Data Processing Notice
Purpose of the data processing information
The purpose of this data processing information is to set out the data protection and data processing
principles applied by the KUTYÁVAL EGY MOSOLYÉRT ALAPÍTVÁNY (KEMA, hereinafter: Foundation) in the
course of its activities and to provide information about these to data subjects.
The Kutyával Egy Mosolyért Foundation was established in 2011 with the aim of providing dog therapy and
training assistance dogs in accordance with the provisions of SZMM Decree No. 27/2009. (XII.03.). The aim
of the Foundation is to make dog therapy available to as many people as possible and to help as many
people in need as possible to improve their quality of life through the training of assistance dogs.
Legal background:
The basic concepts of data processing are defined in Act CXII of 2011 on the right to self-determination in
relation to information and freedom of information (hereinafter: lnfotv.), and Regulation (EU) 2016/679 of
the European Parliament and of the Council on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(GDPR, hereinafter: General Data Protection Regulation).
The Foundation performs its tasks in accordance with its Articles of Association, and the training, testing and use
of assistance dogs is governed by Decree No. 27/2009. (XII.03.) of the Ministry of Social Affairs and Labour.
Key terms
Essential basic concepts for the interpretation of this information sheet:
Data controller: a natural or legal person, public authority, agency or any other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data
; where the purposes and means of processing are determined by Union or Member State law, specific
criteria for the designation of the controller or processor may also be laid down by Union or Member
State law.
Data controller: Kutyával Egy Mosolyért Alapítvány (With Dogs for a Smile Foundation)
Registration number: Pk.60.156/2011 Tax
number: 18279166-1-03
Registered office and postal address: 6000 Kecskemét, Petúr bán u 2/a
Contact details:
e-mail: kutyavalegymosolyert@gmail.com
Email address for data management: adatkezeles@kema.hu
The Foundation’s website address: www.kutyavalegymosoIyert.hu
The data controller is also the person named as the data controller in relation to the service described in
this notice.
Recipient: the natural or legal person, public authority, agency or any other body with whom or which
personal data is shared.
Data subject: the identified or identifiable natural person whose data is processed during data processing.
Natural person: a living person who may be entitled to personal rights, such as the right to the protection of
personal data. In the case of data processing carried out on the basis of this information notice, this refers to
natural persons who, pursuant to Decree 27/2009. (XII.03.) SZMM, participate in the training, use and
examination of assistance dogs, or who participate in the work of the Foundation as volunteers in any other
way.
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
Data processing: any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, organising, structuring, storing,
adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.
Restriction of processing: marking stored personal data for the purpose of restricting their future processing.
Filing system: any structured set of personal data which are accessible according to specific criteria, whether
centralised, decentralised or dispersed at different functional or geographical sites.
Consent of the data subject: the freely given, specific, informed and unambiguous indication of the data subject’s
wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her.
Special data: any data belonging to special categories of personal data, i.e. personal data revealing racial or
ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as
genetic data, biometric data for the purpose of uniquely identifying a natural person, health data and
personal data concerning the sex life or sexual orientation of a natural person.
Biometric data: any personal data relating to the physical, physiological or behavioural characteristics of a
natural person, which can be obtained by specific technical means and which enables or confirms the unique
identification of a natural person, such as facial images or dactyloscopic data.
Health data: personal data relating to the physical or mental health of a natural person, including data
relating to health services provided to a natural person that contain information about the natural person’s
health status.
Data breach: a breach of data security resulting in the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure or disclosure of personal data transmitted, stored or otherwise processed, or unauthorised
access to such data.
General provisions
General principles relating to the processing of personal data
The Foundation processes the data of data subjects in accordance with the principles set out in Article 5 of
the General Data Protection Regulation, which are as follows:
lawfulness, fairness and transparency,
purpose
limitation, data
minimisation,
accuracy,
storage limitation, integrity and
confidentiality, accountability.
The Foundation shall not use the personal data provided for purposes other than those specified in this
notice.
