Privacy notice

PRIVACY NOTICE

EXPO 2025 Hungary Non-Profit Ltd. (Company registration number:01-09-921721; VAT number:18089996-4-41, Registered office:H-1037 Budapest, Bokor utca 23-25., central e-mail address: info@osaka2025.hu, represented by: Ákos Kristó managing director, contact details of the data protection officer: Levente Papp, privacy@mtu.gov.hu, hereinafter: Company, Controller is committed to respect the privacy and right to the protection of personal data of the visitors to the Website (hereinafter: Data subjects) and to proceed in its operation in compliance with the EU Data Protection Regulation (hereinafter: GDPR, Regulation), the Hungarian Data Protection Act (hereinafter referred to by the Hungarian abbreviation as: Infotv.) and other legislation, guidelines and the established data protection practices, also taking into account the major international recommendations on data protection. 

The Controller considers the contents of this legal notice to be binding. It undertakes to ensure that the data processing related to its services meets the requirements set out in this notice and in all applicable legislation. The terms used in the Privacy Notice correspond to the terms defined in the Infotv. and the Regulation, and their interpretation.

THE PROCESSING ACTIVITIES OF THE COMPANY ARE IN COMPLIANCE WITH THE FOLLOWING LEGAL REGULATIONS ON DATA PROTECTION:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
  • Act V of 2013 on the Civil Code (hereinafter: ‘Civil Code’);
  • APPI Japanese Data Protection Act – the Act on the Protection of Personal Information (Act No. 57 of 2003) 

Personal data may be processed if, 

  • the Data Subject has given consent to the processing of their personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the Data Subject or other natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • is necessary for the enforcement of the legitimate interests of the Controller or a third party. 

PURPOSE OF THE PROCESSING 

The Controller may use the IP addresses of visitors for the following purposes:

  • to check the use and technical operation of the Website, to check the security and integrity of the Website and the business operation of the Company.

LEGAL GROUND FOR DATA PROCESSING

We process data related to, and ensuring, the secure technical operation of the website, including the IP address of visitors, on the basis of legitimate interests.

SCOPE OF PROCESSED DATA

During the operation of the Website, we process as technical data the IP address of each visitor’s (Data Subject’s) computer or mobile device and their approximate geographical location deducted from that; the type, features and version number of the operating system; the type and version number of the browser; the activity on the Website; the exact time of the visit; the time spent on the Website; the use of a function or service used on the Website and we may also create cookies on the Data Subject’s device.

RETENTION PERIOD OF THE PERSONAL DATA

We process log data related to, and ensuring, the secure technical operation of the website, including the IP address of each visitor, for one year.

RECIPIENTS OF PERSONAL DATA AND RECIPIENT CATEGORIES

The authorized users of the Controller and Processor companies engaged in partner relationships and customer services and, in the case of data relating to technical operation, the IT staff members.

PROCESSORS CONTRACTED BY THE CONTROLLER:

  • Hello Digital Studio Kft. (Registered office: H-1036 Budapest, Kiskorona utca 6. 8th floor. door 43.; company registration number: 01-09-426792)
  • Hosting service provider: Kinsta Inc. Attn: Privacy and Data Protection Team 8605 Santa Monica Blvd #92581 West Hollywood, CA 90069 United States of America (https://kinsta.com/)

USE OF COOKIES

Similarly to other commercial websites, the Company also uses the general technology known as cookies and webserver technical log files in order to obtain information about how the data subjects use the Website.

With the help of the cookies and webserver log files, the Company can monitor the visits to the Website and adjust its content to your personal needs.

A cookie is a small information package (file) which often carries an anonymized individual ID. When you visit a website, the website asks your computer to store that file in a part of the hard disc of your computer which is expressly used to store cookies.

Each individual website you visit can send a cookie to your computer if the settings of your browser allow it. However, in order to protect your data, your browser will only allow the particular website to access only the cookie that it sent to your computer, i.e., one website cannot have access to cookies embedded by other websites. In general browsers are set up to accept cookies.

However, if you do not wish to accept cookies, you can set up your browser to reject their acceptance. In that case, some components of the website may not function as effectively when you browse on it. The cookies cannot obtain other information from the hard disc of your computer and do not carry viruses. 

