Data protection and data processing policy for the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme
The purpose of the present data protection and data processing policy (hereinafter referred to as ‘Policy’) is to define the data protection and data processing principles related to the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme (hereinafter referred to as ‘Programme’) hosted by the Széchenyi Programme Office Consulting and Service Nonprofit Limited Liability Company (hereinafter referred to as ‘Data Controller’ or ‘Company’), and thereby to provide the data subject with adequate information about the data processed by the Company, based on the General Data Protection Regulation.
Acts and their abbreviations used and considered in relation to the Policy
| the Act | Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 17 December 2013 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
| Regulation (EU) 2021/1060 | Regulation (EU) 2021/1060 of the European Parliament and of the Council of 24 June 2021 laying down common provisions on the European Regional Development Fund, the European Social Fund Plus, the Cohesion Fund, the Just Transition Fund and the European Maritime, Fisheries and Aquaculture Fund and financial rules for those and for the Asylum, Migration and Integration Fund, the Internal Security Fund and the Instrument for Financial Support for Border Management and Visa Policy |
| Regulation (EU) 2021/1059 | Regulation (EU) 2021/1059 of the European Parliament and of the Council of 24 June 2021 on specific provisions for the European territorial cooperation goal (Interreg) supported by the European Regional Development Fund and external financing instruments |
| Regulation (EU) 2021/1058 | Regulation (EU) 2021/1058 of the European Parliament and of the Council of 24 June 2021 on the European Regional Development Fund and on the Cohesion Fund |
| Regulation (EU) 2021/947 | Regulation (EU) 2021/947 of the European Parliament and of the Council of 9 June 2021 establishing the Neighbourhood, Development and International Cooperation Instrument – Global Europe, amending and repealing Decision No 466/2014/EU and repealing Regulation (EU) 2017/1601 and Council Regulation (EC, Euratom) No 480/2009 |
| 241/2023. (VI. 20.) Gov. Decree | Government Decree 241/2023. (VI. 20.) on the implementation of the Interreg CBC programmes in the 2021-2027 programming period |
Definitions
Definitions in the present Policy meet definitions of Article 4 of GDPR:
| personal data | any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person |
| processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law |
| processor | a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller |
| third party | a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data |
| recipient | a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing |
| consent of the data subject | any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her |
| personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed |
| supervisory authority | an independent public authority which is established by a Member State pursuant to Article 51 |
I. Data controllers and contact details
1. Managing Authority of the Programme
| name: | Ministry of Foreign Affairs and Trade of Hungary Deputy State Secretariat for Regional and Cross-border Economic Development |
| registered office: | 1027 Budapest, Medve u. 25-29. „B” F30/2. |
| represented by: | Mr. Péter Kiss-Parciu (Deputy State Secretary) |
| e-mail: | hathatar@mfa.gov.hu |
2. Joint Technical Secretariat of the Programme
| name: | Széchenyi Programme Office Consulting and Service Nonprofit Limited Liability Company |
| registered office: | 1053 Budapest, Szép utca 2. 4. em |
| company reg. no: | 01 09 916308 |
| represented by: | Mr. Áron Szakács (managing director) |
| e-mail: | info@szechenyiprogramiroda.hu |
II. Data processors
The data controller forwards the personal data necessary for the performance of the tasks of the managing authority specified in the domestic and European Union legislation to the data processor.