The personal data provided will be processed until the data subject requests its deletion from the
Foundation. The data controller shall assess the data subject’s request for deletion as soon as possible after
receiving it, but no later than within 25 days, and shall notify the data subject of its decision in writing or, if the
request was submitted electronically, by electronic means. If the data subject’s request for erasure is
granted, the erasure shall be carried out as soon as possible.
Unless expressly prohibited by law, in the event of unlawful or misleading use of personal data, or in the
event of a criminal offence or attack against the system committed by the data subject, the Association
shall be entitled to delete the data subject’s data immediately upon termination of their registration.
However, in the event of suspicion of a criminal offence or civil liability, it shall also be entitled to retain
the personal data for the duration of the proceedings.
In certain cases specified by law — official court or police requests, legal proceedings, copyright, property
or other infringements, e.g. harm to the interests of the data controller, jeopardising the performance of its
tasks, etc., or in cases of reasonable suspicion thereof — make the data subject’s available data accessible to
authorised third parties. The data controller is entitled and obliged to transfer all personal data at its
disposal and stored by it in accordance with the rules to the competent authorities, if such data transfer is
required by law or by a legally binding official decision. The data controller cannot be held liable for such
data transfer and the consequences thereof.
As a data controller, the Foundation shall process the personal data in its possession in accordance with
the relevant legislation detailed in Section 1.1 and this notice, and shall not transfer such data to third
parties, except in the cases mentioned above.
In all cases where the data controller wishes to use the personal data provided for a purpose other than that
for which it was originally collected, it shall inform the data subject thereof and obtain his or her prior
express consent or provide him or her with the opportunity to prohibit such use.
The Foundation shall take into account the nature, scope, context and purposes of the data processing, as well
as the rights and freedoms of natural persons.
taking into account the varying likelihood and severity of risks to the rights and freedoms of data subjects,
both when determining the means of processing and when implementing the processing, appropriate
technical and organisational measures shall be implemented and enforced, which are designed to ensure
compliance with data protection principles and to incorporate the necessary safeguards into the processing to
protect the rights and freedoms of data subjects. and, on the other hand, to incorporate the guarantees
necessary to meet the requirements of the General Data Protection Regulation and to protect the rights
of data subjects into the data processing process.
The Foundation protects the data with appropriate measures, in particular against unauthorised access,
alteration, disclosure, erasure or destruction, as well as accidental destruction and damage.
Data processing for technical reasons
Data automatically recorded during the operation of the Foundation’s IT system are stored in the system
for a period of time justified by the need to ensure the operation of the system, starting from the time of
their generation. The data controller ensures that this automatically recorded data cannot be linked to other
users’ personal data, except in cases required by law. If the data subject has withdrawn their consent to the
processing of their personal data, they will no longer be identifiable from the technical data.
Purposes of data processing and information on data processing for each purpose
The purposes of personal data processing by the FOUNDATION are as follows:
In accordance with MATESZE regulations, the representative, contact person, assistance dog trainer, handler
and supervisor of the assistance dog training organisation shall comply with the conditions set out in Section
3 of Decree 27/2009. (XII.03.) SZMM.
Legal basis for data processing: the consent of the data subject and Decree 27/2009. (XII.03.) SZMM.
Persons authorised to access the data (recipients): Members of the KEMA Board of Trustees and
MATESZE.
Scope of data processed: name, birth name, place of birth, date of birth, mother’s name, position held in
the organisation, in the case of assistance dog trainers, documents certifying professional qualifications,
telephone number, e-mail address.
Duration of data storage:
In general, for 5 years from the date of data recording, until revoked.
Registration of individuals
KEMA records the data of natural persons on its IT platform for the purpose of subsequently assigning
them to documents required for the training of assistance dogs, to applications for the issuance of assistance
dog trainer certificates, or to applications for the organisation of examinations.
At the same time as the natural person’s data is entered into the Foundation’s IT system, the natural
person’s consent form for data processing is also uploaded. The natural person must provide their own email
address and telephone number on the consent form. The natural person providing the telephone number
and email address is solely responsible for the accuracy of the information provided. When providing an
email address, the person doing so also assumes responsibility for ensuring that only they use the service
associated with that email address. Any responsibility related to correspondence sent from a given email
address lies solely with the person who provided the email address.
