Privacy Policy

BEHOLDER Project

Privacy Policy

Introduction to the BEHOLDER project
Summary of data processing activities across the project
Responsibilities of processing
Overview of the legal bases and purposes of data processing
Categories of personal data processing and their legal bases
Data processing parties
Principles and processes of data management
The rights of data subjects

INTRODUCTION OF THE BEHOLDER PROJECT

The BEHOLDER project, under which personal data will be processed according to this privacy notice, aims to mitigate chemicals, biological, radiological, nuclear and explosive (CBRN-E) threats and risks cities in the European Union face today. Enhancing security in public spaces and urban environments is essential to create safer, more liveable conditions and to shaping a compelling future vision for the territory of the EU, which benefits us all. To achieve these goals, the BEHOLDER project shall keep an eye on the bigger picture rather than relying on isolated actions of separated actors. Broad participation and close collaboration between the project’s partners, along with the involvement of stakeholders, external experts and the general public, are necessary, during which both retrospective and real-time processing of a wide range of personal data is inevitable. The EU, under whose auspices the BEHOLDER project and the related data collection will be conducted, acknowledges the importance of data security by establishing a robust framework to safeguard personal information, which provides guidance and outlines the responsibilities and regulations for every project partner. These responsibilities will be detailed and properly communicated to the partners through various documents, including this notice, over the course of the project, ensuring that all individuals with access to personal data are sufficiently trained and familiar with the applicable legal standards.

The following privacy notice outlines how personal data collected under the BEHOLDER project is processed in connection with the services offered by Székely Family and Company Non-profit Kft. (hereinafter referred to as: “SFC”, “the controller” or “the company”), acting as the main data controller, in accordance with the legal framework established by the EU; especially the European General Data Protection Regulation (GDPR), which serves as the core of this privacy notice. Due to the complex and multifaceted nature of the project, it is inevitable that other partners also process personal data as data collectors or processors. These processing activities will likewise be governed and limited by the provisions of this privacy notice.

The primary goal of this notice is to inform individuals (data subjects), whose data may be collected under the BEHOLDER project, about the processing activities and their rights related to this processing as well as the legal obligations and responsibilities of the data controller. The notice defines the fundamental principles for the protection of personal data by establishing and imposing a strict guideline on the data controller and other data processing entities who are also involved in the implementation of the project – while ensuring that data subjects have control over their personal data. By requiring project partners to comply with the regulations detailed in this privacy notice, we ensure that data collection, handling, processing, storage and termination are carried out under explicitly and transparently defined parameters. To provide adequate and comprehensible information on the listed topics, this notice aims to offer simple and clear explanations, presenting the legal framework within which data processing takes place. In case of any ambiguity or dispute regarding interpretation, the company’s Data Protector Officer (DPO) will be happy to provide further assistance at the request of the data subject.

SUMMARY OF DATA PROCESSING ACTIVITIES ACROSS THE PROJECT

To provide data subjects with a comprehensive overview, the following table summarizes the purposes and legal bases on which the consortium of the BEHODLER project intends to collect and process different types of data.


Activity	Categories of personal data collected	Purpose of data processing	Legal bases
Logs of the project team members	Names, contact information, position, payment informations	To meet contractual obligations towards employees or to protect a partner’s legitimate interests, certain personal data of employees will be processed during the project.	The data is collected based on two main legal grounds: fulfilling the contractual obligations of the involved parties, and protecting legitimate interests closely related to those obligations [Article 6(1)(b) and (f) of the GDPR].
Contact list produced by the involvement of practitioners and/or external stakeholders	Names, contact information (e.g. email address, phone number)	Data might be collected based on the collector’s legitimate interest from individuals who might potentially become participants in the project. Such data will be deleted upon the individual's request or once it is no longer necessary (e.g. after the project ends).	Data might be collected based on the collector’s legitimate interest from individuals who might potentially become participants in the project [Article 6(1)(f) of the GDPR].
Contract between data subjects (practitioners, stakeholders) and the controller	Name, contact information, postal address, tax or other unique ID (depending on national rules), birthdate	Data from contractual partners will be collected to comply with contractual obligations.	To fulfil the obligations and counter-obligations arising from the concluded contract, the partners will process certain categories of personal data. [Article 6(1)(b) of the GDPR].
Engagement of stakeholders and other consortium members	Name, contact information, electronic contact (e.g. Facebook), recordings (e.g. pictures, videos) on workshops, affiliation	By participation in events organized throughout the project’s lifetime, individuals consent to the processing of certain personal data. Detailed information on the extent of such processing will be provided in the invitation or notification of the events.	Regardless of whether the event in question requires registration, the project partners may only process any personal data of a participant based on their informed consent, which must be obtained prior to the collection of the data (e.g. before taking a photo or video). [Article 6(1)(a) of the GDPR].
Internal communication and milestone coordination of the consortium	Names, phone number, email address	Consortium members must stay in close contact to ensure effective teamwork. To support collaboration, their personal contact information might be managed and shared with others in the project, especially when organizing meetings or assemblies based on the member’s legitimate interest and contractual obligations.	The facilitation of internal communication is primarily based on contractual obligations of the consortium and its members. In exceptional cases, it may also take place on the grounds of legitimate interest. [Article 6(1)(b) and (f) of the GDPR].
Cookies (trackers)	IP-address, username, browser type or version, names, electronic contact	Upon visiting the BEHOLDER website essential and non-essential cookies might track certain types of data. Consent of the visitor will be requested before the use of the latter and the consent can be withdrawn at any time.	The operation of all trackers used by the website, including cookies, is contingent upon the visitor’s prior informed consent. [Article 6(1)(a) of the GDPR].
BEHODLER newsletter	Name, email address, phone number, electronic contact	This data is provided by the data subject when signing up for the BEHOLDER newsletter. Processing is based on informed consent. The purpose of processing is to inform people about the progress of the project.	The sending of a newsletter may only be based on the participant’s informed consent, and accordingly, they must voluntarily provide the necessary data to the project partners. [Article 6(1)(a) of the GDPR].
Attendance at scientific conferences and workshops	Name, contact information, electronic contact, recordings (e.g. pictures, videos) on workshops	Members of the scientific community are welcome to attend our events and special conferences organized to enhance their engagement. Recordings at the event require the informed consent of the individuals who appear in them	Participation in scientific events is voluntary, and only individuals who have explicitly given their prior informed consent may appear in recordings made at these events. [Article 6(1)(a) of the GDPR].
Publications	Name, scientific identifier	The project’s scientific outcomes will be published in research journals, including only the minimal amount of personal data necessary, in accordance with the principle of data minimization and the requirements of Open Science.	The publication of materials related to the project requires either the publisher's consent or a contractual basis. [Article 6(1)(a) and (b) of the GDPR].
Accidental findings of personal data	Names, contact information, etc.	It may happen during the project that members come across data not directly connected to the project, which cannot be legally processed for any purposes. A prompt decision must be made regarding whether this data can be processed on any legal basis, and if not, it must be deleted without delay.	The data can be retained until a decision is made regarding the legal basis for its processing. Meanwhile, it may be processed or handled under the members’ legitimate interests. [Article 6(1)(f) of the GDPR].

