Privacy Policy
HFDA HUNGARIAN FASHION & DESIGN AGENCY Nonprofit Private Limited Company (Company registration number: 01-10-049808, Tax number: 26338972-2-43, Registered office: 1126 Budapest, Istenhegyi út 18, represented by: Zsófia Jakab, CEO, Central email address: info@hfda.hu, Central telephone number: +36 20 272 2351; Contact details of the data protection officer: Takács, Kiss and Partners Law Firm, dpo@tkpartners.hu; (hereinafter: the “Agency” or “Data Controller”) is committed to respecting the right to privacy and the right to the protection of personal data of visitors (hereinafter: “Data Subjects”) to the budapestdesignweek.hu website (hereinafter: the “Website”), and to operating in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: “Info Act”), other applicable legislation, relevant guidance, and established data protection practices, taking into account key international recommendations related to data protection.
The Agency, as the Data Controller, acknowledges that the contents of this legal notice are binding upon itself. It undertakes that the processing of personal data in connection with its services complies with the requirements set out in this notice and in applicable legislation. The terms used in this Notice correspond to the definitions and interpretations set forth in the Info Act and the GDPR.
The Agency’s data processing activities are in compliance with the following data protection laws:
- GDPR;
- Info Act.;
- Act V of 2013 on the Civil Code (hereinafter: “Civil Code”).
Personal data may be processed if
- the Data Subject has given consent to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- the processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.
I. PURPOSE OF DATA PROCESSING:
The purpose of the data processing is to ensure the secure use and technical operation of the Website, as well as to monitor its functioning. The Data Controller collects technical data necessary for the use of the Website during a visit, and also collects data for the purpose of generating visitor statistics.
Please be advised that the Agency does not process personal data in connection with features accessed via icons of external service providers (Facebook, X, LinkedIn, Instagram) displayed on the Website; in such cases, the Data Controller is the external company providing the service.
II. LEGAL BASIS FOR DATA PROCESSING:
In relation to statistical cookies, the legal basis for data processing is Article 6(1)(a) of the GDPR, namely the voluntary consent of the Data Subject.
Cookies that are strictly necessary for the operation of the Website, as well as log data ensuring its secure technical functioning – including visitors’ IP addresses – are processed based on the legitimate interests of the Data Controller pursuant to Article 6(1)(f) of the GDPR.
III. SCOPE OF PROCESSED DATA
During the operation of the Website, the following technical data of visitors (Data Subjects) are processed: the IP address of their computer or mobile device and the approximate geographic location inferred from it; the type, characteristics, and version of the operating system; the type and version of the browser; activity on the Website; the exact time of the visit; the duration of time spent on the Website; and the use of specific functions or services on the Website.
During the use of the Website, cookies are also placed on the computer or mobile device used to access it. If cookies are declined, the Website will process only anonymised information that does not contain personal data (e.g., Google Analytics data for generating visitor statistics).
IV. DURATION OF PERSONAL DATA STORAGE
Data related to the secure technical operation of the Website – including the IP addresses of Data Subjects – is retained for 1 year.
V. RECIPIENTS OF PERSONAL DATA OR CATEGORIES OF RECIPIENTS:
The Data Controller and Data Processor companies, their authorised users performing partnership and customer service activities, and, in the case of data related to technical operations, their IT personnel.
VI. THE DATA PROCESSOR USED:
MEDIATOR GROUP KFT (Company registration number: 01-09-864793, Tax number: 13622215-2-44 Registered office: 1117 Budapest, Dombóvári út 25.)
VII. USE OF COOKIES
Like many other commercial websites, the Agency also uses the common technology known as cookies, as well as technical log files of the web server, in order to obtain information about how Data Subjects use the Website.
The use of cookies and web server log files allows the Agency to monitor Website traffic and tailor the content of the Website to the Data Subject’s personal needs.
