Privacy Notice on data processing by

Personal data protection is extremely important to us; therefore, by way of this Privacy Notice, we inform you about the personal data we process, as well as the purpose and legal basis of processing. The Privacy Notice also sets out the rights you are entitled to.

  1. Details of the Data Controller

Data Controller: Deák 17 Gyermek és Ifjúsági Művészeti Galéria (hereinafter: Data Controller)

Registered seat: 1052 Budapest, Deák Ferenc utca 17. I. emelet

Registration ID: 826808

Tax number: 15826800-1-41


Telephone: +36 1 266 0482

Contact details of the Data Protection Officer:

  • General legislative provisions serving as a legal basis for data processing
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Act on Privacy)
  • Act V of 2013 on the Hungarian Civil Code (Civil Code).
  • Definitions

Personal data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data includes in particular: name, address, place and date of birth, mother’s name.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

  • Principles

In the course of processing personal data, the following principles are taken into account by the Data Controller so that personal data is:

  1. processed lawfully, fairly and in a transparent manner in relation to the Data Subject (lawfulness, fairness and transparency)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1) of the GDPR, not be considered to be incompatible with the initial purposes (purpose limitation)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
  5. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject (storage limitation)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  7. the Data Controller shall be responsible for compliance with the foregoing, and must be able to demonstrate such compliance (accountability)
  • Data processing activities during the visit of the website
  1. Personal data processed when visiting the website

The website operates on its own platform. As part of this, certain data of yours provided through the website may be stored in the database. We guarantee that our own data processing practices comply with the requirements of the GDPR and that we securely store all data.

All other data processing is solely executed in accordance with the privacy policy. In addition, your personal data will only be processed if you provide it to us voluntarily, for example for the purpose of subscribing to a newsletter, contacting us or fulfilling a contract.

Purpose of data processing: The personal data of visitors to the website is processed to ensure the proper and secure operation of the service and the site. We process the data for data security purposes as well as to optimize and improve the website and the (online) services.
Legal basis of data processing: Legitimate interest of the Data Controller (Article 6 (1) f) of the GDPR). It is in our legitimate interest to protect the website and improve our services.
Categories of Data Subjects: Visitors of the website
Scope of personal data: By visiting the website, your IP address, the date of the website visit, the visited URL and the type of browser are processed.
Data retention period: Personal data obtained by visiting the website will be archived weekly, the last 52 events will be stored for a period of 1 year from the date of its creation and will be deleted automatically thereafter.
Data transfer: Data transfer is not performed on the basis of Articles 44-49 of the GDPR.
Recipients: Website operator: Greenformatics Solutions Kft. (registered seat: 1132 Budapest, Visegrádi utca 31., tax number: 23080814-2-41, corporate registration number: 01-09-952019)
Source of personal data: The source of personal data is the visitor of the website.
Method and consequences of data provision: Provision of data is voluntary. If you choose not to provide your personal information, there will be no consequences other than that you may not be able to use the service. We will only retain the personal data provided on the website for as long as it is necessary to achieve the purpose of the data processing, and, in the event of consent, until the consent is revoked.
  • Social media platforms

The Data Controller is present on the following platform:





  1. Facebook and Instagram:

In addition to the Data Controller, according to the GDPR, the operator of Facebook and Instagram (hereinafter collectively: social media) is also considered as an independent data controller. The Data Controller has only limited influence on the data processing performed by the operators of social media interfaces. In places where it can influence and parameterize the processed data, the Data Controller will do everything in its power to ensure that data processing is in compliance with the Regulation.

On social media interfaces, your data shared with the Data Controller, such as comments, articles, videos, images, links to a page, etc., is made public and accessible by the given media interface. If the Data Controller considers that a given content is not suitable for disclosure to the public on its own page, it will delete it from its page. Otherwise, it makes the content visible on its site if the social media interface allows it. You can also use the chat interface to exchange messages instantly. The legal basis of data processing is legitimate interest based on Article 6 (1) f) of the GDPR. The purpose of data processing is to keep in touch with visitors and potential customers. You always have the opportunity to send your questions to the contact details indicated by the Data Controller in point 1 of this privacy notice.

