Privacy Policy
The Privacy Notice of
penzmuzeum.hu/en
1. General Information on Data Processing by MNB-EduLab Nonprofit Kft.
MNB-EduLab Nonprofit Kft. (hereinafter: “EduLab” or “Data Controller”) processes personal data obtained or recorded in the course of its activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”), as well as Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: “Infotv.”), as set out below.
Purpose and Scope of this Notice:
The purpose of this Notice is to set out the data protection and data processing principles, as well as the data protection and data processing policy applied by EduLab, which EduLab, as the Data Controller, acknowledges as binding upon itself. This Notice also provides information on the data processing activities carried out by EduLab — excluding certain employer-related data processing — the rights of data subjects in relation to such processing, and the available legal remedies.
By publishing this Notice, EduLab, as the Data Controller, informs data subjects of the general rules and conditions governing the processing of personal data.
Data Controller
MNB-EduLab Nonprofit Kft.
Registered seat: 1122 Budapest, Krisztina körút 6–8.
Customer Service: 1122 Budapest, Krisztina körút 6.
Phone: (+36 80) 203 776
Data Protection Officer
Dr. Márton András Homoki
Phone: +36 30 199 2248
Email: adatvedelem@penzmuzeum.hu
EduLab’s Data Processing Principles
Personal data processed by EduLab, whether within its organisation or through its systems, may only be processed in a lawful, fair, and transparent manner.
Data processing is considered lawful only if at least one of the legal bases set out in Article 6(1) of the GDPR is fulfilled.
Processing is deemed fair and transparent if data subjects are provided with clear, accessible, and comprehensible information regarding the ways in which their personal data are collected, used, accessed, or otherwise processed.
Personal data may only be processed for specific, explicit, and legitimate purposes, and must not be processed in a manner incompatible with those purposes.
Processing activities must be necessary and proportionate to the purpose for which the personal data are processed.
Personal data must be accurate, and any inaccurate personal data must be rectified without undue delay. All reasonable steps must be taken to ensure that personal data which are inaccurate, in relation to the purposes of the processing, are deleted or rectified.
Personal data must be stored in a form that permits the identification of data subjects only for as long as is necessary for the purposes for which the data are processed.
When processing personal data, appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
2. Data Processed by the Data Controller
This section provides information on the data processing activities that may concern natural persons who contact EduLab. The relevant categories of data processing are as follows:
In order to fully access and use the services of the penzmuzeum.hu website and mobile application (hereinafter: “Website”), users of the Website (hereinafter: “User”) are required to register. The Data Controller processes the personal data provided by the User during the registration process as set out below.
2.1. Data Processed During Visits to the Money Museum Website
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name | To enable EduLab to provide access to its online services, to make use of all functionalities available through the Website, to obtain feedback from data subjects regarding its core activities, and to ensure that all necessary information can be communicated to data subjects. In the case of technical data collected during visits to the Website, the purpose is to improve the quality of the service. |
The processing of personal data is based on the User’s voluntary consent, given with full knowledge of this Privacy Notice. |
For technical data collected during visits to the Website: for the period strictly necessary for the purpose, but no longer than two years. |
Email address | |||
Password | |||
In the case of group visits: job title, institution, and technical data collected during the visit |
2.2. Data Processed in Relation to the Money Museum Commemorative Coin Printing Service
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Image of the data subject (photograph) | To verify the appropriateness of the images/photos uploaded during the coin-printing process and to restrict the use of images/photos that do not meet content requirements. | The processing of personal data is based on the User’s voluntary consent, given with full knowledge of the information provided during registration. |
For images/photos that pass the content review: 30 days.
|
2.3. Use of the Chatbot
This Website uses Tidio, a chat platform that connects Users with the Data Controller’s customer service. When using the chatbot, only the User’s name is collected — and only with the User’s explicit consent — for the purpose of initiating the chat conversation. Messages and data exchanged during the chat session are stored within the Tidio application.
For additional information regarding Tidio, please refer to the Privacy Policy available on Tidio’s website.
The Data Controller uses the messages and data solely for the purpose of tracking and managing Users’ reported issues or inquiries.
Data Transfer:
For the operation of the chatbot, personal data are transferred to Tidio Poland Sp. z o.o., registered seat: Wojska Polskiego 81, 70-481 Szczecin, Poland.
