Privacy Notice to Campers

This Privacy Notice (“Notice”) will provide you with information on the data processing activities of JDC Hungary, address: 1075 Budapest, Síp utca 12, Hungary ("JDC Hungary" or “we”) with respect to certain personal data about applicants and participants of the JDC-Lauder International Jewish Youth Camp ("Szarvas Camp" or "Camp") and Szarvas Online Events.

The purposes of data processing by JDC Hungary is to manage campers' ("Camper") applications and their participation in the Szarvas Camp and Online Events (Szarvas Goes Online, Szarvas Spirit Days), including

• Application to and registration with the Camp, Online Events and the verification of Campers’ and their legal guardians' identity for data quality purposes,
• Checking the Campers’ (medical) fitness necessary for their participation in the Camp;
• Managing payments by Campers / Legal Guardians;
• Providing financial support / grants in connection with Camper’s participation;
• Providing personal services to Campers, including food, accommodation, cultural and other entertainment programs;
• Ensuring the security of the Camp
• Communication with Campers and their legal guardians on matters in preparation for and relating to Camp participation
• Providing newsletter services – sending opportunities for participation in other youth programs or any other information in connection with the JDC via e-mail and post;
• Photo, video and image recording at the Camp and Online Events, and the release of such recordings for general promotion purposes;
• Checking the Zoom and Teams applicants' identity.

The Notice is structured as follows:

1. Who is the Data Controller
2. What is the Legal Basis of Data Processing, Scope of Personal Data Being Processed, Data Retention Periods and Recipients of the Data
3. What is the Duration of Data Processing
4. Data Processors and Service Provider
5. Your Rights
6. Your Legal Remedies
7. Amendments to the Privacy Notice
8. How to Contact Us

1. Who is the Data Controller

If you apply to and register with the Szarvas Camp as a Camper, the controller of your personal data will be JDC Hungary (Address: 1075 Budapest, Síp utca 12; Email: reg@szarvas.camp; Phone: +361-888-9400) who operates the Szarvas Camp.

2. What are the Purposes, the Legal Basis of Data Processing, Scope of Personal Data Being Processed, Data Retention Periods and Recipients of the Data

Certain goals of processing personal data we process, the categories of the data processed, the legal basis for the data processing, the duration of the data processing and a list of those who have access to the data are presented in the table below.

