IOTA Privacy Policy

1. Background

During the PCP Forum held in Rome on 24-25 February 2011, “the participants of the Forum shared experiences, discussed challenges and exchanged good practices relating to the promotion of IOTA among their administrations. In addition, the PCPs discussed the question of the use of Facebook and other modern social media tools for the promotion of IOTA activities. The majority of PCPs welcomed the use of such tools and agreed that any issues of personal identity will be addressed by a special disclaimer attached to the invitation package.”

During the EC meeting in Berlin on 29-30 March 2011, the Council decided that there is a need for a detailed protocol on the use of Facebook and other ITC tools and asked the Secretariat to draft a relevant document for the next meeting of the body in Norway.

Following the best practice of such organisations as the European Commission, OECD, World Bank and CIAT as well as best experience stemming from the application of Regulation (EC) no 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the community institutions and bodies and on the free movement of such data, the Executive Council of IOTA has adopted this policy to make sure that personal data of participants is processed fairly and lawfully.

The policy (updated on 1 September 2016) will be available to any participants prior to all IOTA events and undertakings. By registering to such events or undertakings, participants agree to this policy.

2. Definitions

For the purposes of this document:

  • ‘Authority’ shall mean the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság; http://www.naih.hu/; registered seat: 1125 Budapest Szilágyi Erzsébet fasor 22/c, post address: 1530 Budapest, Pf.: 5., Telephone: +36 (1) 391-1400).
  • ‘controller’ shall mean a natural or legal person, or organization without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or has it executed by a data processor.
  • ‘data control’ shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronizing or connecting, blocking, erasing and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings;
  • ‘data processing’ shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data.
  • ‘Data Protection Act’ shall mean the Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
  • ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to specific personal data. In relation to this Privacy Policy, the natural person users shall be considered data subjects. The data subjects are the participants and any visitors making a registration on the website.
  • ‘participant’ shall mean any person taking part in IOTA events or undertakings;
  • ‘personal data’, as specified in the Data Protection Act: shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject. The specific personal data subject to this Privacy Policy are listed in Article 3 (Types of Personal Data) of this Privacy Policy.
  • ‘social media’ shall mean any media for social interaction, using highly accessible and scalable communication techniques, web-based and mobile technologies to turn communication into interactive dialogue, for example, Facebook or Twitter.

3. Types of Personal Data

During the delivery of IOTA services, IOTA collects general information about participants that take part in activities organised by IOTA and users of the IOTA website and other Internet-based tools. The general information includes:

  • Event registration information about participants, such as their names, positions, addresses and contact details;
  • Photographs, video or recording of participants;
  • Information that is used to establish a profile of a registered user of the IOTA website as well as information that is automatically recognised by the ITC tools used by IOTA: the date and time, the originating IP address, the domain name, the type of browser and operating system used (if provided by the browser), the URL of the referring page (if provided by the browser), the object requested and the completion status of the request;
  • Level of English skills.

4. Collection of Personal Data

The purpose of data control is to provide the services of IOTA to the members.

The duration of data control: the data will be processed for the duration required by law, otherwise for the period when the account of the participant is active and for a further 30 days after the respective account is deleted or after IOTA becomes aware that the position of the participant is terminated.

Event registration information about participants, such as their names, positions, addresses and contact details are submitted to IOTA by IOTA principal contact persons, participants themselves or other individuals authorised by participants.

Photographs, video or recording of participants are taken during IOTA events by the members of the IOTA Secretariat, participants themselves or other individuals authorised by IOTA. Please note that attendance at any IOTA event is conditional on the attendee accepting that any photographs, video or recording made of them by the IOTA Secretariat members and hosting administration or any individuals authorised by the IOTA Secretariat, at any time during the period of the event, become the property of IOTA. IOTA reserves the right to publish photos, videos and recordings taken at its event. IOTA may use these in its publications, leaflets, newsletters, on its website, social media, presentations, etc. By submitting a registration form, participants agree to these conditions.

Information, which is used to establish a profile of a registered user of the IOTA website, is provided by a website user in the course of registration for the IOTA website.

Information, which is automatically recognised by the ITC tools used by IOTA, such as the date and time, the originating IP address, the domain name, the type of browser and operating system used (if provided by the browser), the URL of the referring page (if provided by the browser), the object requested and the completion status of the request, is collected while using the ITC tools offered by IOTA.

5. Use of Personal Data

5.1. IOTA will use the collected personal information for the purpose set out only in this Privacy Policy. IOTA will not use personal information for any other purpose without first seeking consent of an individual, unless authorised or required by law. IOTA will only use and disclose personal information as follows:

  1. To establish and maintain a participant’s involvement with IOTA, including providing a participant with newsletters;
  2. To provide the products or services a participant has requested from IOTA;
  3. To answer a participant’s inquiry;
  4. To register a participant for IOTA events;
  5. To promote IOTA products or services;
  6. To provide a participant’s personal information to other participants with a view to establishing contacts.