A cookie is a small package of information (file) that often carries an anonymised unique identifier. When the Data Subject visits a website, the website requests permission from their computer to store this file in a section of the Data Subject’s hard drive that is specifically designated for storing cookies.
Each website the Data Subject visits is able to send cookies to their computer if their browser settings allow it. To protect the Data Subject’s data, however, their browser only allows the specific website to access the cookie that it has sent to their computer, meaning that one website cannot access cookies sent by other websites. Browsers are typically configured to accept cookies.
However, if the Data Subject does not wish to accept cookies, the Data Subject can adjust their browser settings to reject cookies. In this case, some elements of the website may not function properly during browsing. Cookies cannot retrieve any other information from your computer’s hard drive and do not carry viruses.
The website uses the following cookies:
- Necessary category: Necessary cookies help make the website usable by enabling basic functions such as page navigation and secure access.
The website will not function properly without these cookies.
| COOKIE NAME | SERVICE PROVIDER | TYPE | EXPIRATION |
| viewed_cookie_policy
cookielawinfo-checkbox-necessary cookielawinfo-checkbox-analytics wp-wpml_current_language |
budapestdesignweek.hu
budapestdesignweek.hu budapestdesignweek.hu budapestdesignweek.hu |
http
http http http |
11 months
11 months 11 months 1 day |
- Statistical category:
Statistical cookies help website operators understand how visitors use the site by collecting anonymous information.
| COOKIE NAME | SERVICE PROVIDER | TYPE | EXPIRATION |
| _PK_SES# | Matomo | http | 30 minutes |
| _PK_ID# | Matomo | http | 13 months |
Further information: https://matomo.org/faq/general/faq_146/
VIII. SECURITY OF THE DATA WE PROCESS
The Agency ensures appropriate data backups for IT data and the technical environment of the Website. These backups are operated in accordance with the parameters determined by the respective data retention periods, guaranteeing availability during the retention period and ensuring that data are permanently deleted upon expiry.
The integrity and operability of the IT systems and data storage environment are monitored using advanced techniques, and the necessary capacities are continually maintained.
Events occurring in the IT environment are logged using comprehensive logging functionalities, thereby enabling the subsequent investigation of potential incidents and providing legally valid proof if necessary.
A high-bandwidth, redundant network environment is continuously provided to serve the Websites, securely distributing any load across resources.
The systems’ disaster resilience is ensured by design, and business continuity and, consequently, uninterrupted service to users, is maintained at a high level through organisational and technical measures.
Priority is given to the controlled installation of security patches and manufacturer updates that ensure the integrity of IT systems, thereby preventing, avoiding, and mitigating attempts to exploit vulnerabilities for unauthorised access or damage.
The IT environment is regularly subjected to security testing. Any identified errors or vulnerabilities are corrected, and the continual strengthening of IT security is treated as an ongoing responsibility.
Strict security expectations, including confidentiality obligations, are established for employees, and their compliance is supported through regular training. In its internal operations, the Agency strives to maintain planned and controlled processes.
Any incidents affecting personal data, whether detected internally or reported to the Agency, are investigated transparently, responsibly, and rigorously within 72 hours. All such incidents are appropriately managed and recorded.
In the development of its services and IT solutions, the Agency ensures compliance with the principle of data protection by design, treating data protection as a key requirement from the planning stage onwards.
IX. INFORMATION ON THE RIGHTS OF DATA SUBJECTS
The rights of the Data Subject in relation to data processing are as follows:
- Right to transparent information:
The Data Subject has the right to receive information about the facts and details of data processing before the processing begins. We have created this Privacy Notice to ensure this right.
- Right of access by the Data Subject:
The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the following information:
- the personal data being processed and the categories of personal data, as well as the purposes of the processing;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- Right to rectification:
The Data Subject has the right to request the Data Controller to rectify or complete any personal data that is inaccurate, incorrect, or incomplete. Before rectifying any incorrect data, the Agency may verify the accuracy and truthfulness of the data provided.
