Privacy Notice 

Event Organization 

The protection of personal data is extremely important to us. Therefore, in this Privacy Notice, we explain what personal data we process about you, for what purpose, and on what legal basis. This Privacy Notice also contains information about your rights.

Data Controller Information

Data Controller: Business Council for Sustainable Development in Hungary (BCSDH) (hereinafter: “Data Controller”)

Registered office: 1118 Budapest, Ménesi út 9/a, Hungary

Registration number at the Metropolitan Court: 12329

Tax number: 18126927-2-43

Website: www.bcsdh.hu

Contact details of the Data Protection Officer: ivett.takacs@bcsdh.hu

General Legislation Forming the Basis of Data Processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary)
  • Act V of 2013 on the Civil Code (Hungary)
  • Act CXXVII of 2007 on Value Added Tax (VAT Act)
  • Act C of 2000 on Accounting
  • Act CLV of 1997 on Consumer Protection
  • Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct Marketing Purposes
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities

Definitions

Personal Data

Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical personal data include, in particular: name, address, place and date of birth, and mother’s maiden name.

Data Processing

Any operation or set of operations performed on personal data or data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller

A natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its designation may also be determined by Union or Member State law.

Data Processor

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

Recipient

A natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether a third party or not.

Principles

When processing personal data, the Data Controller observes the following principles. Personal data shall be:

  • processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (lawfulness, fairness, and transparency)
  • collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR shall not be considered incompatible with the initial purposes (purpose limitation)
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization)
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay (accuracy)
  • kept in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; longer storage is only permitted for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to appropriate technical and organizational measures (storage limitation)
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality)
  • processed under the responsibility of the Data Controller, who must be able to demonstrate compliance with these principles (accountability)

Data Processing Activity

  1. registration for events organised via bcsdh.hu and https://circulareconomyhotspotbudapest.com/
Purpose of Data Processing
The purpose of registration is to enable participation in the available conferences and events.
Legal Basis for Data Processing
Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract.
Categories of Data Subjects Any natural person
Categories of Personal Data Title, last name and first name, email address, phone number, company name, job title, unique code (optional), sector, interpretation request, event participation fee, currency, payment method (credit card, bank transfer), billing type (company, private individual), billing address, email address for electronic invoice, contact person’s name and email address, registration status, content of the pro forma invoice, participation ticket(s) for the relevant event, confirmation of having reached the age of 16
Data Retention Period Until the end of the first year following the event.
Data Transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place.
Recipients Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/
Source of Data The source of the personal data is the registered participant.
Method and Consequences of Providing Data Providing the data is necessary. If you do not provide the required data, you will not be able to use the service related to the registration.

2. photographs and video recordings taken at the event

Purpose of data processing Taking photographs and video recordings during the event, as well as using these recordings for the documentation of the event.
Legal basis for data processing Article 6(1)(a) of the GDPR: consent.
Categories of data subjects Any natural person attending the events.
Categories of personal data Photographs and video recordings of the natural person.
Data retention period: Until the withdrawal of consent.
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place.
Recipients Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/
Source of the data The source of the personal data is the natural person.
Method and consequences of providing data Providing the data is voluntary. If you do not give your consent, you will not appear in the photographs taken at the event.

3. signing the attendance sheet for participation.

Purpose of data processing Maintaining an attendance sheet of conference and event participants, which serves as the basis for invoicing and handling other claims or complaints.
Legal basis for data processing Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract.
Categories of data subjects Any natural person.
Categories of personal data Title, last name and first name, company name, signature, name, date and location of the conference/event.
Data retention period Until the end of the first year following the event.
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place.
Recipients Contact details of the Data Processors
Source of the data The source of the personal data is the registered participant.
Method and consequences of providing data Providing the data is necessary. If you do not provide the required data, we will not be able to prove, in the event of a complaint or claim, that you attended the event.