RESPONSIBILITIES OF PROCESSING

Data controller responsible for data management

Székely Family and Company Non-profit Ltd.,
1191 Budapest Fő utca 11. 7/20.,
info@szekely.family

The task of data management in the BEHODLER project is led by SFC, acting as the data controller. However, given the nature of the project and regarding the cooperation among consortium members, it may occur that the SFC forwards the data it collects and processes to other members to ensure smooth operation. In these scenarios, the data subject must be adequately informed about this possibility before data collection begins. The information provided must include the contact details of the consortium member(s) to whom the data may be forwarded, and their respective privacy policies must be made accessible to the data subject (e.g. via an internal link). SFC is responsible for ensuring that the data subject acknowledges and understands the potential for such data sharing.

In greater detail, internal data forwarding for the members of the consortium will be regulated by the Consortium Agreement, Grant Agreement and this privacy notice.

Data Protection Officer (DPO)

Bence Juhász
sustainability@szekely.family

Data processors

Additionally, the project will engage multiple data processors that will facilitate the storage and processing of the data handled:

Google (e.g. using Google Forms for event registration)
Microsoft (e.g.: using Word to write scientific reports including personal data)

All of this data is stored in servers in the EU.

OVERVIEW OF THE LEGAL BASES AND PURPOSES OF DATA PROCESSING

We would like to provide clear and accurate information to the individuals involved in the BEHOLDER project regarding the processing of their data, regardless of the purpose for which the processing might take place. Therefore, this privacy notice first presents the legal framework within which the consortium will operate. It will then outline the purposes and legal bases for any processing of personal data of the subjects as well as the conditions under which such data might be accessed by any member of our consortium or third parties.

Data subjects can find out why their data is being collected and how it will be used from the legal basis and obtain information about the specific purpose behind data processing (e.g. ensuring communication between the data subjects and the collector, fulfilling obligations arising from a contract, sending out our newsletter).

You can find an overview of legal bases and purposes of data processing:

If ‘the data subject has given informed consent to the processing of his or her personal data for one or more specific purposes’ [Article 6(1)(a) of GDPR], the controller will process data for various purposes as detailed in the consent form (e.g. business networking, subscription to our newsletter, visiting our website, usage of cookies, to appear in recordings). The objective is to create user-friendly communication channels (e.g. newsletters, event invitations) and ensure the dissemination of the project’s outcomes and milestones. This involves the collection of individual’s names and email addresses to inform them upon the state of the project. This method of data processing facilitates the proper functioning of the consortium and smooth communication between the parties.
Data will be processed where ‘processing is necessary for the performance of a contract between the data subject and the controller or where it is necessary to take action at the request of either one of the parties prior to the conclusion of the contract’ [Article 6(1)(b) of the GDPR]. For example, when the company drafts a contract or monitors its progress, issues certification of performance or invoices, we use the data to generate documents in this context and for these purposes. During the BEHOLDER project the consortium members aim to create long-lasting partnerships with external experts and other partitioners founded on the mutual will and interest of both parties.
To manage and operate the company, the controller will process data if ‘the processing is necessary to fulfil the legal obligation of the controller’ [Article 6(1)(c) of the GDPR]. This includes, for example, tax returns, payrolls, registers of safety training, employee registration, other documents and protocols required by Hungarian Law.
In order to pursue our legitimate interests, we process the data where ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ [Article 6(1)(f) of the GDPR]. This includes the contact information of potential experts and practitioners with whom the consortium whish to enter into a contract in the future, the use of data of our website’s visitors or employees to pursue legal and/or financial claims, recorded dispute settlement teleconferences or meetings, disclosing information about possible criminal acts or security threats to the authorities.

Data processed on the basis of legitimate interest may serve a wide range of purposes, which, without aiming to provide an exhaustive list, may primarily include the following:

Responding appropriately to a request or inquiry sent by a visitor using the contact information provided (e.g. sending a response email to the sender’s address).
Forwarding a visitor’s personal data to a partner in the BEHOLDER project to enable them to establish direct communication and provide more detailed and extensive information.
Reserving the right to take legal action, defend the partners in legal proceedings and enforce legal claims.
Ensuring the security of our website, social media channels, products, and services against misuse and unlawful activities.
Marketing and promoting our products, services, and brands to ensure their successful commercialization.
Storing the contact details of certain external participants in order to have the possibility to get in touch with them in the hope of a future collaboration.
In rare and exceptional cases, project partners may become aware of personal data that is not related to the project and therefore they are not authorized to process it. Under these circumstances, the data in question may be processed temporarily on the basis of the partner’s legitimate interest, solely to determine whether a valid legal basis or purpose for processing exists. If necessary, the opinion of the DPO or the Ethics Advisory Board will be sought during this assessment. If the final decision confirms that none of the partners has a legitimate interest justifying the processing, the data must be permanently deleted.