1. National authorities of the Programme
| name: | Ministry of Foreign Affairs and Trade of Hungary Deputy State Secretariat for Regional and Cross-border Economic Development |
| registered office: | 1027 Budapest, Medve u. 25-29. „B” F30/2. |
| represented by: | Mr. Péter Kiss-Parciu (Deputy State Secretary) |
| e-mail: | hathatar@mfa.gov.hu |
| name: | Ministry of Investments, Regional Development and Informatization of the Slovak Republic Section of Cross-Border Cooperation Programmes |
| registered office: | Pribinova 4195/25, 811 09 Bratislava, Slovakia |
| represented by: | Mr. Jakub Kubaň |
| e-mail: | jakub.kuban@mirri.gov.sk |
| name: | Ministry of Development, Public Works and Administration of Romania General Directorate for European Territorial Cooperation, National Authorities For European Programmes Unit |
| registered office: | Bldv. Libertatii no.14, 4th floor, room 412, District 5, Bucharest |
| represented by: | Ms Maria Magdalena Voinea |
| e-mail: | Magdalena.voinea@mdrap.ro |
| name: | Secretariat of Cabinet of Ministers of Ukraine Directorate of International Technical Assistance Coordination EU Programs Implementation and Cross-border Cooperation Unit |
| registered office: | Grushevskoho str., 12/2, Kyiv 01008, Ukraine |
| represented by: | Mr. Rostyslav Tomenchuk (Director) |
| e-mail: | tomenchuk@kmu.gov.ua |
2. Audit and control bodies of the Programme
Counterparts of the MA/NA; responsible for the coordination of the programming process in their countries in the programme preparation period and they bear the ultimate responsibility for the implementation of the programme on their country’s territory.
Control Body in Hungary
| name: | Széchenyi Programme Office Consulting and Service Nonprofit Limited Liability Company |
| registered office: | 1053 Budapest, Szép utca 2. 4. em. |
| represented by: | Ms. Márta Gordos |
| e-mail: | gordos.marta@szpi.hu |
Control Body in Slovakia
| name: | Ministry of Investments, Regional Development and Informatization of the Slovak Republic |
| registered office: | Pribinova 4195/25, 811 09 Bratislava, Slovakia |
| represented by: | Ms. Jana Skovajsová |
| e-mail: | jana.skovajsova@mirri.gov.sk |
Control Body in Romania
| name: | Ministry of Development, Public Works and Administration of Romania |
| registered office: | Bldv. Libertatii no.14, 4th floor, room 412, district 5, Bucharest-040129 |
| represented by: | Ms. Tamara Paica |
| e-mail: | tamara.paica@mdlpa.ro |
Control Body in Ukraine
| name: | State Audit Service |
| registered office: | 04070, Kyiv, P. Sagaydachnogo Street, 4 |
| represented by: | Mr. Dmytro Shevchuk |
| e-mail: | d.p.shevchuk@dasu.gov.ua |
Audit Authority
| name: | Directorate General for Audit of European Funds Hungary; Directorate for Economic Development and Auditing International Funds |
| registered office: | 1115 Budapest, Bartók Béla út 105-113. |
| represented by: | Mr. Balázs Dencső |
| e-mail: | eutaf@eutaf.gov.hu |
Group of Auditors
Hungary:
| name: | Directorate General for Audit of European Funds Hungary |
| registered office: | 1115 Budapest, Bartók Béla út 105-113. |
| represented by: | Ms. Ágnes Riskó |
| e-mail: | agnes.risko@eutaf.gov.hu |
Slovakia:
| name: | Ministry of Finance of the Slovak Republic, Section of Audit and Control |
| registered office: | Štefanovičova 5 817 82 Bratislava 15, Slovakia |
| represented by: | Petra Kučák Nétryová |
| e-mail: | petra.kucak.netryova@mfsr.sk |
Romania:
| name: | Romanian Court of Accounts – Audit Authority |
| registered office: | 20 General Ernest Brosteanu street, Sector 1, Bucharest |
| represented by: | Radu Costin |
| e-mail: | radu.puia@rcc.ro |
Ukraine:
| name: | Accounting Chamber of Ukraine |
| registered office: | 7 M. Kotzyubinskogo Str. 01601, Kyiv, Ukraine |
| represented by: | Mr. Vasyl Nevidomyi |
| e-mail: | Nevidomyi_VI@rp.gov.ua |
Given that Ukraine is a third country under the GDPR, the data controller has examined the provisions of GDPR Articles 44-46, and finds that the transmission of the processed data is secure as it is done to a body (ministry) performing a public task.
