Center for Economic and Regional Studies (CERS)
document on data access for research purposes to anonymous data available and stored in the CERS Databank, as well as data management with the camera surveillance system
Date of entry into force: 25/01/2021
INFORMATION
Name and contact of Data Contoller
Center for Economic and Regional Studies (CERS)
Address: 1097 Budapest, Tóth Kálmán u. 4.
ÁHT identifier: 39794
Tax number: 15854946-2-43
E-mail: titkarsag@krtk.elte.hu
Phone: 06-1-309-2652
Website: www.krtk.elte.hu/en
Introductory provisions
This information is available at all times on the CERS’s website (www.krtk.elte.hu/en ).
At the time of commencing data management, CERS informs the Data Subject about all facts relating to the management of personal data with the document herein, in particular of the identity of the data controller, the purpose of data management, the scope of data in management, the legal basis for data management, the duration, the use of data processors, the persons entitled to access the data, data security measures, the rights of Data Subject and the possibilities for enforcing their rights.
Legal basis for data management
The Fundamental Law of Hungary;
Act CXII of 2011 on the right to self-determination in information and freedom of information (hereinafter: Infotv.);
Act V of 2013 on the Civil Code;
Act CXXXIII of 2005 on personal and property protection and private investigation activities;
Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: Regulation).
CERS manages data lawfully, fairly, and in a manner that is transparent to the Data Subjects.
CERS does not and shall not use or utilize the personal data provided for purposes other than those specified in this notice. CERS shall only control data provided by the Data Subjects or obtained by other lawful means, and shall not disclose such data to third parties under any circumstances, except in cases specified by applicable law. Personal data may only be transferred in accordance with the relevant provisions of the applicable legislation or with the consent of the Data Subject, to the extent specified therein.
Information on data management
This information notice applies to the management of personal data necessary for research-related access to anonymous data available and stored in the CERS Databank, as well as to the management of data carried out using the camera surveillance system located in the HCSO-CERS Research Room and in the CERS Data Room. The Data Management Notice applies to all data files accessible or stored in the Databank, including access to data in the CERS Databank and the HCSO-CERS Research Room jointly operated by the HCSO and the CERS, as well as access to data in the CERS Data Room operated by the CERS Databank, and the management of personal data related to the Databank’s data access service.
The camera surveillance system operated by the CERS affects the following premises:
HCSO-CERS Research Room, location: 1097 Budapest, Tóth Kálmán street 4., room B.3.30.
CERS Data Room, location: 1097 Budapest, Tóth Kálmán street 4., room B.3.31.
The camera system was installed to monitor the HCSO-CERS Research Room and the CERS Data Room enabling direct and recorded observation in all cases. The camera system operates in both rooms in a time interval of 24 hours.
Number and location of cameras in the HCSO-CERS Research Room:
A total of 14 cameras, of which 12 monitor individual workstations, and two take overview images in the corners.
Number and location of cameras in the CERS Data Room:
A total of 5 cameras, 3 of which monitor individual workstations, and two in the corners to take overview images.
Data management in terms of data access rights
Scope of data in management and purposes
During data access to anonymous data stored in the Databank and during camera surveillance, the CERS manages the following data:
name; address; date of birth; mother’s name; personal identification number, or in the absence of such, passport number; employer’s name; position; type of employment; duration of employment; phone number; e-mail address
In the case of the HCSO-CERS Research Room and the CERS Data Room, image recording.
The purpose of data management is to ensure that access to the CERS Databank services is regulated and identified. For this, the identification of the data subject is essential. CERS performs its public task specified in the law and the Founding Act by operating the Research Room, supports scientific research activities through the Research Room, and in doing so, provides access to anonymous data necessary for carrying out research activities to CERS researchers and external researchers under agreement.
CERS prepares user-level statistics on the use of devices or servers owned and operated by, which are used to develop the Data Controller’s internal data access process.
The statistics include the following data:
a) In the case of servers storing data files operated by the CERS Databank: user ID, CPU, RAM usage statistics, programs run by the user;
b) In the case of the HCSO-CERS Research Room: data for logging in/out of the Research Room, data for logging out/in of the server, appointment booking data;
c) In the case of the CERS Data Room: data for logging in/out of the Data Room, data for logging out/in of the server, appointment booking data.
The purpose of the camera system is to detect and verify if the researcher violates the order of the HCSO-CERS Research Room or the CERS Data Room (e.g.: wants to bring out data illegally or interferes with someone else’s research), or if a personal and property protection incident occurs.
