Data protection and data processing policy

Data protection and data processing policy for the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme

The purpose of the present data protection and data processing policy (hereinafter referred to as ‘Policy’) is to define data protection and data processing principles related to the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme (hereinafter referred to as ’Programme’) hosted by the Széchenyi Programme Office Consulting and Service Nonrofit Limited Liability Company (hereinafter referred to as ’Data Controller’ or ’Company’) and therefore, the data subject will be provided with adequate information of data processed by the Company based on the General Data Protection Regulation.

Acts and their abbreviations used and considered in relation to the Policy

the ActAct CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 17 December 2013 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Regulation (EU) 2021/1060   Regulation (EU) 2021/1060 of the European Parliament and of the Council of 24 June 2021 laying down common provisions on the European Regional Development Fund, the European Social Fund Plus, the Cohesion Fund, the Just Transition Fund and the European Maritime, Fisheries and Aquaculture Fund and financial rules for those and for the Asylum, Migration and Integration Fund, the Internal Security Fund and the Instrument for Financial Support for Border Management and Visa Policy
Regulation (EU)
2021/1059
Regulation (EU) 2021/1059 of the European Parliament and of the Council of 24 June 2021 on specific provisions for the European territorial cooperation goal (Interreg) supported by the European Regional Development Fund and external financing instruments
Regulation (EU) 2021/1058Regulation (EU) 2021/1058 of the European Parliament and of the Council of 24 June 2021 on the European Regional Development Fund and on the Cohesion Fund
Regulation (EU) 2021/947Regulation (EU) 2021/947 of the European Parliament and of the Council of 9 June 2021 establishing the Neighbourhood, Development and International Cooperation Instrument – Global Europe, amending and repealing Decision No 466/2014/EU and repealing Regulation (EU) 2017/1601 and Council Regulation (EC, Euratom) No 480/2009
241/2023. (VI. 20.) Gov. DecreeGovernment Decree 241/2023. (VI. 20.) on the implementation of the Interreg CBC programmes in the 2021-2027 programming period

Definitions

 Definitions in the present Policy meet definitions of Article 4 of GDPR:

personal data  any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
processingany operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller                 the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
processora natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
third partya natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
recipienta natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
consent of the data subjectany freely given, any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
personal data breacha breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
supervisory authoritymeans an independent public authority which is established by a Member State pursuant to Article 51

I. Data controllers and contact details

1. Managing Authority of the Programme

name:Ministry of Foreign Affairs and Trade of Hungary Deputy State Secretariat for Regional and Cross-border Economic Development
registered office:1027 Budapest, Medve u. 25-29. „B” F30/2.
represented by:Mr. Péter Kiss-Parciu (Deputy State Secretary)
e-mail:hathatar@mfa.gov.hu

2. Joint Technical Secretariat of the Programme

name:Széchenyi Programme Office Consulting and Service Nonprofit Limited Liability Company
registered office:1053 Budapest, Szép utca 2. 4. em
company reg. no:01 09 916308
represented by:Mr. Áron Szakács (managing director)
e-mail:info@szechenyiprogramiroda.hu

II. Data processors

The data controller forwards the personal data necessary for the performance of the tasks of the managing authority specified in the domestic and European Union legislation to the data processor.

1. National authorities of the Programme

name:Ministry of Foreign Affairs and Trade of Hungary Deputy State Secretariat for Regional and Cross-border Economic Development
registered office:1027 Budapest, Medve u. 25-29. „B” F30/2.
represented by:Mr. Péter Kiss-Parciu (Deputy State Secretary)
e-mail:hathatar@mfa.gov.hu;
name:Ministry of Investments, Regional Development and Informatization of the Slovak Republic Section of Cross-Border Cooperation Programmes
registered office:Pribinova 4195/25, 811 09 Bratislava, Slovakia
represented by:Mr. Jakub Kubaň
e-mail:jakub.kuban@mirri.gov.sk
name:Ministry of Development, Public Works and Administration of Romania General Directorate for European Territorial Cooperation, National Authorities For European Programmes Unit
registered office:Bldv. Libertatii no.14, 4th floor, room 412, District 5, Bucharest
represented by:Ms Maria Magdalena Voinea
e-mail:Magdalena.voinea@mdrap.ro
name:Secretariat of Cabinet of Ministers of Ukraine Directorate of International Technical Assistance Coordination EU Programs Implementation and Cross-border Cooperation Unit
registered office:Grushevskoho str.,  12/2, Kyiv 01008, Ukraine
represented by:Mr. Rostyslav Tomenchuk (Director)
e-mail:tomenchuk@kmu.gov.ua