CATEGORIES OF PERSONAL DATA PROCESSING AND THEIR LEGAL BASES

After providing a broad overview of the general objectives and purposes of data processing, we would like to present the specific types of data that may be handled throughout the lifetime of the BEHOLDER project. To ensure seamless and uninterrupted execution of multiple activities and tasks, effective collaboration among participants and full compliance with legal and any other obligations, the project’s partners (consortium members) will collect and process various types of data. Nevertheless, any data collection and processing must be carried out solely for the purposes and on the legal basis set forth in this privacy notice. All consortium members hereby commit to fully comply with these requirements.

Special categories of personal data

Under the GDPR, certain types of personal data are classified as special category data, the collection and processing of which are permitted only under limited circumstances. This category includes information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, data concerning sexual orientation as well as the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person. The BEHOLDER project is not expected to involve the processing of any data that falls within this special category.

Since the BEHOLDER project collects data on a larger scale from multiple sources and is designed to manage a rather extensive database, it is important to consider potential “what-if” scenarios involving the inadvertent inclusion of special category data. In such unlikely cases, data processing must follow an alternative procedure that ensures the data subject is notified and can exercise their rights as effectively as in any other instance of processing. By establishing a clear procedure for handling such situations, data processors and participating partners are also made aware of their responsibilities. If a partner, a data subject or a third party identifies the presence of special category data, the collector, the Ethics Advisor Board or the Data Protection Officer (DPO) must be notified. The DPO will evaluate the relevance of the disclosed data and determine whether continued processing is necessary, appropriate within the context of the BEHOLDER project, or justified by any of the legal bases outlined below. If the data in question does not meet these criteria, it must be permanently terminated. However, if the further processing of such data is legally justified, the collector is not obligated to delete it. For example, such cases might arise when the data subject gives explicit and informed consent for the processing of their data for a specific purpose.

We would like to reiterate that the occurrence of such situations is highly unlikely, as the BEHODLER project does not collect personal data without the data subject’s knowledge. Regardless of the legal basis for processing, data subjects will always be informed in advance about the scope of the data being collected.

Data protection during the execution of work tasks

Every employee engaged in the BEHOLDER project under a valid employment or other legally binding contract with one of the project partners is obligated to adhere to the following requirements, which are intended to improve the quality of data security. Devices (e.g. phones, laptops, tablets) must be secured with strong PIN-codes or passwords, and an auto-lock mechanism must be enabled when devices are left unattended. Internal meetings within a partner’s organization, especially if personal data is discussed, must not be recorded without an explicit permission. If such recordings are made, they are subjected to the same principles and requirements outlined in this privacy notice.

The collector may maintain logs of data access by its employees and their activities can be monitored within legal boundaries (e.g. data stored on work-related devices can be checked by a supervisor appointed by the controller).

If an employee of the controller is not assigned any work tasks related to the project, access to the data processing connected to the project must be strictly prohibited and effectively prevented. Even if an employee is involved in the project, they may only access data to the extent and within the scope necessary for carrying out the previously assigned tasks.

In addition, all beneficiaries participating in the BEHOLDER project must maintain records of their employees who are involved in activities related to the implementation of the project and who have been authorized to access classified information. Information from these records may be retrieved if an issue related to unauthorised disclosure or processing arises or if a legitimate interest arises on the part of a consortium member in connection with a beneficiary’s employee (e.g. for the purpose of conducting a legal dispute).

The personal data of employees participating in the BEHODLER project will be processed by the respective consortium member employing them under an employment contract, as well as by the project coordinator (DISSS) at a higher level. The legal basis for this processing includes, on one hand, the fulfilment of contractual obligations (e.g. salary transfers), and on the other, compliance with financial transparency and budgeting requirements, as the BEHOLDER project is funded by the European Union. This data may also be processed by the parties when there is a legal obligation to do so (e.g. reporting to an EU body on the project’s financial status or to submit data to various national authorities).

Consortium management

Members of the BEHOLDER project’s consortium are required to maintain close contact with one another to maximize cooperation and enhance the success of teamwork. To establish effective collaboration, it is necessary to manage the contact information (personal data) of consortium members and, where appropriate, share it with other members of the BEHODLER project. Certain personal data (e.g. phone number, email address) might be shared to facilitate communication or provided to the organizing party when internal meetings or semi-annual assemblies (e.g. General Assemblies), whether held physically or in a hybrid format, are being arranged. Primarily the project coordinator (DISSS), and additionally any consortium member seeking to communicate with another, reserves the right to collect and process the personal data of the members on the basis of their legitimate interest, limited strictly to what is necessary for effective internal communication.

Beside internal communication, responding to external opportunities is equally important for the project to succeed. Within the context of project management, methodologies and roles may be defined by the task leader (OpenRemote) to support external research and innovation activities. As part of these activities, ongoing patent and intellectual property rights (IPR) research and the implementation of IPR protection measures might involve processing of relevant personal data, which will be managed in accordance with the applicable data protection requirements detailed in this privacy notice.

Data related to practitioners and citizens

The BEHODER project is built on the principle of close cooperation among various external partners, as its main goal, to create a safer urban environment, can only be effectively achieved through teamwork. Following this approach, the involvement of different stakeholders, partitioners and citizens is essential.

