The processing of personal data in the online management of the editorial process of Belügyi Szemle/Academic Journal of Internal Affairs (AJIA); the audio recording of Editorial Committee meetings, consultations, round tables, interviews, discussion forums for persons not employed by the Ministry of the Interior.

1. Information about the Data Controller, the concept of personal data and the Data Subject
The Data Controller is the legal person that determines, alone or jointly with others, the purposes and means of the processing of personal data. In the context of this notice
Data Controller: Ministry of Interior, Editorial Board of Belügyi Szemle/Academic Journal of Internal Affairs (AJIA) (hereinafter referred to in this notice as: Data Controller)
Headquarters: 1051 Budapest, József Attila utca 2-4.
Mail address: 1903 Budapest, Pf. 314.
Website: https://belugyiszemlejournal.org
E-mail: szerkesztoseg@belugyiszemle.hu
Telephone: +36 (26) 795-922
Actual place of processing data: 2090 Remeteszőlős, Nagykovácsi út 3.
Data Protection Officer:
Contact: the current managing editor of the journal (From 15 July 2024: József Krenner)
krenner.jozsef@bmkszf.hu
Personal data for the purposes of this Notice is any information relating to an identified or identifiable natural person (the Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, number, an identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person).
2. The legal basis of the Privacy Notice
The main legal provisions applicable to the processing under the Notice and their abbreviations used:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR);
• Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act);
• Act of V of 2013 on the Civil Code (Civil Code).
In preparing this Notice, the National Authority for Data Protection and Freedom of Information's Recommendation on the “Data Protection Requirements for Prior Information” (hereinafter: the Recommendation) has been taken into account.
3. Legal basis of the Data Controller's processing
According to Article 6(1)(a) to (c) and (e) of the General Data Protection Regulation, processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Thus, the legal basis for the processing by the Data Controller is primarily Article 6(1) of the General Data Protection Regulation
• a) (processing based on consent),
• b) (processing necessary for the performance of a contract),
• c) (processing required for compliance with a legal obligation) and
• d) processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
To avoid unnecessary duplication of specific normative text, the Data Controller does not set out basic concepts separately. The terms and descriptions used in this Privacy Notice are in accordance with the GDPR and the Privacy Act.
4. Purpose of the Data Controller's processing
The system is operated by the Data Controller for the purpose of online management of Belügyi Szemle/Academic Journal of Internal Affairs (AJIA). The online management includes, inter alia, the management of the manuscript (paper) submission, the proofreading process, the
management of the editing and copyediting of the article accepted for publication, the liaison with contributors, the publication of final issues, the publication, the accessibility of articles, the dissemination to the scientific and general readership, and the storage of archival issues of this
journal.
4.1. User registration via the website, contact and communication with the editorial staff. Activity carried out by the data controller: by creating a profile with the user (carrying out operations related to registration, contacting, maintaining contact, notifying about the publication). (If the data subject wishes to receive separate notifications about the publication, they must indicate this separately by ticking the box marked for this purpose). Registration also allows the data subject to connect to the journal's editorial board and administrators via the OJS (Open Journal System) and to send and receive manuscripts, and reviews.
4.2. Processing of data relating to manuscripts accepted for publication by the Editorial Board.
4.3. Personal data of editorial board employees processed in relation to the publishing process, where the activity of the controller is the operation of the online publishing system.
4.4. The following categories of personal data may be processed in connection with the use of advertised roundtable discussions, discussion forums, interviews, and Editorial Committee and Editorial Board meetings and activities:
• recording the audio recordings of meetings,
• recording of conference proceedings,
• recording of the sound recordings of other meetings and discussions,
• recordings of interviews and discussion forums.
Further detailed information on data processing can be found in the table in point 8 of the Notice.