Our website uses the following types of cookies during its operation:

Cookies that are indispensable for the operation of the website and cookies saving the settings

Cookie IDCookie providerPurposeData processing time
CookieConsentMy cookiesThis cookie is responsible for saving the cookie settings in the pop-up window1 year
CrossConsentMy cookiesThis cookie is responsible for saving the cookie settings in the pop-up window1 year
wordpress_test_cookieMy cookiesPress room password required for accessDuring the visit
wp-postpass_*My cookiesPress room password required for access10 days
wp-wpml_current_languageMy cookiesDetermines the display language based on the visitor’s parameters.During the visit 
wp_langMy cookiesDetermines the display language based on the visitor’s parameters.During the visit
wpml_browser_redirect_testMy cookiesSaves the user’s preferred language on the website.During the visit
_icl_visitor_lang_jsMy cookiesSaves the user’s preferred language on the website.1 day

Statistical cookies

Cookie IDCookie providerPurposeData processing time
_ga_ga#Google AnalyticsAnonymous statistics2 years
_gat_gid1 day
_gat_gtag_*Google Tag ManagerAnonymous statistics1 hour

Further information: https://support.google.com/analytics/topic/2919631?hl=hu&ref_topic=1008008

Marketing cookies from third parties

Cookie IDCookie providerPurposeData processing time
More information on the full list:
https://business.safety.google/adscookies/
YouTubeCookies set by YouTube playerBased on the description in the link:
https://business.safety.google/adscookies/

How can I allow or block cookies?

You can adjust the settings in the pop-up window of the website and/or in the browser. As each

browser is different, the preferences and their deletion can be set individually, by using the

tools of the browser. For more information on those settings, visit the Help section of your browser or click directly on the links detailed below (Ctrl+left mouse click).

Link to the cookie settings guide of Microsoft.
Link to the cookie settings guide of Mozilla Firefox.
Link to the cookie settings guide of Google Chrome.
Link to the cookie settings guide of Opera
Link to the cookie settings guide of Apple Safari.

SECURITY OF THE DATA PROCESSED BY US

Our Company arranges for the creation of backups that are suitable according to the IT data and the technical environment of the Website. The backups are stored according to the criteria applicable to the retention period of the specific data, thereby guaranteeing the availability of data during the retention period, after which they will be finally erased.

The IT system and the integrity and operability of the environment storing the data are checked with advanced monitoring techniques and the required capacities are provided constantly.

The events of the IT environment are registered with complex logging functions, thus ensuring subsequent detectability and legal proof of any data breach.

We use a high broadband, redundant network environment to serve our websites, with which any load can be safely distributed among the resources.

The disaster tolerability of our systems is scheduled and guaranteed, and we use organizational and technical instruments to guarantee high-level business continuity and constant services to our users.

A key priority is the controlled installation of security patches and manufacturer updates that also ensure the integrity of our information systems, thus preventing, avoiding and managing any access or harmful attempt involving the abuse of vulnerability.

We apply regular security tests to our IT environment, during which the detected errors and weaknesses are corrected because enhancement of the security of our information system is a continuous task.

Our staff are also set high-security requirements, which also include confidentiality, and compliance with those is ensured through regular training. During our internal operation, we seek to use well designed and controlled processes.

Any personal data breach detected during our operation, or reported to us, is investigated transparently, alongside responsible and strict principles, within 72 hours. Any actual data breaches are all processed and recorded. 

During the development of our services and IT solutions, we arrange for compliance with the principle of installed data protection, as data protection is a priority requirement even in the design phase. 

HANDLING AND REPORTING OF PERSONAL DATA BREACHES

All incidents which result in the unauthorized processing or controlling of personal data, in particular unauthorized or accidental access, alteration, disclosure, erasure, loss or destruction of personal data processed, transferred, stored or processed by the Controllers, or in their accidental destruction or damage, are considered personal data breaches The individuals responsible for data protection immediately investigate the indicated or detected data breach then, within 72 hours of becoming aware of the data breach, make a proposal on the measures to be taken for the rectification and handling of the data breach.

The Controllers warrant that processing always complies with the effective legislation.

If the terms and conditions of processing change, the Companies will inform the Data Subjects of the amendments.

INFORMATION REGARDING THE RIGHTS OF THE DATA SUBJECTS
You have the following rights in relation to processing:
RIGHT TO TRANSPARENT INFORMATION:

You have the right to receive transparent information regarding the facts and information about the processing, prior to its start. One of the reasons why this Privacy Notice was created was to guarantee that right.

