PRIVACY POLICY
INFORMATION ON DATA PROCESSING RULES
Entered into force on the 1st of August 2023
1. INTRODUCTION
This Privacy Policy shall describe how we collect and process your personal data. It shall provide information on the purposes and the legal basis of the processing, the scope of the data to be processed, the identity of the data controllers and data processors, the duration of said processing, and your rights and remedies regarding data processing.
This Privacy Policy is designed to comply with the General Data Protection Regulation of the European Union, the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC) and Act CXII of 2011 on Freedom of Information, the Information Act.
We reserve the right to unilaterally amend this Policy at any time. Naturally, we will notify data subjects of any changes by publishing the amended Privacy Policy on hangveto.hu, mostmusic.eu, upbeat-platform.eu. By using the service after the amendment has come into force, the user accepts the amended Privacy Policy. The data will be treated confidentially and all security, technical and organisational measures will be taken to ensure the security of the data.
2. THE DATA CONTROLLER
Hangvető Zenei Terjesztő Társulás Kft.
Location: 1027 Budapest, Margit körút 62. V. 1.
Cg. 01-09-719984
Tel.: +361 209 8828
www.hangveto.hu
e-mail: hangveto@hangveto.hu
Hangvető Ltd. is mainly engaged in the organisation of folk and world music events, in the course of which it regularly contacts the artists and their managers, suppliers, co-organisers and sponsors. Regularly organised events are Budapest Ritmo Festival, Pont Festival, WOMEX The World Music Expo, Trilla Festival. HANGVETŐ Kft. is also engaged in the retail and wholesale of sound recordings, and in this activity, it also operates a webshop, where it interacts with suppliers and customers.
3. DATA PROCESSING
3.1. Processing of data in the case of event management activities
3.1.1. Artists
The extent of the data processed: artists wishing to perform at certain festivals usually contact us themselves, either by sending us an audio file or by providing a link to the audio file. We process the names of artists (or band members) who contact us, occasionally their manager, contact email address, telephone number, introductory material, images and audio recordings.
A document called Deal Sheet will be sent to the artists we wish to contract to perform at our event. The Deal Sheet will contain the following personal data: name of the artist, name of the company (address of registered office, tax number, company registration number) that represents the artist in the contracting process; name, e-mail address, telephone number of the person authorised to represent the artist; name, e-mail address, telephone number of the tour manager; names of other artists who will be performing in the show, and any food sensitivities of the artists (if catering is required). At the same time with the Deal Sheet, the artist will send, if necessary, additional information required for booking accommodation and purchasing flight tickets: name, address, date and place of birth, mother’s name, and passport number.
We record the artists’ performances at the events we organise, in the form of visual and/or audio material.
In all cases, we receive promotional materials and photos from the artists. These materials shall always include the name of the photographer who took the photos and the name of the editor who otherwise contributed to the production of the material, which will also be handled the same way as explained above.
The purpose of processing: for artists with whom we do not have a contract, do not perform at our events but request us to process their data, we store the material they provide as part of their application, in order to include them in our selection process for a future event, in the hopes that we will be able to contract them and keep in touch with them based on the contact details we have available.
For the artists to whom we send a Deal Sheet, the purpose of processing is to conclude the contract, the performance at the event, the adequacy of the catering service related to the performance (prevention of allergic reactions), flight tickets and accommodation reservations, contacting, coordination of organisational issues.
The visual and/or audio material of the artists’ performances is intended to be used for news coverage or other promotional purposes.
Promotional material is intended to promote the event and the performers to the public through publication.
Legal basis for processing: In the case of artists with whom we do not have a contract, the legal basis for data processing is the consent form received from the artists.
For the artists with whom we obtain a contract, the legal basis for processing their data is the conclusion and performance of the contract and our legitimate interest in complying with and verifying our legal obligations in relation to the contract concluded.
The legal basis for processing visual and/or audio material of the artists’ performances is the artists’ consent.
The indication of the names of the authors of said promotional material is also required by copyright law, so the legal basis for this processing in promotional material is the fulfilment of our legal obligations.
