General Data Processing Guidelines of the Magyar Nemzeti Bank
The Magyar Nemzeti Bank (hereinafter: MNB) processes the personal data collected or recorded during its activities according to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR) and of Act CXII of 2011 on information self-determination and freedom of information (hereinafter: Information Act), as follows.
Purpose and Scope of the Guidelines
These Guidelines lay down the data protection and processing principles as well as the data-protection and processing policy of MNB, which MNB (as controller) regards as binding, and provide information on MNB’s data processing activities (excluding certain processing activities in its employer role), the rights related to processing as well as the legal remedies.
MNB as data controller, informs all affected parties of the general information on personal data processing by publishing these Guidelines.
Data controller:
Magyar Nemzeti Bank
Registered Office: 1013 Budapest, Krisztina krt. 55.
Client service: 1122 Budapest, Krisztina krt. 6. (phone: (+36 80) 203-776)
Data Protection Officer of MNB: Dr Tivadar János Marton (email: martont@mnb.hu).
MNB’s processing principles:
MNB and MNB’s organisation and systems may process personal data lawfully, fairly and transparently only.
Processing is lawful only if at least one of the legal grounds specified in Article 6(1) of the GDPR apply.
A procedure is fair and transparent if data subjects get easily accessible and non-technical information regarding the way of collection and use of their data, the scope of persons entitled to access them and the way of such access, or any other ways of processing.
Personal data may be processed for clearly defined and lawful purposes. Personal data may not be processed in a way incompatible with such purposes.
Processing must be justified in terms of its purpose and must be limited to the extent most necessary.
Data processing must be accurate; inaccurate processing in terms of the relevant purpose must be rectified immediately, i.e., all reasonable measures must be taken to erase or rectify personal data that are inaccurate in terms of the purpose of the processing.
Data must be stored in a way that allows data subject identification only to the extent necessary for achieving the relevant goal.
Appropriate technical or organisational measures must ensure the appropriate personal data security during processing, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage of data.
General principles for the duration of processing:
For data processed by MNB, the processing terms specified in these Guidelines shall be understood for data processed in structured databases. Data erased from the databases may be found in the archiving systems specified in Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives; MNB must, however, process these data until their scrapping or archiving as required by that act.
Data security measures:
Personal data maintained in an electronic format are stored on the servers of MNB, external data processors are used in certain cases only. In all data processing outsourcing cases, MNB ensures that the contracted service provider meets the requirements for data management. MNB applies appropriate measure to protect personal data (among others) from unauthorized access and modification.
Use of conversion service:
In the course of its activities, the MNB may use the hybrid conversion and delivery service of Magyar Posta Zrt. (hereinafter: “Service Provider”), subject to the interests of its clients and its obligations under Act CCXXII of 2015 on the General Rules for Electronic Administration and Trust Services. When using the service, the MNB’s documents, which may contain personal data, will be forwarded to the Service Provider in order to convert the electronic documents into authentic paper documents. The Service Provider may only know the content of the transmitted or converted messages sent to the extent necessary for the implementation of the service. The audited and logged management methodology developed by the Service Provider shall guarantee the strict preservation of the confidentiality of correspondence.
Processor:
???????Magyar Posta Zrt. Registered seat: 1138 Budapest, Dunavirág utca 2-6., company registration number: Cg: 01-10-042463
These Guidelines inform you about processing activities in which natural persons contacting MNB might be data subjects; these are the following.
1. Data processed during visiting the MNB website.
2. Cookie management on mnb.hu.
3. Data managed with regard to the operation of the Career Portal.
4. Data processed with regard to the operation of the Client Service.
5. Operation of security cameras.
6. Entrance into the building.
7. Body temperature measurement upon entry to MNB buildings
8. Data processed in the authority procedures of MNB.
9. Data processed during MNB events.
10. Contact persons’ data, and data processed during communication activities.
11. Inspection of suspected counterfeit banknotes.
13. Activities of the Financial Arbitration Board.
14. Data processed in MNB’s calls for applications and educational activities.
16. Data processed concerning trainings and exams regulated by public authorities.
17. Data processed in connection with agency contracts.
18. Data processed during public opinion surveys
20. Central bank’s information system and processing for statistical purposes, research room.
21. Data processed in connection with the operation of the MNB Money Museum mobile application
22. Data processed in connection with the awarding and presentation of prizes established by the MNB
24. Personal data processed in relation to the protection of classified data
These Guidelines provide information on the assertation of the following data subject rights:
Right of information and right to access.
