Privacy Notice of the Museum of Ethnography in connection with the data processing related to Archive of the Present

The Archive of the Present is a community project initiated by Museum of Ethnography, which collects and publishes photographs and personal stories from the 1990s to the present day on its website and social media platforms. Through this work, it contributes to contemporary research and the preservation of social and cultural heritage.

This Privacy Notice provides detailed information about the data processing activities carried out in connection with the Archive of the Present project, in accordance with the relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR).

Data Controller: Museum of Ethnography 

Seat: 1146 Budapest, Dózsa György str. 35.

Address: 1146 Budapest, Dózsa György str. 35.

Represented by: Dr. habil. Kemecsi Lajos Zoltán DSc director

E-mail: info@neprajz.hu

Phone: + 36 1 474 2100

Dr. Hegyi Áron Antal

Seat: 1071 Budapest, Damjanich str. 48.

E-mail: central@hegyiaron.hu

A. Personal data processed during user registration

During the data processing defined in Section A, the purpose of processing personal data is to enable the Data Controller to manage the personal data provided by the user for the identification of the data subject, to ensure communication, and to maintain the smooth operation of the services.

The legal basis for processing the personal data during user registration is the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).

The scope of the personal data processed by the Data Controller under Section A:
Name: the surname and first name provided by the data subject during registration
Email address: the email provided by the data subject during registration

Duration of data processing: until the withdrawal of consent, but no later than the completion of the Archive of the Present project.

As a general rule, the Data Controller does not transfer personal data to third parties, except when required by law or an official order. The data are used solely for the internal processes of the Data Controller and for the provision of services. Registration on the website can be completed directly or via a Google account; in the latter case, personal data are also shared with the hosting provider (Virgo Systems Kft.), acting as a data processor, and with Google LLC.

B. Data processing related to handling and publication of photos uploaded by the user

The purpose of the data processing defined in Section B is to collect and display photos uploaded by users within the framework of the Archive of the Present project, for the implementation of the community project.

The legal basis for the processing of personal data under Section B is the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR).

The scope of the personal data processed by the Data Controller under Section B:
The photo uploaded by the user, which may contain a personal image.

Duration of data processing: for the duration of the Archive of the Present project, but no longer than 15 years following the upload. After 15 years, the photos will be transferred to an archival repository.

The Data Controller does not transfer personal data to third parties, except where required by law or an official order. The Data Controller shares the personal data (photos) with the public through the www.jelenarchivumhu website and may also share them with social media service providers (Facebook, Instagram – META Platforms Ireland Ltd; YouTube – Google LLC). The photos uploaded to the website are also shared with the hosting provider (Virgo Systems Kft.), acting as a data processor.

C. Data processing related to handling and publication of stories shared (uploaded) by the user

The purpose of the data processing defined in Section C is to collect and display the stories uploaded by users within the framework of the Archive of the Present project, in order to implement the community project.

The legal basis for processing the personal data under Section C is the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR).

The scope of the personal data processed by the Data Controller under Section C:
The story uploaded by the user, which may contain personal data.

Duration of data processing: for the duration of the Archive of the Present project, but no longer than 15 years following the upload. After 15 years, the stories will be transferred to an archival repository.

The Data Controller does not transfer personal data to third parties, except when required by law or an official order. The Data Controller shares personal data with the public through the www.jelenarchivum.hu website and may also share them with social media service providers (Facebook, Instagram – META Platforms Ireland Ltd; YouTube – Google Ireland Ltd). The stories uploaded to the website are also shared with the hosting provider (Virgo Systems Kft.), acting as a data processor.

D. Data processing related to contact and responding to inquires

The purpose of the data processing defined in Section D is to enable the data subject to contact the Data Controller and to allow the Data Controller to respond to questions submitted through the contact details provided on the website, as well as to maintain communication with the data subject if necessary.

The legal basis for processing the personal data under Section D is the data subject’s voluntary consent (Article 6(1)(a) of the GDPR).

The scope of the personal data processed by the Data Controller under Section D:
Name, contact email address, mailing address, telephone number, and the content of the inquiry or request.

Duration of data processing: until the inquiry or request has been answered.

The Data Controller does not transfer personal data to third parties, except where required by law or an official order.

E. Use of cookies on the website

The Data Controller uses the following cookie on its website:

Name: CRAFT_CSRF_TOKEN

Description: A security token that protects against CSRF (Cross-Site Request Forgery) attacks. Its purpose is to prevent malicious websites from sending requests to the Data Controller as if they originated from the data subject, thereby protecting the website from fraudulent or unlawful requests. This cookie is set by the Craft CMS when the website is opened and is deleted immediately upon closing the website (session cookie). The cookie does not contain any personal data, does not identify the user, and is linked to the browsing session; however, it is essential for the proper functioning of the website.