In order to make the results of the research carried out under the BEHOLDER project applicable in real-world settings, the project seeks to engage multiple practitioners (e.g. local government managers, urban planners, general public). The data collector may process the personal data of those involved in the practical aspects of the project for various purposes and on different legal bases. Based on the legitimate interest of the collector, names and contact information of potential external practitioners, may be collected and processed. After contacting a potential practitioner (candidate), an offer to enter into a contract may be made. From this initial preparatory step, which is known to both parties, the legal basis and the extent of data processing will be adjusted accordingly. This means that different categories of data may be collected from the data subject if such processing is necessary for the performance of the contract. The content of the contract concluded between the data subject and a member of the consortium may not be limited solely to ensuring participation but may also include a non-disclosure agreement (NDA).

Stakeholders’ engagement

The BEHOLDER project’s structure was designed to support wide-ranging participation, extending beyond the involvement of various partners and internal consortium members. Success also requires a multi-stakeholder engagement from public and private actors. At the outset, the active engagement of all partners and stakeholders is essential to refine and gather the specific needs we intend to address by the end of the project. Throughout the project’s duration, multiple collaborative workshops (online and hybrid), expos, conferences, and regular consultations will be held to connect the consortium with diverse end-users and stakeholders, while showcasing the project’s progress and achievements. The project aims to conduct multiple user feedback sessions to collect s from practitioners across the field (e.g. to refine the GUI design) and to incorporate stakeholders’ proposals and feedback into ongoing developments, ensuring their perspectives are considered as the project evolves. To establish contact with potential stakeholders (e.g., city authorities) who may be invited to submit proposals in the future, the consortium needs to access a limited set of their personal data (e.g., email addresses and other contact information). This data will be processed based on the consortium’s legitimate interest and will be deleted if no cooperation is established and the data is no longer necessary for future collaboration, or if a new legal basis applies (e.g., a contract is concluded between the parties).

Attendance at the events organised by the project’s partners is voluntary. If individuals choose to attend, their personal data may be collected based on the legal bases of informed consent. At some events short videos and pictures will be taken and posted of the project’s website and/or other social media channels. Mini video interviews with project partners may also be conducted, subject to their informed consent. In these situations, the scope of consent is determined by the individual who gave it, which means that they may agree to certain data processing activities (e.g. participation in a group photograph) while refusing others (e.g. personal interviews).

At events where registration is required, participants may voluntarily register after reading the provided and adequate information published on the website where registration can be submitted. In some cases, participants may also be notified via confirmation emails about the extent of data collection and processing during the event (e.g. that recording may take place). For events open to the public without registration, appropriate information about data collection will still be available. For example, this may include notices posted on the event’s promotional website, announcements displayed on event materials, cautionary signs at the venue, or verbal notifications made during the event. In such situations, the notice informs participants about the possibility of recordings being made during the event. Attendance with awareness and understanding of this possibility is generally interpreted as consent to appear in the recording. Nonetheless, participants must be allowed to define the limits of their consent, being featured in photos and other recordings must not be a precondition for attending the event. If someone does not wish to appear In such media, they must be given the opportunity to express their will explicitly and cannot be compelled to appear in recordings solely on the basis of attending the event.

In certain cases, data collection and processing may also be carried out based on the legitimate interest of the consortium or a third party. For example, this may include collecting data for statistical purposes, such as participation numbers or attendance figures. Data collection may sometimes be required by legal obligations during events, such as when an accident occurs and the appropriate authorities need to be notified.

The project’s partners might reach out to specific stakeholders for direct engagement, although processing of their personal data only occurs if informed consent has been obtained or they have previously entered into a contract. Even in this case, the collector may only process data that fall within the applicable legal basis.

Website and dissemination materials

To support the adoption and the integration of the BEHOLDER project’s results among relevant stakeholders and the general public, dissemination, exploitation, innovation uptake activities and the maintenance of continuous communication channels must remain a central focus and will not be overlooked. The key communication tools include short videos, infographics, banners, posters and (scientific) publications. While the project aims for constant and regular communication with the public, ad-hoc or emergency communication might also happen if required (e.g. sending out a notification in the event of an unforeseen circumstance).

A publicly available, open-access BEHOLDER website will be created and launched by the project to reach the general public and share information on the project’s objective(s). Upon visiting the website, cookies and similar tracking technologies will be used to enhance functionality and to analyse usage. These trackers might collect certain types of personal data (e.g. IP-address, browsing behaviour). The website clearly distinguishes between different categories of cookies, such as essential (strictly necessary) and non-essential (e.g. preference, marketing) ones. Essential cookies ensure the functionality of the website and cannot be disabled via the cookie consent tool. They are used based on legitimate interest, as the website and its specific services (e.g., logging in) would not function correctly without them. The use of non-essential cookies requires the visitor’s informed consent, which must be obtained prior to the activation of any such cookies.

Before accessing our website, visitors will be provided with accurate and specific information about the categories of data each cookie tracks and the purpose of such processing, presented in plain and easily comprehensible language. A cookie consent popup will inform visitors about their option to give informed consent, the extent of data processing while browsing the pages of the website and the opportunity to access more detailed information about trackers used. Visitors will be able to manage their cookie preferences at any time through the website settings. Non-essential cookies, which require consent, which require consent, will cease data tracking if visitors withdraw their consent.

Beside the website, several social media channels (e.g. LinkedIn, YouTube channel) will be set up to produce, publish and post content in accordance with the project’s progress status. For example, recordings made at the events, as mentioned above, will be posted on these platforms. SFC is responsible for developing and maintaining both the website and the media channels, who therefore primarily has access to the personal data necessary for their smooth operation (e.g. data tracked by cookies), Nevertheless, all partners will have the opportunity to provide partner introduction, posts on project activities and post news on their own or the project’s media account. In this case, if another consortium member has a legitimate interest, they might also gain access to the acquired data. For example, a guest who created an account on the website could receive an invitation to an event from any member via the email address provided or get notified through their social media account.

