SzikApp

Privacy Policy

1. Contact information of the Data Controller

Name: Saint Ignatius Jesuit College of Advanced Studies
Representative: Nevelős Gábor SJ, rector
Address: 1085 Budapest, Horánszky utca 18.
Tax number: 18217995-1-42
Contact: iroda@szentignac.hu

2. Purpose and Scope of the Privacy Policy

What is the purpose of this document?

The purpose of this document is to ensure the application of the principles of data protection and the requirements of data security with regard to the data managed by Szent Ignác Jesuit College as a data controller. It also aims to inform those individuals who are affected by the data processing of the SzikApp application developed by Szent Ignác Jesuit College on how their personal data is handled.

What qualifies as personal data?

Personal data means any information relating to an identified or identifiable natural person (in other words, the data subject, such as yourself), such as name, address, contact details, areas of interest, etc.

- We speak of an identified person when the data controller has determined who the person is based on the information.
- However, a person is identifiable if they can be directly or indirectly identified, particularly by reference to an identifier (such as name, identification number, factors related to their intellectual, economic, cultural, or social identity).

What does this document cover?

This statement applies to all data processing carried out by the data controller in the operation of the SzikApp application. Therefore, this document informs individuals affected by data processing about the actual data processing carried out by the data controller in accordance with the principles of data protection and data processing considerations.

3. Principles of Data Management

The data controller carries out data processing in compliance with the following principles:

- Principle of lawfulness, fairness, and transparency: The processing of personal data must be done in a lawful and fair manner, and in a transparent manner for the data subject.
- Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and not processed in a manner that is incompatible with those purposes.
- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and kept up-to-date.
- Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: The Data Controller is responsible for ensuring and being able to demonstrate compliance with the above principles and requirements.

The above principles are only excerpts of the principles of data protection, as we do not want to burden you, as the data subject, with overly detailed paragraphs. Therefore, if you would like to learn more about these principles in detail, you may want to consult their source (i.e. GDPR).

The data controller's primary objective is to carry out data processing in such a way that it fully complies with the data protection requirements set out in the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.) by the state of Hungary and the Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

4. Data Management

This document provides appropriate information on the following data processing in accordance with the provisions of the Data Protection Act and the GDPR, as well as the relevant NAIH resolutions:

- Use of the SzikApp application

Section 5 of this document and the attached table provide transparent information on these processes. This table will help you to fully understand the legal basis of the processing, the source of the data and the duration of the processing.

5. Detailed Description of the Data Management

The data controller informs the data subjects in more detail about the data processing set out in point 4 above.

Use of the SzikApp application

What kind of data processing is carried out?

The SzikApp application developed and operated by the Data Controller is a regular application available on the Android, iOS and web platforms. The application

- can be used without registration;
- does not require logging into the system for use, but after registration and login, a wider range of functions become available to the user;
- the majority of its content can be browsed without providing personal data;
- its basic functionality does not require the provision of personal data by the users;
- its additional functionality requires the user to authenticate using Google or Apple Single Sign-On services. That is, the user must log in using their personal Google or Apple account.
- during further development of the application, relevant anonymous information (e.g. anonymous usage statistics) is stored.

What is the purpose of the app?

The purpose of the application is to provide an easy connection for supporters of the College of Advanced Studies and for those interested in the activities of the college to its programs and events; to provide communication opportunities to the college's alumni and supporters; and to offer internal members functions that facilitate and make administration more convenient.

How can the app be used?

The application becomes available for use by downloading it to a mobile phone. The interface consists of various sub-pages that can be navigated through. The main screen of the application displays the most important highlighted events and, if logged in, notifications and profile highlights. All functions can be easily accessed from the menu, but the number of menu items and, therefore, the number of additional features available varies depending on the user's membership status (unregistered user, registered guest, registered user with a membership, tenancy or employment relationship with the Collegium).

The main functions can be viewed without logging in, in which case no personal data is collected from users, only anonymous usage statistics, which do not allow the identification of individual users.

For menu items accessible after logging in, the application requests the user's clear consent in a pop-up window to the processing of the data necessary for the proper functioning of these functions, before the user logs in.

Detailed information about the data stored about logged-in users can be found in the attached table.

What is the legal basis for processing my data?

The legal basis for data processing is always the user's consent, which can be given upon logging into the application. After downloading the app, you will be greeted by a few static screens that provide information about the application. Then you can reach the screen where you can log in. Here, you must declare that you have read the privacy policy and the terms of use, and consent to the data processing described therein. Unfortunately, without this, we cannot allow the use of certain functions of the application.

How long will my data be kept?

For guest users (not in a legal relationship with the College), the personal data required for using the application with login is kept until deletion upon the user's request. The request for deletion can be made through the 'delete account' menu option.

For users who are in a legal relationship (membership or membership-like relationship, or employment relationship) with the College, the personal data required for using the application with login is kept until deletion upon the user's request, but no longer than 3 years following the termination of the user's legal relationship with the Data Controller. The request for deletion can be made through the 'delete account' menu option.

What measures are taken to ensure data security?

During the development process, information security and data protection experts were also involved, who ensured that the protection of personal data possibly processed by the application was taken into account.

