processing: until the content is deleted from our Facebook page or YouTube channel

Possible consequences of failure to provide data: in the absence of data provision, the Data Controller cannot publish informative and entertaining content containing images of the data subjects to users on its Facebook page.

Will data be transferred: no, with the exception of the data processors (Meta Platforms Ireland Ltd and Google Ireland Ltd and IT and hosting service provider of KAFF’s website)

 

8.   WEBSERVER LOGGING

Data Subjects: users of the Website, whose user activity is automatically logged by the web server

Personal data processed: identification number, date and time of the visit, address of the page visited and time spent there, IP address of the user's computer, type and version of the operating system and browser, as well as user searches

Source of data: the Data Subject

Purpose of data processing: during visits to the Website, the Data Controller records visitor data in order to check the operation of the Services and the Website functions and to prevent abuse.

Legal basis for data processing: the Data Controller has a legitimate interest in identifying users and preventing abuses [GDPR Article 6 (1) para. point f)] (Balancing test is available upon request.)

Duration of data processing: one month

Possible consequences of failure to provide data: control of the functions of the Website, prevention of abuse is not possible in the absence of managed visitor data. The Data Subject cannot object to the data recording, because the data processing is justified by compelling legitimate reasons (currently widely used technical solutions), without which the provision of the given service is not possible.

Does data transfer take place: no, with the exception of data processors providing IT services and hosting services

 

9.   CONTRACT PERSONS OF COMPANIES CONTRACTING WITH THE DATA CONTROLLER

Data Subjects: employees of third parties designated as contact persons in the performance of the contract, who contract with the Data Controller

Personal data processed: surname, first name, e-mail address, phone number, position, other data on the business card

Source of data: contractual partner of the Data Controller

Purpose of data processing: maintaining contact, fulfilling the rights and obligations arising from the contract.

Legal basis for data processing: The Data Controller has a legitimate interest in maintaining contact for the fulfilment of contracts [GDPR Article 6 (1) para. point f)] (Interest assessment test is available upon request.)

(An interest assessment test is available upon request.)

Duration of data processing: until the business relationship with the given contractual partner is terminated, or there is no change in the contact person for the given contractual partner

Does data transfer take place: no, with the exception of data processors providing IT services and hosting services

 

PERSONAL DATA PROCESSED IN CONNECTION WITH NEWSLETTER SERVICE

Data Subjects: the users of KAFF’s website who signed up to the newsletter service; those with whom the Data Controller has previously been contacted as a nominee or participant in connection with the Festival will be informed by the Data Controller in an email about the newsletter subscription option on the website with a link to the subscription interface on the website

Personal data processed: surname, first name, e-mail address

Source of Data: the Data Subject; earlier registration

Purpose of data processing: we provide information on film entries and the conditions of participation in the Festival, and up-to-date information on the events of the Festival

Legal basis for data processing: freely given consent of the data subject under Article 6 (1) (a) of the GDPR. In the event of withdrawal of consent, all personal data will be deleted.

Duration of data processing: until the withdrawal of the consent; you can unsubscribe from the newsletter at the bottom of each newsletter

Does data transfer take place: No except for the newsletter, IT and hosting service provider.

 

PERSONAL DATA PROCESSED DURING ONLINE REGISTRATION IF THE FESTIVAL IS BROADCASTED ONLINE

Data Subjects: registered natural persons or representatives of legal entities

Personal data processed: surname, first name, e-mail address, username, password

Source of Data: the Data Subject

Purpose of data processing: providing the possibility of online visitor registration, sending a confirmation e-mail, ensuring the viewing of films nominated for the Festival in the event that the physical organization of the Festival is hindered (e.g. restrictions due to the COVID19 epidemic)

Legal basis for data processing: freely given consent of the data subject under Article 6 (1) (a) of the GDPR. In the event of withdrawal of consent, all personal data will be deleted.    

