Privacy Notice
Event Organization
The protection of personal data is extremely important to us. Therefore, in this Privacy Notice, we explain what personal data we process about you, for what purpose, and on what legal basis. This Privacy Notice also contains information about your rights.
Data Controller Information
Data Controller: Business Council for Sustainable Development in Hungary (BCSDH) (hereinafter: “Data Controller”)
Registered office: 1118 Budapest, Ménesi út 9/a, Hungary
Registration number at the Metropolitan Court: 12329
Tax number: 18126927-2-43
Website: www.bcsdh.hu
Contact details of the Data Protection Officer: ivett.takacs@bcsdh.hu
General Legislation Forming the Basis of Data Processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary)
- Act V of 2013 on the Civil Code (Hungary)
- Act CXXVII of 2007 on Value Added Tax (VAT Act)
- Act C of 2000 on Accounting
- Act CLV of 1997 on Consumer Protection
- Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct Marketing Purposes
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
Definitions
Personal Data
Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical personal data include, in particular: name, address, place and date of birth, and mother’s maiden name.
Data Processing
Any operation or set of operations performed on personal data or data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller
A natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its designation may also be determined by Union or Member State law.
Data Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
Recipient
A natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether a third party or not.
Principles
When processing personal data, the Data Controller observes the following principles. Personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (lawfulness, fairness, and transparency)
- collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR shall not be considered incompatible with the initial purposes (purpose limitation)
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization)
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay (accuracy)
- kept in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; longer storage is only permitted for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to appropriate technical and organizational measures (storage limitation)
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality)
- processed under the responsibility of the Data Controller, who must be able to demonstrate compliance with these principles (accountability)
Data Processing Activity
- registration for events organised via bcsdh.hu and https://circulareconomyhotspotbudapest.com/
|
Purpose of Data Processing
|
The purpose of registration is to enable participation in the available conferences and events. |
| Legal Basis for Data Processing |
Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract.
|
| Categories of Data Subjects | Bármely természetes személy |
| Categories of Personal Data | Title, last name and first name, email address, phone number, company name, job title, unique code (optional), sector, interpretation request, event participation fee, currency, payment method (credit card, bank transfer), billing type (company, private individual), billing address, email address for electronic invoice, contact person’s name and email address, registration status, content of the pro forma invoice, participation ticket(s) for the relevant event, confirmation of having reached the age of 16 |
| Data Retention Period | Until the end of the first year following the event. |
| Data Transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place. |
| Recipients | Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of Data | The source of the personal data is the registered participant. |
| Method and Consequences of Providing Data | Providing the data is necessary. If you do not provide the required data, you will not be able to use the service related to the registration. |
2. photographs and video recordings taken at the event
| Purpose of data processing | Taking photographs and video recordings during the event, as well as using these recordings for the documentation of the event. |
| Legal basis for data processing | Article 6(1)(a) of the GDPR: consent. |
| Categories of data subjects | Any natural person attending the events. |
| Categories of personal data | Photographs and video recordings of the natural person. |
| Data retention period: | Until the withdrawal of consent. |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place. |
| Recipients | Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of the data | The source of the personal data is the natural person. |
| Method and consequences of providing data. | Providing the data is voluntary. If you do not give your consent, you will not appear in the photographs taken at the event. |
3. signing the attendance sheet for participation.