3. The operator of the Programme’s website
| name: | BluePixel Kommunikációs és Produkciós Iroda Limited Liability Company |
| registered office: | 3525 Miskolc, Régiposta utca 16. 4. em. 6. |
| company reg. no: | 05-09-022588 |
| represented by: | Czikora Ágnes |
| e-mail: | info@bluepixel.hu |
III. Data protection officer and contact details
Data protection officer designated by the Company:
| name: | Ms. Orsolya Sefcsik dr. |
| postal address: | 1053 Budapest, Szép utca 2. 4. em |
| e-mail: | adatvedelmitisztviselo@szechenyiprogramiroda.hu |
IV. Personal data, purpose of processing, legal basis for processing, period of processing
| personal data | purpose of processing | legal basis for processing | means of processing | period of processing |
| birth surname and first name of data subject | 1. data necessary to identify the natural person (hereinafter referred to as ‘contractual partner’) for the conclusion of the contract; 2. data of the contact person during the implementation of certain projects of the Programme, as well as the person who prepares and approves the financial report; 3. implementation of the programme: data of programme management, national contact points and Joint Monitoring Committee members for identification and accounting | 1. GDPR Article 6 (1) (b) 2. GDPR Article 6 (1) (e) 3. GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| title of the data subject | 1. data of the contact person during the implementation of certain projects of the Programme, as well as the person who prepares and approves the financial report; 2. implementation of the programme: data of programme management, national contact points and Monitoring Committee members for identification and accounting | GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| permanent and/or temporary address of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| place of birth, date of birth of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| nationality of the data subject | in the call for experts, the CV may contain (knowledge of the given language is an advantage during local administrative procedures) -evaluation guidelines and/or the Monitoring Committee may prescribe, due to the specificities of the Programme – proof of expertise in the specific project of the Programme is required (does the project fit to the structure of the area), and compliance with equal opportunities | GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| e-mail address of the data subject | 1. newsletter; 2. contact (the data subject can choose the most effective form of contact for her or him); 3. event registration | 1. GDPR Article 6 (1) (a) 2. GDPR Article 6 (1) (b), (e) 3. GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| tax identification number of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| mother’s full name of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| social security number of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| bank account number of the contractual partner | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| phone number of the data subject | contact (the data subject can choose the most effective form of contact for her or him) | GDPR Article 6 (1) (b), (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| personal identification number or identity card number of the data subject | data necessary to identify the natural person for the conclusion of the contract | GDPR Article 6 (1) (b), (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| passport number of the data subject | 1. data necessary to identify the natural person for the conclusion of the contract; 2. mission details of contractual partner or programme management staff | GDPR Article 6 (1) (b), (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| the name of the school awarding the qualification of the data subject | may be included in the curriculum vitae in an expert call for proposals | GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| data on language skills, field of interest of the data subject | may be included in the curriculum vitae in an expert call for proposals or programme management applicants (handled in the form specified in the Company’s regulations regarding the employees of the Company) to verify the appropriate skills and qualifications | GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| previous jobs of the data subject | may be included in the curriculum vitae in an expert call for proposals | GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| photos of the data subject | 1. in the call for experts and in the management of the programme, it may be included as part of the CV for the purpose of identification during the selection period; 2. photos taken at events related to programme management or project implementation, and supporting document submitted for the clearance of projects | GDPR Article 6 (1) (e) and Act V of 2013 on the Civil Code (2:48 §) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| videos, audio recordings of the data subject | videos, audio recordings taken at events related to programme management or project implementation, and supporting document submitted for the clearance of projects | GDPR Article 6 (1) (e) and Act V of 2013 on the Civil Code (2:48 §) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
| signature of the data subject | signing of declarations, documents submitted for settlement, handover-acceptance documents, signing of contracts, proving the authenticity of data recorded in the monitoring system, attendance sheets, certification of the organization’s representation (copy of signature title) | 1. if the data subject is the contractual partner – GDPR Article 6 (1) (b) 2. if the data subject is not a contractual partner of the Controller – GDPR Article 6 (1) (e) 3. the signatures of the persons who participated in the event, which are organized in connection with the Programme – GDPR Article 6 (1) (e) | electronic, on paper | duration specified by the European Union / no later than 10 years from the closure of the programme |
V. Principles
The Company processes personal data in accordance with the principles of good faith, fair dealing and transparency, and subject to the law in force and the provisions of the present Policy.
The Company processes personal data only on the basis of the present Policy and for specific purpose(s), and does not go beyond them.