Right to erasure (right to be forgotten).
Right to restriction of processing.
1. The scope of the processed data in relation to visiting the webpage of MNB.
1. The purpose of data processing and the scope of the processed data:
The purpose of data processing is that MNB – in order to perform its tasks - may ensure all options provided by the Internet in order to create accessibility to its services; may collect information on the opinions of the date subjects in relation to its basic tasks, and that it may provide all necessary information for the data subjects. Technical data collection during the visitation of the website serves to improve the quality of the service. Development of the electronic data reception system, improvement of the forms of contact, integration of users’ suggestions to make the system user-friendly.
Scope of processed data: username, password, phone number, position, institute in certain cases and technical data collected during visit. The electronic data reception system also collects the mother’s name, place and date of birth, citizenship, email address and workplace telephone number. In the case of needs assessment questionnaires for the development of the electronic data reception system, the name of the organisation represented by the person completing the questionnaire.
2. Legal basis of data processing:
In the case of the electronic data reception system and the interface for viewing content requiring registration, the performance of the MNB’s tasks in the public interest pursuant to Article 6(1)(e) of the GDPR, and in the case of event registration, the interfaces operated by the MNB’s Education Department, or, in cases not specified herein, the user’s consent pursuant to clause (a).
3. Term of data processing:
In case of technical data collected at the time of the website visit: the time defined in relation to the purpose of the collection; in case of registration data until permission is revoked but not longer than two years.
4. Data transfer:
This kind of data processing does not involve any data transfer.
2. Cookie Management at mnb.hu
5. The following link provides further information regarding cookie management:
3. Data managed with regard to the operation of the Career Portal
6. The purpose of data processing and the scope of the processed data:
The purpose of data processing is human resources management at MNB, filling vacant positions with the best possible candidates and communication with the candidates.
Scope of processed data: personal data which applicants submitted during registration and data that are available in their uploaded CVs and documents and which may identify them as natural persons and are related to their education, qualifications, professional experience, skills, and competences. Any information submitted by you beyond those requested for the actual application are based on the data subject’s free decision. Data subjects shall get further guidelines in the further stages of the selection process.
7. Legal basis of data processing:
Consent of the applicant, candidate—based on Article 6(1)(a) of the GDPR.
8. Term of data processing:
MNB will process these data for up to one year following the registration.
9. Data transfer:
Data are not forwarded, but MNB engages a processor during processing. MNB stores applicant data on the servers of the processor, Nexum Magyarország Kft. (6726 Szeged, Temesvári krt. 15.). MNB and Nexum Magyarország Kft. take appropriate measures to ensure the protection of personal data, from unauthorized access or change, among others.
4. Data processed with regard to the operation of the Client Service, data processed with regard to the operation of the telephone client service
10. The purpose of data processing is data processing within the context of performing tasks related to providing written client service information for clients within the scope of performing the statutory tasks of MNB;
Data processing related to the management of notifications in public interest falling within the scope of competence of the client service and market surveillance notifications falling within the scope of competence of the market surveillance area;
data processing related to the management of notifications in the public interest, falling within the scope of competence of the client service;
pre-screening submissions to MNB, initiation of consumer-protection control procedures launched at requests;
pre-screening of submissions to MNB with regard the procedure of the Financial Arbitration Board launched at requests or under the principles of equity.
Scope of processed data: name, contact details, gender, name, contact details of proxy of the person submitting the request or inquiry.
11. Legal basis of data processing: the data processing is performed, based on Article 6(1)(e) of the GDPR, within the context of exercising the public powers vested in MNB and performing its tasks in the public interest.
12. Personal data are stored for 5 years.
13. Data transfer:
Data are not transferred within the scope of responsibilities of the client service. In the case of market surveillance notifications falling within the competence of the market surveillance area, data may be transmitted on the basis of a request from the public authorities.
14. The purpose of data processing is recording phone calls between clients and the client service within the context of performing tasks related to the provision of information by the telephone client service—with a view to quality assurance and complaint handling.
Scope of processed data: the phone call between the client service and the client, the voice of the client.
15. Legal basis of data processing: the consent in Article 6(1)(a) of the GDPR.
16. Personal data are stored for 5 years.
17. Data transfer:
Based on inquiries of public authorities.
