The purpose of this information notice (hereinafter referred to as „Information Notice”) is to set out the data protection and management principles applied by the Lexis Foundation (registered office: 2092 Budakeszi, Hársfa utca 12; registration number: 1400/Pk.60133/2002; hereinafter referred to as „Foundation”), as the owner of the website www.lexisalapitvany.hu, as the provider of the Foundation’s newsletter, which the Foundation, as the data controller, acknowledges as binding for itself in connection with the newsletter service, fundraising and the provision of support.
When drafting the provisions of the Information Notice, the Foundation has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.) and Act V of 2013 on the Civil Code (Civil Code Act).
The Foundation is the controller of your personal data, i.e. the Foundation is responsible for the lawful processing of your personal data. You can contact us using the contact details below:
The Foundation complies with the rules of data management in all respects, and the personal data it obtains in the course of its activities in connection with the programmes it organises, the tenders it invites, as well as personal data relating to its employees and all its staff and volunteers, shall be treated confidentially in accordance with the applicable legislation and shall not be disclosed or made available to third parties.
The Foundation shall process personal data lawfully and fairly and in a transparent manner for the data subject („lawfulness, fairness and transparency”).
Personal data shall be collected only for specified, explicit and legitimate purposes and shall not be processed by the Foundation in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) of the Data Protection Regulation (‘purpose limitation’).
The Foundation ensures that personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed („data minimisation”).
The Foundation shall ensure that personal data are accurate and, where necessary, kept up to date; it shall take all reasonable steps to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay („accuracy”).
Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data shall be kept for longer periods only if the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Data Protection Regulation, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of data subjects („limited storage”).
The Foundation processes personal data in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage („integrity and confidentiality”), by implementing appropriate technical or organisational measures.
The Foundation is responsible for compliance and must be able to demonstrate such compliance („accountability”).
1. To provide support for athletes, musicians, artists, Ukrainian refugees and people in need. Support for Hungarian small communities across the border, for those in need in Hungary, for small communities, in a non-political way.
2. The Foundation provides one-time support (in cash or in kind) up to the limit of an annual donation to persons in crisis situations, who may be able to solve their temporary problems in the long term with the help of this one-time support.
3. The Foundation will provide longer-term, target-driven support to help an applicant in a situation of social need or social protection to achieve its objectives. This may take the form of one-off or regular grants (cash, in kind), scholarships or long-term donations.
4. The Foundation is involved in the implementation of sports education and training programmes aimed at creating social outlets for individuals and small communities through education/education. In this context, the Foundation organises and finances programmes and invites applications from socially disadvantaged individuals with talent and excellence in their professional field.
5. indirectly, by promoting the values represented by the Foundation (such as community responsibility, selfless help to others), to identify and accept social and societal differences, to improve social sensitivity, to strengthen social involvement, to develop a future- and community-conscious and health-conscious mindset.
The purpose of the Foundation’s data processing:
The purpose of the Foundation’s data management is to maintain contact with the participants in the programmes organised by the Foundation, to fulfil the contractual obligations undertaken by the Foundation, to check compliance with the conditions of the application, to evaluate the applications received from the applicants, to contact the applicants, to contact the applicants, to deliver the grants to the beneficiaries, to check the use of the grants, publicising the results of programmes and applications, publishing the identity of the applicants, their applications, the amount of the grant awarded and the beneficiary’s report on the results of the grant in his/her later life on the Foundation’s website, in its reports, publications or otherwise in the Foundation’s exemplary programme.
Description of the processing scope, purpose of the processing
Donation:
Beneficiary data processing:
Duration of data processing
Description of the data processing scope
If you consent, your name will be listed on our website as a donor.
Legal basis and purpose of processing
The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.
Duration of data processing
We process your data until your consent is withdrawn.
Description of the data processing scope
Processing of data of applicants to the Foundation and other beneficiaries of the Foundation.
Legal basis and purpose of processing
The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.
