PRIVACY POLICY

For Creators

MuveszTerem.hu

 

This privacy policy is Art Room Ltd.as Data Controller operated by, the www.muveszterem.hu Persons registering in the database and entering into a contract with the Data Controller as defined in the GTC (hereinafter referred to as: Data Subject) It applies to the processing of your personal data during the performance of the contract.

1. Legal background and purpose of data protection

When developing this policy, we took into particular consideration the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.), Act VI of 1998 on the promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on 28 January 1981, as well as Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: GDPR), and the recommendations of the “ONLINE PRIVACY ALLIANCE”.

Hungarian law shall apply to this data protection policy and to issues related to data protection. In the event of any legal dispute arising within the framework of data protection, the courts of Hungary shall have jurisdiction and the Hungarian courts of the registered office of the Data Controller(s) shall have exclusive jurisdiction.

The purpose of this data protection policy is to ensure that, in all areas of our services, every individual, regardless of nationality or place of residence, has their rights and fundamental freedoms, in particular the right to privacy, respected when their personal data is processed automatically (data protection).

2. Data controller's data

Name: Art Room Ltd.

Headquarters: 1053 Budapest, Museum Square 35.

Tax number: 32355189-1-42

Company registration number: 01-09-419804

3. Definitions

personal data: any information relating to an identified or identifiable natural person (hereinafter referred to as: Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

data management: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

data transfer: if data is made available to a specific third party;

disclosure: if data is made accessible to anyone;

data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

data deletion: making data unrecognizable in such a way that its recovery is not possible;

4. Data protection principles

In accordance with Article 5 of the GDPR, the Data Controller ensures that personal data is processed in accordance with the following:

the)	processing must be carried out lawfully and fairly, and in a manner that is transparent to the Data Subject (“lawfulness, fairness and transparency”);
b)	collected only for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes (“purpose limitation”);
c)	they must be adequate and relevant in relation to the purposes of the processing and limited to what is necessary (“data economy”);
d)	they must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”);
e)	shall be stored in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data are processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of Data Subjects as provided for in this Regulation (‘storage limitation’);
f)	must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage to the data ("integrity and confidentiality"), by applying appropriate technical or organisational measures.

5. Additional guarantees protecting the data subject

Everyone has the right to

• receive information about their data and data processing (the Data Subject's right of access);

• The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies: (a) the Data Subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data; (b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the Controller no longer needs the personal data for the purposes of the processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims; or (d) the Data Subject has legitimately objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Controller override those of the Data Subject;

• in justified cases, have these data rectified or erased without delay (the right to be forgotten). The Data Controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request of the Data Subject, the Data Controller shall inform the Data Subject of these recipients;

• during data processing based on consent, you will receive the personal data concerning you, which you have provided to Művészterem Kft., in a structured, commonly used and machine-readable format, and you will also have the right to have Művészterem Kft. transmit these data to another data controller. The exercise of this right may not violate the right to be forgotten and may not adversely affect the rights and freedoms of others;

• to have legal recourse if the request for information or, in justified cases, for disclosure, correction or deletion as provided for in the legislation is not fulfilled. At the request of the Data Subject, the Data Controller shall provide information on the data processed by it or by the processor it has commissioned, the purpose of data processing, its legal basis, duration, the name, address (registered office) of the data processor and its activities related to data processing, as well as on who receives or has received data and for what purpose. The Data Controller shall provide the information in writing and in a plain language as soon as possible after the submission of the request, but no later than 30 days. The Data Subject may, in the event of a violation of his or her rights, file a complaint with the Data Controller. The Data Controller shall compensate for any damage caused to others by the unlawful processing of the Data Subject's data or by the violation of technical data protection requirements. The Data Controller shall also be liable to the Data Subject for any damage caused by the Data Processor. The data controller is exempt from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. Damages do not have to be compensated to the extent that they resulted from the intentional or grossly negligent conduct of the injured party.

