Privacy Policy

Városliget LTD., House of the Hungarian Millennium

I. WHO WE ARE
Városliget Ltd.
Seat: 1146 Budapest, Dózsa György út 41.
Registry number: 01-10-047989; registered by the Supreme Court Registry
Tax number: 24819699-2-42
Web: www.jegy.ligetbudapest.hu

II. CUSTOMER DATA PRIVACY POLICY
Városliget Ltd. is operating the website of online ticket selling for Millennium House and processing data is engaged that the customer data privacy policy described here is in accordance with operative Hungarian laws and those of the EU, especially:
• Act CXII of 2011 on personal information autonomy and freedom of information.
Regulation (Eu) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).Városliget Ltd. complies with its obligations under the General Data Protection Regulations (GDPR) by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining unnecessary data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Városliget Ltd. undertakes to publish, before the recording and processing of any Personal Data of its users, a clear, eye-catching and unequivocal communication, informing about the method, purpose and principles of the collection of personal data.

Városliget Ltd. is liable to inform users by calling their attention concerning the way, purpose and principles of using personal data.
In all those cases, when Városliget Ltd would use personal data for different purposes than registered, the users would be informed and asked for consent, or offered the possibility of withdrawing consent. Information of the customer data privacy policy concerning
The Városliget Ltd. Millennium House online ticket selling and booking is available on www.jegy.ligetbudapest.hu website.
Városliget Ltd. is entitled to modify customer data privacy policy. Information concerning this is on www.jegy.ligetbudapest.hu website.

III. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Városliget Ltd. is keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining unnecessary data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Városliget Ltd. is committed to protecting your personal information and will only use it legally and responsibly.
The legal basis for processing personal data are the following: (Point 1, Article 6 of the GDPR)
• the data subject has given consent to the processing of his or her personal data for one or more specific purposes (consent permission)
• consent can be withdrawn at any stage of processing personal data
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• processing is necessary for compliance with a legal obligation to which the controller is subject (legal obligation)
• processing is necessary in order to protect the vital interests of the data subject or of another natural person (vital interest)
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (legitimate interest)
In case the users give false data to Városliget Ltd. it is the user’s task to provide the consent of the person affected.

IV. PURPOSES OF PERSONAL DATA PROCESSION
1. Newsletter
The purpose of customer data processing is sending e-mail newsletter: with commercials to users. In case the user subscribes to the newsletter, Városliget Ltd sends newsletters repeatedly.
Sign up for the newsletter is through the www.millenniumhaza.hu website, through Facebook ads at www.facebook.com/ligetbudapest website, and by paper at the Millennium Háza.
The legal basis for processing personal data is Point a) Section (1) of Article 6 of GDPR.
Processed data are: name, e-mail address, data processed in the sphere of creating profile.
The time-limit of destroying personal data: personal data are used by Városliget Ltd till prohibited by the user by unsubscribing. Unsubscribing is possible by clicking on the link at the bottom of the newsletter page. Destroying personal data occurs 10 workdays after getting the withdrawal of consent.
2. Personal offers, creating profile
The purpose of customer data processing is to create profile to help the user to meet with relevant information and personal offers on the website and in newsletters.
The legal basis for processing personal data is Point a) Section (1) of Article 6 of GDPR.
Processed data are: e-mail, first name and family name, address, information connected to the use of the website (date and time of visit, comment on the exhibition, pages visited, click through, use of search), use of the cart (order identification, values of products), purchases (date and value of transaction, product category, discount used, payment type), technical information (IP address, cookies, browser type, Google, facebook identifier, source page), newsletter and notification usage (e-mail, opening time, means, clicks to links, purchase data).
The time-limit of destroying personal data: personal data are used by Városliget Ltd till prohibited by the user by unsubscribing.
3. Self-portraits
Visitors can take a self-portrait at the selfie point at the House of the Hungarian Millennium.
Visitors can view the photos on tablets, than they can send it to themselves by mail – with a unique ID.
For the email address refer to IV. 1 and 2 points.
The legal basis for processing personal data is Point a) Section (1) of Article 6 of GDPR.
Processed data are: e-mail address
The time-limit of destroying personal data: personal data are used by Városliget Ltd till prohibited by the user by.
4. Statistics
Data can be used by the controller for statistics. The name, or other identifiable data of the user can never be part of personal data used for statistics
5. Technically stored data
Technically stored data are the data of the user’s computer generated during the use of a service, automatically logged in data processing (for example IP address, session ID). Data are automatically logged without the user’s consent or the act by using internet, as it is the specific way it works with the server-client communication. These data are not to be connected with the user’s other personal data, except legal cases. Data are processed exclusively by the controller. The files logged automatically are stored during the period necessary for providing the operation of the system.
6. Web-analytical surveys
Google Tag Manager, Google Analytics helps to measure the advertising, tracks the Flash, video, and social networking sites and applications. Information concerning the management of analytical measures is to be found here: http://www.google.com/analytics. Google Analytics measures are used by Városliget Ltd exclusively for statistical purposes optimizing the operation of the website.
7. Other data processing
Users are informed concerning data processing not mentioned here at registration.
Városliget Ltd. is transmitting personal data for public authorities (pl. court of justice, prosecutor, National Tax and Customs Authority) – in case the exact purpose and the circle of data is assigned by the authorities – only to an extent that is necessary for the purpose of the request.
Városliget Ltd., as controller is authorized and liable to transmit all the personal data stored properly to authorities under legal obligation. The transmission of data and its consequences are not the responsibility of Városliget Ltd.
Employees and proxies of Városliget Ltd. are authorized to know the personal data.