4. processing of speakers’ data related to the conference/event

Purpose of data processing Processing the personal data of individuals participating as speakers at the conference/event during the organization and implementation of the conference/event
Legal basis for data processing Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract
Categories of data subjects Natural persons participating in the event as speakers
Categories of personal data Title, last name and first name, email address, phone number, company name, position, photographs and video recordings
Data retention period Until the end of the fifth year following the conference/event
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/
Source of the data The source of the personal data is the speaker
Method and consequences of providing data Providing the data is necessary. If you do not provide the required data, you will not be able to participate in the event/conference as a speaker

5. complaint handling

Purpose of data processing Handling any complaints related to any event
Legal basis for data processing Article 6(1)(c) of the GDPR: compliance with a legal obligation, pursuant to Section 17/A (6) of Act CLV of 1997 on Consumer Protection
Categories of data subjects Any natural person
Categories of personal data Name, email address, phone number, username, the content of the complaint, in the case of a complaint submitted by phone the voice recording of the complainant, and any other personal data provided in the complaint
Data retention period 3 years pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients Contact details of the Data Processors:
Source of the data The source of the personal data is the complainant
Method and consequences of providing data Providing the data is necessary. If you do not provide the required data, we may not be able to investigate your complaint

6. billing

Purpose of data processing Issuing an invoice for the participation fee of the event/conference
Legal basis for data processing Article 6(1)(c) of the GDPR: compliance with a legal obligation pursuant to Section 159(1) of the VAT Act
Categories of data subjects Customer
Categories of personal data Name, address, ordered service, fee, invoice date, payment deadline, invoices related to previously used and paid services
Data retention period 8 years pursuant to Sections 169(1) and (2) of the Accounting Act
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients The billing service provider is Billingo Technologies Zrt. (1133 Budapest, Árbóc utca 6. I. emelet, Company registration number: 01-10-140802).

Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat

The Data Controller provides data to the National Tax and Customs Administration in accordance with Point 1 of Annex 10 to Act CXXVII of 2007 on Value Added Tax (VAT Act)
Source of the data The source of the personal data is the customer
Method and consequences of providing data Providing the data is mandatory. If you do not provide the required data, we will not be able to issue the invoice

7. payment of the service fee

Purpose of data processing Payment of the service fee via online credit card payment.
Legal basis for data processing Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract
Categories of data subjects Customer
Categories of personal data Name, service identifier, bank account number, amount of the transfer, date and time of the transfer
Data retention period 8 years pursuant to Sections 169(1) and (2) of the Accounting Act
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients The provider of the online credit card payment service is Stripe Technology Company Limited (registered office: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland).

Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/

Source of the data The source of the personal data is the customer
Method and consequences of providing data Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to provide the service to you

8. subscription to current updates

Purpose of data processing Sending news and current updates
Legal basis for data processing Article 6(1)(a) of the GDPR: consent
Categories of data subjects Persons subscribing to the newsletter
Categories of personal data Name, email address
Data retention period Until the withdrawal of consent or for 30 days following the date of unsubscribing from the subscription
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/
Source of the data The source of the personal data is the person subscribing to the newsletter
Method and consequences of providing data Providing the data is voluntary. If you do not provide the data required for the subscription, we will not be able to send you updates and current information

9. contractual contact management

In the case of its contracted Partners (suppliers, customers), the Data Controller communicates and maintains business relations through the contact person designated in the contract.
Purpose of data processing Maintaining communication and ensuring cooperation for the proper performance of the contract between the Data Controller and the Partner
Legal basis for data processing Article 6(1)(f) of the GDPR: legitimate interest
Categories of data subjects Employees of the Partner (sole proprietorship, limited liability company, limited partnership, private company limited by shares) designated as contact persons
Categories of personal data Name, position, phone number, email address
Data retention period Until the end of the fifth year following the performance or termination of the contract
Data transfer No data transfer pursuant to Articles 44–49 of the GDPR takes place
Recipients Contact details of the Data Processors: https://bcsdh.hu/adatkezelesi-szabalyzat/
Source of the data The source of the personal data is the Partner’s contact person
Method and consequences of providing data Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to communicate and coordinate with the Partner

Access to the data

The personal data may be accessed by the competent employees of the Data Controller to the extent necessary for the performance of their duties. The Data Controller allows visitors of the events to purchase participation tickets for other persons through their own user account. In such cases, the owner of the user account provides the personal data necessary for the registration of the additional ticket holders. Furthermore, if the additional ticket holder already has their own user account, the owner of the user account may access the data stored by the Data Controller relating to the additional ticket holder, but may not modify such data. The Data Controller reasonably assumes that persons purchasing tickets for third parties have obtained the consent of those third parties for accessing the data stored by the Data Controller relating to them. The Data Controller expressly excludes any liability arising from the absence or incompleteness of such consent.