Dissemination activities have a fundamental importance throughout the BEHOLDER project to share the benefits with the general public and receive feedback. Engagement of stakeholders, the scientific community and public actors (e.g. inventors, NGO’s) is essential for the exploitation and dissemination of the project’s outcomes. We aim to motivate and incentivise stakeholder to initiate further cooperation, conduct market analysis and to carry out needs assessment. During these activities the consortium might collect data of the potential participants based on its legitimate interest and reach out to them to offer the possibility of entering into a contract to qualified candidates. The requirements for such data processing are identical to those applied when the consortium seeks to engage with external practitioners.

To properly inform the interested public, the BEHODLER project will distribute an electronic newsletter at regular intervals. Subscription to the newsletter will be available online via our website. When a data subject signs up, certain types of data must be provided in order for the project members to establish contact with the individual. The processing of this data is based on informed consent given electronically by the data subjects themselves. Subscribers to the newsletter will have the option to unsubscribe at any time. By unsubscribing, data subjects withdraw their consent, and their data related to the newsletter will be deleted.

Scientific community and publications

The support and involvement of the scientific community are vital to the success of the BEHOLDER project. Multiple research institutions will be approached in order to request their insights and collaboration in advancing the project. To enhance their engagement, several scientific conferences and dedicated workshops will be organized. Participation in these types of events will be subject to the same data collection regulations as previously outlined.

Publications of research outcomes will be ensured in high-impact journals. Since the BEHOLDER project is implemented within the framework of the Horizon programme, it adheres to the established principles such as Open Science. Researchers publishing their work under the project must comply with transparency, accessibility and reproducibility promoted by Open Science. For example, open access to research data implies that the data supporting publications will be shared in repositories like Zenodo after appropriate safeguards for personal data security have been applied. When individuals are involved in a research-focused part of the project, we ensure that their data is anonymized or pseudonymized before publication whenever possible. Participants will be informed about the potential for open publication, and only data necessary to validate or understand the research findings is made publicly available. Research publications will not include personally identifiable information unless explicit and informed consent has been obtained, such consent can be withdrawn at any time for future use. Prior to the release of any external publications, SFC will present a detailed publication and quality assurance process to which our research partners will be informed and adhere. This quality assurance process is subjected to internal peer reviews and the approval of the project coordinator. During these quality assessments, it is possible that the project coordinator or other members of the consortium may gain access to a researcher’s personal data. However, even in such cases, these data will not be processed beyond what is necessary for the processors’ legitimate interest (e.g. storing email addresses for future cooperation), for fulfilling contractual obligations (e.g. transferring agreed remuneration to a bank account specified in the contract), or for complying with legal obligations (e.g. submitting data to tax authorities after payment has been made).

DATA PROCESSING PARTIES

As the BEHOLDER project relies on extensive collaboration, teamwork among consortium members and task division, the data controller and processor of personal data may be more than one member depending on the specific activity in connection with the personal data in question is processed by the project partners. This means that the identity of the data controller may change based on which consortium member is responsible for managing the specific task at any given time. For example, dissemination and sharing of the project’s tangible outcomes with the general public are managed by SFC; therefore, any data collected in connection with these activities (e.g. website, newsletter, social media posts) will primarily be processed by them acting as the data controller.

A designated group has been appointed to be responsible for data management, a task led by the SFC. Personal data will mainly be handled by the members participating in the execution of this task during the project (e.g. OpenRemote, UW). However, this arrangement does not exclude the possibility that other members may also access, handle and process the incoming data. The framework for internal data transfers is governed by the project’s Consortium Agreement among the partners. This document ensures that all members and their affiliates act in compliance with EU legal standards, including in matters of data processing and transfers. For example, in the case of data transmission, the principle of data minimisation is particularly upheld, ensuring that only the data strictly necessary for the execution of a specific task within the project is processed.

The BEHOLDER project has a central coordinator (DISSS) who will have the ability to access all processed data, regardless of which partner collected them, as they review the workflows and monitor the progress of every task. Nevertheless, data transfers among the consortium members must comply with the legal requirements outlined in this privacy notice. Therefore, the coordinator itself and any other member may only access such data if there is a valid legal basis that underpins its action (e.g. legitimate interest in establishing contact or explicit consent). For example, by giving consent, a data subject may agree that their data can be accessed and processed by all consortium members when participating in an event, providing insights, conducting a review, or publishing their findings regarding the project outcomes. As a general practice, the data subject should expect that their data, processed on any lawful basis, may be handled by any member of the consortium, unless they were explicitly informed otherwise at the beginning of the processing (e.g. due to a contractual restriction).

Even if different members contribute to data processing, this collaboration and sharing of responsibilities does not change the fundamental requirement that all data processing must remain purpose-bound. This means that membership in the consortium alone does not grant the right to access personal data. At least one of the previously stated purposes must apply to the specific situation in which a member wishes to process the collected personal data. For example, this may include the intention to establish further contact or to enter into a contract with an external expert, sending their own message through media channels (e.g. via the newsletter, to those who have previously provided their contact information), transferring data to their relevant national authority (e.g. to national statistical institutes) or when a legitimate interest arises for any member (e.g. enforcement of a legal and/or a financial claims). Even when a valid purpose is identified, only members who guarantee adherence to the necessary data security requirements, such as taking technical and organizational measures, are permitted to handle the data.

The data subject will be notified in advance at least about the possibility of internal forwarding of their data before the processing begins. If such an internal transfer occurs and the data starts to be processed by another consortium member, a personal and specific notification will be sent to one of the contact addresses.