5. Operation of security cameras
18. The purpose of data processing and the scope of the processed data:
The purpose of data processing is ensuring the security level expected from MNB, an institution discharging prominent public functions, for performing its statutory tasks and protecting the property managed by MNB and the property of MNB itself, and ensuring an appropriate level of work safety. With a view to personal and property protection, another purpose is the detection of violations, catching perpetrators in the act, prevention of violations and providing evidence to promote potentially necessary measures or the effectiveness of investigations.
Scope of processed data: the image of the data subject.
19. Legal basis of data processing: in the performance of its statutory tasks, the MNB processes data on the basis of Article 6(1)(e) of the GDPR, as required for the security of the performance of its tasks carried out in the public interest.
20. Term of data processing
3 days for the data recorded with surveillance cameras surveilling public spaces as well.
60 days for the data recorded with surveillance cameras not surveilling public spaces.
At least 180 calendar days and up to 3 years for cash handling areas (e.g. banknote processing, auditing) in the cash logistics centre, at least 30 calendar days and up to 1 year for recordings of internal cash handling in the retail cashier’s office, and 60 calendar days for other recordings of the cashier’s office that concern the client area.
365 days for the data recorded with the surveillance cameras in the rooms for processing and managing the banknote and coin collection.
60 days in the cashier in Kiss Ernő Street.
365 days for the data recorded with the surveillance cameras in the research room.
If procedural action results from the use of the recordings, then the term of data processing will be extended as required.
21. Data transfer:
If an authority procedure is initiated, then data may be transferred to the competent authority.
6. Entrance into the building
22. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to protect the facilities and site of MNB; prevent, avert the consequences of and facilitate the investigation of extraordinary events; detect violations, catching perpetrators in the act; and prevent violations and ensure property protection.
Scope of the data processed: for visitors, personal data of the entering individual, name, place and date of birth, home address, and personal ID number. Name, place and date of birth, mother’s name, address, ID card number for persons entering the buildings of the MNB premises for the purposes of work under a service contract with the MNB.
23. Legal basis of data processing:
In the performance of its statutory tasks, the MNB processes data on the basis of Article 6(1)(e) of the GDPR, as required for the security of the performance of its tasks carried out in the public interest. For persons entering the buildings of the MNB for the purposes of work under a service contract with the MNB, compliance with a legal obligation under Article 6(1)(c) of the GDPR following the provision of the service.
24. Term of data processing:
Data are erased after 24 hours if the event specified in the purpose does not occur. For persons entering the buildings of the MNB for work purposes under a service contract with the MNB, 8 years after the contractual performance of the service included in the contract.
25. Data transfer:
If an authority procedure is initiated or a public authority requests data, then data may be transferred to the competent authority.
7. Body temperature measurement upon entry to MNB buildings
Data processing is carried out by the MNB as necessary during an emergency. Thermal imaging cameras are placed in a way that they are clearly visible to everyone.
26. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to ensure the smooth performance of the MNB’s essential public tasks and to create a healthy and safe working environment for MNB employees. Scope of the data processed: the body temperature data provided by the thermal imaging cameras are, by default, recorded exclusively in the IT storage space of the thermal imaging cameras, but in the case of data other than the normal value as defined by the MNB, the name of the data subject and the fact that based on the control measurement his/her body temperature – 35.9-37.6 °C for persons under 65 years of age and 35.8-37.5 °C for persons over 65 years of age – was outside the normal range will be recorded.
27. Legal basis of data processing:
The MNB, as a body performing tasks carried out in the public interest, processes the data on the basis of Article 6(1)(e) of the GDPR and Article 9(2)(b) of the GDPR in order to ensure the smooth performance of its public tasks, subject to its statutory obligation to create a healthy working environment.
28. Term of data processing:
The data recorded by the thermal imaging cameras in their own storage space independent of the MNB’s other systems will be processed by the system for up to 24 hours. The fact of the measurement of body temperature outside the specified range and the name of the data subject in this context shall be retained by the controller for a maximum period of 30 days.
29.Data transfer:
None. However, the MNB uses a processor in the course of data processing. Processor: MNB Biztonsági Zrt. Registered Office: 1123 Budapest, Alkotás utca 50. C. ép. V. em. The processor may engage another processor.