We process personal and specific data:
(the processing of these data is essential for the assessment of need),
(the processing of these data is essential for assessing eligibility),
We will process it with your consent for the purposes of the grant, on the basis of the contract concluded and for the purposes of performance:
For all programmes and tenders for which the Foundation does not process special categories of personal data within the meaning of Article 9 of the Data Protection Regulation, the legal basis for the processing of personal data is Article 6(1)(b) of the Data Protection Regulation, which states that the processing of personal data is lawful if and insofar as it is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into a contract. For the purposes of this point, a grant application or application form sent to the Foundation constitutes a request by the Data Subject and a legal relationship between the Data Subject and the Foundation on the basis of an application or application for a grant decided by the Foundation, or a grant contract.
As a special category of personal data, the Foundation may, on a case-by-case basis, process Health Data in line with the purpose of the programmes and applications. In the case of any application for which the Foundation also processes special category personal data (Health data) pursuant to Article 9 of the Data Protection Regulation for the purposes of the stated processing purposes, the legal basis for the processing of the special category personal data processed is Article 9. In accordance with Article 9(2)(a) of the Data Protection Regulation and having regard to the authorisation granted to the Member States for sectoral legislation under paragraph (4), the legal basis for the processing of special category personal data is the consent of the Data Subjects, based on appropriate information, given voluntarily and with a clearly expressed will and in a manner that can be regarded as credible proof that a proper declaration has been made, in accordance with Article 4(3) of Act XLVII of 1997 on the processing and protection of personal data concerning health and related matters.
In all cases where the legal basis for the processing is the express written consent of the Data Subject, participants, applicants or third parties, when applying for or participating in a programme organised by the Foundation or submitting an application for a programme organised by the Foundation, give their express written consent, in a private document with full probative value, to the processing of their personal data by the Foundation to the extent and for the purposes described above.
If the Data Subject gives his or her consent in a written statement that also relates to other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language.
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed of this before consent is given. The Foundation shall make it possible to withdraw consent in the same simple way as it makes it possible to give it.
Where the applicant, programme participant or beneficiary is under 18 years of age, the processing of personal data of children is lawful only if and to the extent that the personal data have been provided by the person having parental authority over the child or have been authorised by the parent by giving consent.
Duration of processing:
The data of unsuccessful applicants and their parents/guardians will be deleted after 5 years following the admission procedure and will be kept confidential until then.
The data of beneficiaries will be processed until their consent is withdrawn.
Description of the data processing scope
On our website you can contact the Foundation via a form. The form will contain your name, email address, telephone number and the content of the message sent to us.
Legal basis and purpose of processing
The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.
Duration of processing
The only persons who have full access to the data we process, other than the auditing bodies, are the Founder, the Board of Trustees, the Supervisory Board and the employees of the Foundation who are bound by confidentiality.
Newsletter.
Donation. The scope of the data transmitted: surname, first name, country, telephone number, email address.
Purpose of the data transfer: customer service assistance to users, confirmation of transactions and fraud monitoring for the protection of users.
Beneficiary data management:
The register of beneficiaries allows for an anonymous professional and financial analysis of their data, grants, benefits, services, scholarships, and their use for planning purposes, while also allowing for the identification of all grants awarded to a specific person. It can also be accessed by the Foundation’s accounting service for the purpose of recording and later identifying the beneficiaries. The processing of grantee data is necessary for the purpose of accounting to the donors and for tax obligations. Where we use a tutor or volunteer to deliver the sessions, the beneficiary’s identification details, school grade and achievements during the period of the grant may be known to that person. If they specifically agree to this in the grant contract, we will publish photos and videos of children in our sessions or at events we organise on our website, Facebook page and publications. For media appearances (radio, television, written press, campaign films, posters and flyers), we ask for specific permission, declarations and consents.
