The operator of the Hospital in the Rock Nuclear Bunker Museum hereby informs its visitors (hereinafter referred to as the data subject) about its practices in the field of personal data processing, the organizational and technical measures taken to protect the data, as well as the related rights of the data subjects and the possibilities of enforcing them.

1. IDENTIFICATION AND CONTACT DATA OF THE DATA CONTROLLER
1.1. The controller of the personal data of the data subjects is the "A Szikla" Museum Public Benefit Foundation (registered office 1012 Budapest, Lovas út 4 / C), hereinafter referred to as the service provider.

Contact details of the service provider:
Delivery address: 1012 Budapest, Lovas út 4/C
E-mail address: info@sziklakorhaz.eu
Phone number: 06707010101

1.3. Our Company is not obliged to appoint a data protection officer pursuant to Art. 37 GDPR.

2. IDENTIFICATION AND CONTACT DETAILS OF DATA PROCESSORS
During the processing of data, the Service Provider uses the following data processors in order to provide high-quality service to our customers:

2.1. IT service and hosting services

  • Dotroll Kft., 1148 Budapest, Fogarasi út 3-5.
  • Oxford One Zrt., 1039 Budapest, Czetz J. u. 48-50.

2.2. Our courier and express delivery partners

  • Express One Hungary Kft., 1239 Budapest, Európa utca 12.
  • Magyar Posta Zrt, Budapest, Dunavirág u. 2-6, 1138

2.3. Our bookkeeping service partners

  • Eurokontroll Kft., 1011 Budapest, Mária tér 5.
  • KBOSS Kft. 1031 Budapest, Záhony utca 7/D.

2.4. Our partners providing bank card payment services:

  • SimplePay - OTP Mobil Szolgáltató Kft. Budapest, Hungária krt. 17, 1143

2.5. In order to fulfill our legal obligations or to protect our legitimate economic interests, we disclose certain personal data to public authorities.
The Service Provider ensures that a private legal organization identified as a third party may access the data of the data subject only in full compliance with the legal provisions on data protection, information security and confidentiality, to the extent stipulated in the agreement concluded with such an organization.
The Service Provider reserves the right to involve another data processor in the data processing in the future, which will be recorded in this information notice. In the absence of an express legal provision, the Service Provider shall only transfer personally identifiable data to third parties with the express consent of the respective Customer.

3. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

3.1. The processing of data may be carried out on the basis of the voluntary, informed and explicit consent of the data subjects, in respect of users registered on the website, subscribers to the newsletter, those registering for a guided tour as a group, as well as applicants for events and promotions.

The declaration of a minor who is incapacitated and has limited legal capacity requires the consent of his or her legal representative, except for services where the declaration is aimed at registration, which occurs en masse in everyday life and does not require special consideration. The consent or subsequent approval of the legal representative is not required for the legal declaration containing the consent of a minor data subject over the age of 16 to be valid.

3.2. We act within the meaning of Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "Regulation"), based on the voluntary consent of the data subject.

3.3. We process the personal data of data subjects lawfully and fairly and in a transparent manner towards the data subjects.

4. PURPOSES OF PROCESSING PERSONAL DATA

4.1. The personal data of data subjects may only be processed for a specific purpose, in order to exercise rights and fulfill obligations. At all stages of data processing, it must comply with the purpose of data processing. We only process personal data that is essential for the realization of the purpose of data management, suitable for achieving the purpose. We process your personal data only to the extent and for the time necessary to achieve the purpose. We do not process your personal data in a way that is incompatible with the purposes.

4.2. The data processing of the service provider's services is based on voluntary consent, however, in some cases, the management, storage and transmission of a certain set of the data provided is mandatory by law.

4.3. The service provider does not use the personal data for any purpose other than those indicated.

4.4. There is no automatic individual decision-making on the part of the service provider within the meaning of Article 22 of the Regulation.