6. Data Transfers

When we transfer data, we ensure that the requirements specified by law are met, namely:

Before the transfer of personal data, the Data Controller, or the data processor acting on their behalf or under their instructions, examines the accuracy, completeness, and up-to-dateness of the personal data to be transferred. If the data controller receives personal data under a legal obligation arising from a law, an international agreement, or a mandatory legal act of the European Union, the data controller or data processor transferring the data shall, at the same time as the data transfer, indicate the possible purposes, duration, recipients, restrictions on the data subject's rights provided for in the relevant legislation, or other conditions of the data processing. The data processor receiving the personal data shall process the personal data to the extent and in the manner provided for in the data processing conditions, and shall ensure the data subject's rights in accordance with the data processing conditions.

7. Data Processors

Only those who have a specific relationship with the data controller (such as membership or employment) can access the personal data provided by users and automatically collected technical data. Access to this data is strictly based on the explicit authorization of the data controller.

As a data processor for automatically generated data, Google Firebase has access as the application's development platform. With regard to the data they handle, the Google Privacy Policy is applicable.

https://policies.google.com/privacy

We store the personal data provided by the user on a logically separated server located in the Oracle Cloud server farm. Its physical location is in Frankfurt, Germany, but according to the legislation the data controller does not implement the transfer of personal data to third parties through data storage.

The data controller does not transfer personal data to third parties, except when the user provided their personal data for a specific purpose.

8. Rules for Data Management

The rights of the data subject

The user is entitled to exercise the following rights under the conditions specified by the Data Protection Act with regard to their personal data processed by the data controller:

- the right to be informed about the facts related to data processing before the start of data processing (right to prior information),
- the right to access their personal data and the information related to their processing upon request from the data controller (right to access),
- the right to request the rectification or completion of their personal data from the data controller in certain cases (right to rectification),
- the right to request the restriction of their personal data processing from the data controller in certain cases (right to restriction of processing),
- the right to request the erasure of their personal data from the data controller in certain cases (right to erasure),
- the right to initiate proceedings with the Authority (right to lodge a complaint with the supervisory authority),
- the right to initiate legal proceedings (right to a judicial remedy).

The data subject has the right to

- receive their personal data in a machine-readable format;
- object to the processing of their personal data;
- not be subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them.

The requests of the data subject

In accordance with the above paragraph, you have the right to request

- information on the processing of your personal data;
- rectification of your personal data;
- erasure or blocking of your personal data;
- restriction of the processing of your personal data.

Restrictions on data processing

As a data subject, you have the right to request that the data controller restrict the processing of your personal data if any of the following applies:

- you dispute the accuracy of your personal data, in which case the restriction will apply for the period during which the data controller can verify the accuracy of the personal data;
- the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use;
- the data controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims; or
- you have objected to the processing of your personal data, in which case the restriction will apply for the period until it is determined whether the legitimate grounds of the data controller override your grounds.

9. Remedies

If the data subject has any questions or issues related to data processing, they can contact the data controller using the contact information provided in point 1 of this notice. The data controller will delete incoming emails, along with the sender's name and email address, and any other voluntarily provided personal data, after a maximum of 5 years from the date of submission. The data subject may file a complaint regarding the data processing procedure with the National Authority for Data Protection and Freedom of Information (NAIH):

Authority: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
Abbreviated name of authority: NAIH
Address: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.
Webpage: www.naih.hu
Email: ugyfelszolgalat@naih.hu

10. Final Provisions

Regarding questions that are not defined in this notice, the provisions of the current data protection legislation shall apply. These are the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.) by the state of Hungary and the Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). The court, the prosecutor's office, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may contact the data controller to provide information, disclose data, transfer data, or make documents available.

The data controller will only provide personal data to the authorities if the authority has specified the exact purpose and scope of the data, and only to the extent that is necessary to achieve the purpose of the request.

The data controller reserves the right to unilaterally modify this data processing notice, with notification to the data subjects. The data controller allows sufficient time between the announcement of the modification and its entry into force for the data subjects to become familiar with the modified notice content.

The following table is an integral annex to this Privacy Policy:

| Managed data | Purpose of data management | Legal basis of data management | Source of the data | Duration of data management |
| --- | --- | --- | --- | --- |
| Email address of the user | Using some features of the app | The data processing is based on the consent of the data subject, which can be given after the installation of the application. | Recorded directly from the user (when logging into the app) | Until erasure at the request of the data subject |
| Google profile of the user | Using some features of the app | The data processing is based on the consent of the data subject, which can be given after the installation of the application. | Recorded directly from the user (when logging into the app) | Until erasure at the request of the data subject |
| Name of the user | Using some features of the app | The data processing is based on the consent of the data subject, which can be given after the installation of the application. | Google profile of the user | Until erasure at the request of the data subject |
| Phone number of the user | Using some features of the app | The data processing is based on the consent of the data subject, which can be given after the installation of the application. | Recorded directly from the data subject (optional in the user profile) | Until the end of the user's legal relationship with the College or the user's request for cancellation |
| Birthday of the user | Using some features of the app | The data processing is based on the consent of the data subject, which can be given after the installation of the application. | Recorded directly from the data subject (optional in the user profile) | Until the end of the user's legal relationship with the College or the user's request for cancellation |
Made with ♥ by tamas.csertan.