| Purpose of data processing | Maintaining an attendance sheet of conference and event participants, which serves as the basis for invoicing and handling other claims or complaints. |
| Legal basis for data processing | Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. |
| Categories of data subjects | Any natural person. |
| Categories of personal data | Title, last name and first name, company name, signature, name, date and location of the conference/event. |
| Data retention period | Until the end of the first year following the event. |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place. |
| Recipients | Contact details of the Data Processors |
| Source of the data | The source of the personal data is the registered participant. |
| Method and consequences of providing data | Providing the data is necessary. If you do not provide the required data, we will not be able to prove, in the event of a complaint or claim, that you attended the event. |
4. processing of speakers’ data related to the conference/event
| Purpose of data processing | Processing the personal data of individuals participating as speakers at the conference/event during the organization and implementation of the conference/event |
| Legal basis for data processing | Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract |
| Categories of data subjects | Natural persons participating in the event as speakers |
| Categories of personal data | Title, last name and first name, email address, phone number, company name, position, photographs and video recordings |
| Data retention period | Until the end of the fifth year following the conference/event |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of the data | The source of the personal data is the speaker |
| Method and consequences of providing data | Providing the data is necessary. If you do not provide the required data, you will not be able to participate in the event/conference as a speaker |
5. complaint handling
| Purpose of data processing | Handling any complaints related to any event |
| Legal basis for data processing | Article 6(1)(c) of the GDPR: compliance with a legal obligation, pursuant to Section 17/A (6) of Act CLV of 1997 on Consumer Protection |
| Categories of data subjects | Any natural person |
| Categories of personal data | Name, email address, phone number, username, the content of the complaint, in the case of a complaint submitted by phone the voice recording of the complainant, and any other personal data provided in the complaint |
| Data retention period | 3 years pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | Contact details of the Data Processors: |
| Source of the data | The source of the personal data is the complainant |
| Method and consequences of providing data | Providing the data is necessary. If you do not provide the required data, we may not be able to investigate your complaint |
6. billing
| Purpose of data processing | Issuing an invoice for the participation fee of the event/conference |
| Legal basis for data processing | Article 6(1)(c) of the GDPR: compliance with a legal obligation pursuant to Section 159(1) of the VAT Act |
| Categories of data subjects | Customer |
| Categories of personal data | Name, address, ordered service, fee, invoice date, payment deadline, invoices related to previously used and paid services |
| Data retention period | 8 years pursuant to Sections 169(1) and (2) of the Accounting Act |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | The billing service provider is Billingo Technologies Zrt. (1133 Budapest, Árbóc utca 6. I. emelet, Company registration number: 01-10-140802).
Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat |
| The Data Controller provides data to National Tax and Customs Administration in accordance with Point 1 of Annex 10 to Act CXXVII of 2007 on Value Added Tax (VAT Act) | |
| Source of the data | The source of the personal data is the customer |
| Method and consequences of providing data | Providing the data is mandatory. If you do not provide the required data, we will not be able to issue the invoice |
7. payment of the service fee
| Purpose of data processing | Payment of the service fee via online credit card payment. |
| Legal basis for data processing | Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract |
| Categories of data subjects | Customer |
| Categories of personal data | Name, service identifier, bank account number, amount of the transfer, date and time of the transfer |
| Data retention period | 8 years pursuant to Sections 169(1) and (2) of the Accounting Act |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | Recipients: The provider of the online credit card payment service is Stripe Technology Company Limited
(registered office: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland). Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of the data | The source of the personal data is the customer |
| Method and consequences of providing data | Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to provide the service to you |
8. subscription to current updates
| Purpose of data processing | Sending news and current updates |
| Legal basis for data processing | Article 6(1)(a) of the GDPR: consent |
| Categories of data subjects | Persons subscribing to the newsletter |
| Categories of personal data | Name, email address |
| Data retention period | Until the withdrawal of consent or for 30 days following the date of unsubscribing from the subscription |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of the data | The source of the personal data is the person subscribing to the newsletter |
| Method and consequences of providing data | Providing the data is voluntary. If you do not provide the data required for the subscription, we will not be able to send you updates and current information |
9. contractual contact management
| In the case of its contracted Partners (suppliers, customers), the Data Controller communicates and maintains business relations through the contact person designated in the contract | Purpose of data processing: Maintaining communication and ensuring cooperation for the proper performance of the contract between the Data Controller and the Partner |
| Legal basis for data processing | Article 6(1)(f) of the GDPR: legitimate interest |
| Categories of data subjects | Employees of the Partner (sole proprietorship, limited liability company, limited partnership, private company limited by shares) designated as contact persons |
| Categories of personal data | Name, position, phone number, email address |
| Data retention period | Until the end of the fifth year following the performance or termination of the contract |
| Data transfer | No data transfer pursuant to Articles 44–49 of the GDPR takes place |
| Recipients | Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/ |
| Source of the data | The source of the personal data is the Partner’s contact person |
| Method and consequences of providing data | Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to communicate and coordinate with the Partner |
Access to the data
The personal data may be accessed by the competent employees of the Data Controller to the extent necessary for the performance of their duties. The Data Controller allows visitors of the events to purchase participation tickets for other persons through their own user account. In such cases, the owner of the user account provides the personal data necessary for the registration of the additional ticket holders. Furthermore, if the additional ticket holder already has their own user account, the owner of the user account may access the data stored by the Data Controller relating to the additional ticket holder, but may not modify such data. The Data Controller reasonably assumes that persons purchasing tickets for third parties have obtained the consent of those third parties for accessing the data stored by the Data Controller relating to them. The Data Controller expressly excludes any liability arising from the absence or incompleteness of such consent.
