For the users of Semmelweis University Alumni Platform (including Semmelweis University Alumni Staff)
According to Section 16 of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (InfoAct) and Article 12 (1) of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
Semmelweis University hereby inform the data subjects (alumnus - see Semmelweis University Organizational and Operational Regulations - and our student who will be graduate in the near future) about processing their data in the Semmelweis University Alumni System. The information about data processing is continuously available on the Semmelweis University ALUMNI website (semmelweis.hu/alumni).
Purpose of data processing:
Improving and facilitating communication and cooperation amongst Semmelweis University University and the members of the Alumni Community in particular with sharing information and news about Alumni card, events, benefits, discounts, activities related to alumni issues.
More particularly:
A.) In case of Semmelweis University graduates:
a) promoting lifelong learning, further training, and gaining knowledge for registered alumni within the framework of Semmelweis, following and supporting their careers and for providing on-demand support;
b) enabling Semmelweis University graduates with a high level of expertise to share their knowledge and experience on a regular basis with other alumni, current students and instructors;
c) preserving and continuously enhancing Semmelweis University’s national and international reputation and attractiveness both as a university and an Alma Mater;
d) draws attention to the trainings of Semmelweis University and maintaining the interest in it,
e) treasuring and increasing the value of the Semmelweis University degree;
f) for further development of training-education systems, research opportunities and methods;
g) assisting the work of teachers, students, researchers and providing the most effective, up-to-date, marketable knowledge for students;
h) supporting the study and research of talented students and researchers;
i) nurturing university traditions more widely and at a higher level;
j) giving information about all of these on a regular basis by means of continuous communication according to the spirit of Semmelweis;
k) collecting donations on a voluntary basis to foundations which actively cooperate with Semmelweis University;
l) recruiting volunteers and coordinating voluntary work for voluntary based organisations complying with the concept of Semmelweis University;
m) awarding honorary titles for outstanding performances, donations, and voluntary work complying with the concept of Semmelweis University;
n) providing space and framework for high quality external projects and developments complying with the concept of Semmelweis University, under continuous monitoring;
o) providing diverse communication opportunities for registered Alumni according to their interest.
B.) In case of Semmelweis University Alumni Staff: power to edit/moderate, check/verify eligibility
By registering members agree that their first name and family name, the start and end of studies (year), the faculty, degree and level will be visible for other members.
Which of your data are processed by the University?
A.) In case of Semmelweis University graduates
For the registration, the following data are required:
• first name, family name, date of birth (for identification)
• beginning of studies (year), end of studies or planned end of studies (year), faculty, department (to verify the relation to Semmelweis, and to find fellow-students more easily)
• e-mail address (for contacting)
During registration and at profile settings menu you can specify the following data according to your choice:
• address (to optimize news and send Alumni Card)
• in case of previously received degrees, the faculty, department and the beginning of studies (to find fellow students more easily and to optimize the news)
• the date of receiving degree/degrees (to request Alumni Card, to find fellow students more easily, to optimize the news)
• phone number (to contact)
• job, photo (these are recommended and important data for communication)
• preferences (to optimize the news)
B.) In case of Semmelweis University Alumni Staff:
first name, family name
email address and phone number (for contacting)
birth data (for identification)
The system automatically stores the date of registration. Password management is confidential, automated.
The privacy settings for your personal information will be available here after registration: alumni.semmelweis.hu/my-profile / preferences / confidentiality
Why do we process your data? (Legal basis (claim) of the processing of data):
GDPR Article 6 a) Because you have agreed to this by registering. You can withdraw your consent at any time (by deleting your registration). The withdrawal of consent shall not affect the legality of the data processing carried out on the basis of the consent prior to the withdrawal.
Who is the Data Controller and the Data Processor?
Data Controller:
Semmelweis University University
1085 Budapest, ÜllÅ‘i út 26.
Postal address: 1428 Budapest pf.: 2.
Telephone: +36-1-459-1500
Website: http://semmelweis.hu
Data Processor- Operator:
MEVIA 93-97 rue Eugene Caron, 92400 Courbevoie
mevia.fr and alumnforce.com, support @alumnforce.com
Duration of data processing:
Until withdrawal of consent.