RIGHT OF ACCESS BY THE DATA SUBJECT:

The Data Subject has the right to receive feedback from the Controller as to whether or not their personal data are being processed and, if such processing is ongoing, the right to access that personal data:

• personal data and categories of personal data, purpose of processing;

• the recipients or categories of recipients to whom, or with whom, the personal data have been, or will be, disclosed by the Controller,

• the intended retention period of the personal data or, if that is not possible, the aspects of determining such a retention period; 

RIGHT TO RECTIFICATION:

The data subject may request the Company to rectify or supplement any inaccurately or incompletely recorded personal data. Prior to the rectification of any erroneous data, the Company may inspect the authenticity and accuracy of the data subject’s data.

RIGHT TO WITHDRAW CONSENT:

When processing is based on consent, the Data Subject may withdraw their consent at any time, though it shall not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.

RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’):

The data subject has the right to request of the Controller the erasure of their personal data without any unjustified delay and, upon receiving such a request, the Controller shall immediately perform the requested erasure. In the case of processing based on a legal obligation, you do not have that right

RIGHT TO RESTRICTION OF PROCESSING (RIGHT TO BLOCKING):

The Data Subject has the right to have the Controller restrict the processing upon their request in the following cases:

• the accuracy of the personal data is contested by the data subject, the restriction applies to a period during which the controller can verify the accuracy of the personal data;

• the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims,

• the Data Subject objected to the data processing; in such cases the restriction shall only apply to the time period necessary to determine whether the controller’s justified needs precede the needs of the data subject.

RIGHT TO DATA PORTABILITY:

The Data Subject shall have the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format, and the Controller shall have the right to transfer those data to another controller without hindrance from the Controller to which the personal data have been provided. The Data Subject shall have the right to data portability if:

• the processing is based on the data subject’s consent or consent to the processing of special categories of personal data for one or more specific purposes or a contract within the meaning of Article 6(1)(b) of the GDPR, and

• the processing is carried out by automated means.

RIGHT TO OBJECTION:

The Data Subject shall have the right to object to the data handling of their personal data at any time for reasons related to their situation, if the data handling is necessary for the performance of a task in the public interest or to perform a task in the exercise of official authority vested in the Controller, or the data handling is necessary to protect the legitimate interests of the Controller or of a third party Controller, also including profiling. In the case of an objection, the Controller shall not terminate the processing when that is justified by compelling legitimate reasons which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defense of legal claims. 

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING:

The data subject has the right to excuse themselves from the force of resolutions which are based exclusively on automated data processing (including profiling) and would have legal effect on them or would affect them in any other way to a similar extent. The Company does not use automated decision-making.

COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT:

When a potential personal data breach is likely to result in a high risk to your rights and freedoms, the Controller shall inform you of the personal data breach without any undue delay.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY:

If a Data Subject has any grievance regarding the processing of their personal data, in order to resolve the matter more quickly and efficiently they should contact the Controller and submit a request to exercise the respective data subject rights before filing a complaint. You have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data infringes the legal regulations on data processing.

National Authority for Data Protection and Freedom of Information

Registered office: H-1055 Budapest, Falk Miksa utca 9-11.

Postal address: H-1363 Budapest, PO Box: 9. 

Phone: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391 1400

Fax: +36 (1) 391-1410 

Official gateway: Short name: NAIH, KR ID: 429616918

E-mail: ugyfelszolgalat@naih.hu

RIGHT TO EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY:

You have the right to effective judicial remedy against a legally binding decision of the supervisory authority concerning you.

RIGHT TO EFFECTIVE JUDICIAL REMEDY AGAINST A CONTROLLER OR PROCESSOR:

Without prejudice to the right to lodge a complaint, the Data Subject has the right to effective judicial remedy by bringing a civil action, if they consider that their rights have been infringed as a result of the improper processing of their personal data. The case will be heard by the Budapest Capital Regional Court but the data subject may also choose to bring the case before the court competent at their place of residence.

HANDLING AND REPORTING OF PERSONAL DATA BREACHES

All incidents which result in the unauthorized processing or controlling of personal data, in particular unauthorized or accidental access, alteration, disclosure, erasure, loss or destruction of personal data processed, transferred, stored or processed by the Controller, or in their accidental destruction or damage, are considered personal data breaches. The individual responsible for data protection shall immediately investigate the indicated or detected data breach and then, within 24 hours of becoming aware of the data breach, make a proposal regarding the measures to be taken for the rectification and handling of the data breach.

The Controller warrants that processing always complies with the effective legislation.

If the terms and conditions of data processing change, the Company will publish the changed privacy policy on the Website.

This Privacy Notice is effective from 09.01.2024.