As an employer, the Foundation processes personal data of persons in employment or other legal relationships with it (employee data) as labour data processing. Pursuant to the mandate for national sectoral legislation in Article 88 of the Data Protection Regulation, the Foundation may process personal data of employers only in the scope of the Act I of 2012 on the Labour Code (hereinafter referred to as the „Labour Code”), in particular with regard to the provisions of the Labour Code. 10 (1) and (3), and in compliance with further legal provisions on data processing and taking into account the guidelines of the supervisory authorities.
Purpose of processing:
The Foundation, as an employer/employee, processes the personal data of Data Subjects in order to fulfil the rights and obligations arising from the legal relationship with the employed persons and to fulfil other legal obligations applicable to this legal relationship.
We will delete the data after the contact has been established, unless a further contact is established which involves the processing of personal data, in which case we will provide you with further information on the processing.
Scope of data processed:
Personal data necessary for the purpose of the employment relationship, in particular: name at birth/last name, place/date of birth, mother’s name, tax identification number, social security number, pension fund number, health fund number, etc. membership, nationality, number of children, marital status, organisation, position, job title, degree of incapacity, legal working hours and working schedule, basic salary, basic allowances, allowances, supplements, fees, other allowances, amounts payable under a final court order (personal data of the beneficiary/obligor), bank account number, data required for the provision of occupational health care, occupational health classification data, working time data, on-call data, on-call data, absence data, study contract data, training costs.
Legal basis for processing:
With regard to personal data of employees processed as employers/employees, the legal basis for processing is Article 6(1)(b) of the Data Protection Regulation, which states that the processing of personal data is lawful if and insofar as the processing is necessary for the performance of a contract to which the data subject is a party or is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract.
The Foundation uses a data processor to carry out its accounting and payroll activities.
The rights and obligations of the data processor in relation to the processing of personal data are defined by the Foundation. The Foundation shall be responsible for the lawfulness of the instructions given for the processing operations. The processor shall be responsible for the processing, modification, deletion, transmission and disclosure of personal data within the scope of its activities and within the limits set by the Foundation.
The processor shall not use other processors in the performance of its activities. The processor shall not take any substantive decisions regarding the processing of personal data, shall process personal data of which it becomes aware only in accordance with the provisions of the Foundation, shall not process personal data for its own purposes and shall store and retain personal data in accordance with the provisions of the controller.
The data processor must report to the Foundation within 24 hours if he/she becomes aware of a data breach or of unauthorised access to personal data under his/her responsibility.
Purpose of data processing by the data processor:
Accounting, payroll activities related to the remuneration of employees/employees, performance of obligations towards the authority.
Scope of data processed:
Name at birth/last name, place/date of birth, mother’s name, tax identification number, social security number, pension fund number, health fund number, etc. Nationality, number of children, marital status, job title, degree of incapacity for work, legal working hours and working schedule, basic salary, basic allowances, allowances, supplements, fees, other allowances, amounts payable under a final court order (personal data of the beneficiary/obligor), bank account number, data required for the provision of occupational health care, data on the health classification of the occupation, data on the recording of working hours, data on standby duty, on-call duty, data on absence.
Data processing related to voluntary activities
The Foundation, as a host organisation, employs volunteers to carry out its tasks in the public interest in accordance with Act LXXXVIII of 2005 on Voluntary Activities in the Public Interest, in the course of which it processes personal data.
The purposes of the processing are: to identify the volunteer, to draw up a written contract for the performance of voluntary activities in the public interest, to keep a register of volunteers, to provide the possibility of contact necessary for the performance of voluntary activities, to comply with legal obligations related to employment.
Legal basis for processing:
The processing of the above personal data is necessary for the fulfilment of the legal obligation of the Foundation [Article 6 (1) (c) of the Data Protection Regulation] pursuant to Article 6 and 14 of Act LXXXVIII of 2005 on Voluntary Activities in the Public Interest and Article 169 of Act C of 2000 on Accounting. With regard to the personal data referred to in points 6 to 7, the processing is necessary for the performance of a contract to which the data subject is a party [Article 6(1)(b) of the Data Protection Regulation].
