Notice on the Operation of Image Capturing Cameras at the Tihany Open-Air Museums by Tihanyi Legenda Közhasznú Nonprofit Ltd.
The operator and data controller of the camera surveillance system is Tihanyi Legenda Idegenforgalmi és Fejlesztési Közhasznú Nonprofit Kft. (Headquarters: 8237 Tihany, Kossuth Street 12. Tel. number: +36/307497186, Email: skanzen@tihany.hu, Mailing address: 8237 Tihany, Kossuth Street 12., Tax ID: 14935527219, Representative: Orsolya Petróczi) (hereinafter referred to as: Data Controller).
Location of the Cameras
The area monitored by the cameras is owned by the Hungarian State. It has been entrusted to the Data Controller for management by the Municipality of Tihany. The Tihany Open-Air Museums are located at land parcel number 135, at Batthyány Street 20. The enclosed area of the Tihany Open-Air Museums is accessible to employees and visitors. The area in front of the Tihany Open-Air Museums is public, where anyone can stay or pass through; this area is not monitored by cameras.
The cameras operate 24/7, and no audio is recorded.
There are 20 cameras placed within the Tihany Open-Air Museums (land parcel number 135, Tihany, Batthyány Street 20). Out of these 20 cameras, 5 are located on the external facades of the buildings, monitoring the external areas within the property boundaries, while 17 are inside the buildings at the Tihany Open-Air Museums, such as the Halászcéh House, the Porta/Shop, and the Parasztgazda House, as shown in the attached floor plan and camera images.
The cameras are placed as follows according to the numbered floor plan:
-
- The Halászcéh House, which is closest to the entrance, has both internal and external exhibition areas. Outside the building, cameras number 6 and 12 are located. Camera 6 monitors the entrance, where visitors enter, while camera 12 monitors the area between the Halászcéh House and the Parasztgazda House.
- Inside the Halászcéh House, the barn area has cameras 5 and 20, the summer kitchen has cameras 3 and 19, and the guest room has camera 13.
- The Parasztgazda House, which serves as the exhibition space, has 3 cameras (7, 8, and 9) on its façade, monitoring the area around the building within the property boundary.
- Inside the Parasztgazda House, camera 10 is located in the guest room, camera 2 in the room, cameras 15 and 18 in the kitchen, camera 11 in the pantry, camera 16 in the storage, and cameras 4 and 14 in the large storage room.
- The Porta/Shop building is protected by cameras 1 and 17.
The internal cameras are positioned to monitor the exhibition spaces, assisting staff in safeguarding the exhibition items. In the Porta/Shop area, two cameras are installed, mainly for protecting the staff’s personal safety, as well as the cash register and inventory (as elaborated under the objectives section). The cameras do not monitor social areas or the kitchen used by the staff.
Scope of Affected Individuals
The cameras monitor the buildings and the enclosed area of the Tihany Open-Air Museums, and they capture the images and movements of individuals present, including visitors and employees of the Tihany Open-Air Museums.
Purpose of Data Processing
The purpose of data processing is for asset protection (inventory, exhibition items, artifacts), the protection of information technology devices, ensuring personal safety, and enabling the identification of legal consequences in the event of incidents (break-ins, vandalism, theft, events involving personal injury), assisting law enforcement, and identifying the perpetrator of unlawful actions.
Cameras 1 and 17 in the shop are particularly for protecting employees, the inventory, and the cash register.
Cameras 2, 3, 4, 5, 10, 1, 13, 14, 15, 16, 18, 19, and 20 are mainly for protecting artifacts and safeguarding the smart information devices displayed in the exhibitions.
Cameras 7, 8, and 12 are specifically for the protection of architectural heritage and the buildings.
Legal Basis for Data Processing
The Tihany Open-Air Museums are owned by the Hungarian State. They were entrusted to the Data Controller by the Municipality of Tihany under the asset management agreement SZT – 39328 with the Hungarian National Asset Management Company Ltd. In 2013, the municipality transferred the operation to Tihanyi Legenda Nonprofit Kft. under a lease agreement. The legal basis for data processing is provided by Section 1, Section 7(1)-(2), and Section 11(11)-(12) of Act CXCVI of 2011 on National Assets, as well as the asset management and lease agreements. Accordingly, data processing is carried out based on Article 6(1)(e) of the GDPR, in the exercise of public authority granted to the Data Controller or for the performance of tasks in the public interest. The primary goal is to preserve and protect national values. The Data Controller aims to protect buildings under national heritage protection, valuable assets, exhibition items, and data stored in information technology devices. The further purpose of data processing is to ensure the physical safety of the employees, as employers are obliged to provide safe working conditions under the Labor Code, Section 51(2)(b) and (4).
Retention Period for Recordings
Normally, recordings are retained for 5 days, extended in the case of long weekends. If an incident or crime occurs on the monitored site, the retention period lasts until necessary procedures are completed.
Data Transfer
Personal data may only be accessed by authorized personnel of the Data Controller. The Data Controller does not share personal data with other recipients or transfer it to third countries. However, footage may be provided to authorities (police, courts, public prosecutors) in accordance with legal obligations. If the Data Controller requires the footage to enforce legal claims, authorized lawyers may also access it.
Technical and Organizational Measures
The Data Controller has implemented necessary technical and organizational measures to protect personal data, which are regularly reviewed. Internal procedures are designed to safeguard personal data. These measures ensure that data is not destroyed, accessed by unauthorized persons, altered, used, destroyed, deleted, transferred, modified, or disclosed. According to internal procedures, only those who need access to the data for their work or to achieve the data processing objective are granted access, while ensuring the authenticity and integrity of the data. The system storing the footage is located in a secure room with an alarm system. Data storage is protected with multi-level password protection, specific access rights, regularly updated antivirus software, firewalls, and a closed network. These protections are continuously reviewed and updated as needed.