Transfer of data: The data of the performing artists will be transferred to the extent necessary to our partners involved in the organisation of the events: the accommodation organiser, the accommodation provider, the travel organiser, the airline, and the co-organiser. We will only transfer the data to our partners who provide sufficient guarantees to implement appropriate technical and organisational measures to ensure compliance of the processing with the requirements of the GDPR and to protect the rights of the data subjects.
Deadline for deletion of data: We will keep the data for as long as it is justified for accounting and tax procedure reasons, for 8 years after the completion of the last document (Section 169 (2) of the Act on Accounting). If a legal dispute arises in connection with the contract or its performance, the data will be kept for the duration of the legal dispute.
For artists with whom we have not concluded a contract, but who have consented to the processing of their data, the period of data processing is 3 years, expiring on 30 June of the 3rd calendar year following the date of receipt of the consent to the Privacy Policy by us.
3.1.2. The speakers and participants of conferences
The scope of the data processed: a Deal Sheet is sent to speakers and participants with whom we wish to contract to speak or participate in our conferences. The Deal Sheet will contain the following personal data: the name of the speaker, the name of the company (registered office, tax number, company registration number) that represents the speaker in the contracting process, the name of the person authorised to represent this company, e-mail address, telephone number. At the same time with the Deal Sheet, the speaker or participant sends, if necessary, additional information essential for booking accommodation and purchasing flight tickets: name, address, date and place of birth, mother’s name, and passport number.
Purpose of the processing: to organise the conference, and to present the speakers and participants.
Legal basis for processing: Our legal basis is the conclusion and performance of contracts with those performers and participants, and our legitimate interest in complying with, and proving our legal obligations in relation to the contract concluded.
Transfer of data: we will transfer the data of speakers and participants to the extent necessary to our partners involved in the organisation of the events: the accommodation organiser, the accommodation provider, the travel organiser, the airline, and the co-organiser. We will only transfer the data to our partners who provide sufficient guarantees to implement appropriate technical and organisational measures to ensure compliance of the processing with the requirements of the GDPR and to protect the rights of the data subjects.
The time limit for deletion of data: We will keep the data for as long as it is justified for accounting and tax procedure reasons, for 8 years after the completion of the last document (Section 169 (2) of the Act on Accounting). If a legal dispute arises in connection with the contract or its performance, the data will be kept for the duration of the legal dispute.
For artists with whom we have not concluded a contract but who have consented to the processing of their data, the period of data processing is 3 years, expiring on 30 June of the 3rd calendar year following the date of receipt of the consent to the Privacy Policy by us.
3.1.3. Suppliers, co-organisers
Scope of data processed: for suppliers and co-organisers with whom we work during our events, personal data processing is carried out by processing the names, e-mail addresses and telephone numbers of the contact persons and their contact details. Our suppliers are selected by invitation to tender or, failing that, by request for proposal, on the basis of the excellent cooperation we have experienced in the past.
Purpose of the processing: To liaise with our suppliers and co-suppliers through their designated employees in order to fulfil our contracts.
Legal basis for data processing: for suppliers and co-organisers with whom contracts are concluded, the legal basis for data processing is the contract itself and its performance, compliance with legal obligations related to performance, and the legitimate interest in the smooth and high-quality organisation of events and thus our professional reputation.
In the case of applicants who wish to become suppliers but with whom we do not have a contract, any personal data we may hold is based on the consent of the data subject.
Transfer of data: we do not transfer the contact details of our suppliers and co-organisers without their explicit and prior consent.
Deadline for data deletion: In the case of our suppliers and co-organisers with whom we have not concluded a contract, but who have consented to the processing of their data, the period of data processing is 3 years, which expires on 30 June the 3rd calendar year following the date of receipt of the declaration of consent to data processing by us.
3.1.4. Guests and invitees
Scope of data processed: we invite guests to our events, to whom we send personalised invitations. Such guests may be public officials or otherwise well-known persons, professionals, members of the press or partners of our company. We will store the following information about the invitee: name, company or institution, position held, telephone number, and e-mail address. The data of these persons can be found on the Internet, in the information material of the institutions that serve as their workplace, and in public promotional material handed out, as they are well-known persons whose aim is to be accessible.