8. Data processed in the authority procedures of MNB
30. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to conduct the authorisation procedure, the control procedure, the consumer-protection control procedure, the market supervision procedure and the supervisory control falling (hereinafter together: Proceedings) within the scope of the obligation specified in Act CXXXIX of 2013 on the Magyar Nemzeti Bank (hereinafter: MNB Act).
Scope of processed data: data specified in the MNB Act and the sectoral legislature, including but not limited to the identification data of individuals involved in the Proceedings (including the direct owner and the actual owner), citizenship, qualifications, position and data required for the establishment of good business reputation. The MNB notes, that in compliance with its statutory obligation, it shall verify the authenticity of data included in the submitted statements via the contacted institutions.
31. Legal basis of data processing:
the data processing is performed, based on Article 6(1)(e) of the GDPR, within the context of exercising the public powers vested in MNB and performing its tasks in the public interest
32. Term of data processing:
Data processed in relation to the legal relationships falling within the scope of the authorisation and registration obligation are processed for a maximum duration of five years after the termination of the legal relationship of the person concerned and falling within the scope of the authorisation and registration obligation. Data falling outside of the scope of the foregoing are processed for the period specified in the sectoral laws; if there is no such period, then for the period necessary for closing the procedure; archived data are processed for the archiving period agreed with the National Archives under the relevant laws. If a legal obligation is performed, MNB will review the lawfulness of the processing every three years.
33. Data transfer:
Data processed in public authority procedures may be transferred to other public authorities, in particular courts, law enforcement agencies, tax authorities, foreign partner authorities, a supervised institution subjected to inspection and issued with a consumer protection warning in procedures initiated upon request or on the basis of a client’s indication. Data may be transferred on a mandatory basis in the cases defined by legislature, or due to public interest resulting from the MNB’s functions related to public power. The MNB is a signatory to the ‘Administrative arrangement for the transfer of personal data between Each of the European Economic Area (“EEA”) Authorities set out in Appendix A and Each of the non-EEA Authorities set out in Appendix B’, developed by the International Organisation of Securities Commissions (IOSCO) and the European Securities and Markets Authority (ESMA), which provides appropriate data protection safeguards in relation to the exchange of personal data for supervisory and enforcement purposes between financial supervisory authorities of EU Member States and third countries.
9. Data processed during MNB events
34. The purpose of data processing and the scope of the processed data:
The purpose of data processing is the registration required for the event, attendee identification and communication with the attendees.
Scope of processed data: personal data provided in the registration, including but not limited to the name, address, email address, phone number, position, invoicing data.
35. Legal basis of data processing:
Pursuant to Article 6(1)(a) of the GDPR, MNB performs the processing based on the clear consent the attendees provide in the registration process.
36. Term of data processing:
For the period specified in the detailed information material provided during registration. Data used for communication are processed for a maximum period of five years following the event.
37. Data transfer:
The MNB may forward the data to a third party on the basis of the relevant legislation concerning the fight against terrorism and, in case of international conferences, in line with the regulations of Act CXXV of 1995 on the National Security Services, as well as to the organisations in charge of admission to the events related to the conference.
10. Contact persons’ data, and data processed during communication activities
38. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to maintain the business and communication relations of MNB, including the press, and to ensure continuous operation.
Scope of processed data: identification data necessary for communication, including but not limited to name, email address, phone number, position, organisation.
39. Legal basis of data processing:
In the performance of its statutory tasks, the MNB processes data for the performance of its tasks carried out in the public interest pursuant to Article 6(1)(e) of the GDPR.
40. Term of data processing:
Duration of the relationship and/or until the partner organisation provides new data. With a view to keeping data updated, MNB reviews the database of contact persons continually and erases obsolete data.
41. Data transfer:
None.
11. Inspection of suspected counterfeit banknotes
42. The purpose of data processing and the scope of the processed data:
The purpose of data processing is carrying out technical and other tasks, including but not limited to money-counterfeiting expert tasks, delegated to MNB by the law in relation to the protection of Hungarian and foreign legal tenders from counterfeiting. Use in criminal procedures launched in relation to means of payment found counterfeited in expert investigations.
Scope of processed data: first and last names, home address, ID card type and number of the individual providing or holding suspected counterfeit means of payment.
43. Legal basis of data processing:
MNB processes data pursuant to Article 6(1)(c) of the GDPR, with a view to performing its statutory obligation.