4.5. The purpose of the processing of personal data is to carry out business communication and other marketing activities on the part of the data processor aimed at the data subjects, in detail:

4.5.1. Newsletter: In the case of registration for the newsletter, the purpose of processing the data provided by the data subject is to identify the user for the purpose of sending newsletters. For users registered for the newsletter, the service provider sends out newsletters sharing educational and professional content, and informs them about its promotions, news, blog posts and events. The user may object to the use of the data for this purpose by unsubscribing: the user may delete himself from the newsletter sending database by clicking on the "Unsubscribe" link at the end of the sent newsletters. We will also delete the user from the newsletter database on individual request, which can be reported at the info@sziklakorhaz.hu email address or sent by post to 1012 Budapest, Lovas út 4 / C. The User may also request the modification of his/her data and request access to the data provided by him/her at the info@sziklakorhaz.hu e-mail address.

Ways to subscribe to the newsletter:

• By consenting to the newsletter subscription and accepting the data management policy when registering on www.aszikla.hu and www.sziklakorhaz.hu.

• By using the newsletter subscription on www.sziklakorhaz.hu and www.aszikla.hu websites (which website does not result in registration) and by accepting the privacy policy.

• When registering for guided tours and events, use the newsletter subscription link in the confirmation email.

4.5.2. Improving our services / satisfaction surveys: The aim of the service provider is to provide the highest possible level of service and online customer experience. It therefore collects and uses certain information about shopping habits (cookies), conducts market research, and can ask data subjects to fill out a questionnaire measuring their satisfaction after using a particular order / service. The completed questionnaire will be processed, stored and evaluated anonymously. We carry out these activities on the basis of our legitimate business interests, so that the fundamental rights and freedoms of data subjects are not compromised by such activities.

4.5.3. Online order: Process orders, including their receipt, screening, delivery, and billing.

• To deal with the cancellation of orders or any other matter related to the ordering of the purchased goods or services.
• Handling of return products in accordance with the relevant legal provisions.
• Refund of the consideration for products in accordance with the relevant legal provisions.
• To provide supportive services, to answer questions about products and services or to answer questions addressed to us by the data subject regarding a particular order / registration.

4.5.4. Information about registered events: If you are a data subject registered for a guided tour or event, the service provider is entitled to send you information about the given event. Such information may include, for example, a change in the content / time / length of the event, the cancellation of the event, technical information. The Service Provider is also entitled to share the data provided by the data subject with its employees and data processors participating in the implementation of the event. The rules for registering for occasional events will be published on www.sziklakorhaz.hu and www.aszikla.hu.

4.5.5. Information about History Academy events: By registering at the History Academy, those who register consent to us sending them information letters about the History Academy events.

4.5.6. Information about professional events: by registering for professional events, those who register agree that we will send them information letters related to professional events.

4.5.7. Grants: The Service Provider provides support to institutions within the framework of a sponsorship contract. As part of the grant, institutions organize a visit to the Hospital in the Rock Nuclear Bunker Museum, of which they are obliged to keep service records. The register includes the first and last names of the individuals participating in the supported program, the date of completion, and photo documentation of the completion.

4.5.8. Promotions: The Service Provider may organize promotions on a campaign basis. The occasional conditions for these are set out in a separate policy. The rules of the current promotion can always be found on the www.sziklakorhaz.hu and www.aszikla.hu websites, on a link placed in a central place.

4.5.9. Application for an advertised job: By sending the application file, the applicant gives his voluntary and express consent to the processing of his/her personal data contained in his/her application file. We process personal data exclusively for the purpose of evaluating the application, in accordance with the applicable legal regulations.

4.5.10. Google Analytics: The www.sziklakorhaz.hu and www.aszikla.hu websites use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", text files placed on the data subject's computer, which are used to help analyze the use of the website. The information generated by the cookie about your use of the website (including the IP address of the data subject) is transmitted to and stored by Google on servers in the USA. Google will use this information to evaluate the use of the website by the data subject, to compile reports on website activities for website operators and to provide other services related to website activities and internet usage. Google may also transfer this information to third parties if this is required by law or if those third parties process the information on behalf of Google. Google will not associate the IP address of the data subject with any other data held by Google. By selecting the appropriate settings of your browser, you can refuse the use of "cookies", however, please note that in this case the data subject will not be able to use all the functions of the website. By using this website, the data subject consents to the processing of his or her data in the manner specified above and for the purposes specified above. The Service Provider does not use the personal data for any purpose other than those indicated, however, it is entitled to link them to other databases managed by the Service Provider.