In order to provide you only with advertisements that match your interests, the Data Controller will use for the advertisements the demographic, interest-based, behaviour- or location-based target group definitions provided by the social media interface operator. There is no personal identification by the Data Controller. We have limited influence over the page statistics provided to us by the media interface operator and cannot turn them off. The data obtained in this way are kept for 30 days.

Data processing by the Data Controller when using Facebook Messenger chatbox

Scope of personal data processed: Data Subject’s surname and first name provided to Facebook Messenger; gender, Messenger ID; e-mail address, telephone number, questions and answers, content of correspondence.

Legal basis of data processing: consent by the Data Subject (Article 6 (1) a) of the GDPR). The data processing starts after the chatbot available in the Messenger application is launched, with the relevant consent of the Data Subject. After the chatbot starts, the entire conversation with the Data Subject is recorded as an incoming message on Deák 17 Galéria’s page. The chatbot provides an opportunity for instant dialogue during a conversation.

Data processing by the social media interface operator

The social media interface operator uses targeted marketing. Targeted marketing means that, based on several aspects and target groups, we can set who we want an ad to appear to, regardless of whether they are logged in or registered on the social media interface. The Data Controller has no influence on the targeting performed by the social media; its legal basis is determined by the operator of the social media interface, which has an independent responsibility with regard to the legal basis. Targeting cannot be turned off or changed by the Data Manager.

We would like to inform you that the operator of the social media interface has the opportunity to use your profile and behavioural data in order to evaluate your habits, personal relationships and preferences. We have no decision-making power in this regard and no influence over it.

For more information on the operator’s data processing or on objection to data processing, please refer to the service provider’s following privacy policy:



The website contains links to pages that do not navigate to pages managed by the Data Controller. The Data Controller is not responsible for the data contained therein or for any damages caused by visiting or using external sites.

  • YouTube

YouTube is operated by Google, which qualifies as an independent data controller under the Regulation. For more detailed information and configuration information about the platform, see the platform privacy statement:

Purpose of data processing: Communication and sharing information about the Galéria through its YouTube channel.
Legal basis of data processing: The legal basis for the data processing is your consent in accordance with Article 6 (1) (a) of the Regulation.
Categories of Data Subjects: Visitors to the YouTube channel
Scope of personal data: The username used for the YouTube account and the information made public by the user.
Data retention period: You have the option to delete the data according to the platform policy.
Data transfer: Data transfer is performed for Google on the basis of Articles 44-49 of the GDPR.
Source of personal data: The source of personal data is the natural person who visits the YouTube channel.
Method and consequences of data provision: Provision of data is voluntary. If you do not provide the required information, you will not be able to watch videos uploaded to the Galéria’s YouTube channel.
  • Pinterest

We created our account based on the business account terms of use, the aim of which is to present our activity to those interested. We are solely responsible for the content posted on our site in accordance with Pinterest’s terms of use.

Pinterest’s privacy notice is available in Hungarian language at

  • Cookies

A cookie is a set of information sent from the server to the browser, then every time there is a request the browser sends it back to the server with the data content specified by the server. This is designed to save the settings on the website you visited, so if you visit the site again from the same device, the page will remember the set parameters.

Cookies are most often used for personalizing advertisements and services, and analysing website traffic. In light of the current legislation in force, we can only store cookies on your terminal device if this is strictly necessary, essential for the operation of the website; these are called necessary cookies. We need your consent to use any other types of cookies.

The legal basis for personal data processed on the basis of necessary cookies is Article 6 (1) (f) GDPR, i.e. legitimate interest. In the case of additional cookies, the data will be processed on the basis of your consent, that is, in accordance with Article 6 (1) (a) of the GDPR.

You can view and set the cookies currently used on the website in a pop-up window when accessing the website.

  • Access to data

Personal data can be accessed by the competent staff of the Data Controller to the extent necessary for the performance of their duties.

  • Data security measures

The Data Controller shall ensure adequate IT, technical and personnel measures to protect the processed personal data, including the protection of the personal data against unauthorized access or unauthorized modifications.