44. Term of data processing:
The MNB processes data until the closing of the criminal procedure at hand with the non-appealable and decisive court decision or the final and non-decisive court order and the non-challengeable decision of the prosecutor or the investigating authority terminating the procedure. If the investigation of the MNB founds that the means of payment is not counterfeit, then MNB erases the personal data it became aware of immediately after closing the money-counterfeiting expert’s investigation.
45. Data transfer:
In cases of money counterfeiting, MNB may transfer the data mentioned to the official bodies acting in the course of the criminal procedure.
12. Inquiries of the public concerning the cash in circulation and data regarding the authorisation of cash-processing activities.
46. The purpose of data processing and the scope of the processed data:
The purpose of data processing is data processed in relation to the inquiries of the public concerning the cash in circulation and submitted to MNB. It is typically about fulfilling requests (provision of positions) received from public authorities and concerning cash payments. Authorisation of cash-processing activities. Authorisation of money reproductions by individuals, client relations and issuance of official positions.
Scope of processed data: name and email address. Name and home address/notification address for inquiries received sent by post. For the authorisation of money-processing: Name, place and date of birth, mother’s name, home address. For client inquiries: personal data provided by the client.
47. Legal basis of data processing:
MNB processes data pursuant to Article 6(1)(c) of the GDPR, with a view to performing its statutory obligation.
48. Term of data processing:
For data related to positions and inquiries: a period of maximum 30 days. Data may not be scrapped in case of money-processing authorisations; the term of data processing is the period of maximum 5 years following the statute of limitations.
49. Data transfer:
No data are transferred within the scope of this kind of data processing.
13. Operation of the Financial Arbitration Board (hereinafter PBT)
50. The purpose of data processing and the scope of the processed data:
Performance of the tasks of the Financial Arbitration Board, as specified in the MNB Act, in which the PBT offers the consumers and the financial service providers supervised by the MNB a chance to settle their legal disputes in consumer financial matters.
Scope of processed data: identification data of the requester, provided in the request, including but not limited to the name, mother’s name, place and date of birth, home address, email address and data of his or her representative.
51. Legal basis of data processing:
MNB processes data pursuant to Article 6(1)(c) of the GDPR, with a view to performing its statutory obligation.
52. Term of data processing:
Having regard to the obligation laid down in Points (a) and (b) of Section 107 of the MNB Act, requiring the PBT to assess requests and to reject them if it is to be established that the parties have initiated procedures at the Financial Arbitration Board regarding the same right arising from the same factual grounds, the PBT will process the data in its system for the period of 50 years after the closing of the procedure.
53. Data transfer
None.
14. Data processed in MNB’s calls for applications and educational activities
54. The purpose of data processing and the scope of the processed data:
Application assessment and grant awarding in case of calls for applications of, and grants created by the MNB in accordance to its tasks.
Scope of processed data: MNB processes the personal identification data of applicants such as name, place and date of birth, home address and email address.
55. Legal basis of data processing:
In the performance of its statutory tasks, the MNB processes data on the basis of the consent of the data subjects pursuant to Article 6(1)(a) of the GDPR with regard to the publication and evaluation of tenders, and on the basis of compliance with its legal obligation pursuant to Article 6(1)(c) of the GDPR with regard to the settlement of fees paid.
56. Term of data processing:
MNB processes the data until application assessment in case of academic competitions, but until the closing of the subsequent financial year at the latest. It processes the data for five years after programme closing in case of grant programmes and other applications.
57. Data transfer:
As described in the programme notices, towards partner organisations and educational institutions.
15. Recording of phone calls received by MNB in the central system outside of the client service.
58. The purpose of data processing and the scope of the processed data:
Beyond phone calls with the client service, MNB records phone calls received outside of the central system for quality assurance and organisational purposes.
Scope of processed data: the phone call with the caller and the voice of the caller.
59. Legal basis of data processing:
In performing its statutory tasks, MNB processes data based on the legitimate interest in Article 6(1)(f) of the GDPR.
60. Term of data processing:
MNB processes the data of the central voice-recording device for a period of maximum 30 days.
61. Data transfer:
If an authority procedure is initiated or a public authority requests data, then data may be transferred to the competent authority.
16. Data processed concerning trainings and exams regulated by public authorities
62. The purpose of data processing and the scope of the processed data:
Performing the tasks of MNB in relation to its role as a public authority controlling trainings and examinations regulated by public authorities, conducting the application procedure for trainings and exams regulated by public authorities and the issuing and reissuing of public authority certificates for successful exams.
