Valid from May 25, 2018
2. Contacts of ERRA:
Regarding data control, our users may contact ERRA on the below contacts:
Name: Energy Regulators Regional Association (ERRA)
Registered seat: Logodi utca 44/B, 1012 Budapest, Hungary
Registry number: KKM/17399/1/2016/Adm.
Registry organization: Ministry of Foreign Affairs and Trade
Tax number: 18173194-2-41 (EU format: HU18173194)
3. Scope of the controlled personal data:
3.1. During its activity ERRA controls the user’s personal data that are necessary for obtaining their service, ERRA provides all the necessary information at the start of obtaining such service.
3.2. Technical details: During providing their service, ERRA chooses and operates their technical equipment so that the below principals of data control shall be fulfilled:
Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
3.3. ERRA protects all personal data with the appropriate security measures against unauthorized access, modification, forwarding, publication, deletion, abolition or accidental abolition. ERRA protects the security of data control with the appropriate technical and organizational measures that secures the appropriate defense level for data control, according to the relevant risk level. ERRA keeps confidentiality during data control: protects all information so that only authorized persons shall have access; keeps data integrity, protects the accuracy and completeness of information and methods of control; provides availability: provides access for the users to the requested information.
3.4.1. Cookies collect information of the users and their devices; remember the custom settings of users which may be used e.g. during online transactions therefore no repeated typing is needed; facilitates the use of services; provide quality user experience. For providing custom service, a small data package (so-called cookie) is placed onto the user’s device and during a later browsing the cookies will be recognized. If the web-browser sends back a previously saved cookie, the service provider that generated that cookie may link the actual browsing of the user with the previous browsing history but only with regards of such service provider’s own content.
3.4.2. Session cookies: using session cookies helps the users to obtain a better user experience while using the service, and all of its functions. Such cookies expire by the end of a session and by closing the web-browser it will be automatically deleted from the browsing device.
3.4.3. Analytics cookies used by third parties: ERRA uses the cookies of third party Google Analytics. By providing statistical service, Google Analytics collects information about the user’s browsing habits. ERRA uses such information to improve their services and the user experience. Such cookies also expire by the end of a session and will be automatically deleted from the browsing device or can be deleted by the user.
4. Record of processing activities:
ERRA maintains a record of processing activities that fall under its responsibility. That record shall contain all of the following information:
a) the name and contact details of the controller;
b) the purposes of processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organization;
e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organizational security measures.
5. The purpose, method and basis of data processing:
5.1. General data processing directives:
The basis of data processing of ERRA is the freely given consent of the users, or a legal regulation. In case of the freely given consent, the data subject may withdraw such consent at any time of the data processing. In specific cases, the processing, storing and transferring of personal data are regulated by the law, of which cases we inform our users, if required. We inform persons who transmit personal data of a different person to ERRA that such data transmission requires the consent of the data subject. The data processing principals of ERRA are harmonized with the valid legal regulations regarding data protection, especially with:
- Act CXII. of 2011 on Informal Self-Determination and Freedom of Information (Privacy Act);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
6. Physical storage of personal data:
The personal data of users (namely the personal data that can be connected to a specific user) can be processed by ERRA in connection with obtaining the services of ERRA; meanwhile some technical data are generated automatically in the technical devices, and also the user may submit his or her name, contacts or other details that are necessary for obtaining the service. The personal data are physically stored on ERRA’s own devices and on the devices of data processors of ERRA.
7. Data transferring, data processing, scope of entities that become aware of personal data:
7.1. ERRA may obtain the services of the following data processing service providers: Zengo Kft. (6724 Szeged, Kossuth Lajos sgt. 72/B.); the data processing of such data processors is governed by their own privacy policies.
7.3. The following extensions are built into the code of the Website:
Gravity Form, Woocommerce, Google Analytics
The following extensions are embedded into articles published on the Website:
YouTube, Twitter, Facebook
8. Rights and exercise of rights of the data subject:
8.1. The data subject may request information about processing his or her personal data, and has the right to rectification, and – with the exception of binding and enforceable data processing – the right to erasure, withdraw, data portability and object, by the method indicated at the date of recording and at the above contacts of the data controller.
8.2. Right for information: ERRA shall take appropriate measures to provide any information referred to in GDPR Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
8.3. Right of access by the data subject: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; the envisaged period for which the personal data will be stored; the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; any available information as to data source; the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. The controller shall provide information on action taken on a request within one month of receipt of the request.
8.4. Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
8.5. Right to erasure: The data subject shall have the right to obtain from ERRA the erasure of personal data concerning him or her without undue delay and ERRA shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; the personal data have been collected in relation to the offer of information society services. The erasure of personal data cannot be initiated, to the extent that processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; for the establishment, exercise or defense of legal claims.
8.6. Right to restriction of processing: The data subject shall have the right to obtain from ERRA restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
8.7. Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
8.8. Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and also including profiling based on those provisions. In such case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
8.9. Automated individual decision-making, including profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
8.10. Right to withdraw: The data subject shall have the right to withdraw his or her consent at any time.
8.11. Right to seek a judicial remedy: If the rights of the data subject are violated, the data subject shall have the right to seek a judicial remedy. The court acts in an out of turn procedure.
8.12. Data protection official procedure: Claims can be submitted at the Hungarian National Authority for Data Protection and Freedom of Information: registered seat: Hungary 1125 Budapest, Szilágyi Erzsébet fasor 22/C., Postal address: 1530 Budapest, Pf.: 5., Phone: 0613911400, Fax: 0613911410, E-mail: firstname.lastname@example.org, website: http://www.naih.hu
8.13. A person under 16 may record data only with the consent of his or her legal representative. The statement of an under-age data subject above 16 is valid without the consent of his or her legal representative.
9. Other regulations:
10.1. To receive our newsletter and other information about our services, our users may sign up for our newsletter, at signing up we request the following personal data of our users:
- e-mail address
10.2. By signing up for our newsletter, the data subject gives his or her written consent to personal data control and processing.
10.5. All of our (news)letters contain detailed information about signing off.
11.1. Our Website contains links directing to other service provider’s website. We inform our users that such links directs the users to the website of other service providers.