Purpose of data processing: for representational purposes and to maintain good relations, we give persons who have some connection with our operations the opportunity to learn about our activities.
Legal basis for processing: We inform our invitees about the processing and draw their attention to the fact that they may object to the processing and request the termination of the processing, and the deletion of their data.
We do not transfer this data.
Deadline for deletion of data: the period of data processing is 3 years, which expires on 30 June of the 3rd calendar year from the date of the start of data processing.
3.1.5. Websites, newsletters
Scope of the data processed: on the website we operate, it is possible for interested parties to subscribe to receive our newsletter by providing their name and e-mail address.
Purpose of data processing: sending e-mail newsletters to interested parties about events and festivals organised by us. In the case of subscribing to the newsletter, we may send newsletters to subscribers at a frequency of our own choice.
Legal basis for processing: voluntary consent of the data subjects.
Transfer of data: the data will not be transferred, but may be contacted by the service provider operating our websites. Our newsletter database and the sending of newsletters are carried out by Mailchimp’s newsletter-sending service.
Deadline for deletion of data: the data provided will be processed until the data subject who has subscribed to the newsletter has unsubscribed and has prohibited the use of the data for this purpose. You can unsubscribe from the newsletter by clicking on the unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days of receipt of the request.
3.1.6. Online ticket sale
Scope of data processed: for some of our events, it is possible to purchase tickets online in advance. If the customer also requests a VAT invoice, we will also ask for the other data necessary for issuing the invoice (name, address, VAT number, and e-mail address of the customer to whom the invoice is issued). Failure to provide this information will result in the ticket sale being cancelled.
The purposes of the processing are: to ensure the provision of the online ticketing service on the website, to process the order, to document the purchase and payment, and to fulfil the accounting obligation. Furthermore, the purpose of the processing is to identify the user as a ticket purchaser and to fulfil the service ordered, to send the ticket and related notifications, to enable the payment to be processed via the payment service provider, and to comply with the rules for admission to the festival.
Transfer of data: the personal data provided when purchasing tickets online is also processed by our contractual partners providing the online shop service and online payment. These partners are Zászlóshajó Kft. (A38 – sales platform, located at 36/C Irinyi József u., 1117 Budapest), N-Ware Informatikai és Tanácsadó Kft. (Billzone – invoicing, located at 26 Gömb str., 1139 Budapest), Barion Payment Zrt. (online payment, located at 5. floor 5 of building I, Infopark sétány 1, 1117 Budapest).
Deadline for deletion of data: we will keep the data for as long as it is justified for accounting or tax procedure reasons, i.e. for 8 years after the last document has been completed (Section 169 (2) of the Act on Accounting). If a dispute arises in connection with the contract or its performance, the data will be kept for the duration of the dispute.
3.1.7. Registration
Scope of data processed: for some of our events, it is possible to pre-register for certain programmes. As such, we may have special events for which we may require registration data such as name and email address.
The purpose of data processing: is to pre-register for the advertised programme and to identify the registrant in order to participate in the selected programme.
Legal basis for the processing: to fulfil the contract for the organisation of the festival and our legitimate interest in fulfilling and proving our legal and contractual obligations in this respect.
Transfer of data: the personal data provided during online registration may also be processed by our contractual partners providing the online web service and those involved in the organisation of the event.
Deadline for deletion of data: data will be processed until the end of the programme to which the registration relates.
3.1.8. Course application
Scope of data processed: we organise courses which are available online or in person. When applying for our courses, we ask you to provide the following personal data: name, date and place of birth, mother’s name, e-mail address, telephone number, and address. If the applicant is a minor, we will also record the name, e-mail address and telephone number of the parent. If this information is not provided, it will not be possible to register for the course.
The purpose of data processing is to enable you to register in advance for the course, to keep a record of course participants and to contact them in order to complete the course.
Legal basis for processing: performance of the service contract for the course, our legitimate interest in fulfilling and certifying our related application and contractual obligations.
Transfer of data: personal data provided during online registration may also be processed by our contractual partners providing online web services.
Deadline for deletion of data: data will be deleted within 90 days of the completion of the course (including any continuation or other additional courses that the same student may wish to take) and the administration associated with the completion.