6. Legal basis, purpose, scope, and time of data processing

1. Legal basis for data processing

The regulations related to data management and the protection of visitors' personal data apply exclusively to natural persons, given that personal data can only be interpreted in relation to natural persons (based on Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information), therefore this data protection policy is binding only with regard to the processing of personal data of natural persons registering on the website.

1. 1. The processing of data optionally provided when completing the Creator data form is based on the voluntary and explicit consent given by the Data Subject in knowledge of this information. The Data Subject has the right to withdraw his voluntary consent at any time.

   2. The legal basis for data processing with regard to the personal data required to be provided when filling out the Creation form is the performance of the Contract concluded between the Data Subject and the Data Controller, and the enforcement of the rights and obligations arising from the Contract, pursuant to Article 6(1)(e) of the GDPR.

   3. When sending a newsletter, the legal basis for data processing is the legitimate interest of the Data Controller, which is based on Article 6(1)(f) of the GDPR. In order to comply with the referenced provision, the Data Controller has performed a balancing test, as a result of which it has determined the following:

• • The Data Controller – in its judgment – has a legitimate interest in sending a newsletter to the Data Subjects (to the e-mail address provided by them);

  • The purpose of data management is to send an electronic newsletter about news, changes and other related content related to the Data Controller and its activities, services, the operation of the Database, in order to inform the Data Subjects and thereby ensure the most comprehensive use of the Data Controller's services;

  • The Data Subject's rights to the protection of his or her personal data and privacy are proportionately limited by the legitimate interest of the Data Controller as defined in this section, and by data processing based on legitimate interest. The Data Controller has examined all means and options that can be taken into account in order to achieve the desired goal - and specified in this Policy - and has considered that sending the electronic newsletter can be considered the least restrictive solution possible and thus meets the requirements of necessity and proportionality.

To this end:

• • • newsletters are sent to each Data Subject only a limited number of times (maximum 2 times per month);

    • The Data Controller sends newsletters to the Data Subject exclusively in connection with its own activities, services and the Database it operates;

    • The Data Controller complies with legal obligations in all cases;

    • The Data Controller shall, under all circumstances, provide Data Subjects with the opportunity to object to the use of their personal data for this purpose and to exercise the additional rights specified in this Notice.

2. Purpose of data processing and scope of data processed

Personal data may only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. Data processing must comply with this purpose at all stages. Only personal data may be processed that is essential for the purpose of data processing, suitable for achieving the purpose, and only to the extent and for the period necessary to achieve the purpose.

The data controller uses the data for the following purposes:

1. 1. The purpose of the data processing carried out when filling out the Creation form is for the Data Subject to indicate their intention to use the services provided by the Data Controller as specified in the GTC and for the Data Controller to be able to assess the registration request and maintain contact with the Data Subject. If the Data Controller accepts the registration after submitting the Creation form, the Data Subject has the opportunity to upload the Creation form.

The following personal data can be entered on the Creator data sheet:
(data marked with * are mandatory):

• Email address* (not public)

• Full name*

• Display name (Artist name)

• Address* (not public)

• Phone number* (not public)

• Name of completed/ongoing art schools and majors, year of completion of training (expected year of completion in case of ongoing studies)

• Type of work (painting, sculpture, graphics, photography, other)*

• Introductory text*

• Ars poetica / “Quote from the creator”*

• Header photo*

• Side photo*

• Portfolio images

• Solo exhibitions

• Group exhibitions

• Press releases

• Awards, prizes

When filling out the Creator data form, the Data Subject must accept this Privacy Policy by "ticking" the appropriate field, after which the registration request can be sent.

1. 2. The purpose of processing the data provided when filling out the Creation data form is to display the Creation in the Database and to enable the Data Controller to fulfill the Contract, i.e. to complete the sale of the Creation. The purpose of processing the optionally provided data is to facilitate the sale of the Creations, to present the Creation and the Data Subject who created the Creation, and to facilitate contact with the Data Subject.

