Data protection notice
The hatter.hu website is operated by Háttér Society. With this statement, the association informs the visitors of the website and the users of the services provided by the association about its data processing practices, the organisational and technical measures taken to protect the data, and the users' options for legal enforcement.
1. The data controller
Háttér Society (head office: 1136 Budapest, Balzac u. 8-10. fszt. 1., registration number: 11958/1995)
2. The Data Protection Officer
dr. Tamás Pfiszter, e-mail: adatvedelem@hatter.hu
3. The scope of the managed data
When visiting the website, the start and end time of the user's visit is automatically recorded, and in some cases - depending on the settings of the user's computer – also the browser, operating system data and the IP address of the user, as well as the name of the page from which the user came. The system automatically generates statistical data from this data. The operator does not link this data with other personal data, but only uses it to compile statistics. The website sends a cookie to the visitor's computer. The cookie is necessary, among other things, to display automatic messages to users. The data controller does not use cookies for commercial purposes. Anyone can visit the website without having to enter personal data beyond the technically automated data processing.
The individual services of the association differ in terms of whether they manage personal data.
Information and counselling hotline service. No personal data is required to use the service. Telephone and Skype calls are not recorded. The operators do not know the telephone numbers of the callers who connect via the telephone line, but the system retains a call list containing the telephone numbers and the time of the calls. For Skype calls, the system displays the user name and/or telephone number of the caller, for calls via the telephone line, the system stores the call list with the telephone numbers and the time of the calls. A separate data protection notice applies to calls made via the lelkisegely.hatter.hu interface.
Personal counselling service. In order to use the service, it is necessary to provide the user's contact information (email and/or telephone number). The user is not obliged to enter their real name; they can also use the service under a nickname of their choice. Enquiries, email communications with users and notes from meetings are stored by the data controller.
Legal aid service. In order to use the service, it is necessary to provide the user's contact information (email and/or telephone number). When calls are made to the telephone number of the service, the system displays the telephone number and stores a call list containing the telephone numbers and the time of the calls. For legal information and advice, users are not obliged to provide their real name; they can also use the service under a nickname of their choice. In order to use higher-level legal services (drawing up applications and documents, legal representation), it is also necessary to provide the user's name and other personal data required for the procedure. The processing of special categories of personal data is based on the express consent of the user of the service. Enquiries and documents created during the handling of the case are stored by the data controller. A separate data protection notice applies to reports made via the jelentsd-a-homofobiat.hu interface.
HIV Peer Support Service. In order to use the service, it is necessary to provide the user's contact information (email and/or telephone number). Users are not obliged to enter their real name, they can also use the service under a nickname of their choice. Enquiries and email communications with users are stored by the data controller. The coordinator prepares anonymized statistics on the supporting events.
HIV Hotline. No personal data is required to use the service. Calls are not recorded. The operators do not know the telephone numbers of the callers, but the system stores the call list containing the telephone numbers and the time of the calls.
Newsletters. To use the service, users must enter their email address. The users are not obliged to enter their real name, they can also use the service under a nickname of their choice. The provision of further personal data is voluntary.
Events and training courses. In order to participate in some events and training courses, it is necessary to provide personal data (name and contact information) and complete an attendance form. For other events and trainings, the provision of personal data and the completion of the attendance form is voluntary. Before participation in the event or training course, the data controller will inform the participants whether the provision of personal data is required for participation.
Research. Completion of the online questionnaires is anonymous, and it is not necessary to provide any information that would allow the person to be identified. All personal data provided by the participants will be anonymised during the research. A separate data processing information sheet applies to interview research and will be presented to the participants before the interview begins.
Correspondence. Háttér Society stores all e-mails, messages and transcripts of telephone enquiries received not related to other data processing, together with the name, e-mail address/telephone number, date, time and other personal data provided in the message.
4. Purpose and legal basis of data processing
The time of the visit to the website, the IP address, and the collection and storage of browser and operating system data are characteristics of the operation of the system, their management is technically essential, and is carried out exclusively for statistical purposes.
The purpose of processing part of the personal data (contact details) provided to the data controller is to enable the staff of the services operated by the association to contact the users at their express request. The purpose of processing the other part of the data (demographic data) is to enable the data controller to obtain a more accurate picture of the social background of the LGBTQI people who come into contact with the services by analysing of the data obtained in this way. The aim of the research is to find out the opinions of LGBTQI people and to assess the knowledge and attitudes of professionals who come into contact with them. The purpose of processing the data on the attendance lists is to keep the records required by the funder and the tax authorities.