Purpose of processing:
Conclusion and performance of the contract
Scope of data processed:
Name, title of legal representative
Legal basis for processing:
Article 6(1)(b) of the Data Protection Regulation, processing is necessary for the conclusion and performance of a contract.
Purpose of processing:
Contacts in order to facilitate the performance of the contract
Data processed: name, position, telephone number, e-mail address, postal address of the contact person
Legal basis for processing:
Article 6(1)(f) of the Data Protection Regulation, processing is in the legitimate interest of the partner and the Foundation.
Processing of portrait photographs
The Foundation may, subject to the consent of the Data Subject at an event organised by the Foundation
Purpose of processing:
The purpose of data processing (a) is to document and support the Foundation’s activities in accordance with its basic objective as defined in its Statutes and to provide evidence to the public authorities.
The purpose of processing (b) is to provide information about the Foundation’s activities, to promote the Foundation’s activities in accordance with its basic purpose, to arouse sympathy for the Foundation, to deepen public trust and to strengthen the Foundation’s reputation.
Scope of data processed:
Legal basis for processing:
Article 6(1)(a) of the Data Protection Regulation, consent of the Data Subject.
Processing in relation to bulk photography.
The Foundation takes photographs at events organised by it, which are considered crowd shots according to Article 2:48 of the Civil Code, in which case the persons in the picture appear as a crowd in the picture. The Foundation publishes the photos on its website (www.lexisalapitvany.hu), keeps them and uses them as necessary to promote and justify the public benefit activity.
Purpose of processing:
To document and support the Foundation’s activities in accordance with its objectives as set out in its Statutes and, if necessary, to provide evidence to the authorities. In addition, the purpose of data processing is to provide information on the Foundation’s activities, to promote the Foundation’s activities in accordance with its objectives, to arouse sympathy for the Foundation, to deepen public trust and to strengthen the Foundation’s reputation.
Scope of data processed:
Mass survey with the participation of the Data Subject
Legal basis for processing:
Article 6(1)(f) of the Data Protection Regulation, processing is in the legitimate interest of the Foundation.
Such transfers take place in particular, but not exclusively, in the following cases:
by law, e.g. to tax authorities, social security bodies, other authorities, etc.;
In the cases provided for by law, the Foundation is obliged to transfer certain employment data to other Recipients (public authorities, courts, other public bodies), which, when processing the data transferred, act and are liable in accordance with the applicable legislation.
the transfer of data in the course of proceedings brought in order to protect the legitimate interests of the Foundation (e.g. in proceedings before public authorities, courts);
in the event of an emergency (e.g. fire brigade, ambulance service, mine police, mining authority, police, etc.) where the health or safety of an employee or other person is at risk.
We use data processors for the processing of data:
– Our website is operated by Megjelenésmentor Limited Liability Company.
For the purposes of monitoring the lawfulness of its data management activities and informing the Data Subject, the Foundation keeps a Data Management Register, which includes:
The Foundation shall keep a Data Protection Incident Register for the purposes of monitoring the measures taken in relation to the data protection incident and informing the Data Subject, in which it shall be mandatory to record all data protection incidents, with at least the following level of detail:
the scope of the personal data concerned,
the scope and number of data subjects affected by the data breach,
the date, circumstances, effects and consequences of the personal data breach
the measures taken to remedy it; and
other data specified in the legislation providing for the processing
The Data Processing Register and the Data Protection Incident Register shall be kept by the designated Data Protection Officer of the Foundation.
The data protection officer of the Foundation shall notify a data protection incident to the Authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to his or her attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
The obligation to register a personal data breach shall also apply where the personal data breach does not have to be notified to the Authority because it is unlikely to pose a risk to the rights and freedoms of natural persons.
If the notification is not made within 72 hours, the notification shall be accompanied by the reasons justifying the delay.