2.4. Cookie Management on the Website
For information regarding the management of cookies, please refer to the following page:
https://www.penzmuzeum.hu/en/cookie-information/
2.5. Data Processed During Money Museum / EduLab Events
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
Full name |
The purpose of the data processing is to enable the registration required for the organisation of events, to identify the participants, and to maintain contact with the participants. |
The processing of personal data is based on the User’s voluntary consent, given in full knowledge of the information provided at the time of registration. |
For the period specified in the detailed information notice provided during registration. In the case of data used for communication purposes, for no longer than five years following the event |
Email address | |||
telephone number | |||
job title / position | |||
billing information | |||
the data subject’s image |
The taking of still and moving images; The use and publication of such still and moving images on the controller’s website, social media platforms, promotional materials and in the course of its tendering activities.
|
Until the data subject withdraws their consent to the processing of their personal data, and provided that the data subject does not request the erasure of their data, but in any event no later than three years from the date on which the Image was created |
2.6. Operation of security cameras
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
the data subject’s facial image | The purpose of the data processing is to establish the level of security required for the performance of tasks by the Money Museum as an institution, to protect the assets held at the Money Museum, and to safeguard the Museum’s property, as well as to ensure an appropriate level of occupational safety. For the protection of persons and property, the purpose is to detect violations, apprehend offenders, prevent unlawful acts, and facilitate the effectiveness of any necessary measures or investigative actions by providing access to evidence | During the operation of security cameras, the processing of personal data is based on the legitimate interests of the data controller in accordance with Article 6(1)(f) of the GDPR.
Where personal data is processed on the basis of legitimate interests, a balancing test is conducted, which involves:
- identifying and recording the legitimate interest;
- identifying and recording the interests and rights of the data subject;
- assessing the necessity and proportionality of the processing, in line with the principles of purpose limitation, data minimisation, and limited storage;
- informing the data subject about the outcome of the legitimate interests assessment.
| “For data recorded by surveillance cameras covering public areas: 3 days. For data recorded by surveillance cameras not covering public areas: 30 days. For data recorded by cameras installed in the processing rooms of the coin and banknote collection: 365 days. For data recorded by cameras operating in the research room: 365 days. If any procedural action is carried out using the recorded footage, the retention period of the data may be extended as necessary.”
|
recording of moving images |
Data transfer:
In the event of initiating official proceedings, data may be transferred to the competent authority.
2.7. Data processed in connection with the Money Museum/EduLab’s applications and educational activities
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
full name
| In the case of applications announced and scholarship programmes established by EduLab in line with its tasks, processing is carried out for the evaluation of applications, the awarding of scholarships, and, in the context of educational activities, for identification necessary to access the educational platform and for access to educational materials. | In carrying out its legally mandated tasks, EduLab processes personal data as follows: for the announcement and evaluation of applications and for the educational platform, based on the participants’ consent in accordance with Article 6(1)(a) of the GDPR; and for the accounting of paid fees, based on compliance with a legal obligation in accordance with Article 6(1)(c) of the GDPR. For registrants under the age of 16, processing is valid only with the consent of the parent or legal guardian of the data subject. | EduLab retains data in the case of study competitions until the evaluation of applications is completed, but no longer than the end of the subsequent financial year. In the case of scholarship programmes and other applications, data are retained for five years following the conclusion of the programme. For the educational platform, data are retained until consent is withdrawn. |
place and date of birth
| |||
address
| |||
email address
| |||
telephone number
|
Data transfer:
As specified at the time of programme announcement, data may be transferred to partner organisations and educational institutions.
2.8. Data processed in connection with the use of the webshop on the Money Museum’s website
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
username |
For the delivery of products purchased in the webshop, for communication during the ordering process, and for handling any complaints that may arise. | Based on the data subject’s consent in accordance with Article 6(1)(a) of the GDPR; for registrants under the age of 16, processing is valid only with the consent of the parent or legal guardian of the data subject. |
Until the withdrawal of registration/consent. |
email address | |||
date of birth | |||
telephone number | |||
delivery address |
Data transfer:
In the case of home delivery and invoicing, data may be transferred to the delivery company and to the company responsible for invoicing.