Data processing-related Data Subject rights: Content of Data Subject rights relating to data processing
Right to be informed /GDPR, Article 13-14/: You have the right to be provided information about the fact and purpose of data processing at the time when personal data are obtained. The Data Controller provides you with additional information that is necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of the personal data processing. You must also be informed about the fact of profiling and its consequences.
Right of access /GDPR, Article 15/: You are entitled to receive confirmation as to whether your personal data are being processed, and if such data processing is in progress, you will be entitled to be granted access concerning: what personal data, on what legal basis, for what processing purposes, for how long are processed by the Data Controller; who to, when, and based on which legislation did the Data Controller provide access to your personal data or who were they transmitted to; what source do personal data originate from (if it was not you that provided them to the Data Controller); whether you apply automated decision-making and its logic, including profiling as well.
Right to rectification /GDPR, Article 16/: You have the right to receive from the Data Controller upon request the rectification of inaccurate personal data concerning you or to have incomplete personal data completed. Therefore, you may ask the Data Controller to modify some of your personal data (for example, you can change your email address or other contact details at any time).
Right to erasure (“right to be forgotten”) /GDPR, Article 17/: You have the right to obtain from the Data Controller the erasure of your personal data where one of the following grounds applies: your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw your consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and there is no other legal ground for the processing; you object to data processing on the basis of Article 21 (1), and there is no overriding legitimate reason for the processing of data, or you object to data processing on the basis of Article 21 (2); your personal data have been unlawfully processed; your personal data must be deleted in order to comply with a legal obligation imposed by EU or Member State law applicable to the Data Controller; the collection of your personal data is performed in connection with offering information society services as referred in Article 8 (1).
Right to restriction /GDPR, Article 18/: You have the right to obtain from the Data Controller the restriction of your personal data where one of the following grounds applies: the accuracy of your personal data is contested by you (in this case the restriction applies to the time period which allows the Data Controller to verify the accuracy of the personal data); the data processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead; the Data Controller no longer needs the personal data for the purpose of data processing, but you require them to present, exercise or defend a legal claim; in light of Article 21 (1) you objected to data processing (in this case the restriction applies to the time period that is necessary to determine whether the Data Controller’s legitimate reasons override your legitimate reasons).
Right to data portability /GDPR, Article 20/: You have the right to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where: the processing is based on consent according to point (a) of Article 6 (1), or point (a) of Article 9 (2), or on a contract within the meaning of point b) of Article 6 (1), and the processing is carried out by automated means. You also have the right – if this is technically feasible – to request that your personal data are directly transferred among Data Controllers.
Right to object /GDPR, Article 21/: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on the referred provisions. In this case the Data Controller shall not continue to process your personal data, except where the Data Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
Right to withdraw consent /GDPR, Article 7 (3)/: You have the right to withdraw your consent at any time. Withdrawing your consent does not affect the lawfulness of the data processing performed based on consent provided before the withdrawal. You are required to be informed of this before consent is granted. It must be as easy to withdraw as to give consent.
  • Legal remedies for Data Subjects relating to data processing, and their content
Legal remedy: Content of the remedy
Right to lodge a complaint with a supervisory authority /GDPR, Article 77/: If your right to the protection of personal data is infringed, you may lodge a complaint to the following Authority: Hungarian National Authority for Data Protection and Freedom of Information; address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.; postal address: H-1530 Budapest, Pf.: 5; telephone: +36 (1) 391-1400; website:
Right to effective judicial remedy against a Data Controller or Data Processor (initiation of court proceedings) /GDPR, Article 79/: You are entitled to go to court against the Data Controller or the Data Processor if you experience the unlawful processing of your personal data. The court will hear the case without delay. In this case you are free to decide whether to submit your request with the tribunal of your domicile or your residence. The court of jurisdiction by the registered office of the Data Controller is the Budapest-Capital Regional Court, contact details: 1055 Budapest, Markó u. 27., tel.: +36 1 354 6000. Contact details of the tribunals:
  1. Updates to the Privacy Notice

The Data Controller reserves the right to unilaterally modify this Privacy Notice. This Notice may be modified in particular if this is necessary due to changes in legislation, official data protection practices, business needs or other circumstances. At the request of the Data Subject, the Data Controller sends a copy of the Privacy Notice in force to the Data Subject in the arranged format.