Purpose and legal basis for data processing	Legal basis of data processing	Personal data / categories of personal data processed	Data retention periods	Recipients or categories of recipients of the personal data
Application to and registration with the Camp, Online Events including the verification of Campers’ identity, their legal guardians for data quality purposes and communication with them.	Personal data is processed on the basis of contractual necessity based on Section 6 (5)(a) of the Information Act and as of May 25, 2018 under Article 6 (1) (b) of the GDPR. The processing of religion data is based on written consent pursuant to Section 5(2)(a) of the Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information ("Information Act") and as of May 25, 2018 based on the explicit consent of the data subject under Article 9 (2) (a) of the GDPR. The provision your personal data for this purpose is requirement necessary to enter into a contract with us. However, if you do not provide personal data, your participation and registration in the Camp might be delayed or impossible.	Personal data: Name, mother's name, date and place of birth, address, email address; Travel document: type, number, expiration date, issued and country. Emergency contact's name, home and work phone number, cell phone, email Primary and secondary legal guardian's name, address, phone number, email address Designation of the applicant's school's name Chosen Szarvas Camp session:  Religion data: Affiliation to movements, events, organizations relative to the Jewish culture	We will process data during your participation in the camp and your data will be deleted after the applicable civil law statute of limitation of 5 years runs (Article 6:22 § (1)) of the Civil Code), unless the processing of the data is necessary relating to the initiation, enforcement or defence of any legal claims.	Program administrators at the Szarvas Camp headquarters of JDC Hungary Country coordinators on a need to know basis WEBSTATION Bt. (1034 Budapest, Kecske utca 23.) mint szerver hoszting szolgáltatásokat biztosító adatfeldolgozó. The American Jewish Joint Distribution Committee, Inc. The Ronald S. Lauder Foundation
Checking the medical fitness of applicants for their participation in the Camp;	Written consent of the data subject based on Section 4(3) of the Act XLVII of 1997 on the processing and protection of medical data and related data ("Medical Data Act"), Section 5(2)(a) of the Information Act and as of May 25, 2018 based on the explicit consent of the data subject pursuant to Article 9 (2) (a) of the GDPR. The provision of personal data for this processing purpose is voluntary. However, if you do not provide personal data, your participation and registration in the Camp might be delayed or impossible.	Personal data: Name, mother's name, date and place of birth, address, email address; Health data:  Social security or health insurance number (of foreign applicants) Allergies (e.g. insect bites, bees, medication, pollen/dust, food and the allergen with the corresponding medication required) Food intolerances Height, weight Information relating to current medical status (whether the Camper is currently suffering from or has a history of asthma, diabetes, mumps, measles, chickenpox; period, ongoing nature of the condition and whether the applicant requires treatment) Regular administration of medicines; Whether the participant will take medication during camp; Any other current physical or mental condition that might affect participation Restriction of physical activity, if any; Information regarding medical history (serious injuries, surgeries, broken bones) Information about COVID-19 symptoms, tests, and test results.	We will process this data until your withdraw data processing or until the applicable civil law statute of limitation of 5 years runs (Article 6:22 § (1)) of the Civil Code), whichever is earlier.	Program administrators at the Szarvas Camp headquarters of JDC Hungary Medical staff at the Szarvas Camp COVID-19 laboratories
Managing payments by Campers / Legal Guardians	Contractual necessity based on Section 6 (5)(a) of the Information Act and as of May 25, 2018 under Article 6 (1) (b) of the GDPR; and Article 6(1)(c) of the GDPR in relation to accounting related obligations. The provision of personal data is a requirement necessary to enter into a contract with us. However, if you do not provide personal data, your participation and registration in the Camp might be delayed or impossible.	Personal data: Name of the payer; Information concerning the Camper’s or his/her primary or secondary legal guardian's credit card details, including type of card, card number, expiration date and CVC number; Information concerning the camper’s or his/her primary or secondary legal guardian's bank account details, including name and address of bank and bank account number	The personal data will be processed until the expiry of the right to the determination of tax (Article 202 (1) of the Taxation Procedure Act) or in case of accounting records will be cancelled / deleted 8 years after the closing of the financial year for the accounting period after the termination of employment (§ 169 of the Accounting Act).	CFO / finance department at JDC Hungary
Providing personal services to Campers, including food, accommodation, cultural and other entertainment programs	Contractual necessity based on Section 6 (5)(a) of the Information Act and as of May 25, 2018 under Article 6 (1) (b) and with the written consent of the data subject based on Section 5(2)(a) of the Information Act, Section 4(3) of the Act XLVII of 1997 on the processing and protection of medical data and related data (Medical Data Act) and as of May 25, 2018 based on the explicit consent of the data subject pursuant to Article 9 (2) (a) of the GDPR. The provision of personal data is requirement necessary to enter into a contract with us. However, if you do not provide personal data, your participation and registration in the Camp might be delayed or impossible.	Personal data:  Name, mother's name, date and place of birth, address, email address; Religion data: Affiliation to movements, events, organizations relative to the Jewish culture Health data: Allergies (e.g. insect bites, bees, medication, pollen/dust, food or allergens with the corresponding medication required) Food intolerances Height, weight Information relating to current medical status (whether the Camper is currently suffering from or has a history of asthma, diabetes, mumps, measles, chickenpox; and whether the applicant requires treatment) Regular administration of medicines Whether the participant will take medication during camp; Any other current physical or mental condition that might affect participation Restriction of physical activity, if any Information regarding medical history	We will process this data until you withdraw your consent to data processing or until the applicable civil law statute of limitation of 5 years runs (Article 6:22 § (1)) of the Civil Code), whichever is earlier.	Program administrators at the Szarvas Camp headquarters of JDC Hungary Kitchen staff at Szarvas Camp with regard to Campers with food intolerances   Medical staff allergies with regard to food intolerances, medical condition and needs of the participants Psychologist at the Camp.
Ensuring the security of the Camp	Legitimate interest based on Section 6 (5)(b) of the Information Act and as of May 25, 2018 under Article 6 (1) (f). We consider that we have a prevailing legitimate interest to process the data of Volunteers for physical security reasons. The provision of your personal data for this data processing purpose is a statutory requirement.	Personal data: Name and room list of Volunteers Certificate of identity with a photograph requested to be provided by each Volunteer.	We will process the data during the Volunteer's stay in the Camp.	Security staff
Providing newsletter services – sending opportunities for participation in other youth programs or any other information in connection with JDC via email or post	The consent of the data subject based on Section 5(1)(a) of the Information Act, and as of May 25, 2018 under Article 6 (1) (a) of the GDPR. The provision of personal data for this purpose is voluntary. However, if you do not provide your data, we will not be able to send your newsletters.	Personal data:  Name, mother's name, date and place of birth, address, email address. Primary and secondary legal guardian's name, address, phone number, email address	We will process this data until you withdraw your consent to data processing.	Program administrators at the Szarvas Camp headquarters of JDC Hungary The American Jewish Joint Distribution Committee, Inc. The Ronald S. Lauder Foundation
Photo, video and image recording at the Camp and Online Events, and the release of such recordings for general promotion purposes of the Szarvas Camp	The written consent of the data subject based on Section 5(2)(a) of the Information Act, and as of May 25, 2018 under the explicit consent of the data subject under Section 9(2)(a) of the GDPR. The provision of personal data is voluntary. However, if you do not provide your data, we will not be able to process your data.	Personal data: Voice, image, simulated likeness, other characteristics, oral and written statements Religion data: Affiliation to movements, events, organizations relative to the Jewish culture	We will process this data (photo, video and image recordings) until you withdraw your consent to data processing.	IT and multimedia staff at JDC Hungary Publication of photos, videos and image recordings at the Camp The American Jewish Joint Distribution Committee, Inc.