Scope of processed data: Name, name at birth, mother’s name, place and date of birth, home address, personal identification code, and (for examiners) registration number and the date of de-registration.
63. Legal basis of data processing:
In performing its statutory tasks, MNB processes data pursuant to the legal obligation in Article 6(1)(c) of the GDPR.
64. Term of data processing:
MNB erases the data from its database after 15 years following the involvement of the relevant persons in the trainings and examinations regulated by public authorities; the scope of these erased data do not include, however, the data necessary for maintaining the database of certificates on the passing of exams regulated by public authorities.
65. Data transfer:
No data are transferred in direct relation to the data processing.
17. Data processed in connection with agency contracts.
66. The purpose of data processing and the scope of the processed data:
Performing tax liabilities in case of agency contracts made with individuals without contracts of services.
Scope of processed data: the data subject’s name, mother’s name, place and date of birth, home address, tax identification number, social security number and bank account number.
67. Legal basis of data processing:
In performing its statutory tasks, MNB processes data pursuant to the legal obligation in Article 6(1)(c) of the GDPR.
68. Term of data processing:
Regarding the deduction of social security contributions: five years after the retirement of the data subject; in any other cases: 5 years.
69. Data transfer:
18. Data processed during public opinion surveys
70. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to conduct public opinion surveys in accordance with the tasks of the MNB as set out in Act CXXXIX of 2013. Personal data collected for the purpose of a public opinion survey may only be used for the purpose of conducting the survey. The establishment of a link between the personal data and the data subject must be rendered permanently impossible as soon as the purpose of the survey permits. This data may be combined with other data only if it is necessary for the purpose of the survey and the data subject has given his or her consent thereto. The MNB may not disclose personal data.
Scope of the data processed: personal data enabling contact with the participants in the public opinion survey (address, telephone number, email address).
71. Legal basis of data processing:
In the performance of its statutory tasks, the MNB processes data for the performance of its tasks carried out in the public interest pursuant to Article 6(1)(e) of the GDPR.
72. Term of data processing:
The MNB processes the data until the end of the data collection phase of the public opinion survey.
73. Data transfer:
The MNB engages a processor in the course of data processing. Data may be transferred to the organisation conducting the survey as described in the survey notice. Processor: TÁRKI Társadalomkutatási Intézet Zrt. (registered seat: 1112 Budapest, Budaörsi út 45. X-XI.)
19. Data processed in connection with the prevention and combating of money laundering and terrorist financing, in the context of the mnb’s account management and in connection with the real-time gross settlement system (RTGS)
74. The purpose of data processing and the scope of the processed data:
The MNB carries out supervisory activities in the prevention and combating of money laundering and terrorist financing, and performs payment transaction activities to the extent necessary for the MNB to perform its statutory tasks as a central bank. Its activities include the management of foreign currency and forint payment transactions, custodian management, disposal over accounts and the operation of the RTGS system.
Scope of processed data:
a) Data accompanying the transfer of funds. For payment transactions: the name of the payer; their payment account number; and their address or official identity document number, client identification number or date and place of birth; the name of the payee; their address; payment account number and any other information indicated in the communication. In relation to the deposit service: name, identity card number, position, signature. In connection with the control of disposition over the account: Name, place and date of birth, signature, position, email address.
b) In connection with the operation of the RTGS system, during the establishment of a customer relationship or during customer due diligence: name, place and date of birth, mother’s name, number and type of identification document.
c) In relation to account management activities: name, place and date of birth, mother’s name, number and type of identification document.
75. Legal basis of data processing:
In the performance of its statutory public tasks, the MNB processes data pursuant to Article 6(1)(e) of the GDPR and in order to comply with a legal obligation pursuant to Article 6(1)(c) of the GDPR.
76. Term of data processing:
8 years.
77. Data transfer:
In the event of a request from a public authority, data may be transferred to the competent authority.
20. Central Bank’s information system and processing for statistical purposes, research room
78. The purpose of data processing and the scope of the processed data:
Operation of the MNB’s statutory central bank information system, preparation of statistical surveys and analyses for the MNB’s management and their publication, operation of a research room.
Scope of processed data: Pseudonymised (encrypted) personal data of data subjects of the data processed by the data provider organisations. For survey respondents, their name, work location, position and job title within the company, email address, telephone number, video and audio recordings of the respondent. In the case of using a research room, the personal data provided in the application form, the name of the researcher, the type and number of their identity document, their date of birth, position, telephone number, email address, the name, position, postal and email address, telephone number of the representative of the research institution.