2. Audit and control bodies of the Programme

Counterparts of the MA/NA; responsible for the coordination of the programming process in their countries in the programme preparation period and they bear the ultimate responsibility for the implementation of the programme on their country’s territory.

Control Body in Hungary

name:Széchenyi Programme Office Consulting and Service Nonprofit Limited Liability Company
registered office:1053 Budapest, Szép utca 2. 4. em.
represented by:Ms. Márta Gordos
e-mail:gordos.marta@szpi.hu

Control Body in Slovakia

name:Ministry of Investments, Regional Development and Informatization of the Slovak Republic
registered office:Pribinova 4195/25, 811 09 Bratislava, Slovakia
represented by:Ms. Jana Skovajsová
e-mail:jana.skovajsova@mirri.gov.sk

Control Body in Romania

name:Ministry of Development, Public Works and Administration of Romania
registered office:Bldv. Libertatii no.14, 4th floor, room 412, district 5, Bucharest-040129
represented by:Ms. Tamara Paica
e-mail:tamara.paica@mdlpa.ro

Control Body in Ukraine

name:State Audit Service
registered office:04070, Kyiv, P. Sagaydachnogo Street, 4
represented by:Mr. Dmytro Shevchuk
e-mail:d.p.shevchuk@dasu.gov.ua

Audit Authority

name:Directorate General for Audit of European Funds Hungary; Directorate for Economic Development and Auditing International Funds
registered office:1115 Budapest, Bartók Béla út 105-113.
represented by:Mr. Balázs Dencső
e-mail:eutaf@eutaf.gov.hu

Group of Auditors

Hungary:

name:Directorate General for Audit of European Funds Hungary;
registered office:1115 Budapest, Bartók Béla út 105-113.
represented by:Ms. Ágnes Riskó
e-mail:agnes.risko@eutaf.gov.hu

Slovakia:

name:Ministry of Finance of the Slovak Republic, Section of Audit and Control
registered office:Štefanovičova 5 817 82 Bratislava 15, Slovakia
represented by:Petra Kučák Nétryová
e-mail:petra.kucak.netryova@mfsr.sk

Romania:

name:Romanian Court of Accounts – Audit Authority
registered office:20 General Ernest Brosteanu street, Sector 1, Bucharest
represented by:Radu Costin
e-mail:radu.puia@rcc.ro

Ukraine:

name:Accounting Chamber of Ukraine
registered office:7 M. Kotzyubinskogo Str. 01601, Kyiv, Ukraine
represented by:Mr. Vasyl Nevidomyi
e-mail:Nevidomyi_VI@rp.gov.ua

Given that Ukraine is a third country under the GDPR, the data controller has examined the provisions of GDPR Articles 44-46, and finds that the transmission of the processed data is secure as it is done to a body (ministry) performing a public task.

3. The operator of the Programme’s website

name:BluePixel Kommunikációs és Produkciós Iroda Limited Liability Company
registered office:3525 Miskolc, Régiposta utca 16. 4. em. 6.
company reg. no:05-09-022588
represented by:Czikora Ágnes
e-mail:info@bluepixel.hu

III. Data protection officer and contact details

Data protection officer designated by the Company:

name:Ms. Orsolya Sefcsik dr.
postal address:1053 Budapest, Szép utca 2. 4. em
e-mail:adatvedelmitisztviselo@szechenyiprogramiroda.hu

IV. Personal data, purpose of processing, legal basis for processing, period of processing

personal datapurpose of processinglegal basis for processingmeans of processingperiod of processing
birth surname and first name of data subject

1. data necessary to identify the natural person (hereinafter referred to as ‘contractual partner’) to conclusion of the contract;

2. data of the contact person during the implementation of certain projects of the Program, as well as the person who prepares and approves the financial report; 3. implementation of the programme: data of programme management, national contact points and Joint Monitoring Committee members for identification and accounting