Duration of data processing: Until the end of the event affected by the registration, or until the consent of the person concerned is withdrawn. In case of withdrawal of consent, all personal data will be deleted.

Does data transfer take place: no except for IT and hosting service provider

 

14. DATA PROCESSORS

Some personal data provided to us may be forwarded to the data processors engaged by us, in view of the purpose of the data processing. The data processors process the received personal data in accordance with the provisions of the data processing contract concluded with the data controllers and may not use them for other data management purposes.

Our permanently cooperating data processors are the following:

 

DATA PROCESSING ACTIVITY	NAME	ADDRESS, CONTACT
Website operation	Raster Studio Kft.	Address: 6000 Kecskemét, Thököly u. 3. Website: https://rasterstudio.hu E-mail: titkarsag@rasterstudio.hu
System administration service	BESTCOM Kft.	Address: 6000 Kecskemét, Kőhíd utca 10. Website: https:/bestcom.hu  E-mail: bestcom@bestcom.hu
Newsletter service	Bithuszárok Bt.	Address: 2051 Biatorbágy, Damjanich utca 8. Website: https://bithuszarok.hu E-mail: info@bithuszarok.hu

In all its activities, the Data Controller uses only such partners (subcontractors) who comply with the requirements of the data protection legislation in force at any time.

Email server: Google LLC (cloud), hosting: Google LLC (Google Drive)

Google LLC (cloud), hosting: For information about GDPR compliance with Google LLC (Google Drive), visit:https://cloud.google.com/security/gdpr#tab7

The GDPR compliance of Google LLC’s services is ensured by the fact that the data protection compliance of the contractual clauses of the Google model has been recognized by the European Data Protection Authorities (DPA’s), given that G Suite and the Google Cloud Platform the transfer to any part of the world fully complies with the legal requirements of the GDPR.

GENERAL CONTRACTUAL TERMS OF DATA PROCESSING BY DATA PROCESSOR

 

In accordance with the GDPR, the data processor undertakes to:

(a)

processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b)	ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c)

takes all measures required pursuant to Article 32 of GDPR; (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

(d)	respects the conditions for engaging another processor;

(e)	taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR

(f)	assists the controller in ensuring compliance with the obligations pursuant to the provisions on Security of personal data taking into account the nature of processing and the information available to the processor;

(g)	at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h)	makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

(i) upon termination of the provision of the data processing service, at the discretion of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies, unless Union or Member State law provides for the storage of personal data;

(j) provide the Data Controller with all information necessary to verify the erasure of the data or copies and to enable and facilitate audits, including on-site inspections, by the Controller or another auditor appointed by him. The Data Processor shall immediately inform the Data Controller if it considers that any of its instructions violate this GDPR or the data protection provisions of the Member States or the Union.

k) report the data protection incident to the Data Controller within 72 hours of becoming aware of it. That notification shall include at least:

(i) a description of the nature of the data protection incident, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident; (ii) the name and contact details of the data protection officer or other contact person for further information;

j) provides the Data Controller with all information necessary to verify the deletion of data and copies, and which enables and facilitates audits conducted by the Data Controller or other inspectors commissioned by the Data Controller, including on-site inspections. The Data Processor shall immediately inform the Data Controller if it believes that any of its instructions violates this GDPR or national or EU data protection provisions.

k) reports the data protection incident to the Data Controller within 72 hours of becoming aware of it. In said notification, at least:

(i) the nature of the data protection incident must be described, including – if possible – the categories and approximate number of Data Subjects, as well as the categories and approximate number of data affected by the incident;

(ii) the name and contact details of the data protection officer or other contact person providing additional information must be provided;

(iii) the likely consequences of the data protection incident must be described; as well as

(iv) the measures taken or planned by the Data Processor to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

l) supports the Data Controller in fulfilling the Data Subjects' requests to exercise one or more of their rights provided for in the GDPR;

m) if the Data Processor receives a request from any Data Subject to exercise one or more of the rights provided for in the GDPR, the Data Processor informs the Data Subject to contact the Data Controller directly with the request, and at the same time informs the Data Controller of the request without delay;

n) keeps all the records required in Article 30 (2) of the GDPR and, if the processing of personal data on behalf of the Data Controller makes this possible, makes these records available to the Data Controller upon request.

