Privacy Notice concerning the processing of personal data related to the use of the UD Studyversity Application

 The present Privacy Notice (hereinafter: Privacy Notice) contains the principles of data controlling pertaining to the the scope of personal data, as determined herein, of the users (hereinafter: the Users) of the UD Studyversity Application (hereinafter: the Application) operated by the University of Debrecen (registered seat: 4032 Debrecen, Egyetem tér 1, tax number: 15329750-4-09, institutional identifier: 17198), as the controller of personal data (hereinafter: Controller), in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Information Act), as well as the Internal Data Protection Policy of the University of Debrecen, and the notice on data protection given to the Users.

The particulars of the Controller

The  purpose of this Privacy Notice

The purpose of the present Privacy Notice is to inform persons whose personal data are affected by the data controlling concerning the principles, requirements and conditions of the processing by the Controller, as well as to provide information to such data subjects on the nature, objective and legal basis of the processing, the duration of the processing, the identity of the persons entitled control and process the data, the scope of persons entitled to receive the data, and the possibilities of legal remedy.

The principles of processing by the Controller

The Controller declares that it processes the data of natural persons in accordance with the Privacy Notice, and complies with the relevant provisions of law, with special attention to the following:

Personal data shall be processed lawfully and fairly, in a manner that is transparent to data subjects. Personal data may only be collected for certain, clear and lawful purposes. The purpose of the processing of personal data shall be relevant and only to the necessary extent.

The personal data shall be accurate and up to date, and any inaccurate personal data shall be deleted without delay.

Personal data shall be stored in such a way that data subjects may be identified only for the necessary length of time. The storage of personal data for a longer time may only take place for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Personal data shall be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The principles of data protection shall apply to any information concerning any identified or identifiable natural person.

 

The scope of the data subjects

All Users who downloaded and use (are logged into) the Application.

The scope of the processed data

Pursuant to this Privacy Notice, the Controller shall primarily display such personal data in the Application that the User has provided to the University of Debrecen (hereinafter: the University) in the context of theFsay legal relationship of being a registered student of the University. Such data are stored on the User’s device only, and the Controller does not process, transmit or otherwise dispose over this information.

These are the following:

The Application uses web analytical services from third parties that may collect information for the identification of Users. The privacy policies of third-party service providers used by the Applications can be reached via the following external links:

In addition to the data provided by the User, the Application may collect data through automatic data collection tools (cookies). A “cookie” is a small data file that the given service sends to the User’s device when the User uses the service, requests information or customizes the service. The various cookies help to identify the functions/services that may be of most interest to the User, enhance the user experience by storing the User's preferred information while using a particular service. Cookies cannot identify the User personally. If you accept cookies, you may provide access to information about your browsing habits, which we may use to customise your user experience. Temporary cookies are valid during a session and are deleted from the device when the browser is closed. Permanent (persistent) cookies remain on your device until they are deleted or expire. Most browsers automatically accept cookies by default, but you can reject or select cookies by changing your browser’s security settings. If you decide to reject cookies, some parts of the Application may not be used.

The data recorded in a cookie may include the following:

While using the Application, the User has the possibility to record various types of personal information:

This information (the User’s indication of his/her mood) is stored on the Controller's server. If the User, based on his/her indication, is in a bad or good mood a certain number of times, the Application will offer to fill in a questionnaire available on an external website, which will be evaluated by an external expert. The Controller will grant the external expert access to these data stored on its server.

When using the Application, the User may receive “push messages”: push messages are sent to the phone of the User according to the categories he/she has selected from those offered by the Application. The User may deactivate these push messages at any time, except in the case of the UD Community Space function, where the automatic and mandatory sending of push messages is part of the standard operation of the function.

The following data are stored for the purpose of sending push messages:

When using the UD Community Space function, the User can enter the following social data about himself/herself through a wizard:

The UD Community Space function can only be used after activation by the User, during which a declaration is required.