If there is any change in the personal data provided, the data subject is obliged to notify the Foundation
within 15 days and sign a new consent form with the updated data.
The text of the consent form can be downloaded here: (link 1)
The purpose of personal data processing by the Foundation: to continue assistance dog training, to submit an
application for certification or to organise an examination.
The legal basis for data processing: the consent of the data subject and Decree 27/2009. (XII.03.) SZMM.
Persons authorised to access the data (recipients): Board of Trustees of the Foundation, representatives,
employees and agents of the Hungarian Association of Therapy and Assistance Dogs.
Scope of data processed: name, birth name, place of birth, date of birth, mother’s name, telephone number,
e-mail address. Data retention period:
Until consent is withdrawn.
Rights of data subjects and possibilities for enforcing their rights
Personal data processing of data subjectsfrom from the Foundation as
data controller adatkeze1es@kutyava1esymoso1yert.hu by email, they may request
information about the processing of their personal data (right of access),
the rectification of their personal
data, the erasure of their personal
data,
restriction of data processing,
transfer their personal data to another data controller, object to the
processing of their data,
withdraw their consent to data processing, and, if necessary,
lodge a complaint with the supervisory authority.
Within one year of the death of the data subject, the right of access, rectification, erasure, restriction and
objection may be exercised by the representative designated by the data subject during his or her lifetime
The data subject must forward the statement designating the representative to the data controller. In the
absence of an authorised representative, the right to rectification and objection, as well as the right to
erasure and restriction, if the data processing was already unlawful during the data subject’s lifetime or
the purpose of the data processing has ceased to exist with the death of the data subject, may be exercised
by a close relative of the data subject (spouse, direct relative, foster parent, stepchild, foster child, stepparent,
adoptive parent or sibling) may exercise the right to rectification and objection, as well as the
right to erasure and restriction, if the data processing was unlawful during the data subject’s lifetime or
the purpose of the data processing has ceased to exist due to the death of the data subject. The data
controller shall request the representative or close relative wishing to exercise the rights of the deceased
data subject to prove their identity and the death and date of death of the data subject. Only a death
certificate or a court decision establishing the fact of death shall be accepted as proof of the fact and
date of death: in the absence of these, the data controller shall not comply with the request of the
authorised representative or close relative.
The data controller shall consider the request for information sent by letter to be authentic and lawful if
the data subject can be clearly identified on the basis of the request sent.
The data controller shall only consider a request for information sent by e-mail to be authentic if it is sent
from the e-mail address provided by the data subject.
If there is any doubt as to the eligibility of the person requesting the information, the data controller may
ask the person requesting the information to prove their identity. The personal data used for identification
purposes shall be used solely for the purpose of identification and for the duration of the identification
process.
The data controller shall assess the request within the shortest possible time after receiving it, but no later
than 25 days, and shall notify the data subject of its decision in writing or, if the request was submitted
electronically, by electronic means.
Right of access (Article 15 of the General Data Protection Regulation)
The right of access does not mean direct access to the data or to the physical or IT systems storing them,
but rather that, at the request of the data subject, the data controller shall inform him or her whether it
processes his or her personal data; if so, he or she shall have access to the following information:
the purposes of the processing;
the categories of personal data concerned;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in
third countries or international organisations; where applicable, the envisaged period for which the personal
data will be stored, or if that is not possible, the criteria used to determine that period;
the right of the data subject to request from the data controller the rectification of personal data concerning him
or her,
erasure or restriction of processing, and to object to the processing of such personal data; the right
to lodge a complaint with a supervisory authority;
if the data were not collected from the data subject, any available information as to their source;
whether automated decision-making takes place,
the circumstances surrounding the occurrence of data protection incidents in connection with the processing
of the data subject’s personal data, their effects and the measures taken to address them.