Data security measures

The Data Controller shall implement appropriate IT, technical, and organizational measures to ensure that the personal data processed by it are protected, including against unauthorized access and unauthorized alteration.

Data subject rights related to data processing and their content

Data subject rights related to data processing

Data subject right

Description of the data subject right related to data processing
Right to be Informed

(Articles 13–14 GDPR)

You have the right to receive information at the time your personal data are obtained regarding the fact and purposes of the data processing. The Data Controller shall also provide you with additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of the processing of personal data. You must also be informed about the existence of profiling and its consequences.
Right of Access
/Article 15 of the GDPR/
You are entitled to request information as to whether the processing of your personal data is ongoing, and if such processing is taking place, you have the right to know:

  • which of your personal data are being processed,
  • on what legal basis,
  • for what purpose,
  • for how long they are processed,
  • to whom, when, under what legal provision, and which of your personal data have been made accessible or transferred,
  • from what source your personal data originate (if you did not provide them to the Data Controller),
  • whether automated decision-making is applied, including profiling, and the logic involved therein.
Right to Rectification
/Article 16 of the GDPR/
You have the right to request that the Data Controller correct inaccurate personal data concerning you, or complete incomplete personal data. In other words, you may request the modification of your personal data (for example, you may update your email address or other contact details at any time).
Right to Erasure (“Right to be Forgotten”)

/Article 17 of the GDPR/

You have the right to request that the Data Controller erase your personal data without undue delay where one of the following grounds applies:

  • your personal data are no longer necessary for the purposes for which they were collected or otherwise processed
  • you withdraw your consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing
  • you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2)
  • your personal data have been unlawfully processed
  • your personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject
  • your personal data were collected in relation to the offer of information society services referred to in Article 8(1)
Right to Restriction of Processing

/Article 18 of the GDPR/

You have the right to request that the Data Controller restrict the processing of your personal data where one of the following applies:

  • you contest the accuracy of your personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data
  • the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use
  • the Data Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defence of legal claims
  • you have objected to processing pursuant to Article 21(1), in which case the restriction applies for the period necessary to determine whether the legitimate grounds of the Data Controller override your interests
Right to Data Portability

/Article 20 of the GDPR/

You have the right to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data were provided, where:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), or on a contract pursuant to point (b) of Article 6(1), and
  • the processing is carried out by automated means.

You also have the right to request the direct transfer of your personal data between Data Controllers, where technically feasible.

Right to Object

/Article 21 of the GDPR/

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In such cases, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct marketing.

Right to Withdraw Consent

/Article 7(3) of the GDPR/

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this before giving consent. It shall be as easy to withdraw consent as it is to give it.

Remedies and Rights of the Data Subject in Relation to Data Processing

Legal Remedies Content of Legal Remedies
Right to Lodge a Complaint with a Supervisory Authority

/Article 77 of the GDPR/

If you consider that your rights relating to the protection of your personal data have been infringed, you have the right to lodge a complaint with the following supervisory authority:

National Authority for Data Protection and Freedom of Information (NAIH)
Registered seat: 1055 Budapest, Falk Miksa utca 9–11, Hungary
Postal address: 1363 Budapest, P.O. Box 9, Hungary
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu

Right to an Effective Judicial Remedy Against the Data Controller or Data Processor (Court Proceedings)

/Article 79 of the GDPR/

You have the right to bring proceedings before a court against the Data Controller or Data Processor if you consider that your rights under the GDPR have been infringed as a result of unlawful processing of your personal data. The court shall act on the case without delay.

You may choose to bring the action before the court of the Member State in which the Data Controller or Data Processor has an establishment, or before the courts of the Member State of your habitual residence.

Information on courts is available at: www.birosag.hu/torvenyszekek

Updates to the Privacy Notice

The Data Controller reserves the right to unilaterally amend this Privacy Notice. Such amendments may be made in particular where required due to changes in legislation, supervisory authority practices, business needs, or other circumstances. Upon the data subject’s request, the Data Controller shall provide a copy of the currently effective Privacy Notice in a mutually agreed format.

30 April 2026
