Privacy Policy

Privacy Policy

The Privacy Notice of


Our data protection and data processing principles are set out below, which we undertake to comply with.

Details of the Controller

Data controller is MNB-EduLab Kft. (“Controller”)


Registered seat:            H-1013 Budapest, Krisztina körút 55.

Represented by:           HERGÁR Eszter Márta managing director


Data protection officer

Name: Dr. DÁVID Péter

Email:   adatvedelem@mnb-edulab.hu

The Controller is responsible for preparing this Privacy Notice (hereinafter referred to as “Notice”) and ensuring that its provisions are complied with and controlled as well as for making any necessary amendments. This Notice as amended is accessible at the Controller’s registered seat and also at the website penzmuzeumpanoramaterasz.hu(hereinafter referred to as “Website”). The Controller informs the data subjects that the domainspenzmuzeumterasz.hu and penzmuzeumskybar.hu will automatically load the website under the domain penzmuzeum.hu/en

1. Data processed by the Controller on the website at penzmuzeum.hu/en operated by the controller

The Controller, on the Website it operates, performs the following types of processing concerning the users visiting the site (hereinafter referred to as “Data Subjects”):

Personal data

Purpose of processing

Legal basis

Duration of processing

Other personal data provided by the Data Subject in the text message sent by the Data Subject

·   communication, primarily with the purpose of informing the Data Subjects, swift and efficient handling of any issues that might arise;

·    providing information related to the services, carrying out informational tasks.

GDPR Article 6(1)(a) by sending their personal data, the data subject grants their consent for the processing thereof.

Controller shall process the personal data while the purpose of the processing exists, mainly for communication, for providing services, and until the Data Subject requests the erasure of their data or revokes their consent.

Data Subjects may only provide their own personal data. If they provide personal data other than their own, the provider of the data must obtain the data subject’s consent.

2. Accessibility of the personal data

Only the Controller shall have the right to access the personal data.

The Controller shall make every reasonable technical measure to ensure the safe storage of the Data Subjects’ data. The information generated when the data specified in clause 1. are submitted shall be processed by the Controller with utmost care, strictly confidentially.

3. Transmission of data

By accepting this Privacy Notice, the Data Subjects, in observance of the principles of data protection, expressly consent to the fact that Controller may transmit the data it has received to the service providers that it engaged through a direct contractual relationship. The data transmitted may only be used by any of the affected parties for the purpose of performing the contractual tasks, they shall not have the right to store such data for later use or disclose such data to a third party in any form whatsoever.

They shall not make the data stored accessible to any third party, except in the cases stipulated in law (e.g. in a criminal proceeding) or when performing the Controller’s contractual tasks.

The Controller does not forward any data during the operation of the Website.

4. Data and contact details of the processor

The Controller shall use only processors providing sufficient guarantees to comply with the provisions of the data protection regulations applicable to processing in effect at any given time, ensure the priority protection of the rights of the data subjects, furthermore, implement appropriate technical and organisational measures to protect the personal data.

The following partner will act as Processor during the processing for the Controller:

Name:                          Websupport Magyarország Kft.

Registered seat:            H-1132 Budapest, Victor Hugo utca 18-22.

Email:                           support@websupport.hu

The purpose of engaging the processor: Web hosting services related to the operation of the website at penzmuzeumpanoramaterasz.hu.

5. The rights of the Data Subjects

Upon the request of the Data Subjects, the Controller shall provide information on their data being processed by it, on the source of such data, the purpose, the legal basis and the duration of the processing, and furthermore—where the personal data of the Data Subject is transmitted—the legal basis and the recipient of the transmission. For information, write to adatvedelem@mnb-edulab.hu via email or send a letter to the following address: MNB-EduLab Kft. H-1013 Budapest, Krisztina körút 55., in both cases indicate your personal identity and postal address. The Controller will reply in writing within 25 (twenty-five) days upon receipt of your query.

The Data Subjects have the right to request the rectification of their personal data (by indicating the correct data) via email at adatvedelem@mnb-edulab.hu or by post at the following address: MNB-EduLab Kft. H-1013 Budapest, Krisztina körút 55., in both cases indicate your personal identity and postal address. The Controller shall, without delay, rectify the data in its records and notify the data subject of this fact in writing.