If the Company intends to use personal data for purpose(s) other than the original purpose(s), the Company informs the data subject of such purpose and use, obtains the prior and express consent of the data subject (where there is no other legal basis determined by GDPR), and gives the data subject the opportunity to object to the use of the personal data.
The Company does not verify the personal data provided; the person who provided the personal data is liable for its adequacy.
The Company does not transfer personal data, except that the Company is entitled and obliged to transfer or forward personal data available to and properly stored by the Company to the competent authority where the transfer or forwarding of personal data is required by law or by a legally binding order of an authority. The Company shall not be liable for such a transfer or its consequences.
The Company ensures the security of personal data, takes all technical and organizational measures and establishes rules of procedure that guarantee protection of recorded, stored and processed personal data, and prevent accidental losses, destruction, unauthorised access, unauthorised use, unauthorised alteration and unauthorised dissemination.
VI. Rights of the data subject
The data subject may exercise his or her rights in the following ways:
- by post
- in person
- Right to information and access to personal data
The data subject may at any time request the Company to provide information on data processed by the Company or the data processor involved by or according to the order of the Company, purpose of the processing, legal basis for the processing, period of processing, name and address of data processor, activity of data processor related to data processing, the circumstances, effect of a personal data breach, measures taken for averting personal data breach, furthermore, where personal data is transferred the legal basis for and recipient of transfer of personal data.
In relation to the above, the data subject may request a copy of his/her processed data. In case of an electronic request the Company executes the request first electronically (PDF format), except where the data subject requests expressly otherwise.
The Company draws attention to the fact that if the above right of access adversely affects the rights or freedoms of others, including in particular trade secrets or intellectual property, the Company may refuse the execution of the request, to the extent it is necessary and proportionate.
- Right to rectification and modification
The data subject may request the rectification, modification and completion of personal data processed by the Company.
- Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Company.
Furthermore, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Right to erasure (’right to be forgotten’)
The data subject may request the erasure of one or all personal data concerning him or her.
In this case, the Company is obliged to erase the personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- data processing is based on legitimate interest of the Company or third person but the data subject objects to the processing and (except objection to processing related to direct marketing) there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
The Company informs the data subject of the refusal of the erasure request in any event (e.g. data processing is required for the establishment, exercise or defence of legal claims), indicating the reason for the refusal. Erasure is carried out in such a way that, once the erasure request has been fulfilled, the erased personal data cannot be restored.
In addition to the exercise of the right to erasure, the Company erases personal data if the data processing is unlawful, the purpose of the data processing no longer exists, the data storage period determined by law has expired, or erasure is ordered by a court or an authority.
- Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject.
Where processing has been restricted, such personal data will not be processed or will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject will be informed by the Company before the restriction of processing is lifted.
- Right to object
Where the legal basis for processing is legitimate interest of the Company or third person (except compulsory data processing) or data is processed for direct marketing, scientific or historical research purposes or statistical purposes, the data subject has the right to object to processing of personal data concerning him or her. Objection may be rejected if the Company demonstrates
- compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
- that data processing is related to the establishment, exercise or defence of legal claims of the Company.
The Company examines the lawfulness of the objection of the data subject and where the objection is grounded, the Company stops data processing.
- Right to legal remedy
See section VIII.
VII. Modification of the Policy
The Company reserves the right to modify the present Policy through a unilateral decision at any time.
If the data subject does not agree with the modification, he or she may request the erasure of his or her personal data as determined above.
VIII. Legal remedies and enforcement
The Company as data controller may be contacted with any questions or comments related to data processing using the contact details in point III.
In case of any violation related to data processing, the data subject may make a complaint to the competent data protection supervisory authority of the Member State of residence, workplace or the place of the alleged violation.
In Hungary, complaints shall be made to the Hungarian National Authority for Data Protection and Freedom of Information (‘NAIH’, address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).
The data subject may bring the following cases before court:
- violation of rights,
- against the legally binding decision of the supervisory authority,
- if the supervisory authority does not deal with the filed complaint or does not inform the data subject of aspects or result of the procedure related to the filed complaint within 3 months.
- 01/11/2023