Details concerning the rights of data subjects
For the purposes of this information sheet (and of GDPR), ’data subject’ shall mean a natural person who has been
identified by reference to specific personal data, or who can be identified, directly or indirectly; ’personal data’ means
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4. ff GDPR and
Section 3. of InfoAct).
Rights of the data subject according to Chapter III. of the GDPR
- Transparent information, communication and modalities for the exercise of the rights of the data subject;
- Right of access by the data subject;
- Right to erasure (‘right to be forgotten’), right to restriction of processing;
- Information to be provided where personal data have not been obtained from the data subject;
- Right to data portability (if we process your data on the basis of your consent/contract
the processing is carried out by automated means. );
- Right to object;
- The right not to be subject to a decision based solely on automated processing, including profiling;
- The right to legal remedy: in the case of any breach of your rights, you can turn to the data protection officer
of Eötvös Loránd University, to the National Authority for Data Protection and Freedom of Information, or
you can sue a claim to the court.
You can read the explanation of the rights below:
- Transparent information, communication and modalities for the exercise of the rights of the data subject (Article
12-14 of GDPR)
With this information sheet, the controller provides the information relating to processing to the data subject
referred to in GDPR.
If the data subject asks, further detailed oral information can be given, if the data subject proves his or her identity.
- Right of access by the data subject (Article 15 of GDPR)
The data subject have the right to obtain from the controller confirmation as to whether or not personal data
concerning him or her are being processed, and, where that is the case, access to the personal data and the following
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular
recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria
used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of
processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to theirsource;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of GDPR
and, at least in those cases, meaningful information about the logic involved, as well as the significance and the
envisaged consequences of such processing for the data subject.
- Rectification and erasure (Article 16 of GDPR )
3.1. Right to rectification (Article 16 of GDPR )
The data subject shall have the right to obtain from the controller without undue delay the rectification of
inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data
subject shall have the right to have incomplete personal data completed, including by means of providing a
3.2. Right to erasure (‘right to be forgotten’) (Article 17 of GDPR )
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or
her without undue delay and the controller shall have the obligation to erase personal data without undue delay
where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collectedor
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or
point (a) of Article 9(2) of GDPR, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of GDPR and there are no overriding
legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State lawto
which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in
Article 8(1) of GDPR.
3.3. Right to restriction of processing (Article 18 of GDPR)
The data subject shall have the right to obtain from the controller restriction of processing where one of the
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controllerto
verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the
restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by
the data subject for the establishment, exercise or defense of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) of GDPR pending theverification
whether the legitimate grounds of the controller override those of the data subject.
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without
undue delay and in any event within one month of receipt of the request. That period may be extended by two further
months where necessary, taking into account the complexity and number of the requests. The controller shall inform
the data subject of any such extension within one month of receipt of the request, together with the reasons for the
delay. Where the data subject makes the request by electronic form means, the information shall be provided by
electronic means where possible, unless otherwise requested by the data subject. (Article 12.3 of GDPR)
- Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 of
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried
out in accordance with GDPR Article 16, Article 17(1) and Article 18, to each recipient to whom the personal data
have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform
the data subject about those recipients if the data subject requests it.
- Right to data portability (Article 20 of GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided
to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data
to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent or on a contract; and
(b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data
transmitted directly from one controller to another, where technically feasible.
The exercise of this right shall be without prejudice to the right to be forgotten.
- Right to object ( Article 21 of GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to
processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR,
including profiling based on those provisions. The controller shall no longer process the personal data unless the
controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and
freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Automated individual decision-making, including profiling (Article 22 of GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or similarly significantly affects him orher.
This provision shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable
measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
In this case, he data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms
and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his
or her point of view and to contest the decision.
- Legal remedy – alternative possibilities
8.1. Data protection officer (Article 24 of InfoAct, Article 39 of GDPR)
The data protection officer has to monitor compliance with GDPR, with other Union or Member State data
protection provisions and with the policies of the controller or processor in relation to the protection of personal
data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing
operations, and the related audits (Article 39 of GDPR)
Data protection officer of the University:
1053 Budapest, Ferenciek tere 6.
8.2. Investigation of the National Authority for Data Protection and Freedom of Information (Article 52-58 of
InfoAc), 57., 77. Article of GDPR
Any person shall have the right to notify the Authority and request an investigation alleging an infringement relating
to his or her personal data or concerning the exercise of the rights of access to public information or information
of public interest, or if there is imminent danger of such infringement.
The Authority may refuse the notification without examination thereof as to merits if the infringement alleged in
the notification is considered minor, or the notification is anonymous. You can find further reasons for rejection in
Section 53. of the InfoAct.
National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/c.
8.3. Right to an effective judicial remedy against a controller or processor (Section 22. Of InfoAct. Article 79 of
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint
with a supervisory, each data subject has the right to an effective judicial remedy where he or she considers that
his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the
controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of
the Member State where the data subject has his or her habitual residence, unless the controller or processor is a
public authority of a Member State acting in the exercise of its public powers.