Data security measures
The Data Controller shall implement appropriate IT, technical, and organizational measures to ensure that the personal data processed by it are protected, including against unauthorized access and unauthorized alteration.
Data subject rights related to data processing and their content
| Data subject rights related to data processing
Data subject right |
Description of the data subject right related to data processing |
| Right to be Informed
(Articles 13–14 GDPR) |
You have the right to receive information at the time your personal data are obtained regarding the fact and purposes of the data processing. The Data Controller shall also provide you with additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of the processing of personal data. You must also be informed about the existence of profiling and its consequences. |
| Right of Access /Article 15 of the GDPR/ |
You are entitled to request information as to whether the processing of your personal data is ongoing, and if such processing is taking place, you have the right to know:
|
| Right to Rectification /Article 16 of the GDPR/ |
You have the right to request that the Data Controller correct inaccurate personal data concerning you, or complete incomplete personal data. In other words, you may request the modification of your personal data (for example, you may update your email address or other contact details at any time). |
| Right to Erasure (“Right to be Forgotten”)
/Article 17 of the GDPR/ |
You have the right to request that the Data Controller erase your personal data without undue delay where one of the following grounds applies:
|
| Right to Restriction of Processing
/Article 18 of the GDPR/ |
You have the right to request that the Data Controller restrict the processing of your personal data where one of the following applies:
|
| Right to Data Portability
/Article 20 of the GDPR/ |
You have the right to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data were provided, where:
You also have the right to request the direct transfer of your personal data between Data Controllers, where technically feasible. |
| Right to Object
/Article 21 of the GDPR/ |
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In such cases, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct marketing. |
| Right to Withdraw Consent
/Article 7(3) of the GDPR/ |
You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this before giving consent. It shall be as easy to withdraw consent as it is to give it. |
Remedies and Rights of the Data Subject in Relation to Data Processing
| Legal Remedies | Content of Legal Remedies |
| Right to Lodge a Complaint with a Supervisory Authority
/Article 77 of the GDPR/ |
If you consider that your rights relating to the protection of your personal data have been infringed, you have the right to lodge a complaint with the following supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH) |
| Right to an Effective Judicial Remedy Against the Data Controller or Data Processor (Court Proceedings)
/Article 79 of the GDPR/ |
You have the right to bring proceedings before a court against the Data Controller or Data Processor if you consider that your rights under the GDPR have been infringed as a result of unlawful processing of your personal data. The court shall act on the case without delay. You may choose to bring the action before the court of the Member State in which the Data Controller or Data Processor has an establishment, or before the courts of the Member State of your habitual residence. Information on courts is available at: www.birosag.hu/torvenyszekek |
Updates to the Privacy Notice
The Data Controller reserves the right to unilaterally amend this Privacy Notice. Such amendments may be made in particular where required due to changes in legislation, supervisory authority practices, business needs, or other circumstances. Upon the data subject’s request, the Data Controller shall provide a copy of the currently effective Privacy Notice in a mutually agreed format.
30 April 2026