   3. If the Data Controller has accepted the Data Subject's registration request, it will inform the Data Subject about this by e-mail and send them a link, with the help of which the Data Subject can upload Creations to the Data Controller's system. When filling out the Creation form, after providing the e-mail address, the following data and information can be provided:

(data marked with * are mandatory):

• Email address*

• Title of creation*

• Creation photo*

• Information about the Creation (category, material/technique, style, orientation, size)*

• Storage location (city)*

• Creation description

• Purchase price (in HUF)*

When filling out the Creation form, in order to conclude the Contract, the Data Subject must accept this Privacy Policy, as well as the GTC and the annexes to the GTC by “ticking” the appropriate box. The condition for concluding the Contract is that the Data Controller approves the uploading of the Creation.

1. 4. During the performance of the Contract, the Data Controller processes all data provided on the Creator data form and Creation data forms completed by the Data Subject.

The Data Subject has the option to fill out the Creation data form at any time during the term of the Contract and send it to the Data Controller in order for the Creation uploaded in this way to be included in the Database.

1. 5. When sending a newsletter, the purpose of data processing is to send an electronic newsletter or advertising message to the e-mail address provided by the Data Subject about news, changes, promotions and other related content related to the Data Controller and its activities, services, and the operation of the Database.

The Data Controller also uses the Data Subject's full name and e-mail address to send newsletters in accordance with the conditions set out in this Notice.

3. Duration of data processing

   1. The data processed in accordance with point 2 will be processed until the end of the 5th year following the termination of the contract between the parties pursuant to Section 6:22 of Act V of 2013 on the Civil Code.

   2. If the Data Controller does not accept the Data Subject's registration request, the Data Controller will delete the data provided on the Creator's data form filled out in order to submit the registration request immediately after informing about the rejection.

If the Data Controller does not accept the Data Subject's request to upload a work and thus no Contract is concluded between the parties, the Data Controller will delete the data provided on the Creation Data Form completed in order to submit the request to upload a work immediately after informing about the rejection.

1. 3. The Data Controller will delete the Data Subject's data within 14 working days if the Data Subject notifies the customer service of this data deletion request.

   4. Data processing for the purpose of sending newsletters lasts until the Data Subject unsubscribes, which can be done at any time by clicking on the "Unsubscribe" link at the bottom of the newsletter, or you can also notify our customer service of your request to unsubscribe, in which case the unsubscribe will take place automatically within 14 working days.

4. OTP SimplePay

The Creator acknowledges that Művészterem Kft., 1053 Budapest, Múzeum krt. 35., as data controller, www.muteszterem.hu The following personal data stored in the user database will be transferred to OTP Mobil Kft., as the data processor. The scope of data transmitted by the data controller is as follows: Name, address of the creator, purchased product. The nature and purpose of the data processing activity carried out by the data processor can be viewed in the SimplePay Data Processing Information, at the following link:

https://simplepay.hu/adatkezelesi-tajekoztatok/

7. Data security

The data controller or, within the scope of its activities, the data processor is obliged to ensure the security of the data and is also obliged to take the technical and organizational measures and establish the procedural rules that are necessary for the enforcement of the data protection law and other data and confidentiality protection rules. The data must be protected in particular against unauthorized access, alteration, disclosure or deletion, as well as damage or destruction.

8. Privacy Policy

The Data Controller undertakes to publish a clear, eye-catching and unambiguous statement (data protection statement) before collecting, recording or processing any data of the Data Subject, informing him/her about the method, purpose and principles of data collection. In addition, the Data Controller draws the Data Subject's attention to the voluntary nature of data provision. The Data Subject must be informed about the purpose of data management and who will manage or process the data. All employees and senior officers of the Data Controller are entitled to learn about the data managed by the Data Controller. Information about data management also occurs if a law provides for the collection of data by transmission or linking from existing data management.

In all cases where the Data Controller intends to use the provided data for a purpose other than the original purpose of data collection, it is obliged to inform the Data Subject thereof and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.

The Data Controller shall comply with the restrictions set out in the basic principles when collecting, recording and processing data and shall inform the Data Subject of its activities by electronic mail upon request. The Data Controller undertakes not to impose any sanctions on a Data Subject who refuses to provide non-mandatory data.