Legal basis for data management in term of data access rights
The legal basis for data management in the case of the above mentioned is the legitimate interest in implementing and monitoring the regulated access to the HCSO-CERS Research Room, CERS Data Room and CERS Databank based on Article 6(1)(f) of the Regulation.
The stored recordings of the camera surveillance and recording systems operated by CERS may only be accessed by authorized persons for the purpose of proving violations committed against property or persons, as well as against the applicable data protection legislation (data security), and for the purpose of identifying the perpetrator.
Before starting data management, the Data Controller conducted a balancing test and determined that the control of the data can be reasonably expected, that data access would not be ensured or maintained otherwise, and that the scope of the controlled data is limited to the necessary minimum, due to which the data management is proportionate to the purpose of the data management and the interests involved.
Duration of data management
In order to verify scientific research, the CERS stores the data for a specific period of time, which varies depending on the research. If no research results are obtained during data access, the data controller stores the data for a maximum of the civil law limitation period, i.e. five years.
The data controller stores the photograph for a minimum of seven and a maximum of fourteen days after recording if it is not used.
Data processing
The CERS stores the data during data management on servers located at the CERS headquarters (1097 Budapest, Tóth Kálmán u. 4.). In addition to the CERS, the following parties have access to the electronic storage of personal data on the basis of a contract:
MTA Humanities Research Center (1097 Budapest, Tóth Kálmán street 4.);
Trust-IT Kft. (1203 Budapest, Közműhelytelep street 28/a.);
Data access
Use of the recordings:
Authorized employees of the CERS, managers of the CERS, the CERS IT staff in the event of operation checks or technical troubleshooting, as well as the system administrator, and authorized employees of the Central Statistical Office in the case of the HCSO-CERS Research Room, are entitled to view the recordings of the cameras (direct observation).
Authorized persons may view the recordings of the camera surveillance systems operated by the CERS, which enable direct observation and are stored, both in order to prevent and prove violations of data access rules and to identify the perpetrator of violations against property and persons. The data subject whose rights or legitimate interests are affected by the recording or possibly the recording of other personal data may request access and, within the storage period, may request that the CERS not destroy or delete the recording until a court or authority requests it.
Upon request by the court or other authority, the CERS shall immediately send the recorded image and any other related personal data of the person involved to the court or authority.
Rights of the Data Subject in relation to data processing
The Data Subject shall have the following rights within the period of data management, in accordance with the provisions of the Regulation:
access to personal data and information related to data management,
right to rectification,
restriction of data management,
right to erasure,
right to portability,
right to object,
right to withdraw consent.
If the Data Subject wishes to exercise his/her rights, this will involve the identification of the Data Subject, and the CERS will necessarily have to communicate with the Data Subject. Therefore, for the purpose of identification, it will be necessary to provide personal data, and the Data Subject’s complaint regarding data processing will be available in the CERS email account. We will keep these complaints for 5 years.
CERS will respond to complaints regarding data management within 30 days at the latest.
Access to personal data and information
The Data Subject has the right to receive feedback from the CERS as to whether his/her personal data is being controlled and, if so, the right to:
receive access to the personal data controlled and
be informed by the CERS of the following information:
the purposes of the management;
the categories of personal data controlled about the Data Subject;
information on the recipients or categories of recipients to whom the personal data have been or will be disclosed by the CERS;
the planned period for which the personal data will be stored or, if that is not possible, the criteria for determining this period;
the Data Subject has the right to request from the CERS the rectification, erasure or restriction of management of personal data concerning the Data Subject and, in the case of management based on legitimate interests, to object to the management of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data were not collected from the Data Subject, all available information regarding their source;
the fact of automated decision-making (if such a procedure is applied), including profiling, and at least in these cases, understandable information about the logic used and how such data management is carried out
The purpose of exercising the right may be to establish and verify the lawfulness of data management, therefore, in the event of multiple requests for information, the CERS may charge a fair fee in exchange for providing the information.
The CERS ensures access to personal data by sending the managed personal data and information to the Data Subject by e-mail after identifying the Data Subject.
Please indicate in your request whether you are requesting access to personal data or information related to data management.
Right to rectification
The Data Subject has the right to obtain from the CERS, upon request, the rectification of inaccurate personal data concerning the Data Subject without undue delay.
