Privacy Notice

(Last modified on: 2019)

Peter Karasz-Kiss photographer as data controller (hereinafter referred to as “Data Controller”) hereby notifies all persons visiting his website or photographed (hereinafter referred to as “Data Subject”, “You” or “Visitor”) on the personal data which are being processed by it, its practice followed when processing personal data, furthermore on the means and opportunities through which Data Subjects can exercise their rights.

The website which is available under the domain name of www.swdiary.com is the Data Controller’s own website.

The Data Controller acknowledges to be legally bound by the content of the present legal notice relating to the processing of personal data carried out within the framework of him photography activities. The Data Controller shall keep confidential and secure all personal data and shall carry out all the necessary developments and modifications, depending on changes in the legal and technical framework. The Data Controller reserves the right to modify the present Privacy Notice (hereinafter referred to as “Notice”) and  publishes the Notice in force on his website.

By using the website, the Visitor acknowledges the content of the Notice, therefore we ask you to read the notice carefully before using the Website.

1. DEFINITIONS

• “Data subject”: an identified or identifiable natural person based on any mode;
• “Personal data”: means any information relating to the data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her effigy, the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

• “Data processing”: means any operation or set of operations – irrespective the procedure applied – which is performed on personal data or on sets of personal data, whether or not by automated means, such as in particular recording, registering, organisation, collecting, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; as well as preventing their future use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, iris scans);
• “Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; makes and executes decisions concerning data processing or have it executed by a data processor;
• “Data transfer”: means ensuring access to the data for a third party;

• “Consent”: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• “Data process”: means performing technical tasks in connection with data processing

operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

• “Data Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

• “Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
• “Photo”: photography made by the Data Controller with his individual and original view, visualization, technical solutions.
• “Third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
• „Website”: www.swdiary.com 

  II.DATA CONTROLLER’S MAIN DATA AND CONTACT DATA

The owner and manager of the Website: Peter Karasz-Kiss photographer

Postal address: H-5600 Békéscsaba, Andrássy Street 51/A. 1/33.

1. E-mail: kkp@swdiary.com III.SCOPE OF DATA PROCESSING

On the Website exlusively that kind of photograpic works shall be displayed, which are reflect the Data Controller’s individual view, visualization, technical solutions. The Data Controller shall record and process personal data fairly manner. The Data Controller shall process personal data only for specified, explicit purposes. Personal data processed by the Data Controller shall be adequate, relevant and limited to what is necessary regarding the extent and duration of the processing. The processing of the personal data of a child below the age of 16 years, the consent shall be given or authorised by the holder of parental responsibility over the child.

1. PERSONAL DATA OF VISITORS OF THE WEBSITE

• Scope of processing: ID number, date and time of the visit, IP address of the Visitor’s computer at the time of visit.
• Purposes of processing: use of the Website, monitoring of the functioning of services in relation to visits to the Website, customized services, prevention of any misuse.
• Legal basis of processing: consent freely given by the Visitor based on Art. 6 (1) (a) of GDPR.
• Data Subjects concerned: visitors of the Website.
• Period for which personal data are processed, time limit for erasure: within 60 days of viewing the Website.

2. PROCESSING OF PERSONAL DATA RELATED TO PHOTOGRAPHY

• Scope of processing: effigy, name, e-mail address (which needs not to include any personal data), phone number.
• Purposes of processing: publishing the photos on the Website, performance of the license agreement, communication, artistic expression.     
• Legal basis of processing: consent freely given by the Data Subject based on Art. 6 (1) (a) or (b) of GDPR.
• Data Subjects concerned: natural persons visible in the photos, contractual partner.
• Period for which personal data are processed, time limit for erasure: until the Data Subject’s request for erasure. The Data Controller shall communicate electronically to the Data Subject the erasure of any personal data related to the Data Subject, in accordance with Art. 19 of GDPR. If the Data Subject’s request for erasure includes his or her e-mail address, the Data Controller shall erase, after sending the communication, the e-mail address as well.
• Identity of data controllers entitled to access to personal data, recipients of personal data: personal data shall be processed by the data controller. The Data Controller shall not disclose personal data, which are being processed by it, to third persons other than the data processor specified in the present Notice.