By using this function, Users can browse other users’ profiles in a list, where the Application offers further contacts organised according to their interests. Using the “I say hello” function, you can contact any any other User’s profile, which means that if User A opens User B’s profile, visits the above-mentioned social media profiles, and finds him or her sympathetic, then after clicking on the “I say hello” button, User B will receive a push message that User A is interested in connecting and User B may expect to be contacted one of the social media platforms. The User has the right to erase the data provided at any time by using the "Erase" function, as a result of which the User and his/her contact details will be permanently and irrevocably erased from the system. These Community Space data and the User’s network of contacts are stored on servers remote from the Controller’s Application, and

The Application may also contain links leading to other websites. If the User clicks on a third-party link, he or she will be taken to that website. The Controller undertakes no responsibility for the content of the website or service, or for the data protection policy or practice, of third parties.

The purpose of the processing by the Controller

The data specified above are necessary for the comprehensive use of the various services provided by the Application, the optimal operation of the Application, and ultimately for the purpose of providing the highest possible level of user experience, and for the achievement of other objectives as set forth in the present Privacy Notice.

The legal basis of the data processing

The legal basis for processing by the Controller is the User's voluntary consent (Article 6 (1) (a)  of the GDPR).

The duration of the data processing

The Controller shall, in accordance with the applicable legal provisions, store the personal data provided to it from the moment the consent is given until the consent is withdrawn or for as long as it is necessary to achieve the purposes for which the personal data was provided.

The scope of those having access to the data

The University of Debrecen

SIGHTSPOT NETWORK Kft. (Processor of data)

Data transmission

The Controller shall only transmit data to authorities in the event of a legal obligation.

The Controller shall not transfer data to third parties for commercial or marketing purposes.

The Controller shall keep a record of the data transmissions.

The use of a Processor

The Controller uses the following company as a Processor:

Short name: SIGHTSPOT NETWORK Kft.

Company registration number: 09-09-023291

Tax number: 23972188-2-09

Registered address: 4034 Debrecen, Vágóhíd utca 2. 6. ép. 2. em.

Mailing address: 4034 Debrecen, Vágóhíd utca 2. 6. ép. 2. em.

Phone: +36 20 404 9355

E-mail:  info@sightspot.hu

Website: sightspot.hu

 as the developer and operator of the Application (hereinafter: Processor)

The legal basis for the data processing: on the basis of the User’s consent pursuant to Article 6 (1) (a) of the GDPR, the Controller may use a data processor, subject to informing the User in advance. Upon having read this Privacy Notice, the User voluntarily consents to the use of the data processor with respect to the data provided to the Controller, by way of any of the way of consent described in the above sections.

The scope of the personal data concerned by the processing: The processing concerns all the data indicated in this Privacy Notice.

The purpose of the processing: Ensuring the functioning of the Application in the information technology sense for the User concerned, by processing the data necessary for the development and operation of the Application and the provision of the services through the Application.

The duration of the processing: The same as the periods of processing by the Controller, as indicated for each type of processing of the different scopes of data, according to the various purposes.

The processing of the data shall be limited to the technical operations necessary for the further development and operation of the Application in the information technology sense. No processing shall be carried out for any other purpose.

The Controller does not use any processor other than the Processor identified above.

Security measures

In compliance with its obligation under Section 7 of the Information Act, the Controller shall make all efforts to ensure the security of the Users’ personal data. Further, the Controller shall take the necessary technical and organisational measures, and shall introduce such procedural rules that are necessary for the enforcement of the provisions of the Information Act, as well as other rules of data protection and confidentiality. Accordingly, the personal data of the User shall only be processed by the Controller, and with the exception of the mandatory cases prescribed by law, only the employees of the Controller and the Processor may have access to and process such data. Under no circumstances may the Controller disclose or transmit the Users’ personal data to third parties, or publish the same in any form. The sole exception from the above provision shall be the performance of data disclosure obligations based on statutory obligation, or one required by a competent court or authority.

Voluntary consent

By accepting the present Privacy Statement, the User confirms that he/she is fully aware and acknowledges the provisions of this Privacy Notice, and accepts these as binding, and that in possession of the necessary information he/she voluntarily consents to the processing by the Controller of his/her personal data specified herein, for the above purposes, in compliance with the relevant provisions of the Information Act and of this document. Further to the above, the User declares that he/she is of at least 16 years of age, and is not restricted in his/her legal capacity.