The purpose of the data processing defined in Section E is to maintain the security and integrity of the www.jelenarchivum.hu website and its users (data subjects), protect personal data, and ensure information security (e.g., preventing unauthorized registrations, uploads, or requests) against CSRF attacks.

The Data Controller has a legitimate interest in ensuring the proper operation of the website, the protection of data subjects, and the prevention of unauthorized uploads. The legal basis for processing the personal data under Section E is the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR).

The scope of the personal data processed by the Data Controller under Section E: as a rule, no personal data are processed. However, certain data may be stored during the visit (e.g., IP address, start and end time of the visit, type and language of browser and operating system in some cases, device parameters, user-defined settings, and visited pages).

Duration of data processing: automatically deleted when each browsing session ends.

The Data Controller does not transfer personal data to third parties.

The current list of cookies can be checked in Google Chrome by clicking on “More tools” → “Developer tools” in the upper-right corner of the browser.

The Data Controller applies the following data security measures to protect personal data processed within the framework of the Archive of the Present project:

Data encryption: The Data Controller stores data in encrypted form to prevent unauthorized access.

Access permissions: Access to data processing systems is granted only to persons with the necessary authorization. In public social media groups (e.g., Facebook), only museum staff are allowed to upload or share photographs, and only those images may be shared for which the Data Controller has lawfully obtained the rights.

Secure storage: The Data Controller stores data on secure, protected servers to ensure their integrity.

Regular data backups: Personal data are regularly backed up by the Data Controller to allow recovery in the event of accidental data loss.

Supervision of external service providers: In all contractual relationships with external data controllers or data processors, the Data Controller ensures that they comply with data protection requirements.

Continuous monitoring: The Data Controller continuously monitors data processing activities and adjusts security measures as necessary.

Training and education: The Data Controller’s employees participate in training sessions to ensure compliance with GDPR requirements.

These measures guarantee the secure handling of personal data uploaded to the Archive of the Present.

The Museum of Ethnography does not use decision-making based solely on automated data processing, including profiling. Should the Museum of Ethnography introduce such automated decision-making procedures in the future, it will provide prior notification by email about the logic, methodology, and main principles applied, and will ensure that data subjects have the opportunity to request human intervention, express their views, or object to the decision made by the Museum of Ethnography.

Right to withdraw consent: The data subject has the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out before the withdrawal. Withdrawal of consent does not affect the legality of data processing based on consent before its withdrawal.

Right of access: The data subject has the right to obtain information about the personal data being processed, the purposes, legal basis, and duration of the processing, as well as about the recipients or categories of recipients who receive or have received their data and for what purpose.

Right to rectification: The data subject has the right to request the correction of inaccurate or incorrectly processed personal data.

Right to erasure (“right to be forgotten”): The data subject has the right to request the deletion of their personal data if such data are no longer necessary for the purposes for which they were collected, or if the processing is unlawful.

Right to restriction of processing: The data subject has the right to request the restriction of processing of their personal data, for example, if the accuracy of the data is contested by the data subject, if the processing is unlawful, if the Data Controller no longer needs the data, or if the data subject has objected to the processing.

Right to data portability: The data subject has the right to receive a copy of their personal data in a structured, commonly used, and machine-readable format, and, if technically feasible, to request the transfer of such data to another data controller.

Right to object: The data subject has the right to object to the processing of their personal data if it is carried out for direct marketing purposes or if the legal basis for the processing is the legitimate interest of the Data Controller. If the objection is upheld, the Data Controller must cease processing the personal data concerned.

In addition, the data subject has the right to lodge a complaint with

National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa str. 9-11.

www.naih.hu

Phone: +36 (1) 391-1400

Telefax:+36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

or to enforce their rights related to the processing of personal data before a court with jurisdiction and competence in accordance with Act CXXX of 2016 on the Code of Civil Procedure.

You can find the competent court at the following link:

https://birosag.hu/birosag-kereso

You may exercise the rights listed in this Privacy Notice at any time by contacting the Data Controller via email or in writing by other means. In connection with your request, you may be asked to identify yourself or to provide additional information relating to your person, which is necessary to verify your entitlement to exercise these rights.

You can contact the Data Controller using the contact details provided in Section 1.

Museum of Ethnography

Data Controller

Date of last modification: August 1, 2025.