 

The Data Processor undertakes to handle the personal data it processes exclusively in accordance with the relevant legislation.

The Data Controller is entitled to check the performance of the activity specified in this contract, and in particular the method of storing and processing the personal data of the Data Subjects, once a year at a previously agreed time.

If the Data Processor suffers damage in connection with the Data Controller's activities, the Data Controller is obliged to compensate it. If the Data Processor initiates a claim for compensation or initiates proceedings in connection with the Data Controller's activities, the Data Controller is obliged to exempt the Data Processor from compensation, imposed fines, and penalties within 30 days.

15. EXTERNAL SERVICE PROVIDERS

Data processing within social media platforms (e.g. Facebook page) and video sharing service

(e.g. YouTube) is always subject to the respective its own privacy policy, rules and practices, which are continuously published on the interfaces operated by the respective service provider.

 

EXTERNAL SERVICE PROVIDER	SERVICE	PRIVACY POLICY LINK	TERMS OF SERVICE LINK
Meta Platforms Ireland Ltd 4 Grand Canal Square, Grand Canal Harbour 462129 Dublin Ireland.	Facebook     https://www.facebook.com/kaff.hu	http://www.facebook.com/full_data_use_policy https://www.facebook.com/policy/cookies/	http://www.facebook.com/legal/terms?ref=pf
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Írország	YouTube   https://www.youtube.com/KAFFanimation.	https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/	https://www.youtube.com/static?template=terms
Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Írország	Gmail	https://policies.google.com/privacy?hl=en-US	https://policies.google.com/privacy?hl=en-US

 

There are share buttons on our Website that you can click to share content from our Website on social media channels such as Facebook. We do not use these buttons to share your personal data with social media providers. When you click on a share button, the relevant social media provider collects personal data directly from you. Please read the privacy policy of the social media providers you wish to share content with before clicking the appropriate share button.

The use of the "Like" and "Comment" social plugins requires that the user is logged in to their Facebook account and has consented to the placement of "Application and website cookies". If both requirements are met, the user will be able to see and use extensions such as the "Like" or "Comment" button. If any of the above requirements are not met, the user will not see the plugins.

 

III.            DATA SECURITY

In the course of our data processing, in order to ensure the security of personal data, in compliance with our obligations under the GDPR, we take all the technical and organizational measures and develop the procedural rules that are necessary to enforce the data security regulations.

We ensure the protection of the security of data processing with technical, organizational and organizational measures that provide a level of protection corresponding to the risks associated with data management.

We keep it during data processing

a) confidentiality, i.e. we protect the information so that only those who have the right to access can access it;

b) integrity, i.e. we protect the accuracy and completeness of the information and the method of processing;

c) availability, i.e. we ensure that when the authorized user needs it, he/she can really access the desired information and that the related tools are available.

We treat the personal data we process as confidential and take appropriate measures to protect against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access.

In order to protect the data files managed electronically in the various registers, an appropriate technical solution must be used to ensure that the data stored in the filing system cannot be directly linked and assigned to the data subject.

With the following measures, we reduce the risk of the data provided by users during registration becoming accessible in the event of an unauthorized break-in:

·        Application of a firewall, appropriate virus protection;

·        Periodic log analyzes based on IT system logs;

·        Regular IT maintenance, control, regular monitoring of IT systems;

·        The Data Controller's computer equipment, systems, rooms and devices for data storage are located at the Data Controller's headquarters.

·        Each computer is protected with a unique password.

·        The data is stored in a database / mail server. The mail server can be accessed with an email / password pair. The database is not accessible to external applications.