V. DATA TRANSMISSION, DATA PROCESSING
When using the services users consent to the data transmission to the following partners of Városliget Ltd. The legal base for data transmission is the performance of the contract, Point b) Section (1) of Article 6 of the GDPR.
Developer of the ticket selling site: Oander Development Kft. (tax number: 26210443-2-42, registry number: 01 09 307976, seat: 1061 Budapest, Andrássy út 2. III. em. 1.)
Operator of the ticket selling site: SigmaNet Szolgáltató Kft. (tax number: 13919252-2-41, registry number: 01 09 879863, seat: 1132 Budapest, Viktor Hugo u. 18-22.)
Providing the technical conditions of invoicing: Számlázz.hu, operator: KBOSS.hu Kft. (tax number: 13421739-2-13, registry number: 13-09-101824, seat: 2000 Szentendre, Táltos u. 22/b)
Commissioned by the processing of data for the newsletter: Hubspot Ireland Ltd. (One Dockland Central, Guild Street, Dublin 1)
Newsletter by Facebook add: : Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour Dublin 2 Ireland)
In the course of data processing personal data are transmitted to a third state (U.S.A.) according to the regulation of Chapter V of the GDPR
The controller is transmitting data necessary for the payment for banks selected by the user. Personal data asked by banks are not known for the service provider.
Városliget Ltd. is transmitting data not mentioned above only based on the consent of the user.

VI. PRESERVING PERSONAL DATA, DATA PROCESSING SECURITY
The computer system of Városliget Ltd. is to be found at its seat and at the data processing.
Városliget Ltd. selects and operates IT devices used for processing personal data so that the data:
• is available exclusively to those who entitled (availability);
• its authenticity and authentication is provided (data processing authenticity);
• its integrity is verifiable (data integrity);
• is protected against unauthorized access (confidential data).
Városliget Ltd. is protecting data with adequate measures especially against unauthorized access, transformation, transmission, disclosure, deleting or destroying, or random destruction, injury, or becoming inaccessible as a result of change in the technical use.
Városliget Ltd. protects the security of data processing with technical and organizational measures providing suitable protection level against risks of data processing.
In the course of the automatic processing of personal data Városliget Ltd. ensures by further measures that:
• the prevention of the use of automatic data processing systems by unauthorized person by means of data transmission apparatus
• • the prevention of the use of automatic data processing systems by unauthorized persons using data transmission equipment;
• the controllability and the establishment of whether personal data was transmitted or can be transmitted to other servers;
• the controllability and the establishment of personal data entry (date and person of loggers) to the automatic data processing systems;
• restoring system breakdown
• and report of the errors issued in the course of automatic processing.
Messages sent in internet are vulnerable regardless of the protocol (e-mail, web, FTP etc.) and may lead to dishonest activity or modification of information. Városliget Ltd. gives protection against threats by monitoring the systems to record changes in security.
Városliget Ltd is supervising the systems to record all security changes and to provide evidence in all cases of security events.
System monitoring enables the control of effective prevention. Városliget Ltd is however not responsible for damages caused by irretrievable offenses.

