1. Identity of the controller and place of processing

Name of the controller: National Media and Infocommunications Authority (hereinafter referred to as the “NMHH” or “controller”)

• registered office: 1015 Budapest, Ostrom utca 23-25.;
• tax number: 15775883-2-41;
• contact: sajto@nmhh.hu;
• telephone number: +36 1 457 7945;
• represented by: Dr. András Koltay President

The NMHH operates an internet information and assistance service (hereinafter referred to as “Internet Hotline”) in the framework of its public interest tasks pursuant to Sections 149/B–149/D of Act of 2003 on Electronic Communications (hereinafter referred to as the “Electronic Communications Act”) in order to promote the achievement of the public interest objective of safe internet use. For the performance of its tasks, personal data are processed by persons who have a civil service or other employment relationship with the NMHH and who may have access to the personal data to the extent necessary for the operation of the Internet Hotline.

2. Contact details of the Data Protection Officer (DPO)

• Address: 1015 Budapest, Ostrom utca 23-25.
• E-mail address: info@nmhh.hu

The DPO will assist with any questions or comments related to processing.

3. Purpose of the processing

The purpose of the processing is to operate the Internet Hotline in the framework of the non-authoritative activities regulated by the Electronic Communications Act in order to ensure the safe use of the internet, to protect minors, to increase awareness, to reduce violent, inciting or otherwise abusive internet content.

The assistance of the Internet Hotline can be requested for the following types of online abuse:

• content published without consent,
• child pornography,
• online harassment,
• racist content, content that incites hatred against a community,
• phishing content,
• content promoting or encouraging the use of illegal psychoactive substances,
• content inciting or promoting violent or illegal conduct,
• other content harmful to minors.

4. Legal basis of the processing

The processing is based on Article 6(1)(e) of the GDPR, as a public interest task of the NMHH, in particular in light of the provisions of Section 149/C of the Electronic Communications Act, according to which to the necessary extent the NMHH is entitled to process and transfer certain personal data that come to its knowledge on the basis of notifications pursuant to Section 149/B(5) of the Electronic Communications Act.

5. Categories of personal data concerned

Personal data relating to the notifier, if provided by the notifier, as well as the notified URLs, IP addresses, names included in the notification, online names, other identifying data, images, sound recordings, screenshots, website addresses, website names, usernames and passwords used to access the notified content, if they can be linked to an identified or identifiable natural person.

6. Recipients of personal data, categories of recipients

In the performance of its tasks, in accordance with the rules of procedure of the IH, the NMHH may disclose personal data to national or international bodies and organisations competent in the field of child protection and crime prevention, in particular:

• courts, prosecutors' offices, investigating authorities or the body conducting the preparatory procedure, and the national security service,
• INHOPE (International Association of Internet Hotlines) and its member organisations.

7. Period of storage of personal data

Pursuant to Section 149/C of the Electronic Communications Act, the NMHHH shall delete personal data from its records two years after the case has been closed, unless a different retention period is specified by law.

8. Main rights of the data subject in relation to processing

The data subject may, in connection with the processing, at any time:

• request information on the processing of his or her data,
• request access to data processed concerning him or her,
• request the rectification of incomplete data or the completion of inaccurate data,
• object to the processing of his or her data,
• request the restriction of processing.

On the basis of a request for information, the data subject may, unless it is restricted by a legitimate interest, find out whether his or her personal data are being processed by the controller and has the right to obtain information about the processing of data relating to him or her, in particular

• the purposes for which the controller processes them,
• what authorises the controller to process the data (legal basis),
• when and for how long the controller will process his or her data (duration),
• what data are processed by the controller and a copy of the data processed shall be made available to the data subject,
• the recipients of the personal data and the categories of recipients,
• transfer to a third country or international organisation,
• his or her rights as a data subject in relation to the processing,
• about his or her legal remedies.

The controller shall respond to requests for information and access within one month at the latest. The controller may charge a reasonable fee based on administrative costs for additional copies of personal data concerning the data subject that are requested.

In the case of a request for rectification (modification) of data, the data subject must substantiate the accuracy of the data requested to be modified and must also prove that he or she is the person entitled to request the modification. This is the only way for the controller to assess whether the new data is real and, if so, to modify the old data.

If it is not clear whether the data processed is correct or accurate, the controller will not rectify the data, but only mark it, i.e. indicate that it has been objected to by the data subject, but it may not be incorrect. The controller shall rectify inaccurate personal data or supplement the data concerned by the request without undue delay after confirming the authenticity of the request. The controller shall notify the data subject of the rectification or marking.

In case of a request for erasure or blocking of data, the data subject may request the erasure of his or her data, which means that the controller is obliged to erase the data relating to the data subject without undue delay if:

• the personal data have been unlawfully processed,
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
• the personal data are no longer necessary for the purposes for which they were processed,
• the controller is under a legal obligation to erase the data and has not yet done so.

The data subject may request the restriction of processing, which the controller will comply with where one of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to the processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of Article 6(1)(e) of the GDPR. In such a case, the controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

In addition to the above, the controller may order the data to be processed as confidential or is obliged to ensure that the data are processed as confidential. Such a legal provision is contained in Section 149/C of the Electronic Communications Act, which, in relation to notifying online abuse, allows the NMHH to treat the notification as confidential if the content of the notification is harmful to the public interest or to a legitimate private interest.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The controller shall inform the data subject in advance of the lifting of the restriction on processing.

If the data subject considers that the processing infringes the provisions of the GDPR or Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, or that the way in which the controller processes his or her personal data is prejudicial, we recommend that he or she should, in the first instance, contact the controller directly with the complaint. Your complaint will always be investigated.

If, despite your complaint, you are still dissatisfied with the way your data is processed by the controller, or you wish to contact the data protection authority directly, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu).

You have the right to apply to a court for protection of your data, which will rule on the matter as a matter of urgency. In this case, you are free to choose whether to bring your claim before the regional court (https://birosag.hu/torvenyszekek) of your domicile (permanent address) or residence (temporary address). You can find the regional court of your domicile or residence at https://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.