·        Some systems require the user to use two-factor authentication.

·        The paper-based documentation is exceptional and is kept in a lockable cabinet, records are maintained and reviewed regularly, and compliance with legal requirements is continuously checked.

·        Contributions, subscriptions, etc. the systems save it in an identifiable way.

·        The Data Processor protects access to documents and your desktop computer with a strong password - other security measures.

Regardless of the protocol (e-mail, web, ftp, etc.), electronic messages transmitted on the Internet are vulnerable to network threats that lead to unfair activity, contract disputes, or the disclosure or modification of information. We take all necessary precautions to protect you from such threats. We monitor systems to capture any security discrepancies and provide evidence for any security incidents. In addition, system monitoring also makes it possible to check the effectiveness of the precautions used.

 

IV.    RIGHTS AND OBLIGATIONS RELATING TO PERSONAL DATA BREACH

 

A PERSONAL DATA BREACH is when personal data or data are accidentally or unlawfully:

- destroyed,

- lost,

- altered,

- communicated unauthorized, or

- made unauthorized.

The GDPR imposes a notification obligation on the Data Controller, depending on the extent to which the incident endangers the rights and freedoms of natural persons.

Pursuant to Article 33 of the GDPR, the Data Controller is obliged to notify the incident to the competent supervisory authority without undue delay and may waive this incident only if the personal data breach is not likely to endanger the rights and freedoms of natural persons.

If the personal data breach occurs in connection with the activities of the data processor, it is obliged to notify it to the Data Controller without undue delay.

Upon the occurrence of a personal data breach, the Data Controller shall immediately take measures to remedy the personal data breach, taking into account the mitigation or prevention of any adverse consequences arising from the incident.

The Data Controller keeps a record of personal data breaches.

The purpose of the register is to enable the Data Controller to verify compliance with the GDPR during the audit of NAIH as the comptenet supervisory authority.

The Data Controller shall report the data breach to the NAIH without undue delay and, if possible, no later than 72 hours after the data breach became known to the NAIH, unless the data breach is likely to pose no risk to the rights and freedoms of natural persons.

The Data Controller is obliged to inform the data subject without undue delay about the personal data breach if it poses a high risk to the rights and freedoms of natural persons. If a high-risk personal data breach affecting the personal data of the data subject occurs during the data processing of the Data Controller, the Data Controller will inform the data subject of the following facts and circumstances:

description of the personal data breach,

- the name and contact details of the contact person responsible for data protection matters,

- a description of the likely consequences of the personal data breach

- a description of the measures planned or taken by the controller to remedy the incident, including measures to mitigate any adverse consequences of the personal data breach.

 V.   RIGHTS OF THE DATA SUBJECT

The data subject may contact the Data Controller regarding the enforcement of his / her rights related to data management and his / her questions at the contact details included in this Privacy Policy.

The Data Controller shall inform the data subject of his / her actions or the reasons for their non-compliance within one month after the submission of the data subject's request (the data subject may file a complaint in this connection), this period may be extended by 2 months if necessary.

The procedure is free of charge (if justified and not excessive) and preferably electronic.

The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.

 

 