1. GDPR Article 6 (1) (b)

2. GDPR Article 6 (1) (e)

3. GDPR Article 6 (1) (e)

electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
title of the data subject

1. data of the contact person during the implementation of certain projects of the Program, as well as the person who prepares and approves the financial report;

2. implementation of the programme: data of programme management, national contact points and Monitoring Committee members for identification and accounting

GDPR Article 6 (1) (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
permanent and/or temporary address of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
place of birth, date of birth of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
nationality of the data subjectin the call for experts, the CV may contain (knowledge of the given language is an advantage during local administrative procedures) -evaluation guidelines and/or the Monitoring Committee may prescribe, due to the specificities of the Programme – proof of expertise in the specific project of the Programme is required (does the project fit to the structure of the area), and compliance with equal opportunitiesGDPR Article 6 (1) (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
e-mail address of the data subject

1. newsletter;

2. contact (the data subject can choose the most effective form of contact for her or him);

3. event registration

1. GDPR Article 6 (1) (a)

2. GDPR Article 6 (1) (b), (e)

3. GDPR Article 6 (1) (e)

electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
tax identification number of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
mother’s full name of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
social security number of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
bank account number of the contractual partnerdata necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
phone number of the data subjectcontact (the data subject can choose the most effective form of contact for her or him)GDPR Article 6 (1) (b), (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme

personal identification number or identity card number of the data subject

data necessary to identify the natural person to conclusion of the contractGDPR Article 6 (1) (b), (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
passport number of the data subject

1. data necessary to identify the natural person to conclusion of the contract;

2. mission details of contractual partner or programme management staff

GDPR Article 6 (1) (b), (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
the name of the school awarding the qualification of the data subjectmay be included in the curriculum vitae in an expert call for proposalsGDPR Article 6 (1) (e)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
data on language skills, field of interest of the data subjectmay be included in the curriculum vitae in an expert call for proposals or programme management applicants (handled in the form specified in the Company’s regulations regarding to the employees of the Company) to verify the appropriate skills and qualificationsGDPR Article 6 (1) (e)

electronic,

on paper

duration specified by the European Union / no later than 10 years from the closure of the programme

previous jobs of the data subject

may be included in the curriculum vitae in an expert call for proposalsGDPR Article 6 (1) (e)

electronic,

on paper

duration specified by the European Union / no later than 10 years from the closure of the programme
photos of the data subject

1. in the call for experts and in the management of the programme, it may be included as part of the CV for the purpose of identification during the selection period;

2. photos taken at events related to programme management or project implementation, and supporting document submitted for the clearance of projects

GDPR Article 6 (1) (e) and Act V of 2013 on the Civil Code (2:48 §)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
videos, audio recordings of the data subject

videos, audio recordings  taken at events

related to programme management or project implementation, and supporting document submitted for the clearance of projects

GDPR Article 6 (1) (e) and Act V of 2013 on the Civil Code (2:48 §)electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme
signature of the data subjectsigning of declarations, documents submitted for settlement, handover-acceptance documents, signing of contracts, proving the authenticity of data recorded in the monitoring system, attendance sheets, certification of the organization’s representation (copy of signature title)

1. if the data subject is the contractual partner – GDPR Article 6 (1) (b)

2. if the data subject is not a contractual partner of the Controller – GDPR Article 6 (1) (e)

3. the signatures of the persons who participated in the event, which are organized in connection with the Programme – GDPR Article 6 (1) (e)

electronic, on paperduration specified by the European Union / no later than 10 years from the closure of the programme

V. Principles

The Company processes personal data in accordance with principles of good faith and fair dealing and transparency and subject to law in force and provisions of the present Policy.

The Company processes personal data only on the basis of the present Policy and for a specific purpose(s) and does not go beyond them.

If the Company intends to use personal data for purpose(s) other than the original purpose(s), the Company informs the data subject of such a purpose and use and obtain the previous and express consent of the data subject (where there is no other legal basis determined by GDPR) and the Company allows the opportunity to defy the use of personal data.

The Company does not control personal data provided, person who provided the personal data, shall be liable for adequacy.