3. What is the duration of data processing?

Your personal data will not be kept in a form that allows you to be identified for any longer than is reasonably considered necessary by us for achieving the purposes for which it was collected or processed or as it is established in the applicable laws related to data retention periods. Your personal data will, in any case, be retained for the duration of your participation in the Camp as well as thereafter as long as there are statutory retention obligations or potential claims resulting from your participation are not yet time-barred.

4. Data Processors and Service Provider

We may, in the course of the operation of the Szarvas Camp utilize the services of various data processors and external service providers to handle and process your personal data for specific purposes, on behalf of and in accordance with our instructions. The data processors may store your personal data in protected centralized databases, with limited access, in printed or in electronic form. Electronic databases may only be managed by specially authorized administrators and said database is accessible only to such authorized persons. The data processors shall process the personal data at the most as long as the term of the data processing contract concluded with them is valid and in force.

5. Your Rights

Your Rights (before 25 May 2018):

Under applicable Hungarian data protection law, you as a data subject have, among others, the rights to access information, to make rectification of your data; to block or mark personal data; to have your personal data deleted, as well as to object to data processing.

(i) You have the right of access to information:

Upon your request, we, as the responsible data controller, will provide information to you about the data we process, its source(s), the purpose, legal basis, duration of the data processing, the name, address and data processing activity of data processors, the circumstances, effects and measures taken to discontinue/prevent a data protection/privacy incident, and, in the case of data transfer, its legal basis and the recipient. We will provide this information in writing in the shortest possible time, but not later than 25 days from the date of receipt of the relevant request, in a comprehensible form. This information is free of charge if you have not submitted a request for the same data during the year in which the given request was submitted. In other cases, we may ask you for cost reimbursement.

(ii) You are entitled to make rectification of your data:

We will rectify the personal data if the data does not correspond to the correct personal data that you have provided to us.

(iii) You have the right to block or mark personal data:

You may request the blocking and marking of personal data. We will block personal data if you request this or if, based on the available information, it can be assumed that deletion would violate your legitimate interests. Blocked personal data can only be processed as long as there is a data processing purpose that prohibits the deletion of personal data. We will mark the personal data we process if you dispute its correctness, accuracy or timeliness, but if the incorrect or imprecise nature of the disputed personal data cannot be established clearly.

(iv) You have the right to delete your data:

We will delete personal data if its processing is unlawful, the person concerned so requests, the data in question is incomplete or incorrect - and this status cannot be legally remedied - provided that the deletion is not prohibited by law, the purpose of data processing is discontinued or the data retention period has expired, or the deletion is ordered by the court or by the Hungarian National Data Protection and Freedom of Information Authority.