The Data Controller undertakes to ensure the security of the data, to take technical and organizational measures and to establish procedural rules that ensure that the data recorded, stored and processed are protected and to prevent their destruction, unauthorized use and unauthorized modification. It also undertakes to call on any third party to whom it may transmit or transfer data to fulfill its obligations in this regard.

Although Művészterem Kft. does not offer services intended for persons under the age of 16, it hereby declares that it does not collect or process personal data from persons under the age of 16.

When Data Subjects visit our sites, they can generally do so without having to reveal their identity or provide any personal data. Of course, when providing their name and email address, Data Subjects have the option of using a pseudonym instead of their real name when registering. However, in this case, the Data Controller may not be able to effectively ensure the Data Protection objective.

Anonymous information that is collected without personal identification and cannot be linked to a natural person is not considered personal data, nor is demographic data that is collected without being linked to the personal data of identifiable persons, and thus cannot be linked to a natural person, considered personal data.

As a general principle, we state that in all cases where we request personal data from our visitors, they are free to decide whether to provide the requested information after reading and understanding the necessary information. However, we must note that if someone does not provide their personal data, they may not be able to use the given service that requires the provision of personal data.

This privacy policy concerns the protection of visitors' personal data that is not intended to be made public but is made available to the Data Controller. If someone voluntarily makes their own personal data or part of it public, such information is not covered by the scope of this privacy policy.

In each case, we indicate which data, for what purpose and under what conditions, we ask you to provide as “mandatory” during registration. The term mandatory in this case does not refer to the mandatory nature of the data collection, but to the fact that there are records without which the registration cannot be completed successfully, so leaving certain fields blank or filling them out incorrectly may lead to the registration being rejected.

Under no circumstances will we pass on the personal data provided to us by our visitors to third parties without authorization.

If the authorized authorities request the service provider to provide personal data in the manner prescribed by law (e.g. on suspicion of a crime, in an official data seizure decision), the Data Controller will provide the requested and available information, in compliance with its legal obligation.

If Data Subjects provide us with personal data, we will take all necessary steps to ensure the security of this data - both during network communication (i.e. online data management) and during the storage and safeguarding of the data (i.e. offline data management).

The Data Controller ensures that visitors can access, correct and supplement their personal data through the same communication channels and by providing the same options through which their personal data was previously made available to us. By doing so, we want to ensure that the personal data of Data Subjects is always fresh, accurate and up-to-date. If any Data Subject requests that we delete their personal data from our own system (of course, in certain cases, assuming that they will no longer be able to use the service to which these data belonged), we will do so without delay.

9. Within this framework, the rules applied by the Data Controller during data collection

1. Data suitable for individual access by Data Subjects.

We use data (such as e-mail addresses) that are suitable for individual access to Data Subjects exclusively for purposes previously approved by the Data Subject and will not, under any circumstances, be transferred to a third party without the prior written permission of the Data Subject, except for exceptions provided for by law.

2. Data suitable for physical access by Data Subjects

We use data exclusively for purposes previously approved by the Data Subject and, except for exceptions provided for by law, we do not transfer it to third parties.

At the request of the Data Subject, the Data Controller shall provide information about the data of the Data Subject processed by it, the purpose, legal basis, duration of the data processing, the name, address (registered office) of the data processor and its activities related to the data processing, as well as who receives or has received the data and for what purpose. The information shall be info@muveszterem.hu can be requested at.

 

If the Data Subjects believe that their right to the protection of their personal data has been violated, they may file a claim with the court or request the National Data Protection and Freedom of Information Authority (1125 Budapest, Szilágyi Erzsébet fasor 22/c, www.naih.hu) help too.

 

The court shall proceed with the case out of turn. The court shall have jurisdiction over the case. The case may also be initiated – at the Data Subject's choice – before the court of the Data Subject's place of residence or residence.  

Detailed legal provisions regarding legal remedies and the obligations of the Data Controller are contained in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Budapest, September 27, 2024.

Art Room Ltd.