The standard data transmission protocols outlined in this privacy notice should apply at all times, including during internal transfers of the members’ personal data between project partners. Data processing activities conducted within the internal network established under the BEHOLDER project are not exempt from data security regulations and must fully comply with them. Accordingly, if a consortium member intends to access the personal data of another member or one of their specific associates, they must demonstrate a valid purpose or legal basis for such a request. Nonetheless, general contact details may be shared among the members under a lower level of protection to facilitate smoother collaboration. For instance, this enables members to quickly obtain the necessary contact information of a colleague involved in joint tasks, enhancing a smooth communication when/if a work-related issue arises.

No data transfers outside the European Union will take place during the lifetime of the BEHOLDER project. The transfer of data within the European Economic Area (EEA) to third parties, as part of data processing activities, must comply with the same legal requirements established by the GDPR. Therefore, the existence of a valid legal basis is essential.

To summarize the possible reasons for data transfer, it may occur based on the following grounds:

Based on the data subject’s explicit, valid and informed consent that specifically covers both the relevant data and its transmission. For example, if the data subject agrees to hand over their email address to another member of the consortium or project partner so that direct personal contact can also be established with them.
Personal data processed on a contractual basis may be transferred if it is necessary for the fulfilment of obligations arising from the contract by either party. For example, an external contractor party may receive instructions from another consortium member, or their remuneration may be processed by a party other than their direct contractor, requiring the disclosure of their bank account details.
Data may be transmitted by the collector to another consortium member acting as the processor when such transfer is legally required under the basis of legal obligations. For example, when the other consortium member is also subject to obligations imposed by its national authority or European Union institution (e.g. financial reporting).
Data may be disclosed to public authorities by the data collector itself as required by its legal obligations (e.g. the tax identification mark of the employee to the tax authority).
If transmission is necessary to protect the legitimate interest of the controller, the processor, third parties or the data subject. This category may encompass a wide range of data processing scenarios, the full scope of which cannot be exhaustively listed in advance. When data is transferred on the basis of legitimate interest, a proportionality assessment will be conducted, weighing the interest of the involved parties. If the legitimate interest clearly outweighs the potential harm to the data subject, the transfer will be carried out. However, the data subject will be notified accordingly, if such a transmission is necessary and based on that notification, they will have the opportunity to contact the DPO and/or exercise their right to erasure, in accordance with the terms described in the relevant section below.

Regardless of whether the data is shared with internal (e.g. among the consortium members) or external (e.g. authorities) parties, the data subject will be informed about the third-party recipients of personal data at the time when data is collected (see more in “Right to be informed” section).

PRINCIPLES AND PROCESSES OF DATA MANAGEMENT

Székely Family and Company Non-profit Llc. as the BEHODLER project’s main data controller undertakes the responsibility to comply with legal obligations under the GDPR during its operations and ensures that all participants (consortium members) granted access to the collected data adhere to the relevant provisions laid down in this privacy notice. The primary purpose of the processing of personal data is to fulfil the collector’s contractual obligations, ensure smooth operations, protect legitimate interests and support the dispersion of the project’s achievements. In exceptional cases, data processing may also be carried out for the purpose of handling complaints or as required by a legal order or applicable law. Consequently, data processing will occur on the basis of mutual interests of the data subject and the controller or based on other explicitly stated legitimate purposes mandated by law or legal order that may also justify data processing. Consistent with the principle of purpose limitation, personal data will not be collected or processed for any purposes other than those specified above.

In accordance with the principles of data minimisation and storage limitation as stated in GDPR, the collector will refrain from processing any kind of data that is not necessary for the specified purposes. Already processed data will not be retained for longer than it is essential and will be either archived or permanently deleted without delay.

The controller ensures that personal data is accurate and up to date. Inaccurate data will be corrected or erased either on the collector’s own initiative or upon the data subject’s request. If such a request is submitted, the data will be updated (e.g. obtaining a doctorate) or be corrected (e.g. typing, recording error) or updated according to the changed situation (e.g. change of name due to marriage, change of address due to move, new email address). This can also be done by changing data through the data subject’s user profile on the web interface by the data subjects themselves. For security reasons, the change must be logged (the log file belongs to the company operations registration code) and notified to the data subject shall be sent.

Duration of data processing

The duration of processing depends on the legal basis under which the data will be processed.

Personal data collected based on informed consent will be processed for the duration of the valid consent. The data subject has the right to withdraw its consent, in which case the processing will be terminated. For more information about the withdrawal of consent, please refer to the relevant section in the privacy notice below.
The BEHOLDER project retains the option to further process previously collected personal data if the data subject withdraws its consent or invokes the right to erasure after the violation of the terms of use. This possibility extends to situations in which the violation causes harm or damage to a fellow user, a stakeholder, the BEHOLDER consortium or constitutes a legal violation serious enough to warrant legal action or an official investigation by the relevant authorities. If the previously collected data is necessary to pursue legitimate interest or to comply with legal obligations issued by an investigating authority, the withdrawal of consent does not interrupt the duration of data processing. Further processing of personal data in this scenario depends on the judgement of the DPO or the project’s Ethics Advisory Board. Even in these scenarios the interests or fundamental rights and freedoms of the data subject might overrule the legitimate interests listed above in which case a proportionality assessment between the two competing interests must be carried out by the Data Protection Officer.
If data processing can still be justified under a different legal basis following the withdrawal of consent, the data may only be processed within the scope of this newly defined basis. Such processing must not exceed what is necessary for the new purpose(s).
Data collected for the fulfilment of contractual obligations will be processed until the contract is terminated and will remain stored, under limited processing (archives), until the period of any claims or disputes arising from the contract has expired. In accordance with the limitation of claims rules set out in the Hungarian Civil Code, this period is five years. However, certain legislation or the Grant Agreement may require a longer retention period for specific contracts.
The data based on legal obligation will be processed by SFC for the duration of any applicable legal obligations and for as long as required by relevant legislation. Based on the legal provisions underlying the data collection, data will be retained for five years for taxation purposes and for eight years for accounting purposes, in accordance with the applicable laws. Following these periods, the data will be stored for an additional two years. If new legal obligations related to data retention arise in the future, SFC will handle them in accordance with the applicable regulations. In such cases, affected data subjects will be informed of the changes as outlined in this privacy notice.
SFC will only process data based on legitimate interest as long as it is strictly necessary based on the legitimate interest underlying the data collection or to achieve a specific, justified purpose arising from it. Data processing will cease if it is determined that it causes disproportionately greater harm to the data subject than the importance of the legitimate interest. The duration of data retention under this legal basis may vary depending on the purpose behind the collection. While it would be difficult to determine the exact retention period in advance, we will strive to process the data for the shortest time necessary.