2.9. Data processed in connection with newsletter subscription
Personal Data | Purpose of Processing | Legal Basis | Retention Period |
full name
|
To send electronic newsletters from time to time regarding our services, current and upcoming exhibitions, events, and other news. | Based on the data subject’s consent in accordance with Article 6(1)(a) of the GDPR; for registrants under the age of 16, processing is valid only with the consent of the parent or legal guardian of the data subject. |
Until the data subject requests the deletion of their data or withdraws their consent. |
email address |
For the sending of our newsletters, we use the MailChimp online newsletter service operated by The Rocket Science Group LLC d/b/a MailChimp. In this process, the name, email address, and selected newsletter list data are transferred to The Rocket Science Group LLC d/b/a MailChimp.
The Rocket Science Group LLC d/b/a MailChimp is a company registered in the United States of America (USA) and has incorporated into its contractual terms the Standard Contractual Clauses approved by the European Commission for use between data controllers and data processors. Accordingly, the transfer of data to The Rocket Science Group LLC d/b/a MailChimp is carried out based on appropriate safeguards in accordance with Article 46 of the GDPR.
3. Data security measures:
The Data Controller undertakes to ensure the security of personal data and to implement the technical and organisational measures, as well as procedural rules, necessary to ensure that collected, stored, and processed data are protected, and to prevent their destruction, unauthorised use, or unauthorised alteration. The Data Controller also undertakes to require any third parties to whom data are transferred or disclosed, based on the Users’ consent, to comply with data security requirements.
The Data Controller ensures that unauthorised persons cannot access, disclose, transmit, modify, or delete the processed data. Data may be accessed exclusively by employees of the Data Controller and are not disclosed to any third party without authorisation.
The Data Controller takes all reasonable measures to prevent accidental damage or loss of data. This obligation also applies to employees involved in data processing activities.
The Data Controller does not collect any special categories of data, i.e., data revealing racial or ethnic origin, political opinions or party affiliation, religious or other beliefs, membership in trade unions or interest representation organisations, health status, addictions, sexual life, or criminal convictions.
In the event of a personal data breach, the Data Controller shall notify the supervisory authority without undue delay, and no later than 72 hours after becoming aware of the breach, except where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is not made within 72 hours, the Data Controller shall provide reasons for the delay.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall also inform the data subject without undue delay.
When informing the data subject about a personal data breach likely to result in a high risk, the Data Controller shall:
clearly and understandably explain the nature of the personal data breach;
provide information on the name and contact details of any other contact person who can provide further information;
outline the likely consequences of the personal data breach;
explain the measures taken or planned by the Data Controller to address the breach, including, where applicable, measures aimed at mitigating any potential adverse effects of the breach.
4. Details and contact information of the data processor
The Data Controller engages only such data processors who provide adequate guarantees for compliance with applicable data protection laws at all times, in particular ensuring the protection of the rights of data subjects, and who implement appropriate technical and organisational measures to safeguard personal data.
In the course of processing data on behalf of the Data Controller, the following partners act as Data Processors:
Name: The Rocket Science Group LLC (www.mailchimp.com)
Registered office: 675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, US
Categories of data transferred: name, email address
Purpose of data transfer: newsletter service”
Name: OTP Mobil Szolgáltató Kft.
Registered office: 1138 Budapest, Váci út 135-139, Building B, 5th floor
Categories of data transferred: name, email address, telephone number, billing information
Purpose of data transfer: payment service provider
Name: KBOSS.hu Kft. (számlázz.hu)
Registered office: 1031 Budapest, Záhony utca 7
Categories of data transferred: name, email address, billing information
Purpose of data transfer: issuance of electronic invoices
Name: Zengo Kft.
Registered office: 6721 Szeged, Szent István tér 10
Categories of data transferred: name, email address
Purpose of data transfer: registration
Purpose of engaging the data processor: To establish the level of security required for the performance of the Money Museum’s institutional tasks, to protect the assets held at the Money Museum and the Museum’s property, and to ensure an appropriate level of occupational safety.
5. Data transfer
By accepting this Privacy Policy, the User explicitly consents, acknowledging our data protection principles, to the Data Controller transferring data to service providers with whom it has a direct contractual relationship. Transferred data may be used by the relevant recipients solely for the performance of the contractual task and may not be retained for any other purpose or disclosed to any third party in any form.