VII. RIGHTS OF DATA SUBJECTS
Data subjectData subjects may ask information concerning the procession of their personal data, or the modification, deleting, cancellation of personal data, (except the compulsory data processing), and can use their right of data porting and objection.
Changes in personal data and the demand for deleting personal data may be communicated in the registered e-mail address. Certain personal data may be modified on the page with the personal profile.
Városliget Ltd. is providing the information free of charge. In case the data subject data subject’s application is clearly unfounded, or – especially by its recurrent character – is exaggerated, Városliget Ltd., considering administrative expenses of giving the information asked for or taking measures, can ask for a reasonable price or can refusetaking measures upon the request. .
Városliget Ltd. is providing the copy of the personal data to the data subject data subject. The controller may ask a reasonable price for further copies asked by data subject the data subject, on the basis of administrative expenses. Information is provided by Városliget Ltd. in electronic form. The controller is giving the information within a month from the submission of the application.
Városliget Ltd. is informing all the recipients given personal data, concerning all the modifications and deleting or data processing limitations, except it proves to be impossible or the effort is too great. Data subjects are informed at request of the recipients by Városliget Ltd.
1. Right to data porting:
 Data subjects are entitled to get the concerning data provided for the controller in a machine-readable format and to transmit them to another controller.
2. Automated decision making in individual cases, including profile creating:
Data subjects are entitled not to accept decisions based exclusively on automated data processing – including profile creating –, that have legal effects and affect them substantially. The above-mentioned entitlement is not applicable in case of the data processing:
• is necessary for entering into, or performance of, a contract between the data subject and a data controller;
• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
• is based on the data subject's explicit consent.
data subject
3. Right to limitation of data processing:
Városliget Ltd is constraining data processing in case any of the conditions below are fulfilled:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
data subjectdata subjectdata subject
4. The data subject’s right to access:
• The data subject data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: data subjectis based on the explicit consent of the data subject.
• categories of the data subject’s personal data;
• the data subject has an objection against data processing and there is no prevailing legal cause for it;
• the data subject had objection against data processing; in this case limitation is concerning the period of time until the ascertainment of the precedence of the controller’s legitimate ground to the data subject’s legitimate grounds.
• the data subject withdraws the consent forming the basis of data processing and there is no other legal basis for it;
• the data subject disputes the accuracy of the personal data - in this case the limitation is for the period of time necessary for the control of the accuracy of personal data;
• categories of the recipients informed or would be informed concerning the personal data (recipients of data transmission)
5. Procedural provisions:
Városliget Ltd. informs the data subject without delay, but the latest within a month from the submission of the application concerning the measures taken for his application.
In case personal data is false and the true personal data is available to the controller it should be modified.
In case Városliget Ltd. does not take measures for the data subject’s application without delay, but the latest within a month from the submission of the application concerning the causes of the missing measure, and that the data subject may file a complaint at the supervisory authority and use the right of judicial remedy.
In case data processing is limited, personal data processing is possible only with the data subject’s consent, or for the submission, vindication and protection of legal claims, or for the protection of the rights of other natural or legal persons. Városliget Ltd. informs beforehand the data subject of the limitation’s dissolving.
6. Right to amendment:
The data subject may ask for the amendment of the incorrect personal data processed by Városliget Ltd. and the completion of missing data.
data subject
7. Right to information:
Városliget Ltd. is taking the right measures for providing clear and understandable information available to data subjectData subjects concerning personal data processing. The right to information can be exercised through the e-mail address (adatvedelem@ligetbudapest.hu).
8. Right to objection:
Data subject are entitled to object on personal grounds against processing their personal data necessary for the legal interests of the processor or a third party, including profile creating based on the mentioned commissions. In case of objection the processor is not allowed to continue processing personal data, except compelling legal causes taking precedence against the interests, rights and freedom of the data subjector connected to the proposal, vindication or defence of their legal claims. In case the processing of personal data is for direct marketing, the data subjectdata subject is entitled to object anytime against the processing his or her personal data on this purpose, including profile creating as well, in case it is connected to direct marketing. In case of objection against processing personal data for direct marketing personal data processing is not possible.
9. Right to deleting:
Data subject are entitled to ask Városliget Ltd the immediate delete of relative personal data in case of the below circumstances.
10. Right to cancellation:
Data subject are entitled to withdraw their consent anytime. The withdrawal of consent shall not affect the lewfullness of processing based on consent before its withdrawal.