The Company does not transfer personal data, except that the Company is entitled and obliged to transfer or forward personal data available to and properly stored by the Company to competent authority where transfer and forward of personal data is determined by law or legally binding order of authority. Company shall not be liable for such a transfer or its consequences.

The Company ensures the security of personal data, takes all technical and organizational measures and establishes rules of procedure that guarantee protection of recorded, stored and processed personal data, and prevent accidental losses, destruction, unauthorised access, unauthorised use, unauthorised alteration and unauthorised dissemination.

VI. Rights of the data subject

The data subject may exercise right in the following ways:

    • e-mail
    • by post
    • in person
  • Right of information and access personal data

The data subject may at any time request the Company to provide information on data processed by the Company or the data processor involved by or according to the order of the Company, purpose of the processing, legal basis for the processing, period of processing, name and address of data processor, activity of data processor related to data processing, the circumstances, effect of a personal data breach, measures taken for averting personal data breach, furthermore, where personal data is transferred the legal basis for and recipient of transfer of personal data.

In relation to the above, the data subject may request a copy of his/her processed data. In case of an electronic request the Company executes the request first electronically (PDF format), except where the data subject requests expressly otherwise.

The Company already draws attention to the fact that if the above right of access affects adversely the rights or freedoms of others, including in particular trade secrets or intellectual properly, the Company may refuse the execution of the request, to the extent it is necessary and proportionate.

  • Right to rectification and modification

The data subject may request the rectification, modification and completion of personal data processed by the Company.

  • Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Company.

Furthermore, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

  • Right to erasure (’right to be forgotten’)

The data subject may request the erasure of one or all personal data concerning him or her.

In this case, the Company erasures the personal data without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
    • data processing is based on legitimate interest of the Company or third person but the data subject objects to the processing and (except objection to processing related to direct marketing) there are no overriding legitimate grounds for the processing;
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation.

The Company informs the data subject of the refusal to the request of erasure in any event (e.g. data processing is required for the establishment, exercise or defence of legal claims), indicating the reason of the refusal. Erasure of personal data is executed that after fulfilment of request of erasure personal data (erasured) cannot be restored.

In addition to the exercise of right to erasure, the Company erases personal data if the data processing is unlawfully, the purpose of data processing is no longer exists, data storage period determined by law is already expired, it is ordered by court or authority.

  • Right to restriction of processing

 The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

    • the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    • the data subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject.

Where processing has been restricted, such personal data will not be processed or will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject will be informed by the Company before the restriction of processing is lifted.

  • Right to object

Where the legal basis for processing is legitimate interest of the Company or third person (except compulsory data processing) or data is processed for direct marketing, scientific or historical research purposes or statistical purposes, the data subject has the right to object to processing of personal data concerning him or her. Objection may be rejected if the Company demonstrates

    • compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
    • that data processing is related to the establishment, exercise or defence of legal claims of the Company.

The Company examines the lawfulness of the objection of the data subject and where the objection is grounded, the Company stops data processing.

  • Right to legal remedy

See section VIII.

 

VII. Modification of the Policy

 The Company reserves the right to modify the present Policy through an unilateral decision at any time.

If the data subject does not agree with the modification, he or she may request the erasure of his or her personal data as determined above.

 

VIII. Legal remedies and enforcement

The Company as data controller may be contacted for the purpose of any question or comments related to data processing using contact details in point III.

In case of any violation related to data processing, the data subject may make a complaint to the competent data protection supervisory authority of the Member State of residence, workplace or the place of the alleged violation.

In Hungary, complaint shall be made to Hungarian National Authority for Data Protection and Freedom of Information (’NAIH’, address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

The data subject may bring the following cases before court:

  • violation of rights,
  • against the legally binding decision of the supervisory authority,
  • if the supervisory authority does not deal with the filed complaint or does not inform the data subject of aspects or result of the procedure related to the filed complaint within 3 months.

Data protection and data processing policy for the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme

The purpose of the present data protection and data processing policy (hereinafter referred to as ‘Policy’) is to define data protection and data processing principles related to the operation of the Interreg VI-A Next Hungary-Slovakia-Romania-Ukraine 2021-2027 Programme(hereinafter referred to as ’Programme’)