79. Legal basis of data processing:
Data reporting – in the case of data processing not falling within the scope of Article 30 of Act CXXXIX of 2013 on the Magyar Nemzeti Bank – in the performance of the MNB’s statutory tasks, performance of the MNB’s tasks carried out in the public interest pursuant to Article 6(1)(e) of the GDPR; in the case of data processing falling within the scope of Article 30 of Act CXXXIX of 2013 on the Magyar Nemzeti Bank, compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR. For survey respondents, consent in accordance with Article 6(1)(a) of the GDPR. Legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the operation of the research room.
80. Term of data processing:
In the case of statistical data, the time required to perform statistical tasks. For interviews and in-depth interviews, the retention period for image and audio recordings is 2 years, and for focus group surveys, up to 5 years. In the case of data processed during the operation of the research room, the research period included in the research room access contract; the retention period of the camera recordings is 365 days.
81. Data transfer:
TÁRKI Társadalomkutatási Intézet Zrt. (registered seat: 1112 Budapest, Budaörsi út 45. X-XI.)
21. Data processed in connection with the operation of the mnb money museum mobile application
82. The purpose of data processing and the scope of the processed data:
Operation of a mobile application to support access to the Money Museum operated by a company owned by the MNB.
Scope of processed data: For registration for the Money Museum mobile application: user name, email address, date of birth. For entries to prize competitions: first and last name, email address, date of birth, telephone number, delivery address.
83. Legal basis of data processing:
The consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
84. Term of data processing:
Time of use of the application.
22. Data processed in connection with the awarding and presentation of prizes established by the MNB
85. The purpose of data processing and the scope of the processed data:
The purpose of data processing in the case of award winners is the assessment and payment of tax advances and the issue of tax certificates in accordance with the regulations on the Hungarian rules of taxation. In the case of nominated awards, registration of nominations, awarding of the prize, and in the case of the nominator, conducting the nomination.
Scope of processed data: For Hungarian nationals: name, name at birth, place and date of birth, mother’s name, citizenship, address, tax identification number and social security number. In the case of foreign nationals: name, name at birth, date and place of birth, mother’s name, citizenship, address, copy of passport.
86. Legal basis of data processing:
In the case of award winners: compliance with a legal obligation under Article 6(1)(c) of the GDPR; in the case of nominees of open nominations awards, or, in the case of nominators, Article 6(1)(e) of the GDPR.
87. Term of data processing:
In the case of award winners, their data will be processed for five years in accordance with the regulations on the Hungarian rules of taxation, and in the case of nominees and nominators, until the award winners are selected.
88. Data transfer:
The MNB transfers the data to the recipients specified in the legislation, as part of administrative procedures or in the performance of its other tasks.
23. Personal data processed by the MNB in connection with the operation of the internal or separate abuse notification system operated under act XXV of 2023 on complaints, notifications of public interest and rules on the notification of abuse (whistleblowing)
89. The purpose of data processing and the scope of the processed data:
The controller shall process the personal data provided at the time of the notification, and the controller shall erase the data contained in the notification that are not necessary for the investigation. The purpose of data processing is to investigate the notification in accordance with the law and to remedy or terminate the activity covered by the notification.
Scope of processed data: The personal data provided in the notification concerning the notifier and the persons included in the notification. Personal data provided in the notification that are not necessary for the investigation shall be erased by the MNB.
90. Legal basis of data processing:
The legal basis for the processing of data is Article 6(1)(c) of the GDPR, which means that the processing is necessary for compliance with a legal obligation of the controller.
91. Term of data processing:
The MNB shall retain the data relating to the notification, the investigation conducted on the basis of the notification and the measures taken for five years from the end of the last investigative act or measure. If the investigation has led to the opening of proceedings, the data may be processed for more than five years until the proceedings are finally closed, after which they must be erased.
92. Data transfer:
The controller will not transfer the data of the notifier to third parties. In the event of complaints received through the separate notification system, the personal data included in the notification may be forwarded to the data subject or to the employer of the data subject.
24. Personal data processed in relation to the protection of classified data
93. The purpose of data processing and the scope of the processed data:
The purpose of data processing is to provide the personal security clearance, user licence and confidentiality statement necessary for the access to and processing of the data. The purpose of the processing is also to fulfil the legal obligation to review classified data.