VIII. LAW ENFORCEMENT
In case you have any questions or comments, you can turn to the data protection officer on the following e-mail address: adatvedelem@ligetbudapest.hu.
Right to court appeal: In case of infringement you can appeal to courtand the case would be taken in accelerated procedure.
Data protection administrative procedure: With complaints you can turn to the National Data Protection and Information Freedom Authority.
Name: National Data Protection and Information freedom Authority
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
Phone number: 06.1.391.1400
Fax: 06.1.391.1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu


IX. DEFINITIONS USED IN THIS DATA PRIVACY POLICY
1. PERSONAL DATA: Any information concerning the natural person (“data subject”) identified or identifiable in the course of the use of the services of Millennium House. A natural person can be identified directly or indirectly, particularly on the basis of name, number, location, online identification, etc.
2. DATA PROCESSING: any operation made automatically or not automatically on personal data or files, like collection, recording, sorting, storing, transformation, change, query, reporting, classification, communication, transmission, dissemination, or other ways of usage and disclosure, connecting, controlling, deleting or destroying;
3. LIMITATION OF DATA PROCESSING: designation of personal data stored in purpose of the limitation of their future processing;
4. PROFILE CREATING: any form of the automatic processing of personal data, when personal data are used for evaluation, analysis, prediction of personal characteristics of certain natural person, especially job performance, economic situation, health, personal preferences, interest, trustworthiness, behaviour, habitation, or movement;
5. CONTROLLER: the legal person defining independently or with others the purposes and means of processing personal data;
6. DATA PROCESSING PERSON: the legal person handling personal data on behalf of the controller;
7. RECIPIENT: the natural or legal person, public authority, agency, or any other entity, whom the personal data is sent to, regardless that it is a third party;
8. THIRD PARTY: any data subjecta natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
9. CONSENT OF THE DATA SUBJECT: the voluntary, unambiguous, exact and grounded declaration of the data subject’s will, expressing by statement or unambiguous act where he/she gives his or her consent to the processing of his or her personal data;
10. DATA PROCESSING: technical tasks connected to data processing, regardless the method and means of making, and the location of the processing, if the technical tasks are fulfilled on the data;
11. DELETING: deleting data in such a way that restoring them is not possible anymore;
12. EEA STATE: member state of the EU, or a state the citizen of which has a legal status similar to the EEA member states based on an international agreement between the EU states and states not parties in the EEA convention;
13. DATA SUBJECT: any natural person identified or identifiable directly or indirectly by specific personal data;
14. USER: the natural person registered on the website of Városliget Ltd. or makes a purchase without registration;
15. THIRD STATE: all those states that are not EEA members;
16. DISCLOSURE: making available personal data for anybody.
Tickets