In addition to the above, the Data Subjects may at any time request the erasure or restriction of processing of their data via email at adatvedelem@mnb-edulab.hu or by post at MNB-EduLab Kft. H-1013 Budapest, Krisztina körút 55. free of charge, without explanation, by indicating their personal identity and postal address. Upon receipt of a request for erasure, the Controller shall, without delay, ensure that the processing is discontinued and erase the Data Subjects from its records.

The controller shall restrict the processing of the personal data instead of erasure if this is required by the Data Subjects. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the Controller fails to fulfil the Data Subjects’ request for the rectification, restriction of processing or erasure, it shall communicate the factual and legal reasons for rejecting the request for rectification, restriction of processing or erasure within 25 days of receipt of the request.

In cases where the request for the rectification, erasure or the restriction of processing is denied, the Controller shall inform the Data Subjects of the available legal remedies and the possibility of appealing to the National Authority for Data Protection and Freedom of Information.

The Data Subjects may object to the processing of their personal data,

·       where the processing or transmission of the personal data is necessary only for the purpose of fulfilling a legal obligation that the Controller is subject to, or for the purpose of pursuing the legitimate interest of the Controller or the recipient of the data or of a third party, except where processing is mandatory;

·       where the personal data is used or transmitted for the purposes of direct marketing, public opinion polls or scientific research; and

·       in other cases stipulated in law.

Data controller shall review the objection within the shortest possible time after the request has been submitted, but not later than within 15 days, and shall decide on the merits of the case and shall inform the requester of its decision in writing. If the Data Subjects disagree with the Controller’s decision, or if the Controller misses the above deadline, the Data Subjects—within 30 days of the date the decision has been communicated or the last day of the deadline—may turn to the courts.

6. Links

The Controller shall not assume any liability for the content, the data and information protection practices of the external websites accessible from the Website as a landing page. If the Controller becomes aware that a website to which a link it displays or the displaying of the link infringes upon the rights of third parties or the legal regulations in effect, it shall remove the link from the Website without delay.  

7. Data security

Controller undertakes to ensure the security of the data and to take the necessary the technical and organisational measures, and to create the procedural rules, that ensure that the data obtained, stored or processed are protected and it also undertakes to prevent the destruction, the unauthorised use and the unauthorised modification of the data. The Controller also undertakes to demand each third party to whom the data are transmitted or handed over based on the Data Subjects’ consent to fulfil the requirements of data protection.

The Controller shall ensure that no unauthorised parties shall have access to processed data, and that no unauthorised party can disclose, transmit, modify or delete the processed data. The processed data shall only be accessible to the Controller’s employees, and the Controller shall not reveal such data to any third parties who are unauthorised to access the data.

The Controller shall do everything in its power to ensure that the data are not damaged or destroyed even by accident. The Controller shall also ensure that all of its employees participating in data processing operations comply with the above obligation.

Under no circumstances shall the Controller collect sensitive data, meaning data that refer to racial origin, national or ethnic minority, political opinion or party affiliation, religious or philosophical beliefs, trade union membership or criminal convictions.

In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In the unexpected cases where the notification is not made within 72 hours, the Controller shall also indicate the reasons for the delay in the notification.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Controller shall communicate the personal data breach to the data subject without undue delay.

In the information provided to the data subject in connection with a personal data breach that is likely to result in a high risk the Controller shall:

·       communicate in a clear and comprehensible language the nature of the personal data breach;

·       communicate the name and contact details of the contact person providing further information;

·       communicate the likely consequences resulting from the personal data breach;

·       describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Legal remedies

The Controller shall do everything in its power to ensure that the personal data are processed in accordance with the legal regulations. If you believe it fails to do so, please, send an email to adatvedelem@mnb-edulab.hu or contact us by post at: MNB-EduLab Kft. H-1013 Budapest, Krisztina körút 55.

If you believe your right to protect your personal data has been infringed upon, you may seek legal remedy, in accordance with the legal regulations in effect, at the competent organisations

·       National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.)

·       or at the courts.

9. Miscellaneous provisions

This Notice is governed by the provisions of Regulation (EU) 2016/679 (“GDPR”) and the laws of Hungary, in particular, Act CXII of 2011 on Informational Self-Determination and the Freedom of Information.

The Controller maintains the right to unilaterally amend this Privacy Notice at any time, after informing the data subjects in advance.