(v) We, as data controller, have 25 days to delete, block or rectify/correct personal data. If your claim for rectification, blocking or deletion is not complied with, then the data controller must provide its reasons for the decision within 25 days in writing or, with your consent, via electronic means. We will notify you as a party affected by another person's correction, blocking, marking or deletion request, and will notify anyone to whom the data in question has previously been transferred, unless, considering the purpose of the data processing, your legitimate interests are not violated if the notice is not sent to you.

(vi) You have the right to object:

You may object to the processing of your personal data in certain cases specified in the relevant legislation or when the processing or transfer of personal data is only required for us to comply with our legal obligation or to enforce the legitimate interests of the data controller, data recipient or a third party, unless the data processing is prescribed by law. In the latter case, we will comply with your deletion request after our legal obligations are fulfilled. We will examine the objection within the shortest possible time but not later than 15 days from the submission of the relevant request and will make a decision on the merits and will inform the requesting person in writing. If we determine that the given objection is justified, then we will discontinue the data processing, including further data collection and data transfer, and will block the data, and shall inform those who previously received the personal data affected by the objection, about the objection itself and any measures taken relating to the objection, and those who are obliged to take action to enforce the right to object. If you disagree with our decision regarding your objection, you may challenge it before the court within 30 days from the date the decision is announced. You can exercise your rights by directly contacting us. In connection with this, we may request you to identify yourself before exercising your rights.

(vii) The injured party is entitled to compensation and damages:

We reimburse any damage caused by the unlawful processing of the data or by breach of the data security requirements. In the event of violation of personality rights, the injured party may seek damages pursuant to Section 2:52 § of the Civil Code. The data controller is liable for the damage caused by the data processor to the data subject. The data controller is exempted from liability if the damage results from an unavoidable cause outside the scope of data processing.

Your Rights (after 25 May 2018):

Pursuant to the applicable data protection law you may have the right (i) to request access to your personal data, (ii) to request rectification of your personal data, (iii) to request erasure of your personal data, (iv) to request restriction of processing of your personal data, (v) to request data portability, (vi) to object to the processing of your personal data (including objection to profiling; also other rights in connection with automated decision-making).

Please note that the above mentioned rights might be limited under the applicable national data protection law. Below please find further information on your rights to the extent the EU General Data Protection Regulation applies:

(i) Right of access

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information include – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.  You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

(ii) Right to rectification

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(iii) Right to erasure (right to be forgotten)

Under certain circumstances you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.

(iv) Right to restriction of processing

Under certain circumstances you may have the right to obtain from us restriction of processing your personal data. In this case the respective data will be marked and may only be processed by us for certain purposes.

(v) Right to data portability

Under certain circumstances you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

(vi) Right to object and rights relating to automated decision-making

Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data.

If your data processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.

Furthermore, under certain circumstances in case of automated individual decision-making, you have the right to obtain human intervention, to express your point of view and to contest the decision.

6. Your Legal Remedies

You also have the right to lodge a complaint with the competent data protection supervisory authority. If you believe that your rights have been infringed, you may contact the Hungarian National Data Protection and Freedom of Information Agency (1024 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone: +36-1-391-1400, telefax: +36-1-391-1410, e-mail: ügyfelszolgalat@naih.hu) or may file court proceedings and request compensation of damages sustained as a result of the unlawful processing of personal data or as a result of an infringement of the security requirements of data protection. If you reside in Hungary, you are hereby notified that court action may be filed before the county court having jurisdiction over the data subject's place of domicile or habitual residence.

7. Amendment to the Privacy Notice

We may amend this Notice from time to time in order to comply with our legal obligations and any changes in the data processing activities of your personal data. We will inform you in advance relating to the amendment or review of this Notice in the way you were originally informed of this Notice. You can determine when this was last revised by referring to the "LAST UPDATED" legend at the top of this Notice.

8. How to Contact Us?

If you have any questions related to data processing under this Notice, please contact JDC Hungary at the address 1075 Budapest, Síp utca 12, Email: reg@szarvas.camp; Phone: +361-888-9400.