The data controller may only refuse to provide information to the data subject in the cases specified in the
General Data Protection Regulation and the Infotv. The refusal to provide information may be justified by
if the rights of the data subject specified in this chapter (information, correction, deletion) are necessary
for the external and internal security of the state (e.g. national defence, national security, the prevention or
prosecution of criminal offences, the security of the execution of penalties), as well as the economic or
financial interests of the state or local government, the significant economic or financial interests of the
European Union, and disciplinary and ethical offences related to the exercise of professions, for the purpose
of preventing and detecting breaches of labour law and occupational safety obligations (including, in all
cases, control and supervision), as well as for the protection of the rights of the data subject or others, as
restricted by law, and if the person submitting the request for information is not the data subject and does not prove their right to
submit the request.
In the event of a refusal to provide information, the data controller shall inform the data subject in writing of
the reasons for the refusal.
The data controller shall provide the requested information in writing at the express request of the data
subject within the shortest possible time, but no later than 25 days from the date of submission of the request.
The data controller shall make a copy of the processed data available to the data subject free of charge on
the first occasion and thereafter in return for reimbursement of the costs of making the copy.
Right to rectification (Article 16 of the General Data Protection Regulation)
The data subject shall have the right to obtain from the controller without undue delay the rectification of
inaccurate personal data concerning him or her. Taking into account the purpose of the processing, the data
subject shall have the right to obtain the completion of incomplete personal data, including by means of
providing a supplementary statement (Article 16 of the General Data Protection Regulation).
Right to erasure (Article 17 of the General Data Protection Regulation)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him
or her without undue delay and the controller shall have the obligation to erase personal data concerning
the data subject without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise
processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the
processing;
legal basis for processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the
processing; the personal data have been unlawfully processed;
personal data must be erased in order to comply with a legal obligation under EU or Member State law
applicable to the data controller;
it has been ordered by a court or supervisory authority, its
legal basis has ceased to exist and there is no other
legal basis for it, and the period specified by law has
expired.
If the data controller has made the personal data public and is obliged to erase it, it shall take reasonable steps,
taking into account available technology and the cost of implementation, to inform data controllers who process
the personal data that the data subject has requested their erasure — including technical measures — to inform
data controllers who process the data that the data subject has requested the deletion of links to, or copies
or replications of, the personal data in question.
Personal data shall not be erased where processing is necessary:
for the purpose of complying with a legal obligation under Union or Member State law to which the data
controller is subject, or for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the data controller;
(The tasks and obligations of the Hungarian Association of Therapy and Assistance Dogs as a cooperating
organisation are defined in Decree 27/2009. (XII.03.) SZMM.)
to assert, enforce or defend legal claims. The data controller shall notify
the data subject of the deletion.
The data controller shall be entitled to restrict processing (Article 18 of the General Data Protection Regulation
Article 18)
The data subject shall have the right to obtain from the controller restriction of processing where one of
the following applies
the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period
enabling the controller to verify the accuracy of the personal data
the data subject contests the accuracy of the personal data, in which case the restriction shall apply
for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the
restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by
the data subject for the establishment, exercise or defence of legal claims;
due to unlawful data processing, the data should be deleted, but based on the data subject’s written
statement or the information available to the data controller, it can be reasonably assumed that the
deletion of the data would violate the legitimate interests of the data subject, for the duration of the
legitimate interest justifying the omission of deletion,
due to unlawful data processing, the data should be deleted, but the data controller or another body
performing public tasks, or with their participation, must retain the data as evidence in the course of
investigations or proceedings specified by law, in particular criminal proceedings, until the final and legally
binding conclusion of such investigations or proceedings;
the data should be deleted due to unlawful data processing, but it is necessary to retain the data for the
purpose of fulfilling documentation obligations for criminal prosecution, until the date specified in Section
25/F(4).
If data processing is restricted on the basis of the above, such personal data may only be processed, with
the exception of storage, with the consent of the data subject, or for the establishment, exercise or defence
of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of
important public interest of the Union or of a Member State.
The data controller shall inform the data subject whose data processing has been restricted on the basis of
the above in advance of the lifting of the restriction on data processing.
Data portability Article 20 of the General Data Protection Regulation
The data subject shall have the right to receive the personal data concerning him or her, which he or she has
provided to a controller, in a structured, commonly used and machine-readable format and have the right to
transmit those data to another controller.
receive the data in a structured, commonly used and machine-readable format, and have the right to transmit
those data to another data controller without hindrance from the data controller to which the personal
data have been provided, where:
the processing is based on the consent of the data subject, or
the processing is necessary for the performance of a contract to which the data subject is party, or it is
necessary for taking steps at the request of the data subject prior to entering into a contract, and the
processing is carried out by automated means.