3. COMMUNICATION WITH CUSTOMERS

Should you have any question related to the activities of the Data Controller, you can contact the Data Controller by using the contact data indicated in the present Notice and on the Website, by filling the contact us form under the “Contact” menu item. The Data Controller shall delete all messages received, together with the sender’s name, e-mail address, date and time and other personal data disclosed in the message, at the latest after 2 years counted from the providing of such data.

IV.DATA PROCESSOR ASSIGNED

The Data Controller shall be entitled to assign data processors in relation to its activities. Data Processors shall record and process personal data which are given to them by the Data Controller and are being processed by them in accordance with the provisions of the GDPR, and they shall declare same to the Data Controllers. When operating IT systems, the Data Controller shall assign the following Data Processor: 

1. Hosting Service Provider
   1. Activity pursued by the Data Processor: hosting services
   2. Name and contact data of the Data Processor:

   Name: Viacom Informatikai Kereskedelmi és Szolgáltató Kft.

   Seat: H – 2225 Üllő, Gyár utca 8.

   Website: https://viacomkft.hu/

   3. Scope of processing: all personal data disclosed by the Data Subject.
   4. Purpose of processing: providing availability and appropriate performance of the Website. /Hosting services/
   5. Period for which personal data are processed, time limit for erasure: until the agreement concluded by and between the Data Controller and the Hosting Service Provider terminates, or until the Data Subject sends a request for erasure to the Hosting Service Provider.

   V. PROCESSING OF TECHNICAL DATA AND COOKIES

Technical data are data related to the computer used by the Visitor when logging in which are generated in the course of visiting and are recorded by the Service Provider’s system as an automatic result of technical processes, including but not limited to the date and time of visits, the IP address of the Visitor’s computer and the type of its web browser. Automatically recorded data are automatically logged at the time of signing in and signing out, without the Visitor’s specific declaration or act. Unless otherwise provided by law, these data shall not be combined with other personal data of the Visitors. The Data Controller shall have exclusive access to such data. In order to provide customized services, the Data Controller and the abovementioned third service providers place small files, each consisting of a sequence of characters, so-called cookies on the Visitor’s computer and read them back. If the web browser sends back a cookie that has been saved earlier, the service provider handling the cookie will be able to combine data relating to the Visitor’s current visit with earlier data, however, only in relation to its own content.

The following cookies are in use:

• Secure cookies;
• Temporary (session) cookies: these files are deleted automatically after the Visitor’s visit. These cookies serve the secure and effective operation of the Service Provider’s Website, i.e. they are essential for the proper operation of certain applications, as well as certain functions of the Website;
• Persistent cookies: these files are stored for a longer period by the web browser.  The exact period depends on the settings applied by the Visitor in his or her web browser.

A part of these cookies serve the secure and effective operation of the Data Controller’s Website, thus they are essential for the proper operation of certain functions of the Website and certain applications, while other cookies are placed in order to provide better customer experience (e. g. optimized web navigation).

The functions “Help” or “Settings”, which can be found on the menu bar of most web browsers, provide information to the Visitor, in respect of his or her own web browser, on

• how to ban cookies,
• how to accept new cookies,
• how to send a command to the web browser to set a new cookie, or
• how to disable other cookies.

Information on the processing of frequency visits to the Website and other independent measurement data is provided by the policies applying to such services. They are available at: www.google.com/analytics/; https://analytics.facebook.com/; https://analytics.twitter.com).

If the Visitor does not want the above data to be measured by the external service providers for the purposes and by the means detailed above, he or she shall install a browser extension blocking such measurements.

 VI. MEANS OF DATA PROCESSING

The Data Controller shall store the personal data provided by the Visitor for specified purposes. Processing of automatically recorded data serve the following purposes: compilation of statistics, technical development of the Website, protection of the Visitor’s rights. Statistical accounts shall not include, in any form, other data which can be used to identify the Visitor, thus it shall be considered neither as processing nor as transmission of data. The Data Controller shall not use the personal data disclosed for purposes other than specified in the present Notice, and neither shall it be entitled to do so. The Data Controller shall not disclose personal data, which are being processed by it, to third persons other than the Data Processors specified in the present Notice. Should You have any questions or problems related to the Data Controller’s activities, you may contact the Data Controller by using the contact data available on the Website. The Data Controller shall delete the received e-mails, together with the senders’ name, e-mail address and other personal data disclosed in the message, within 2 years counted from the disclosure of such data.