5. Data security
The Data Controller undertakes to ensure the security of the personal data they process. Taking into account the state of science and technology and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, they shall take the technical and organisational measures and establish the procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. The Controller also undertakes to require any third party to whom it transfers or discloses the data on any legal basis to comply with the requirement of data security. The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The data processed may only be accessed by the Data Controller and its employees or by the Data Processor(s) employed by the Data Controller, according to the level of authorisation. The Data Controller shall not disclose them to third parties who are not authorised to access the data. The employees of the Controller and the Processor shall have access to the personal data in a specific manner, according to the job functions defined by the Controller and the Processor and according to the level of access rights. In order to ensure the security of the IT systems, the Data Controller protects the IT systems with a firewall and uses antivirus and anti-virus software to prevent external and internal data loss. The Data Controller has also ensured that incoming and outgoing communications in any form are properly monitored to prevent misuse. The Controller and the Processor shall classify and process personal data as confidential. The Data Controller shall ensure that, in order to protect the electronically processed data files in the different registers, the data stored in the registers cannot be directly linked and attributed to the Data Subject, subject to the exceptions provided for by law.
The Controller shall ensure a level of data security appropriate to the level of risk, including, where applicable:
• ensuring the continued confidentiality, integrity, availability and resilience (operational and development security, intrusion protection and detection, prevention of unauthorised access) of the systems and services used to process personal data;
• in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner (data leakage prevention; vulnerability and incident management);
• a procedure to regularly test, assess and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of data processing (business continuity, protection against malicious code, secure storage, transmission and processing of data, security
training of employees). In determining the appropriate level of security, explicit account should be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise
processed. If the Data Controller becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or transmission of or access to personal data transmitted, stored or otherwise processed by it (hereinafter collectively referred to as "data breach"), it shall comply
with Articles 33-34 of the GDPR. and to notify the data protection incident to the National Authority for Data Protection and Freedom of Information and to inform the data subject or data subjects of the data protection incident where it is likely to result in a high risk to the rights and freedoms of natural persons. The Controller shall keep a record of the personal data breach. In the case of a personal data breach, the Data Controller shall keep the data relating to the personal data breach for 5 years, and in the case of a personal data breach, the Data Controller shall keep the data relating to the personal data breach for 20 years.
6. Data Processors
Data Processor is a natural or legal person who processes personal data on behalf of the Data Controller. The following companies and persons act as data processors (Data Processors) in relation to the personal data of the Data Subjects:
Data processor name, location: Editorial Board of Belügyi Szemle/Academic Journal of Internal Affairs (AJIA) 2090 Remeteszőlős, Nagykovácsi út 3.
Activity carried out by the Data Processor: The tasks and activities set out in the Journal Policies.
Source: https://belugyiszemlejournal.org/index.php/belugyiszemle/libraryFiles/downloadPublic/1
7. Data process
7.1. Rights relating to data processing
The Data Subject may request the Data Controller on:
• information on the processing of their personal data (before the processing starts or during the processing)
• access to their personal data (access to their personal data by the controller),
• rectification or integration of their personal data,
• erasure or restriction (blocking) of personal data, except for mandatory processing,
• the right to data portability,
• object to the processing of their personal data.
The Data Subject may submit a Data Subject's Request to the Data Controller using the contact details set out in point 1 above. The Data Controller shall comply with the Data Subject's lawful request within a maximum of one month and shall notify the Data Subject thereof by sending a letter to the contact details provided by the Data Subject.
7.1.1. Right to request information (under Articles 13-14 of the GDPR)
The Data Subject may request the Controller in writing to inform them that
• what personal data,
• on what legal basis,
• for what purpose,
• from what source,
• for how long it is processed,
• whether it employs a data processor, and if so, the name and address of the Datata Processor, if any, and its activities in relation to the processing,
• to whom, when, under what law, to which personal data the Controller has granted access or to whom the Controller has transferred the personal data,
• the circumstances of any data breach, its effects and the measures taken to remedy it.
7.1.2. Right of access (Article 15 of the GDPR)
The Data Subject has the right to receive feedback from the Controller as to whether or not their personal data are being processed and, if such processing is ongoing, the Data Subject has the right to obtain access to the personal data processed and may request this in writing from the Controller in accordance with point 7.1.1. The Controller shall provide the Data Subject with a copy of the personal data which are the subject of the processing, unless there are other legal obstacles. If the Data Subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the Data Subject requests otherwise.
7.1.3. Right to rectification (under Article 16 of the GDPR)
The Data Subject may request in writing that the Controller amend any of their personal data (for example, they may at any time change their email address or postal address or request that the Controller correct any inaccurate personal data processed by the Controller). Taking into account the purposes of the processing, the Data Subject has the right to request that their incomplete personal data processed by the Controller be duly completed.