Requirements concerning the content of the notification:
describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data subjects affected by the breach;
the name and contact details of the contact person who will provide further information;
describe the likely consequences of the data breach;
describe the measures taken or envisaged by the Foundation to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
Where it is not possible to provide the information at the same time, it may be provided in detail to the Authority at a later stage without further undue delay.
The data processor shall notify the data protection incident to the Foundation without undue delay after becoming aware of it, and no later than 24 hours after becoming aware of it.
If the data breach is likely to result in a high risk to the rights of natural persons, the Foundation shall inform the Data Subject of the data breach without undue delay.
The Data Subject need not be informed if any of the following conditions are met:
the Foundation has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
the Foundation has taken additional measures following the data breach to ensure that the high risk to the rights of the Data Subject is no longer likely to materialise;
disclosure would require a disproportionate effort. In such cases, the Data Subjects shall be informed by means of publicly disclosed information or by means of a similar measure that ensures similarly effective information to the Data Subjects.
The Foundation appoints a Data Protection Officer to ensure the lawfulness of its data processing activities, subject to the requirements of the Data Protection Regulation.
The Foundation shall ensure that the DPO is involved in all matters relating to the protection of personal data in an appropriate and timely manner.
The Foundation shall ensure that the DPO shall not accept instructions from any person in the performance of his or her duties. The Foundation shall not dismiss or sanction the DPO in the performance of his or her duties. The DPO shall be directly accountable to the Foundation’s Board of Trustees.
Data Subjects may contact the DPO in all matters relating to the processing of their personal data and the exercise of their rights under this Regulation.
The Data Protection Officer shall perform at least the following tasks:
provide professional support in the performance of the obligations arising from the exercise of the data subject’s rights;
provide information and professional advice to the Foundation’s entities or to the data processor and to the staff carrying out the processing in relation to their obligations under the data protection provisions;
monitor compliance with the law and the controller’s or processor’s internal rules relating to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in data processing operations, and related audits;
carry out, upon request, a data protection impact assessment or provide technical advice on a data protection impact assessment and monitor the performance of the impact assessment;
cooperate with the Supervisory Authority; and
act as a point of contact with the Supervisory Authority on matters relating to data processing and consult it on any other matter as appropriate.
The Foundation is committed to improving the data protection awareness of its employees by organising mandatory training on the lawful and intended purpose of the processing of personal data, the need to protect and store accurate and up-to-date information, and the confidentiality of data accessible by employees.
Authorised users shall comply with the provisions of this Code and the Foundation shall take appropriate labour law measures in accordance with the applicable legislation if access to, processing or use of personal data is incompatible with the requirements of this Code.
During the period of processing, you have the following rights under the Regulation:
If you wish to exercise your rights, this will involve identifying yourself and we will need to communicate with you. Therefore, in order to identify you, you will be required to provide personal data (but identification will only be based on data that we already process about you) and your complaint about the processing will be available in our email account for the period of time specified in this notice in relation to the complaint. We will respond to complaints about processing within 30 days at the latest.
Right to withdraw consent
You have the right to withdraw your consent to data processing at any time, in which case the data will be deleted from our systems.
Access to personal data and information
You have the right to receive feedback as to whether your personal data is being processed and, if it is being processed, the right to:
have access to the personal data processed; and
inform you of the following information:
the purposes of the processing;
the categories of personal data processed about you;
information about the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed;
the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
your right to request the rectification, erasure or restriction of the processing of personal data relating to you and, in the case of processing based on legitimate interests, to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data have not been collected from you, any available information about their source;
the fact of automated decision-making (if such a process is used), including profiling, and, at least in these cases, clear information on the logic used and the significance and likely consequences for you of such processing.
The purpose of exercising the right may be to ascertain and verify the lawfulness of the processing, and we may charge a reasonable fee for providing the information in exchange for repeated requests for information.
Access to your personal data will be ensured by sending you, by email, the personal data and information processed after you have been identified. Please indicate in your request whether you want access to the personal data or information about the processing.