5. PROCESSED DATA, METHOD OF HANDLING AND MAINTENANCE OF DATA

5.1. The Service Provider shall take all reasonable measures to ensure that the data collected, stored or processed by it are accurate and, if necessary, up-to-date, and that inaccurate personal data will be deleted or rectified.

5.2. By applying appropriate technical and organizational measures, we ensure adequate security of personal data against unauthorized or unlawful processing, accidental loss, destruction, alteration or damage. However, please note that the transmission of data over the Internet cannot be considered a fully secure data transfer. The Service Provider makes every effort to make the processes as secure as possible, however, we cannot take full responsibility for the transmission of data through www.sziklakorhaz.hu and www.aszikla.hu website, but we adhere to strict regulations regarding the data received by the Service Provider in order to ensure the security of the data of the data subject and to prevent unlawful access.

5.3. The Service Provider shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by an unauthorized person. The processed data can only be accessed by the Service Provider, its employees and the data processors.

5.4. The Service Provider uses a data processor in connection with its e-mail offers and other mass e-mail inquiries, information and data cleaning. The Service Provider and the data processors are entitled to access the personal data in accordance with the applicable legislation.

5.5. Under no circumstances shall the service provider collect sensitive data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data (health status data) for the purpose of uniquely identifying a natural person.

5.6. A personal data breach is any event that results in the unlawful processing of personal data, in particular unauthorized or accidental access, alteration, disclosure, deletion, loss or destruction, as well as accidental damage, in relation to personal data handled, transmitted, stored or processed by the Service Provider. The Service Provider is obliged to notify the National Authority for Data Protection and Freedom of Information without undue delay (but no later than 72 hours after the personal data breach has come to its attention), unless the Service Provider can prove that the personal data breach is unlikely to result in a risk to the rights and freedom of natural persons. The Service Provider keeps records of personal data breaches for the purpose of monitoring the measures related to the personal data breach and informing the data subjects.

5.7. Data processed by the Service Provider:

5.7.1. Website visit: IP address; the date of the visit; details of the subpages visited

5.7.2. Newsletter subscription: surname, first name, e-mail address, date of registration

5.7.3. Registration and purchase: surname; first name; shipping and billing address; contact details: e-mail address, telephone number; date of purchase; other optional information (e.g. interests)

5.7.4. Billing and collection of related fees: surname; first name; shipping and billing address; contact details: e-mail address, telephone number; date of purchase; method and date of payment, date of execution

5.7.5. ’Circle of Friends’ (Baráti kör), professional events: surname, first name, contact details: e-mail address, telephone number

5.8. The Service Provider may obtain the professional contact details of persons at professional events, recommendations and public databases to whom it has not yet recorded an explicit statement regarding direct contact. In the case of these persons, the Service Provider processes the contact data in the legitimate interest of the Service Provider, with the proviso that the data processing may be limited to the professional contact data of the data subject, and the data subject has the right to declare the prohibition of direct contact at the time of contact and at any time thereafter.

5.9. The Service Provider may transfer the traffic and billing data to a claim manager, a bailiff, or to bodies legally entitled to settle billing and distribution disputes pursuant to Section 157 (9) of Eht. (Electronic Communications Act). If the data subject does not fulfill his or her obligations under the contract / order or does not comply with it properly, the Service Provider is entitled to transfer the personal data to a third party for the purpose of enforcing a claim.