Your rights: (detailed in the appendix of this privacy notice):
1. Transparent information, communication and modalities for the exercise of the rights of the data subject – You can ask for information concerning your data at any time;
2. Right of access by the data subject – You can access your data at any time;
3. Right to erasure (‘right to be forgotten’), right to restriction of processing – Did you find a mistake? Tell us, we will correct!
4. Information to be provided where personal data have not been obtained from the data subject – We inform you, if your data are forwarded;
5. Right to data portability (if we process your data on the basis of your consent/contract
the processing is carried out by automated means.) – if you need, we will give you your data;
6. Right to object - you can object, at any time to processing of your personal data ;
7. The right not to be subject to a decision based solely on automated processing, including profiling – tell us, if you are concerned!
8. The right to legal remedy: in the case of breach of your rights, you can turn to the data protection officer, to the National Authority for Data Protection and Freedom of Information, or you can file suit in court.
If you need legal remedy or you have questions, please turn to the :
Data Protection Officer of the University:
Dr. Trócsányi Sára
1085 Budapest, ÜllÅ‘i út 26.
Postal address: 1428 Budapest Pf.: 2.
Telephone: +36-1/224-1547
Website: https://semmelweis.hu/jogigfoig/adatvedelem-betegjog/
E-mail: jog@semmelweis-univ.hu
National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/c.
www.naih.hu
Tel.: +36-1-391-1400
The court:
You can file suit in court of the place of residence.
APPENDIX to privacy notice
Details concerning the rights of data subjects
For the purposes of this information sheet (and of GDPR), ’data subject’ shall mean a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly; ’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4. ff GDPR and Section 3. of InfoAct).
Rights of the data subject according to Chapter III. of the GDPR
1. Transparent information, communication and modalities for the exercise of the rights of the data subject;
2. Right of access by the data subject;
3. Right to erasure (‘right to be forgotten’), right to restriction of processing;
4. Information to be provided where personal data have not been obtained from the data subject;
5. Right to data portability (if we process your data on the basis of your consent/contract
the processing is carried out by automated means. );
6. Right to object;
7. The right not to be subject to a decision based solely on automated processing, including profiling;
8. The right to legal remedy: in the case of any breach of your rights, you can turn to the data protection officer of Semmelweis University University, to the National Authority for Data Protection and Freedom of Information, or you can sue a claim to the court.
You can read the explanation of the rights below:
1. Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12-14 of GDPR)
With this information sheet, the controller provides the information relating to processing to the data subject referred to in GDPR.
If the data subject asks, further detailed oral information can be given, if the data subject proves his or her identity.
2. Right of access by the data subject (Article 15 of GDPR)
The data subject have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Rectification and erasure (Article 16 of GDPR )
3.1. Right to rectification (Article 16 of GDPR )
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3.2. Right to erasure (‘right to be forgotten’) (Article 17 of GDPR )
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of GDPR, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of GDPR.
3.3. Right to restriction of processing (Article 18 of GDPR)
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) of GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. (Article 12.3 of GDPR)
4. Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 of GDPR)
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR Article 16, Article 17(1) and Article 18, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
5. Right to data portability (Article 20 of GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent or on a contract; and
(b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of this right shall be without prejudice to the right to be forgotten.
6. Right to object ( Article 21 of GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
7. Automated individual decision-making, including profiling (Article 22 of GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This provision shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
In this case, he data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
8. Legal remedy – alternative possibilities
8.1. Data protection officer (Article 24 of InfoAct, Article 39 of GDPR)
The data protection officer has to monitor compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits (Article 39 of GDPR)
Email: jog@semmelweis-univ.hu
8.2. Investigation of the National Authority for Data Protection and Freedom of Information (Article 52-58 of InfoAc), 57., 77. Article of GDPR
Any person shall have the right to notify the Authority and request an investigation alleging an infringement relating to his or her personal data or concerning the exercise of the rights of access to public information or information of public interest, or if there is imminent danger of such infringement.
The Authority may refuse the notification without examination thereof as to merits if the infringement alleged in the notification is considered minor, or the notification is anonymous. You can find further reasons for rejection in Section 53. of the InfoAct.
National Authority for Data Protection and Freedom of Information
1125 Budapest,
Szilágyi Erzsébet fasor 22/c.
www.naih.hu
Tel.: +36-1-391-1400
8.3. Right to an effective judicial remedy against a controller or processor (Section 22. Of InfoAct. Article 79 of GDPR )
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.