- Right to withdraw consent:
Where processing is based on the Data Subject’s consent, they have the right to withdraw that consent at any time. Such withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.
The Data Subject may withdraw their consent to data processing at any time by notifying the Data Controller in an informal manner.
- The right to erasure (“right to be forgotten”):
The Data Subject has the right to request the erasure of their personal data without undue delay, and the Data Controller is obliged to comply with such a request. However, this right does not apply where data processing is based on a legal obligation.
- Right to restriction of processing (right to blocking):
The Data Subject has the right to request that the Data Controller restrict the processing of their personal data in the following cases:
- if the Data Subject contests the accuracy of the personal data, processing shall be restricted for a period enabling the Data Controller to verify the accuracy of the data;
- if the processing is unlawful and the Data Subject opposes the erasure of the data and instead requests the restriction of its use;
- if the Data Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires it for the establishment, exercise, or defence of legal claims;
- if the Data Subject has objected to the processing, in which case processing shall be restricted pending the verification of whether the Data Controller’s legitimate grounds override those of the Data Subject.
- Right to data portability:
The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format. Furthermore, the Data Subject has the right to transmit this data to another data controller without hindrance from the Data Controller to which the personal data was originally provided. This right shall apply where:
- the processing is based on the Data Subject’s consent, or on the consent given for the processing of special categories of personal data for one or more specific purposes, or on a contract pursuant to Article 6(1)(b) of the GDPR; and
- the processing is carried out by automated means.
- Right to object:
The Data Subject has the right to object at any time to the processing of their personal data for reasons related to their particular situation, if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or if the processing is necessary for the legitimate interests pursued by the Data Controller or a third party, including profiling. In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims.
- Automated decision-making in individual cases, including profiling:
The Data Subject has the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them. The Data Controllers do not use automated decision-making.
- Notification of the data subject in case of a data breach:
If a data protection incident is likely to result in a high risk to the Data Subject’s data, rights, and freedoms, the Data Controllers will inform the Data Subject of the incident without undue delay.
- Right to lodge a complaint with a supervisory authority:
If the Data Subject has a grievance regarding the processing of their personal data, it is advisable to contact the Data Controller prior to submitting a formal complaint, in order to facilitate a quicker and more efficient resolution of the matter.
The Data Subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data infringes data protection laws.
Supervisory authority:
Name: National Authority for Data Protection and Freedom of Information (hereinafter: ‘NAIH’)
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, PO Box 9
Phone: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391-1400
Fax: +36 (1) 391-1410
Official electronic portal: Short name: NAIH, KR ID: 429616918
E-mail: ugyfelszolgalat@naih.hu
- Right to an effective judicial remedy against a supervisory authority:
The Data Subject has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning the Data Subject.
- Right to an effective judicial remedy against the data controller or data processor:
Without prejudice to their right to lodge a complaint, the Data Subject has the right to an effective judicial remedy through civil proceedings if they believe their rights have been infringed as a result of the unlawful processing of their personal data. The case shall fall under the jurisdiction of the Budapest Metropolitan Court, although the Data Subject may also bring the proceedings before the competent court of their place of residence.
- HANDLING AND REPORTING OF DATA PROTECTION INCIDENTS
A data protection incident shall be deemed to mean any event concerning personal data processed, transferred, stored or otherwise handled by the Data Controller which results in the unlawful processing of such personal data. This includes, in particular, unauthorised or accidental access, alteration, disclosure, deletion, loss or destruction, as well as accidental destruction or damage. The data protection officer shall promptly investigate any reported or detected data protection incident and, within 24 hours of becoming aware of the incident, shall make recommendations for its mitigation and management.
The Data Controller guarantees that all data processing is carried out in full compliance with the applicable legal provisions.
Should the conditions of data processing change, the Company shall inform the Data Subjects of such changes.
This Notice is effective as of 12 August 2025.