5.10. By purchasing in the www.sziklakorhaz.eu webshop, the customer accepts the following statement:

I acknowledge that the following personal data stored in the user database of www.sziklakorhaz.eu by the data controller of the "A Szikla" Museum Public Foundation (1012 Budapest, Lovas út 4/C) will be transferred to OTP Mobil Kft. as a data processor. The range of data transmitted by the data controller is as follows: customer's name and address, order number, order value. The nature and purpose of the data processing activity carried out by the data processor can be found in the SimplePay Data Management information sheet at the following link: https://simplepay.hu/vasarlo-aff/

6. DURATION OF STORAGE OF PERSONAL DATA

6.1. The Service Provider is entitled to process the data provided by the data subject on a mandatory or voluntary basis until the data subject makes use of the unsubscribe option, but for a maximum of 5 years. Personal data are stored in such a form that the data subject can be identified only for the time necessary to achieve the purposes for which the personal data are processed.

6.2. You can indicate your request for deletion of your own data by clicking on the unsubscribe link at the bottom of the letters, or you can indicate it by e-mail at the info@sziklakorhaz.eu e-mail address or by post to 1014 Budapest, Lovas út 4/C. After receiving the cancellation request, the service provider will send a confirmation e-mail about the termination of the registration. In this case, the e-mail address will be deleted from the active customer list.

6.3. Personal data will be deleted at the same time as the purpose of data processing ceases to exist or at the request of the data subject without delay, except for those data that the Service Provider is obliged to keep for the period specified in the law ordering mandatory data processing based on a legal obligation, or if the registration and performance of the contract / purchase (if any) would become impossible in the absence of the given personal data.

6.4. In the case of complaint handling, pursuant to Section 17/B of the Consumer Protection Act, the service provider is obliged to keep the report of the oral complaint, the written complaint and the response to it for 5 (five) years.

6.5. In the event of a marketing request, the Service Provider will process the personal data until the Customer requests the deletion of his or her data or withdraws his or her consent to the processing of his personal data.

7. RIGHTS OF DATA SUBJECTS

7.1. With regard to data processing, the data subject

• may request information,
• may request the rectification, modification or completion of his or her personal data processed by us,
• may object to data processing and request the deletion and blocking of his or her data (with the exception of mandatory data processing),
• has the right to appeal before a court of law,
• may lodge a complaint with a supervisory authority or initiate proceedings (https://naih.hu/panaszuegyintezes-rendje.html).

Supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

Website: https://naih.hu/

7.2. Access to personal data: The service provider shall, at the request of the data subject, provide information on whether the service provider is processing his or her personal data and, if so, give him or her access to the personal data and inform him or her of the following information:

• the purpose of data processing;
• the types of personal data processed;
• in the case of the transfer of personal data of the data subject, the legal basis and recipient of the transfer;
• the envisaged duration of the data processing;
• the rights of the data subject in relation to the rectification, erasure and restriction of processing of personal data and to object to the processing of personal data;
• the possibility of having recourse to the Authority;
• source of data;
• the names, addresses and activities of the data processors in connection with data processing.

The Service Provider shall provide the data subject with a copy of the personal data undergoing data processing free of charge if the data subject has submitted his or her claim by post. If the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject. The Service Provider is obliged to provide the information without undue delay, but no later than within one month from the submission of the request, in an easily understandable form, at the request of the data subject. The data subject may submit a request for access:

• By post: 1012 Budapest, Lovas út 4/C
• Electronically: info@sziklakorhaz.hu

7.3. Rectification of processed data: The data subject may request the service provider (at the contact details specified in section 7.2) to rectify inaccurate personal data or to complete incomplete data, taking into account the purpose of data processing. The Service Provider shall make the correction without undue delay.

7.4. Erasure of processed data (right to be forgotten): The data subject may request that the service provider erase personal data concerning him or her without undue delay and the Service Provider shall be obliged to erase personal data relating to the data subject without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws his or her consent and there is no other legal basis for the data processing;
• the data subject objects to the processing of his or her personal data;
• the personal data have been processed unlawfully;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

Where the service provider has used a data processor to process personal data and is obliged to erase it on the basis of the above, it shall take reasonable steps and measures, taking into account available technology and the cost of implementation, to inform processors processing the personal data concerned that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

Personal data do not need to be erased where processing is necessary:

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• on grounds of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of this processing; or for the establishment, exercise or defence of legal claims.