Purpose of data transfer: to provide Users with personalised services, to optimise the services provided to them by the Data Controller’s partners, and to fulfil the contractual obligations of the Data Controller. Stored data will not be made accessible to any other third party except in cases defined by law (e.g., in the context of criminal proceedings) or for the fulfilment of EduLab’s contractual obligations.
In all cases, the specific purpose of processing is indicated at the relevant section.
6. Data Protection Officer:
The Data Protection Officer (DPO) performs the following tasks:
a) provides information and professional advice to the Data Controller or Data Processor, as well as to employees involved in data processing, on data protection matters;
b) monitors compliance with the GDPR and internal data protection policies, including the designation of responsibilities, raising awareness and training of employees involved in data processing activities, and conducting related audits;
c) provides professional advice, upon request, regarding data protection impact assessments and monitors their implementation;
d) cooperates with the supervisory authority;
e) acts as a point of contact for the supervisory authority on matters relating to data processing and, where applicable, engages in consultation on any other related issues.
7. User Rights
Upon request, the Data Controller shall provide the User with information regarding the personal data it processes, the source of such data, the purpose and legal basis of processing, the retention period, and—where personal data are transferred—the legal basis and recipients of the data transfer. Requests for information may be submitted by email to adatvedelem@penzmuzeum.hu or by post to MNB-EduLab Nonprofit Kft., 1122 Budapest, Krisztina körút 6., in both cases accompanied by proof of identity and a correspondence address. The Data Controller shall respond in writing within 30 (thirty) days from receipt of the request.
The User has the right to request the correction of their personal data (specifying the correct data) via adatvedelem@penzmuzeum.hu or by post to MNB-EduLab Nonprofit Kft., 1122 Budapest, Krisztina körút 6., in both cases with proof of identity and a correspondence address. The Data Controller shall promptly correct the data in its records and notify the User in writing upon completion.
Additionally, the User may request the deletion or restriction of the processing of their personal data at any time, free of charge, without justification, via adatvedelem@penzmuzeum.hu or by post to MNB-EduLab Nonprofit Kft., 1122 Budapest, Krisztina körút 6., accompanied by proof of identity and a correspondence address. Upon receipt of a deletion request, the Data Controller shall immediately terminate processing and remove the User’s data from its records.
Instead of deletion, the Data Controller shall restrict the processing of personal data if requested by the User. When processing is restricted, such personal data may only be processed—except for storage—with the consent of the data subject, for the establishment, exercise, or defence of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.
If the Data Controller does not comply with a User’s request for correction, restriction, or deletion, it shall provide written justification of the factual and legal reasons for refusal within 30 days of receiving the request. In such cases, the Data Controller shall inform the User of the possibility of judicial remedy and of lodging a complaint with the National Authority for Data Protection and Freedom of Information.
The User may object to the processing of their personal data:
where the processing or transfer of personal data is solely necessary for compliance with a legal obligation of the Data Controller or to safeguard the legitimate interests of the Data Controller, the recipient, or a third party, except where processing is mandatory;
where personal data are used or transferred for direct marketing, public opinion polling, or scientific research; and
in other cases provided by law.
The Data Controller shall examine the objection without undue delay, and in any event within 15 days of receipt, make a decision regarding its validity, and notify the User in writing. If the User disagrees with the Data Controller’s decision, or if the Data Controller fails to meet the above deadline, the User may bring the matter before a court within 30 days from notification of the decision or from the last day of the deadline.”
8. Legal Remedies
If, in your opinion, the processing of your personal data does not comply with legal requirements, you may initiate proceedings or bring the matter before a court.
In addition, anyone may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) to initiate an investigation, on the grounds that a violation has occurred or that there is a direct risk of violation in connection with the processing of personal data or the exercise of related rights.
Contact details of the National Authority for Data Protection and Freedom of Information (NAIH):
Postal address: 1363 Budapest, Pf.: 9
Office address: 1055 Budapest, Falk Miksa utca 9-11
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu”
9. Miscellaneous Provisions
This Privacy Policy is governed by Regulation (EU) 2016/679 (the ‘GDPR’), as well as by Hungarian law, in particular Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
The Data Controller reserves the right to amend this Privacy Policy unilaterally at any time, with prior notification to the data subjects.