5.2 When using social media, no physical and automatic connection will be established between the IOTA website and such media. IOTA will limit the content of information placed in such media to:

  1. Links to publicly available news items on the IOTA website;
  2. General information about IOTA (description, mission, website, location);
  3. Links to the pages of IOTA partners, incl. EC, OECD, CIAT;
  4. Information about IOTA products, which is publicly available on the IOTA website for non-registered users.

When using social media, IOTA will not use other personal data of participants than information already included in the above-mentioned points (5.2 a b c d).

5.3 Users can generally visit the IOTA website without revealing who they are or other personal information unless they log on or register with us. IOTA will not collect any personal information about visitors to the website except when they knowingly provide it. As described above, IOTA sometimes collects anonymous information from visits to our website to help the IOTA Secretariat provide better customer service. For example, IOTA keeps track of the domains from which users visit and also measures visitor activity on the IOTA site(s), but IOTA does so in ways that keep the information anonymous. IOTA uses the collected information to measure the number of visitors to the different areas of IOTA’s website, and to help the Organisation make its website more useful to visitors. This includes analysing these logs periodically to measure the traffic through our servers, the number of pages visited and the level of demand for pages and topics of interest.

6. Access to Personal Data

All personal contact data of a participant is available only on the IOTA website for the registered users of the website unless a participant has agreed otherwise.

A participant can request access to the personal information that IOTA holds about them by contacting IOTA as set out below.

If a participant wishes to change personal information that is out of date or inaccurate at any time, they should contact IOTA accordingly. After notice from a participant, IOTA will correct any of a participant’s information which is inaccurate, incomplete or out of date. If a participant wishes to have their personal information deleted, please let IOTA know about it and such information will be deleted wherever practicable and possible.

7. Security

IOTA intends to protect the quality and integrity of a participant’s personal information. IOTA has implemented technologies and security policies to protect the stored personal data of participants from unauthorised access, improper use, alteration, unlawful or accidental destruction and accidental loss. IOTA will continue to enhance its security procedures, as new technology becomes available.

8. Rights of the users as data subjects

Upon the data subject’s request the data controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and - if the personal data of the data subject is made available to others - the legal basis and the recipients. Furthermore, the data subject may request from the data controller the rectification of his personal data, and the erasure or blocking of his personal data, save where processing is rendered mandatory. Information is free of charge.

IOTA must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 25 days. If the data subject disagrees with the decision taken by the controller, or if the controller fails to meet the deadline, the data subject shall have the right to turn to court within 30 days of the date of delivery.

During the data control, IOTA will proceed with the greatest care, in compliance with the Data Protection Act, it will keep the data confidential and will grant no access to third parties, unless it is required to exercise their rights arising from agreements, or the provision of the data to authorities is required by law, or an order of an authority or court.

The data controller may refuse to provide information to the data subject in the cases specified by law. In case IOTA refuses to provide information, it will specify the provision of law allowing it to do so.

Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the data controller shall rectify the personal data in question.

Personal data shall be erased if (a) controlled unlawfully; (b) so requested properly by the data subject; (c) incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not prohibited by statutory provision of an act; (d) the purpose of controlling no longer exists or the legal time limit for storage has expired; (e) so ordered by court or by the Authority.

Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be controlled only for the purpose which prevented their erasure.

If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.

When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. The notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.

If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 25 days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

Parties agree and the data subject specifically accepts upon the acceptance of this Privacy Policy that emails and electronic communication between the Parties be considered written and Parties accept such correspondence as official in respect of their relationship and any declarations made in accordance herewith and their agreement.

9. Changes to this Privacy Policy

The Executive Council of IOTA may amend this Privacy Policy by having the amended version available on the IOTA website at www.iota-tax.org. IOTA suggests that a participant visit IOTA’s website regularly to keep up to date with any changes.

10. Contact

If a participant would like any further information, or has any queries, problems or complaints relating to the IOTA Privacy Policy or information handling practices in general, please contact IOTA at [email protected].

11. Remedies and applicable law

Any person shall have the right to notify the Authority and request an investigation alleging an infringement relating to his or her personal data or concerning the exercise of the rights of access to public information or information of public interest, or if there is imminent danger of such infringement. The Authority shall carry out the investigation free of charge; the costs thereof shall be advanced and borne by the Authority.

In the event of any infringement of his rights, the data subject may turn to court action against the controller. The court shall hear such cases in priority proceedings. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located. Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements. The data controller shall also be liable for any damage caused by data processor acting on its behalf. The data controller may be exempted from liability if he proves that the damage was caused by reasons beyond his control. No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part of the aggrieved party. Should the data controller infringe the personality rights of the data subject with the illegal control of the data subject’s data or with the breach of data security requirements, the data subject may claim restitution from the data controller.

Any matters not stipulated in this Privacy Policy shall be governed by Hungarian law, especially the Data Protection Act that facilitates compliance with:

  1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information and repealing Council Directive 90/313/EEC;
  3. Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information;
  4. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
  5. Directive 2013/37/EU of the European Parliament and of the Council of 26 June 2013 amending Directive 2003/98/EC on the re-use of public sector information