Right to restriction of management
The Data Subject has the right to obtain from the CERS, upon request, the restriction of data management where one of the following applies:
The Data Subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling us to verify the accuracy of the personal data, if verification is not necessary, no restriction shall be applied;
The management is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;
The CERS no longer needs the personal data for the purposes of the specified management, but the Data Subject requires them for the establishment, exercise or defence of legal claims; or
the Data Subject has objected to the management, but the legitimate interests of the CERS may also justify it, in which case the management must be restricted until it is determined whether the legitimate interests of the CERS override those of the Data Subject.
If the process is restricted, such personal data, with the exception of storage, may only be controlled with the consent of the Data Subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the European Union or a Member State.
The CERS will inform the Data Subject in advance (at least 3 working days before the lifting of the restriction) of the restriction on the management.
Right to erasure – right to oblivion
The Data Subject has the right to obtain from the CERS the erasure of personal data concerning the data subject without undue delay where one of the following grounds applies:
the personal data are no longer necessary for the purposes for which they were collected or controlled by the CERS;
the data subject withdraws his/her consent and there is no other legal basis for the management;
the data subject objects to the management based on legitimate interest and there is no overriding legitimate reason (i.e. legitimate interest) for the management;
the personal data have been unlawfully management by the CERS and this has been established on the basis of a complaint;
the personal data must be erased for compliance with a legal obligation to which the CERS is subject under European Union or Member State law.
Where the CERS has made personal data about the Data Subject public for any legitimate reason and is obliged to erase them for any of the reasons indicated above, it shall take reasonable steps, taking into account available technology and the cost of implementation, including technical measures, to inform other data controllers processing the data that the Data Subject has requested the erasure of links to or copies or replications of those personal data.
Erasure shall not apply where the processing is necessary:
for the exercise of the right to freedom of expression and information;
for compliance with an obligation under European Union or Member State law to which the CERS is subject to processing of personal data or for the performance of a task carried out in the public interest;
for the establishment, exercise or defence of legal claims.
Right to object
The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on legitimate interest. In such a case, the CERS shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to portability
If the data processing is necessary for the performance of a contract or if the data processing is based on the voluntary consent of the Data Subject, the Data Subject has the right to request the CERS to transfer the data provided to him/her or to another data controller indicated by him/her.
Legal remedies
If the Data Subject believes that the CERS has violated a statutory provision on data processing or has not fulfilled a request, he/she may initiate an investigation procedure with the National Authority for Data Protection and Freedom of Information in order to terminate the presumed unlawful data processing (correspondence address: 1530 Budapest, Pf.: 5., e-mail: ugyfelszolgalat@naih.hu).
In the event of a violation of the statutory provisions on data processing or if the CERS has not fulfilled a request of the Data Subject, a civil lawsuit may also be initiated against the CERS in court.
Data security
When operating IT systems, CERS ensures the necessary authorization management, internal organizational and technical solutions so that unauthorized persons cannot obtain the data of the Data Subject, and that unauthorized persons cannot delete, remove or modify the data. CERS also enforces data protection and data security requirements against data processors.
CERS keeps records of any data protection incidents, and if necessary, informs the Data Subject about any incidents that arise.
Other provisions
The CERS reserves the right to amend this data management information in a way that does not affect the purpose and legal basis of data management. The Data Subject accepts the amended data management information by using the website after the amendment comes into force.
If the CERS intends to carry out further data management in relation to the collected data for a purpose other than the purpose of their collection, it shall inform the Data Subject before further data management about the purpose of data management and the following information:
the duration of storage of personal data, or if this is not possible, the criteria for determining the duration;
the right that the Data Subject may request from the CERS access to personal data concerning the Data Subject, their correction, deletion or restriction of processing, and in the case of data processing based on legitimate interest, may object to the processing of personal data, and in the case of data processing based on consent or a contractual relationship, may request the right to data portability;
in the case of data processing based on consent, that the Data Subject may withdraw consent at any time,
the right to lodge a complaint with a supervisory authority;
whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract and whether the Data Subject is obliged to provide the personal data and what possible consequences may arise from failure to provide the data;
the fact of automated decision-making (if such a procedure is used), including profiling, and at least in these cases, understandable information on the logic involved and the significance of such data processing and the expected consequences for the Data Subject.
Data processing may only begin after the information has been provided. If the legal basis for data processing is consent, the Data Subject must also consent to the data processing in addition to the information.