Information relating to any data processing which has not been mentioned in the present Notice shall be provided by the Data Controller when recording the respective data. The Data Controller shall be obliged, upon any authority’s exceptional request or the request of other entities authorised by law, to provide information, to disclose or transmit data, as well as to hand over documents. In such cases – if the requesting authority or entity has indicated the specific purpose and the scope of data – the Data Controller shall disclose personal data only if and to the extent that it is necessary to fulfil the purpose of the request.

 
VII. DATA SUBJECT’S RIGHTS RELATED TO THE DATA PROCESSING

1. Right to access – Data Subject shall be entitled to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information set out in the Regulation.
2. Right to rectification – Data Subject shall be entitled to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.
3. Right to erasure – Data Subject shall be entitled to obtain from the Data Controller the erasure of personal data – concerning him or her – including the edgy – without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the rounds applies set out in the Regulation.
4. Right to be forgotten – In the case that the Data Controller has made the personal data public and is obliged to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data processors that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
5. Right to restrict the processing – Data Subject shall be entitled to obtain from the Data Controller restriction of processing where one of the conditions applies of Art. 18 (1) of GDPR (the processing is unlawful, disputing the accuracy of the personal data).
6. Right to data portability – Data Subject shall be entitled to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
7. Right to object – Data Subject shall be entitled to object at any time to the processing of personal data concerning him or her.

Information request

Data Subject shall be entitled to request information at any time from the Data Controller relating to the processing of his or her personal data. The Data Subject may request access to, erasure or alteration of personal data, as well as restriction of the processing of personal data, portability of data, further he or she may object to any processing of data by the following means:

– by mail, under the address: H-5600 Békéscsaba, Andrássy Street 51/A. 1/33.

– by e-mail, to be sent to e-mail kkp@swdiary.com

Time limit for measures

The Data Controller shall inform the Data Subject in writing about the measures taken upon the above requests, without undue delay but at the latest within 30 days counted from the receipt of the request. If the Data Controller does not take measures upon the Data Subject’s request, it shall inform the Data Subject in writing, without delay but at the latest within one month counted from the receipt of the request, on the legal and factual grounds for rejecting the request, as well as on the possibility that the Data Subject may lodge a complaint with the competent competent Member State of Data Protection Authority or may seek judicial remedy.

VIII. COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT

The Data Controller shall communicate, in clear and plain language, the personal data breach to the Data Subject without undue delay, if the personal data breach is likely to result in high risk to the rights and freedoms of the Data Subject(s).

In the communication the Data Controller shall describe the nature of the personal data breach, the likely consequences of the personal data breach, as well as the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. The communication to the Data Subject shall not be required if any conditions of Art 34 (3) GDPR are met. E.g. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

IX. POSSIBILITIES OF ENFORCING RIGHTS

1. The Data Subject may send any observation relating to the processing of personal data concerning him or her to the Data Controller contact by mail, post detailed in point II above.
2. In case of the Data Controller’s infringement, a complaint may be lodged with the competent Member State of Data Protection Authority regard to Art. 56 of GDPR.
3. If the Data Subject’s rights have been infringed, the Data Subject may file a lawsuit against the Data Controller. The court shall hear the case as a matter of urgency.

X. MISCELLANEOUS PROVISIONS

1. The Data Controllers commits to secure personal data, to take all technical measures ensuring the protection of any personal data recorded, stored or processed, as well as to take all necessary steps to prevent the destruction, unlawful use or unlawful alteration of such data.
2. The Data Controller declares that circumstances set out in Art. 37 (1) of GDPR do not exist; therefore, no data protection officer has been designated.

When processing personal data, the Data Controller shall pay attention to proceeding in accordance with legal provisions in force relating to data protection, as well as in line with the well-established practice of the data protection authority. The Data Controller’s principles of data processing are in accordance with legal provisions in force relating to data protection, including but not limited to the Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The present Privacy Notice shall enter into force on 2019.