ÉRINTETTI JOG	TARTALMA
a.       Right to transparent information		You have the right to receive clear, transparent and easy-to-understand information about how we process your personal data and what rights you can assert in relation to data processing. We fulfil this obligation in this privacy Policy.
b.      Right of access by the data subject	You have the right to receive information about whether we process your personal data and - if we do so - which of your personal data and how we process them. The purpose of this is to make our data processing activities concerning you transparent for you, so that you can check whether we comply with the data protection legal regulations. We may deny access to your personal information only if it could reveal personal information about another person or would otherwise negatively affect another person's rights.
c.       Right to rectification	You can ask us to take reasonable measures to correct your personal data if, in your opinion, we handle your personal data inaccurately.
d.         Right to erasure	This right is also known as the ‘right to be forgotten’ and allows you to ask us to delete or remove your personal data if there is no compelling reason for us to continue processing it or if its use is unlawful. The right to deletion is not general, there are exceptions, e.g. if protection against legal claims justifies the processing of your personal data.
e.        Right to restriction of processing	You have the right to "block" or disable the further use of your personal data until we have decided your request for correction or as an alternative to deletion. If processing is limited, we may still store your personal data, but we may not use it further without your consent or authorization by law. In order to comply with the restriction, we keep a list of those who have "blocked" the use of their personal data.
f.      Right to data portability	You have the right to receive the personal data processed by us on a data carrier and forward them to another data controller - provided that the processing of your personal data is based on your consent or the contract between us, or the data processing is done in an automated manner.
g.       Right to object	You have the right to object to the processing of your personal data on grounds related to your particular situation, if the data processing is based on a legitimate interest. In this case, we can only continue processing your personal data if we can prove that the data processing is justified by compelling legitimate grounds that take precedence over your interests, rights and freedoms, or that are related to the establishment, exercise or defense of legal claims.
h.           Right to a remedy	In the event of a violation of your rights, you can contact the Hungarian National Data Protection and Freedom of Information Authority (NAIH) or a court, the method of which will be explained below.

 

During the exercise of the data subject's rights, we will inform you about the decisions made following your request and the planned or implemented measures without undue delay, but no later than thirty days from the receipt of the request. We provide the information through the same channel that you used when submitting the request, unless you specifically request otherwise.

VI. WHERE CAN YOU GO IF YOU HAVE A QUESTION OR WANT TO GET A LEGAL REMEDY?

If you would like to request additional information regarding the processing of your personal data or wish to exercise any of the above rights of the data subject, and if you are not satisfied with the way we have processed your personal data, please contact us!

If you have any questions or comments, you can contact the Data Controller directly:

E-mail: kaff@kecskemetfilm.hu

Phone: +3676 481 788

Please provide as much information as possible to help us identify the information you are requesting, the action you want to take, and why you think it should be done.

Before evaluating your request, we may ask for additional information in order to identify you. If you do not provide the requested information and as a result we are unable to identify you, we may refuse to fulfil your request.

You can submit requests related to our services in writing by e-mail.

In the same way, we consider a request received from the e-mail address previously provided to us as a request received from the data subject.

In the case of claims submitted from other e-mail addresses and in writing, the person submitting the complaint or claim must prove his/her involvement accordingly. In the absence of proof of involvement, we are unable to assess or fulfil the request.

We usually respond to your request within one month of its receipt. We may extend this period by another two months if necessary, taking into account the complexity and number of requests you submit.

We do not charge a fee for such communications or our activities, except:

- if you request additional copies of the processed personal data, we may charge our reasonable administrative costs, or

- if you submit manifestly unfounded or excessive requests, especially due to their repetitive nature, in which case we may charge our reasonable administrative costs or refuse to fulfil the request.

Complaints, questions and requests sent to us are stored for 6 months from the date of submission and then deleted, with the exception of correspondence arising from cases that are still in progress. If a legal claim arises in the case, the data will be preserved within the time limit for its enforcement - typically 5 years (see: Act V of 2013 on the Civil Code).

Data protection authority procedure

Hungarian National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság)

Headquarters: 1055 Budapest, Falk Miksa utca 9-11,

Mailing address: 1374 Budapest, Pf. 603.

Phone: +3613911400

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

 Right to go to court

In the event of a perceived violation of rights related to the handling of your personal data, you can also contact the competent court (contact details here: https://birosag.hu/torvenyszekek) or the Capital Court in the capital (1055 Budapest, Markó u. 27). At the choice of the data subject, the lawsuit can also be initiated before the court of the data subject's place of residence or residence.

Proceedings against the controller must be brought before the courts of the Member State in which the controller is established (Hungary),but may also be brought before the courts of the Member State of the habitual residence of the data subject.

9 January 2023