3.1.9. Data processing during the operation of the webshop
Our webshop is currently not in operation.
3.1.10. Cookie management on our websites
The following data are processed: ID number, date, time and the page previously visited.
In order to provide you with personalised service, we place a small data package, a so-called cookie, on your computer, which is read back by our system during a subsequent visit. If the browser returns a previously saved cookie, we have the option to link the user’s current visit to previous visits, but only for our own content.
For further details, please see our Cookie Policy at https://hangveto.hu/wp-content/uploads/2023/09/hangveto-cookie-policy-20230922.pdf
If you do not agree to our use of cookies, certain features will not be available to you. For more information on how to delete cookies, please click on the links below:
Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11
Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
Chrome: https://support.google.com/chrome/answer/95647?hl=en
The purpose of data processing is: to identify and distinguish users, identify users’ current session, store the data provided during the session, prevent data loss, identify and track users, to measure web analytics.
Legal basis for processing: voluntary consent of the data subjects.
4. DATA STORAGE, DATA SECURITY
Our computer systems and other data storage facilities are located at our headquarters, at our IT service providers and our data processors.
4.1. Paper documents
We have a large number of written, paper-based contracts. These are stored in folders in the office. Our more recent contracts and other documents are also stored digitally in a scanned form.
4.2. Musical material
We receive a large amount of musical material in the course of our activities. These are stored in our office on media, labelled and categorised.
4.3. Technical conditions
The IT tools used to process personal data in the provision of the service are selected and operated in such a way that the data processed:
a) is accessible to those authorised to access it (availability);
b) has its authenticity and authentication is ensured (authenticity of processing);
(c) its integrity is verified (data integrity);
d) is protected against unauthorised access (data confidentiality).
Appropriate measures will be taken to protect the data especially against unauthorised access, alteration, forward, disclosure, erasure or destruction, accidental destruction, damage or loss, and inaccessibility resulting from changes in the technology used.
We use Google Drive for all our work and to manage our documents and our daily work database. This ensures remote access to all our documents. Our documents are protected by Google’s system, including GDPR-compliant data protection. Our employees also work in the office via online access to Google Drive. Access to Google Drive is granted via a dedicated account to which individual access rights can be assigned. Our stored directory structure is backed up and stored on an external storage medium.
We provide our employees with a company mobile phone and a telephone number. Contact details of partners, customers and suppliers are stored on these phones. The phones are also used to view email accounts and for correspondence, so email addresses and data received via email are also processed in accordance with this Privacy Notice.
We do not use access control or camera surveillance systems.
The databases of the websites, the webshop and the newsletter are stored in the storage space of Websupport Magyarország Kft. (1132 Budapest, Victor Hugo utca 18-22.; www.websupport.hu). The Mailchimp system itself stores the data lists required for sending the newsletter.
5. THE RIGHTS OF DATA SUBJECTS
Data subjects have the right to access their personal data processed by us, i.e. they can request information, in particular, about the scope, purpose, duration, source and sharing of data and their data protection rights. The request for information is free of charge, but we are entitled to charge a fee for any further requests for information concerning the same data.
If the data we process is not accurate, the data subject may request that it be corrected. The data subject may also request the erasure of personal data we process or the restriction of our processing, provided that this is not restricted by law.
Where the processing is based on consent, the data subject may withdraw his or her consent at any time in the future.
As part of their right to data portability, data subjects may request that we provide them a copy (a machine-readable and a conventional format) of their personal data provided to us on the basis of their consent or processed for the performance of a contract, or that we transfer it to another controller upon their request.
The data subject has the right to object to the processing and use of his/her personal data in our legitimate interests.
The data subject has the right to file a complaint about our data processing. Complaints shall be sent to hangveto@hangveto.hu e-mail address. We shall respond to a complaint received as soon as possible but, in any event, within 30 days. Complaints may also be filed with the competent authority (National Authority for Data Protection and Freedom of Information, NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu) or with the competent court in the place of residence or domicile of the data subject.
The data protection policy of Hangvető Ltd. complies with the requirements of the GDPR.