When exercising the right to data portability, the data subject shall have the right to request the direct transfer
of personal data between data controllers, where technically feasible. The right to data portability shall not
adversely affect the rights and freedoms of others.
Right to object (Article 21 of the General Data Protection Regulation)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at
any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article
6(1) of the General Data Protection Regulation, including profiling based on those provisions.
(Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller”);
Point (f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or
by a third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data subject
is a child.”)
In this case, the data controller may no longer process the personal data unless the data controller demonstrates
compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data
subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to
object at any time to processing of personal data concerning him or her for such marketing, which includes
profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing
of personal data for direct marketing purposes, the personal data shall no longer be processed for that
purpose.
The Kutyával Egy Mosolyért Alapítvány (A Smile for a Dog Foundation) does not process data for direct marketing
purposes.
According to Article 22 of the General Data Protection Regulation, the data subject shall have the right not
to be subject to a decision based solely on automated processing, including profiling, which produces legal
effects concerning him or her or similarly significantly affects him or her.
The Kutyával Egy Mosolyért Alapítvány (A Smile for a Dog Foundation) does not carry out automated data processing.
Right to withdraw consent
The data subject has the right to withdraw their consent to data processing at any time. The withdrawal of
consent does not affect the lawfulness of data processing based on consent before its withdrawal (General Data
Protection Regulation, Article 7(3)).
If the data subject withdraws their consent, which forms the basis for data processing, and there is no other
legal basis for data processing, the data must be deleted. However, if there is another legal basis, such as
Decree 27/2009. (XII.03.) SZMM defining the tasks of the Association as a cooperating organisation, the
Association is not obliged to delete the data.
If the data subject withdraws their consent to data processing, this may have a negative impact on the
data subject, for example, in the absence of consent, the Association will not be able to perform the tasks
assigned to it by law.
Submission of a complaint to the supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right
to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal
data relating to him or her infringes the General Data Protection Regulation (General Data Protection
Regulation, Article 77(1)).
Name of the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH) Postal address:
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Informing the data subject about any data protection incidents (Articles 33 and 34 of the
General Data Protection Regulation)
If a data breach has occurred and the data breach is likely to result in a high risk to the rights and freedoms
of natural persons, the data controller shall inform the data subject of the data breach without undue
delay.
This notification must clearly and comprehensively describe the nature of the data protection incident
and must include at least the following information:
the name and contact details of the data protection officer or other contact person providing further
information;
the likely consequences of the data protection incident;
the measures taken or planned by the data controller to address the personal data breach, including,
where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The data subject shall not be informed of the data protection incident if any of the following conditions are
met:
the data controller has implemented appropriate technical and organisational protection measures,
and these measures have been applied to the data affected by the data breach, in particular
measures, such as encryption, that render the data unintelligible to any person who is not authorised to access it;
the data controller has taken further measures following the personal data breach to ensure that the high
risk to the rights and freedoms of data subjects is no longer likely to materialise;
the provision of information would involve a disproportionate effort.
In such cases, the data subjects shall be informed by means of publicly available information or by similar
measures that ensure that the data subjects are informed in a similarly effective manner
Entry into force and amendment of the Data Processing Notice
This Policy shall enter into force on 10 February 2021. The Foundation shall provide information on data
processing operations not listed in this Policy (ad hoc data processing) at the time of data collection.
The Association reserves the right to amend this Data Processing Notice at any time by unilateral
decision, but the amended Data Processing Notice must also comply with the provisions of the General
Data Protection Regulation and the lnfotv. Following any amendment to the data processing notice, the
data subject must be informed in an appropriate manner (e.g. by e-mail). In the absence of any objection,
the data subjects shall be deemed to have accepted the amended data processing rules, and no further
consent shall be required.
Dated: Kecskemét, 10 February 2024.
Represented by the WDSF
Foundation: Chairwoman RékaJuharos