Scope of data processed: name, name at birth, mother’s name, citizenship, registration number, place and date of birth.
94. Legal basis of data processing:
Compliance with a legal obligation under Article 6(1)(c) of the GDPR.
95. Term of data processing:
a) In the case of a personal security clearance, until its expiry date or revocation.
b) In the case of a user licence and confidentiality statement, 8 years after the withdrawal of the user licence.
c) In the case of documents created during the review of the classified data and related to the person who performed or reviewed the classification, 8 years from the date of the review.
96. Data transfer:
The data may be transferred to the National Security Authority and to NATO and EU institutions for certificates issued to them. All data transfers are documented.
Performing statutory data-reporting obligations and, if an authority procedure is initiated or a public authority requests data, then data may be transferred to the competent authority.
Rights related to data processing:
Right of information and right to access:
You may request written information from the MNB about the following, using the contact point listed as “Data Controller”:
- what personal data of yours the MNB manages,
- on what legal basis does the MNB manage your personal data,
- for what reason does the MNB manage your personal data,
- from which source the MNB acquired your personal data,
- for what period does the MNB manage your personal data,
- if the MNB still manages your personal data,
- to whom, when, for what reason and to which personal data did the MNB grant access to or to whom did the MNB transfer your personal data.
Furthermore, you are entitled to a copy of your personal data stored at the MNB.
The MNB will fulfil your request in a maximum of 30 days in a reply letter sent to the contact details provided in your request. If you send your request to the MNB through an electronic channel, the MNB will also reply using electronic means if possible. Please indicate if you would like to receive the reply through a different channel.
Right to rectification:
You may request the MNB in writing using the contact point listed as “Data Controller” to modify or rectify your personal data (for example your name, email address if it changed). If you send your request to the MNB through an electronic channel the MNB will also reply using electronic means if possible. Please indicate if you would like to receive the reply through a different channel.
The MNB will fulfil the request in a maximum of 30 days without undue delay, and send a notification in a reply letter sent to the contact details provided in the request.
Right to erasure (“right to be forgotten”):
You may request the MNB in writing to delete your personal data, using the contact point listed as “Data Controller”.
The MNB will reject the request for erasure if it is required by legislation to store your personal data. If such requirements are not valid for your personal data, the MNB will fulfil the request in a maximum of 30 days without undue delay, and send a notification in a reply letter sent to the contact details provided in the request. If you send your request to the MNB through an electronic channel the MNB will also reply using electronic means if possible. Please indicate if you would like to receive the reply through a different channel.
Right to restrict the processing of personal data:
You may request the MNB in writing to restrict the processing of your personal data, using the contact point listed as “Data Controller”. If the processing of personal data is restricted, such personal data shall, with the exception of storage, only be processed by the MNB with the data subject's consent or for the establishment of legal claims or for reasons of important public interest.
A request to restrict the processing of data may be submitted if:
- you think that your data are not correct or
- you think that the MNB’s processing of your data was not legal but you do not wish to have your data erased or
- you request the processing to establish or defend legal claims but the MNB does not need these data any more.
The MNB will fulfil the request in a maximum of 30 days without undue delay, and send a notification in a reply letter sent to the contact details provided in the request. If you send your request to MNB through an electronic channel the MNB will also reply using electronic means if possible. Please indicate if you would like to receive the reply through a different channel.
Right to withdraw consent:
You may notify the MNB in writing, during the period of processing, that you wish to withdraw your consent to the processing of your personal data, using the contact point listed as “Data Controller”. If consent is withdrawn the MNB’s processing of your personal data prior to withdrawal is deemed to be legal.
The MNB will delete the personal data upon receiving the withdrawal without undue delay, and send a notification in a reply letter sent to the contact details provided in the notification. If you send your request to the MNB through an electronic channel the MNB will also reply using electronic means if possible. Please indicate in your notification if you would like to receive the reply through a different channel.
Legal remedy:
If, in the affected person’s judgement, data management does not comply with the legal requirements, they have the option to initiate the proceedings of the MNB’s data protection officer, or they can bring the matter before court.
In addition, an investigation may be initiated by filing a report to the National Authority for Data Protection and Freedom of Information on the grounds that there was an infringement in practising the rights related to personal data management or there is imminent danger thereof.
Contact information to National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf. 5.
Telephone: 06-1-391-1400
Telefax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu