Art. 13
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
|
Art. 14
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
(c) the period for which the personal data will be stored;
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(f) the recipients or categories of recipients of the personal data;
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.
4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:
(a) at the time when the personal data are obtained from the data subject; or
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.
5. Paragraphs 1 to 4 shall not apply, where:
(a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.
6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.
8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
|
Art. 14
1. Where personal data relating to a data subject are collected from the data subject, the controller shall (...), at the time when personal data are obtained, provide the data subject with the following information:
(a) the identity and the contact details of the controller and, if any, of the controller's representative ; the controller shall also include the contact details of the data protection officer, if any;
(b) the purposes of the processing for which the personal data are intended (...) as well as the legal basis of the processing.
1a. In addition to the information referred to in paragraph 1, the controller shall at the time when personal data are obtained provide the data subject with such further information that is necessary to ensure fair and transparent processing (...) , having regard to the specific circumstances and context in which the personal data are processed:
(a) (...);
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the recipients or categories of recipients of the personal data;
(d) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;
e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data (...) as well as the right to data portability ;
(ea) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(f) the right to lodge a complaint to a supervisory authority (...);
(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the data and of the possible consequences of failure to provide such data ;
(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning (...) the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
1b. Where the controller intends to further process the data (...) for a purpose other than the one for which the data were collected the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 1a.
2. (...)
3. (...)
4. (...)
5. Paragraphs 1, 1a and 1b shall not apply where and insofar as the data subject already has the information,
6. (...)
7. (...)
8. (...)
|
Art. 10
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
|
No (special) provision under Hungarian law.
|
Rights of data subjects; enforcement
§ 15 Data Protection Act
(1) Upon the data subject’s request the data controller shall provide information concerning the data relating to him, including those processed by a data processor hired by the data controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, the circumstances surrounding the privacy incident, its impact, and the actions taken to rectify the situation, and - if the personal data of the data subject is made available to others - the legal basis and the recipients.
(1a) The data controller shall keep records - by way of an internal data protection officer where applicable - for the purpose of monitoring actions taken in connection with privacy incidents and for information of the public and of data subjects, containing the data subjects’ personal data, the data subjects involved and their number affected by the privacy incident, the time when the privacy incident took place, its circumstances and impacts, the actions taken to rectify the situation, and other data provided for in the legislation on data processing.
(1b) Data controllers falling within the scope of the Act on Electronic Communications shall be able to meet the obligation provided for in Subsection (1a) by way of maintaining an inventory of cases of personal data breaches in accordance with the Act on Electronic Communications.
(2) With a view to exercising communication control and for the information of the data subject, the data controller shall maintain a transmission log, showing the date of time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
(3) The duration of retention of the data referred to in Subsections (1a) and (2) in the records, and the duration of the ensuing obligation of information may be limited by the legislation on data processing. The above-specified period of limitation shall not be less than five years in respect of personal data, and twenty years in respect of special data.
(4) Data processors must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than twenty-five days.
(5) The information prescribed in Subsection (4) shall be provided free of charge for any category of data once a year. Additional information concerning the same category of data may be subject to a charge. The amount of such charge may be fixed in an agreement between the parties. Where any payment is made in connection with data that was processed unlawfully, or the request led to rectification, it shall be refunded.
|