Data Subject Information Disclosure

Data subjects will be provided with all relevant information regarding data processing before the activity begins. The form of notification depends on the situation in which the data subject encounters the project and data collection becomes necessary. For example, when visitors open the website, a pop-up window will inform them about the cookies and other trackers used by the server. By clicking the “Accept all cookies” button, visitors can give consent to the operation of non-essential identifiers (cookies). Of course, visitors will also have the option to learn more by clicking “Read more” and to change their cookie preferences at any time afterward. Data subjects may receive the necessary information in written form (e.g. by signing a consent form when attending an event or upon entering into a contract) as well as verbally when appropriate. The data subjects also have the right to request additional information about the processing of their personal data on any occasions.

Determination of legal basis

Before initiating data processing, it is necessary to examine and identify the legal basis on which the data subject’s personal data will be processed. The data subjects must be informed about the applicable legal basis at the time when their data will be collected. This information will be included in the specific notification relating to the particular case (e.g. cookie pop-up) presented above or may also be provided verbally to the data subject. Even if data processing is based on several legal bases, the amount of data processed in each case must remain within the permitted limits. Upon the termination of a specific legal basis, processing of the data associated to that basis must cease, unless the processing can be continued under a different, valid legal basis. For example, where the legal basis is informed consent, contact information cannot be processed any further if the consent was withdrawn, except in cases where processing is justified on another legal basis, for example, a legal claim related to future contact. If no valid legal basis can be identified for the data processing, the processing must be terminated and the data in question must be deleted.

Data recording and classification

There are two ways to start data processing: by recording the data submitted by the data subject or by tracking the data subject with its informed consent. An example for the first case is providing data to conclude a contract; example of the second case includes the use of cookies on a website or making recordings during an event. In both cases, a valid legal basis must be identified. For example, if an informed consent was given for the participation in a group photograph or in an interview.

All collected data will be classified according to the framework established in this privacy notice. Only data supported by an identifiable legal basis will be processed.

Data storage, management and termination

Personal data collected from a data subject will not be stored longer than it is necessary and beyond the retention period specified in the ‘Duration of Data Processing’ section. Data collected based on one of the legal bases will be processed automatically, although manual (human) processing may also take place where necessary. The protection requirements outlined in this privacy notice apply to both processing methods. As a result of processing, it is possible to carry out various transactions involving the data subject. For example: performance of a contract, sending of a newsletter, provision of services, payment of wages, issuing of invoices. Data processors may also be involved in the processing of personal data, storing and handling the data on behalf of the data controller.

Data will be deleted or restricted once the applicable retention period has expired.

There may be instances where data cannot be permanently deleted due to its necessity for further measures, such as archiving, dispute resolution, legal defence or asserting potential future claims. In such cases, the data will remain stored but will not be used or processed any further for any purposes. Restricted data will be encrypted, anonymized and segregated in our system and automated processing will be blocked.

Anonymization will be applied when identification of a data subject is no longer necessary, but retention and analysis of data is required solely for statistical or archiving purposes. For example, for long-term trend analysis. Anonymized data is no longer subject to the provisions of the GDPR.

Encryption will be used to ensure a level of security appropriate to the risk and implementing suitable technical measures. When assessing the necessary precautionary safeguards, we will take care to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data stored or processed.

Data will be erased once the purpose of processing is fulfilled and the retention period has expired. Additionally, data will be deleted if there is no further legal obligation to retain it (e.g. for taxation or accounting purposes), it cannot be processed based on another legal basis and there is no retention obligation.

Personal data is protected regardless of the technology used for processing (technology-neutral approach). If the data also exists on physical media, it must be securely overwritten or, if it is not possible, physically destroy the carrier (e.g. smashing a DVD) to ensure permanent deletion. Physical destruction must be carried out in an environmentally responsible manner (e.g. plastic media must not be burned outdoors). This process will permanently terminate the processing of the data. The data subject shall be informed of the erasure before it begins.

Systematic procedures for data deletion or restriction will be integrated into the processing activities. In the event of a data breach, SFC will contact the relevant authorities within 72 hours and promptly inform all data subjects affected by the data breach.

Data security

The consortium will take appropriate measures to ensure data security, protect data against unauthorized access, and comply with GDPR. A dual approach will be implemented. On one hand, technical measures (e.g. encryption) will be taken to safeguard personal data from unauthorized access or other damage. On the other hand, every member of the consortium commits to organizational measures, ensuring that only those who are properly trained in legal compliance will be able to access and handle the data – if these activities are necessary for their specific work tasks.

Tools for the processing of personal data

We process personal information on laptops and mobile devices with up-to-date operating systems and software that are protected by passwords, biometrics or two-stage authentication, devices also have a drive-level encryption. Storage is encrypted and is stored in a redundant and synchronized cloud that tracks the activity. The network connections used during processing are also encrypted. We do not install unsigned or unlicensed software or connect to open, unencrypted WiFi networks. Paper-based personal information documents are kept in a lockable room, where people are only allowed to stay with our permission and supervision, and in the event of transport, we use a courier or state post office. The destruction of the media is carried out with a shredder.

