Data Protection Regulation
European Transplant and Dialysis Sports Federation (ETDSF)
In the course of its activities, European Transplant and Dialysis Sports Federation (ETDSF)
(hereinafter referred to as: controller) considers the protection of personal data to be of particularly high importance. This data protection regulation has been created based on the Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as: Information Law), the purpose of which is to define the basic rules for handling data for the protection of the privacy of natural persons by data controllers, and the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter referred to as: Regulation), that applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
The controller assumes responsibility for handling the personal data provided to it at all times in compliance with applicable laws. Furthermore, it ensures data security, institutes the necessary technical and organizational measures and develops the procedural rules required to enforce the relevant provisions of law.
The controller summarizes in this regulation its policies regarding the data processing required for its activity and recognizes its content as binding upon itself.
The controller reserves the right to amend this data protection regulation after notifying the data subjects in advance.
The terms defined in the Regulation that are relevant to the present data processing:
„personal data”:
any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
„processing”:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
„restriction of processing”:
the marking of stored personal data with the aim of limiting their processing in the future;
„filing system”:
any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
„controller”:
any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
„processor”:
any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
„consent of the data subject”:
any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;
„personal data breach”:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
„genetic data”:
personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
„biometric data”:
personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
„data concerning health”:
personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
DATA PROCESSING PRINCIPLES
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject („lawfulness, fairness and transparency”);
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes („purpose limitation”);
- Personal data shall be adequate, relevant and limited to the purpose for which they are processed („data minimisation”);
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay („accuracy”);
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for no longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject („storage limitation”);
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures („integrity and confidentiality”).
The controller shall be responsible for, and be able to demonstrate compliance with the principles („accountability”).
THE PERSONAL DATA, THE PURPOSE OF PROCESSING, THE LEGAL BASIS AND PERIOD OF PROCESSING, THE SAFETY OF PROCESSING, THE RIGHTS OF THE DATA SUBJECTS AND THE ENFORCEMENT OF THESE RIGHTS
Processing shall be lawful only if and to the extent that the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The controller must be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Where a child is below the age of 16 years, processing of the personal data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health shall be prohibited. This prohibition shall not apply if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. The prohibition shall furthermore not apply if the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.
The data subject shall give his or her consent to processing in writing by filling out the Consent to processing form. Completion of this form is a prerequisite for applying for sports competitions organized by the controller. By completing this form the data subject gives consent to the processing of the following personal data in accordance with this regulation:
- phone number,
- e-mail address,
- date of birth,
- data concerning health,
- blood type.
Processing of the above data shall always be based on voluntarily given consent.
The controller shall take appropriate measures to provide all information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using a clear and plain language. The information shall be provided in writing or by electronic means.
The controller is entitled to keep the data of the data subject on its own server until the end of the program organized by the controller. The controller shall protect the data in particular from unlawful access, alteration, transfer, disclosure, erasure or destruction, and from accidental destruction and damage. After the closure of the program, the controller shall delete the data.
The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the right to lodge a complaint with a supervisory authority.
If the data subject requests, the controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing;
- the personal data have been unlawfully processed.
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. In such case the controller shall no longer process the personal data. When personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the processing requirements detailed above and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
The controller and the processor shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
In the event of an infringement of data protection rules committed by the controller, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, P.O. box 5.
Phone: +36-1-391-1400 Fax: +36-1-391-1410
DATA AND CONTACT DETAILS OF CONTROLLER
Name: European Transplant and Dialysis Sports Federation
Seat: 1146 Budapest, Ajtósi Dürer sor 25/A. fszt. 1.
Phone: +353 1 620 5306
Representative: Colin White - ETDSF Secretary