7.1.4. Right to erasure (under Article 17 of the GDPR)
The Data Subject may request the erasure of their personal data by the Controller in writing. In principle, the erasure of personal data may be requested if our processing is based on your consent, e.g. you have given your consent to the processing of your data (telephone number, e-mail address) for the purpose of contacting you. In this case, we will delete your personal data. If you have provided us with your personal data for the performance of a contract or on the basis of a law, the related processing of this personal data will not automatically cease upon termination of the contract, nor will we be able to comply with your request for erasure. In this case, we must continue to process your personal data after the termination of the contract in accordance with the applicable law for the
processing period set out in this Privacy Notice.
7.1.5. Right to restriction of processing (under Article 18 of the GDPR)
The Data Subject may request in writing that their personal data be blocked by the Controller (by clearly indicating the limited nature of the processing and ensuring that it is kept separate from other data). The blocking shall last as long as the reason indicated by the Data Subject makes it necessary to store the data. For example, the Data Subject may request the blocking of data if they believe that their submission has been unlawfully processed by the Controller, but it is necessary for the purposes of the administrative or judicial proceedings that they has initiated that the submission should not be deleted by the Controller. In this case, the Controller will continue to store the personal data (for example, the submission in question) until the authority or court requests it, after which it will delete the data.
7.1.6. Right to data portability (under Article 20 of the GDPR)
A Data Subject may request in writing to receive personal data relating to him or her which they have provided to the Controller in a structured, commonly used, machine-readable format, and may also have the right to transmit such data to another controller without hindrance from the Controller, if:
• the processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR, or
• a contract within the meaning of Article 6(1)(b); and
• the processing is carried out by automated means.
7.1.7. Right to object (under Article 21 of the GDPR)
A Data Subject may object to the processing of his or her personal data pursuant to Article 6(1)(f) of the GDPR necessary for the purposes of the legitimate interests pursued by the Controller or a third party, including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning them for such purposes, including profiling, where it is related to direct marketing. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
7.2. Remedies for data processing
Right to a judicial remedy
The Data Subject, the Controller or, in the context of processing operations within the scope of the Data Processor's activities, the Data Processor, may take legal action against the Data Subject, the Controller or a Data Processor acting on their behalf or at their instructions, if they consider that
the Controller or a Data Processor is processing their personal data in breach of the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union.
The Tribunal has jurisdiction to rule on the action. The lawsuit may also be brought, at the Data Subject's option, before the competent court in the place where the Data Subject resides or is domiciled. The Data Subject, the Controller or, in the context of processing operations within the scope of the Data Processor's activities, the Data Processor, may take legal action against the Data Subject, the Controller or a Data Processor acting on their behalf or at their instructions, if they consider that
the Controller or a Data Processor is processing their personal data in breach of the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union.
The Tribunal has jurisdiction to rule on the action. The lawsuit may also be brought, at the Data Subject's option, before the competent court in the place where the Data Subject resides or is domiciled. The Controller shall compensate the damage caused by unlawful processing of the Data Subject's data or by a breach of data security requirements, but shall be exempt from liability if the damage was caused by an unforeseeable cause outside the scope of the processing. The Controller shall not compensate the damage in so far as it has been caused by the intentional or grossly negligent conduct of the Data Subject. In case of violation of the personal rights of the Data Subject, the Data Subject may claim damages.
Initiation of the authority procedure
In order to assert their rights, the Data Subject may initiate an investigation or an official procedure at the National Authority for Data Protection and Freedom of Information (1055. Budapest Falk Miksa utca 9-11, website: http://naih.hu; postal address: 1396 Budapest, Pf. 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu), on the grounds that their personal data are being processed in violation of their rights or that there is an imminent threat of such a violation, in particular,
• if they consider that theController restricts the exercise of their rights as set out in point 7.1.1 or refuses to grant their request to exercise those rights (initiation of an investigation), and
• if they consider that, in the processing of their personal data, the Controller or a processor appointed or instructed by the Controller or a processor acting on its behalf infringes the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union (request for a public authority procedure).