Right to rectification
You have the right to have inaccurate personal data relating to you corrected without delay at your request.
Right to restriction of processing
You have the right to restrict processing at your request if one of the following conditions is met:
You contest the accuracy of the personal data, in which case the restriction applies for the period of time that allows us to verify the accuracy of the personal data, if verification is not necessary, no restriction will be applied;
the processing is unlawful and you oppose the erasure of the data and instead request a restriction of their use;
we no longer need the personal data for the purposes for which they are being processed but you require them for the establishment, exercise or defence of legal claims; or
you have objected to the processing, but we may have a legitimate interest in the processing, in which case, pending a determination of whether our legitimate grounds override your legitimate grounds, the processing should be restricted.
Where processing is restricted, such personal data, other than for storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
You will be informed in advance (at least 3 working days before the restriction is lifted) of the lifting of the restriction on processing.
Right to erasure – right to be forgotten
You have the right to have your personal data erased without undue delay if one of the following grounds applies:
the personal data are no longer necessary for the purposes for which they were collected or processed;
You withdraw your consent and there is no other legal basis for the processing;
You object to the processing based on legitimate interests and there is no overriding legitimate ground (i.e. legitimate interest) for the processing,
the personal data have been unlawfully processed and this has been established on the basis of the complaint,
the personal data must be erased in order to comply with a legal obligation under EU or Member State law applicable to us.
If we have disclosed personal data we hold about you for any lawful reason and we are required to delete it for any of the reasons set out above, we will take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform other data controllers that you have requested the deletion of links to or copies of the personal data in question. As a general rule, your personal data will not be disclosed.
Erasure does not apply where the processing is necessary:
for the exercise of the right to freedom of expression and information;
to comply with an obligation under Union or Member State law to which we are subject to process personal data or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
for the establishment, exercise or defence of legal claims.
Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data on the basis of legitimate interests. In this case, we may no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Right to portability
If the processing is necessary for the performance of a contract or is based on your voluntary consent, you have the right to request that the data you have provided to us is provided to you in a machine-readable format, which we will make available to you in xml, JSON or csv format, and if technically feasible, you may request that we transfer the data in this format to another controller.
Remedies
If you believe that we have violated a legal provision applicable to data processing or have not complied with a request, you may initiate an investigation procedure with the National Authority for Data Protection and Freedom of Information to stop the alleged unlawful processing.
Contact details of the National Authority for Data Protection and Freedom of Information:
Postal address.
E-mail address: ugyfelszolgalat@naih.hu
Phone number: +36 1 391 1400
Fax number: +36 1 391 1410
For more information on data protection issues, please visit the Authority’s website: https://naih.hu/
You are also informed that you can bring a civil action before a court.
In the operation of our IT systems, we will ensure that your data cannot be accessed, deleted, modified or deleted from the system by unauthorised persons, by means of the necessary access control, internal organisation and technical solutions. We also enforce data protection and data security requirements with our data processors. We keep records of any data breaches and, where necessary, we will inform you of the incident.
We reserve the right to amend this privacy notice in a way that does not affect the purpose and legal basis of the processing. If, however, we intend to carry out further processing of the data collected for purposes other than those for which they were collected, we will inform you of the purposes of the processing and the information below before carrying out the further processing:
the duration of the storage of the personal data or, if this is not possible, the criteria for determining the duration;
the right to request access to, rectification, erasure or restriction of processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of personal data and, in the case of processing based on consent or a contractual relationship, to request the right to data portability;
in the case of processing based on consent, that you may withdraw your consent at any time,
the right to lodge a complaint with a supervisory authority;
whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for entering into a contract, whether you are under an obligation to provide the personal data and the possible consequences of not providing the data;
the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information about the logic used and the significance and likely consequences for you of such processing.
The processing may only start after this, if the legal basis for the processing is consent, and you must consent to the processing in addition to being informed.