Access to Stored Data
Footage is viewed in real-time by staff on duty at the site, such as exhibition assistants and administrative staff. The footage is recorded, and the executive director has access to the stored recordings. If maintenance or troubleshooting is required, the executive director grants temporary access to the person assigned to the task. All access to data (who, when, for what purpose) is logged. The executive director manages access rights. Recordings are overwritten when deleted. Outside working hours, the Data Controller does not monitor the cameras in real-time.
What Happens if Personal Data is Compromised?
A data protection incident occurs when security is breached, such as when personal data is destroyed, altered, lost, disclosed, or accessed by unauthorized persons. In such cases, the Data Controller must report the incident to the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of becoming aware of the incident. Notification is not required if it can be proven that the incident does not pose a risk to the rights and freedoms of natural persons. Additionally, affected individuals must be informed, unless the Data Controller has successfully mitigated the impact of the incident. All incidents are recorded, regardless of whether notification to the NAIH is required.
The data subjects, including you, have the following rights regarding data processing:
Right to Information: Data subjects must be informed at least about the identity of the Data Controller, the purpose of data processing, the legal basis, the recipients of the data, whether data will be transferred and to whom, and additional relevant information. This notice serves this purpose.
Right to Access: The data subject has the right to request and receive information about whether their personal data is being processed. They can access the following information: the purpose of the data processing, the legal basis, which personal data are processed, who the recipients are (such as data processors), the duration of the data processing, the rights of data subjects, whether there is any data transfer, the guarantees in place, whether automated decision-making or profiling is involved. The data subject is entitled to request a copy of the data being processed. The Data Controller will provide the first copy free of charge, and after that, a reasonable fee based on administrative costs may be charged. The Data Controller will provide further details on this upon request.
To ensure data security and the protection of the rights of data subjects, the Data Controller is required to verify the identity of the person requesting access to the data before granting access, viewing the recordings, or providing copies of the recordings. The request for access to the data or a copy of the data requires the data subject’s personal appearance.
Right to Rectification and Completion: The data subject can request the rectification of inaccurate data and, without undue delay, but no later than within one month, the Data Controller must rectify the inaccurate data. The data subject must verify the accuracy of the rectified data. If the data subject notices that their data is incomplete, they can request its completion via a supplementary statement.
Right to Erasure (Right to be Forgotten): The data subject has the right to request the erasure of their personal data if any of the following apply: the data is no longer necessary for the purposes for which it was collected, the data subject objects to the data processing and there is no other legal basis for processing, the data has been processed unlawfully, or there is a legal obligation to erase the data. The request for erasure can only be refused if the data is necessary for the exercise of freedom of expression and information, legal obligations, public interest purposes, or for legal claims or statistical purposes.
Right to Restriction of Processing (Blocking): The data subject may request the restriction of data processing under the following circumstances: a) the data subject disputes the accuracy of the data, and the restriction will last until the accuracy can be verified; b) the processing is unlawful, but the data subject opposes erasure and requests restriction; c) the data is needed for the establishment of legal claims, even though the Data Controller no longer needs it; d) the data subject has objected to the processing, and the restriction will last until it is determined whose interests take precedence. During the restriction, the data will be stored, but no further processing will be carried out, except in specific cases such as consent or for legal claims.
Right to Object to Data Processing: If the data subject’s data is processed based on legitimate interest or public interest, they may object to this processing for reasons related to their specific situation. In this case, their data will no longer be processed unless the Data Controller can prove that its legitimate interest outweighs the data subject’s rights, or the data is required for legal claims.
How can the data subject exercise these rights?
If the data subject wishes to exercise any of the rights listed above, they should contact the Data Controller. Requests can be made in person using the contact details provided in this notice, via postal mail, or by email. The request should include the data subject’s name, other identifying information, and mailing address. Responses and actions will be provided free of charge. If there is any doubt about the identity of the person making the request, the Data Controller may ask for additional identifying information. The response will be free of charge unless the request is clearly unfounded or repetitive, in which case a reasonable fee may be charged. The Data Controller must respond within one month, and the deadline may be extended by up to two additional months in cases of complexity or a large number of requests. If an extension is necessary, the Data Controller will inform the data subject within one month of the reason for the delay.
If the Data Controller has not processed personal data securely or lawfully, and this has caused damage to the data subject or another person, they are entitled to seek redress. If the Data Controller has violated the data subject’s personality rights through unlawful data processing, the data subject is entitled to claim compensation. The Data Controller may be exempt from liability if the damage was caused by the data subject’s intentional or grossly negligent behavior or if they can prove that the damage was caused by an unavoidable external cause beyond the scope of data processing.
Who can the data subject contact to enforce their rights?
If the data subject believes their personal data has been unlawfully processed, they should first contact the Data Controller using the contact details provided in this notice so that their concerns can be investigated and addressed. The data subject can also contact the National Authority for Data Protection and Freedom of Information (NAIH), or they can file a claim with the court, which may be the court of the data subject’s residence or the court of the Data Controller’s headquarters. The court will process the case as a priority.
NAIH contact details: Address: 1055 Budapest, Falk Miksa Street 9-11 Mailing address: 1374 Budapest, P.O. Box 603 Phone: +36 (30) 683-5969, +36 (30) 549-6838 Email: ugyfelszolgalat@naih.hu Website: www.naih.hu
If you have any questions or concerns regarding this notice or the processing of your personal data, please feel free to contact the Data Controller using any of the communication channels listed in this notice.
The notice can be downloaded from the website: www.tihanyitajhazak.hu.
Attachment: Site map of the camera locations and camera images: Camera Images_05.01
Tihany, May 1, 2024.
Review date: May 1, 2025.