The data controller does not process personal data for purposes other than those described above.
The legal basis for data processing related to the use of services is that it is either necessary in order to take the steps requested by the data subject prior entering into the contract or that it is necessary in order to to fulfill the contract for the provision of the service. The processing of special categories of personal data is based on the express consent of the data subject. The legal basis for the processing of the data on the attendance lists is that it is necessary to fulfill a legal obligation. The legal basis for data processing in connection with the newsletter and research is the voluntary consent of the user.
5. The duration of data processing
The so-called session IDs which enable the identification of website users are automatically deleted when the browser is closed. The user can delete their own cookies at any time. Cookies are automatically deleted after 24 days.
The data controller deletes the call list of the Skype line of the information and personal assistance service within 3 months of the call. The data controller deletes the call lists of the HIV hotline and the legal aid service within 12 months of the call.
In the case of the personal assistance service and the legal aid service, the personal data will be deleted by the controller within 5 years after the end of the use of the service (substantial closure of the case).
The personal data on the attendance lists will be deleted immediately by the data controller after the expiry of the retention period required by the funder or after the expiry of the statutory retention period.
In the case of newsletters, personal data is processed until the user unsubscribes from the newsletter. The user can do this at any time.
In the case of correspondence, personal data that is not affected by other data processing will be deleted by the data controller after a maximum of three years from the date of communicating the data.
6. The circle of persons with access to the data, data processors
Only the data controller’s employees, volunteers and contractual partners bound to confidentiality, as well as by the service providers offering storage, email and document management services, have access to the personal data provided by the users, as well as to data automatically acquired due to technical operation. The hosting service is provided by 3 in 1 Hosting Bt. (http://megacp.com/), the email and document management service is provided by Google Cloud EMEA Limited (http://google.com), the newsletter service is provided by Elastic Email SP Z OO (https://elasticemail.com).
The data controller will only disclose personal data to third parties if the user has given the data controller their express written consent to do so.
After anonymisation, the data controller prepares analyses of the users of the services and makes these analyses publicly accessible. The data disclosed does not contain any personal data.
In the case of data transfers required by law, the data controller examines each personal data item whether the legal basis for the data transfer actually exists before fulfilling each official data request, and if necessary, obtains an opinion from the National Authority for Data Protection and Freedom of Information.
7. Rights of users in relation to the management of their personal data, erasure of data
All users are informed about the handling of their personal data. Within 30 days of a request for access, the data controller shall provide the data subject with written information about the data it processes, the purpose, legal basis and duration of the data processing, the name and address (head office) of the data processor and its activities related to the data processing, as well as who receives or has received the data and for what purpose. Anyone can request this information via the postal address of the data controller or via the e-mail address hatter@hatter.hu, stating their postal address.
Users may object to the processing of their personal data and, in this context, may also request the correction and deletion of their personal data by writing to the postal address of the data controller or to the e-mail address hatter@hatter.hu.
The data controller does not carry out automated decision-making or profiling as part of its data processing.
8. Options for legal enforcement
We ask users to contact us if they believe that the data controller has violated their right to the protection of personal data so that we can remedy the possible violation. We hereby inform the users that they may assert their claim before a civil court (at their choice before the competent court of their place of residence or domicile), or they may also initiate proceedings before the National Authority for Data Protection and Freedom of Information (head office: 1055 Budapest, Falk Miksa utca 9-11; e mail: ugyfelszolgalat@naih.hu). The detailed legal provisions regarding this and the obligations of the data controller, are contained in Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and in Section 13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services.
If you have any further questions regarding personal data protection, please send them to the e-mail address hatter@hatter.hu or contact the Data Protection Officer of Háttér Society by e-mail (pfiszter.tamas@hatter.hu).
9. Clause
The data controller reserves the right to amend its data protection notice. This may occur in particular if the range of services is expanded or if this becomes necessary due to a change in legislation or an individual obligation. A change in data processing may not result in personal data being used for a different purpose. The data controller will publish the relevant information on its website 15 days in advance.
Last modified: November 14, 2023.
The sample data protection notice was provided to us by the Hungarian Civil Liberties Union.