7.5. Furthermore, the data subject may at any time decide that the service provider will no longer send him or her marketing requests. The data subject may withdraw his or her consent to receive a direct request at any time, free of charge, without justification or restriction, at the contact details provided in section 7.2 (indicating his or her exact personal data). Upon receiving the unsubscribe request, the Service Provider shall immediately delete the data of the unsubscriber from the database of direct marketing and will no longer send marketing requests to the data subject; otherwise the Service Provider is entitled to process the data of the customer / participant in order to provide the services used by the data subject. That is, the withdrawal of consent to data processing for direct marketing and/or newsletter purposes shall not be interpreted as the withdrawal of consent to data processing in connection with our website.

7.6. Restriction of processing: The data subject shall have the right to obtain restriction of processing from the Service Provider, where one of the following applies:

• the accuracy of the personal data is contested by the data subject, in which case the restriction applies to the period of time that allows the service provider to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the Service Provider no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
• the data subject has objected to the processing; in this case, the restriction applies to the period until it is established whether the legitimate reasons of the service provider take precedence over the legitimate reasons of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Service Provider shall inform the data subject, at whose request processing has been restricted, before the restriction of processing is lifted.

7.7. Notification obligation related to rectification or erasure of personal data or restriction of processing: The Service Provider shall inform all recipients to whom the personal data have been disclosed of the rectification or erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the Service Provider shall inform him or her of those addressees.

7.8. Right to object: The data subject may object to the processing of his or her personal data if the processing is

• necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Service Provider;
• necessary for the purposes of the legitimate interests pursued by the Service Provider or a third party.

In the event of an objection by the data subject, the Service Provider shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject or for the establishment, exercise or defence of legal claims.

7.9. The service provider shall inform the data subject without undue delay - but no later than one month after receiving the application - of the action taken in response to the access, rectification, erasure, restriction, objection and request for data portability. If necessary, taking the complexity of the application and the number of applications into account, this time limit may be extended by a further two months. The Service Provider shall inform the data subject of the extension of the time limit within one month after receiving the request, indicating the reasons for the delay. If the data subject makes the request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the data subject.

7.10. At the request of the data subject, information and the action taken on his or her request shall be provided free of charge. Where a request by a data subject is manifestly unfounded or excessive, in particular because of its repetitive character, the Service Provider may, taking the administrative costs of providing the information or communication or taking the action requested into account, charge a reasonable fee or refuse to act on the request. The burden of proof that the request is clearly unfounded or excessive shall lie with the Service Provider.

7.11. We will refuse to comply with a request if we demonstrate compelling legitimate grounds for processing which override the interests, rights and freedom of the data subject or for the establishment, exercise or defence of legal claims.

7.12. The adjudication of data protection lawsuits falls within the jurisdiction of the tribunal. The lawsuit may also be brought, at the choice of the data subject, before the court of the place of residence or temporary residence of the data subject. A foreign national may also lodge a complaint with the competent supervisory authority of his or her place of residence.

7.13. Before submitting your complaint to the supervisory authority or court, we kindly ask you to contact us using the contact details provided in section 1 in order to consult and resolve the problem as quickly as possible.

8. GOVERNING LEGISLATION

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the processing of personal data of natural persons (GDPR)
• Act CXII of 2011 on informational self-determination and freedom of information – (Info tv.)
• Act V of 2013 on the Civil Code (Ptk.)
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services – (Eker tv.)
• Act C of 2003 on Electronic Communications – (Ehtv)
• Act CLV of 1997 on Consumer Protection (Fogyv tv.)
• Act CLXV of 2013 on Complaints and Public Interest Announcements (Pktv.)
• Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (Grtv.)

The Service Provider reserves the right to amend this Privacy Policy, of which it informs the data subjects in an appropriate manner. Information on data processing is published on www.sziklakorhaz.hu and www.aszikla.hu websites.