Rights related to processing

The User may request the following from the Controller:

Right to request information (pursuant to Articles 13-14 of the GDPR)

At the request of the User, the Controller shall provide information to the User on the data processed by the Controller or the Processor used by the Controller, on the source of such data, the purpose, legal basis and duration of the processing by the Controller, the name and address of the Processor, as well as its activities related to processing, on the circumstances and impacts of any personal data breaches that may have occurred, the measures taken to avert the same, and further, in case of the transmission of the personal data of the User, on the legal basis and the addressee of such data transmission. The Controller shall provide the information without undue delay and within not more than one month after receipt of the request.

In the context of the right of access, the Controller shall provide the User with a copy of his/her personal data that are the subject of the processing, within not more than one month after the receipt of the request.

Right to data portability (pursuant to Article 20 of the GDPR)

The User shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. a) the processing is based on consent of the User or on a contract; and
  2. b) the processing is carried out by automated means.

In exercising his or her right to data portability in accordance with the above, the User shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to rectification or supplementation (pursuant to Article 16 of the GDPR)

The User may request the rectification of his/her personal data processed, which the Controller shall carry out without undue delay, but within not more than one month from the receipt of the request. Taking into account the purposes of the processing, the User shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to restriction (blocking) of processing (pursuant to Article 18 of the GDPR)

The Controller shall mark the personal data processed by it for the purpose of restricting the processing. The User shall have the right to obtain from the Controller restriction of processing where one of the following applies:

  1. a) the accuracy of the personal data is contested by the User, for a period enabling the Controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of his/her use instead;
  3. c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims;
  4. d) the User has objected to processing performed on the basis of the legitimate interest of the Controller; in such case, the restriction pertains to the period until it is verified whether the legitimate interests of the Controller override those of the data subject.

Each User shall have the right to object to or prohibit the inclusion of his/her name and address, as well as other contact details in a marketing list, the use of his/her data for direct marketing purposes or for a specific purpose within a specific list, the use of such data for sending newsletters or the transfer to a third party, and to request the restriction of his/her personal data in any other way, the termination of the processing of all or part of the data held by the Controller, including the data transferred to a third party. The Controller shall carry out the erasure without undue delay after receipt of the request, but within not more than 10 working days, and shall inform the User concerned in writing within a further 15 days after the execution of the request.

Right to erasure (pursuant to Article 17 of the GDPR)

The Controller shall erase the personal data if:

  1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) the User withdraws the consent on which the processing is based, and where there is no other legal ground for the processing;
  3. c) the User objects to the processing and there are no overriding legitimate grounds for the processing or the User objects to the processing for direct marketing purposes;
  4. d) the personal data have been unlawfully processed;
  5. e) the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject;
  6. f) the personal data have been collected in relation to the offer of information society services referred.

Where the Controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers that are processing the personal data that the User has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The Controller shall notify fact of the rectification and erasure of data or the restriction of processing to the User and all parties to whom the data was transmitted. The notification may be omitted if it proves impossible or involves a disproportionate effort. The Controller shall inform the User about those recipients if the User requests such information.

Right to object (pursuant to Article 21 of the GDPR)

The User may object to the processing of his/her personal data pursuant to Article 6 (1) (f) of the GDPR, including profiling based on those provisions, necessary for the purposes of the legitimate interests pursued by the Controller or a third party. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The possibilities for the enforcement of rights and for legal remedies related to the processing

We suggest that prior to initiating judicial or other official proceedings, please send to the Controller your request or complaint regarding the processing of your personal data, so that the Controller can investigate, rectify or, if justified, respond to your request or complaint.

In case of the exercise of any right or request for information by the User related to the processing of data, or any objection or complaint to such processing, the Controller shall, without undue delay, investigate the matter, take action on the request and provide information to the User within the time prescribed by the applicable laws. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

In case of the alleged or actual injury of his or her rights, the User may initiate a proceeding to be conducted by the National Authority for Data Protection and Freedom of Information (registered address: 1055 Budapest, Falk Miksa utca 9-11; mail address:  1363 Budapest, P.O. Box 9, e-mail address: ugyfelszolgalat@naih.hu) to initiate a procedure or may submit a claim to the courts.

If submitting a claim to the courts, the User may decide, at his/her option, whether to bring an action before the competent regional court according to his/her address of permanent or temporary residence, or according to the the registered address of the Controller. The regional court based on the address of permanent or temporary residence can be found on the http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso page.

 

Debrecen, 27 January 2022