THE RIGHTS OF DATA SUBJECTS

The consortium of the BEHOLDER project will facilitate the exercise of data subject rights as follows. If a submitted request is received, the controller will provide information on the actions taken without undue delay and in any event within one month of receipt of the request.

Right to be informed

Data subjects have the right to be adequately informed about the collection and use of their personal data at the time of collection. This information includes the purpose of processing, the retention period for their personal data and the identity of any third parties with whom the data will be shared. As a standard practice, privacy information will be provided uniformly through the web interface upon visiting (e.g. cookie pop-ups), email or social network (e.g. newsletter), enabling data subjects to understand what data is being processed. In the event of a specific issue affecting a particular stakeholder or at the request of a data subject, individual notification will also be provided through one of the data subject’s contact details. In both instances, the information must be transparent, intelligible, easily accessible and using a clear and plain language, all of which the collector must ensure. In the case of Artificial Intelligence (AI) used for data processing, prior notifications will be provided explaining the purpose behind the application of AI. The data subject will receive a targeted and specific notification, if the collector intends to further process the collected data for a purpose other than that for which it was originally collected.

Consortium members must be informed about the processing of their personal data in the same manner as an external individual, even if the data is only shared with internal partners of the project. This means that all project participants must be aware of which consortium member, colleague, supervisor, or employee of another participating entity may access their data, and which specific data are accessible to them. For example, if their name and contact details are shared on the project’s internal communication servers.

Right of access and rectification

Data subjects have the right to obtain confirmation as to whether their personal data is being processed by the controller, and if so, to access that data. Upon request, the controller will provide a copy of the personal data held about the data subject, along with the following set of information:

The purposes for which your data is being processed
The categories of personal data involved
The recipients or categories of recipients to whom your data has been or will be disclosed
The retention period or criteria used to determine how long your data will be stored
Your rights related to your data and how to exercise them

If any personal data seems to be inaccurate, incomplete or misleading, the data subjects have the right to request to promptly correct or complete the data in question. To make a request, please contact the DPO, who will be pleased to assist You.

Where processing is based on the data subject’s consent and it is carried out in an automated way, the data subject also has the right to obtain (get a copy of) their personal data in a structured, commonly used, and machine-readable format and to ask for it to be transferred to another controller (right to data portability). This is in addition to their right to access their personal data and receive information about the processing (right of access).

Right to erasure and processing limitation

The data subjects have the right to request termination of processing, and the deletion of the data held at the time the request is received. In the case when data is processed based on the data subject’s consent, this also includes the withdrawal of it. The deletion must be carried out as soon as possible, without undue delay. However, the controller reserves the right to retain data to fulfil further legal obligations or to protect potential legal claims. For example, upon request, data collected based on a contract between an external partitioner and a member of the consortium will be deleted if neither party has any claims against each other and there are no more legal requirements (e.g. disclosure of data to authorities) to preserve the data.

If no such request is submitted, the data will be processed in accordance with the data processing policy outlined above and will be deleted once there is no longer a legitimate purpose or legal basis for its continued processing.

Instead of requesting the termination of processing, the data subjects have the right to request the restriction or suppression of their personal data, in which case the controller will be prohibited from using the data. This option is available in the following cases:

the accuracy of the data is contested,
the request is based on unlawful processing,
the data is no longer needed, or
the data subject has exercised their right to object and a decision is still pending.

For instance, if the accuracy of a data subject’s email address that was used for communication or newsletter distribution, is in doubt, the controller must refrain from sharing the address with other project partners or using it for its own purposes until the matter is resolved.

Withdrawal of consent

Where data collection is based on individual consent, we should ensure that all data subjects are provided with a practical, easily accessible and low-effort method for withdrawing their consent. A withdrawal initiated voluntarily by the data subjects must not be interrupted, prevented or obstructed in any way (e.g. persuasion, creating unnecessary delays). For example, if visitors of our website subscribe to the newsletter and provide their email address, they must be able to unsubscribe just as easily by a simple one-step procedure (e.g. by clicking on an “unsubscribe” button or link in emails, or by withdrawing consent through one’s account settings on the website).

The withdrawal of consent must not cause any unjustified disadvantage or detriment. For example, an external participant cannot be excluded from all future public events solely because they once refused to appear in a photograph or other recording. However, the legal consequences outlined in a contract, employment agreement or terms of participation, such as the termination of a particular service or the cancellation of registration for an event, shall not be considered unjustified disadvantages.

Following the withdrawal of consent, an assessment will be carried out by the DPO to determine whether any of the data can continue to be processed under an alternative legal basis. After the DPO completes this assessment, it will be shared with the project coordinator who makes the final decision in this regard that must be communicated to the data subjects as well so that they can take appropriate actions to terminate any other applicable legal basis if desired (e.g. by ending a contract). If the data cannot be classified under another valid legal basis, processing must be terminated.

Right to object and lodge a complaint

If the data subjects’ personal data is processed under the basis of legitimate interest, they have the right to object at any time, regardless of which consortium member’s legitimate interest is at stake. The objection can be specified and limited to defined boundaries. For example, the data subject may identify the particular set of data they do not wish to be processed or request that processing be restricted to a specific purpose only. If the data subject does not wish to receive direct marketing (e.g. product promotions via newsletter), this right may also be exercised.

Beyond the specified cases above, the collector strives to proactively address the problems encountered and to ensure seamless cooperation with data subjects and other stakeholders. In case the data subject has a complaint or comment about the processing, it shall contact the DPO first using the contact details provided above. Nevertheless, the data subject has the right to complain to the National Data Protection and Freedom of Information Authority (www.naih.hu).

Changes to this privacy notice

The consortium of the BEHOLDER project reserves the right to revise or update its policy at any time. For example, if new features are introduced on our website that require additional data collection and processing. In this event, data subjects will be notified of significant changes, and the updated version of this notice will be posted on this page of the website.

Effective day: 2025.07.24.