DATA PROTECTION AND DATA MANAGEMENT NOTICE
I. THE CONTROLLER
The COUNCIL ON GEOPOLITICS (hereinafter referred to as the “Data Controller”) has
drawn up the following data protection notice to ensure the lawfulness of its internal data
processing procedures and the rights of data subjects.
Name of data controller: Geopolitikai Tanács Közhasznú Alapítvány
Data Controller’s registered office: 1036 Budapest, Kiskorona utca 14. VI./31.
E-mail address of the controller: info@geotan.hu
The Data Controller processes personal data in accordance with all applicable laws, but in particular
with the following:
– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of
Information (hereinafter: Infotv.);
– Regulation (EU) 2016/679 of the European Parliament and of the Council on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation; hereinafter: the Regulation or GDPR).
The Data Controller shall treat personal data confidentially, and shall take all technical and
organisational measures related to data storage and management, and other technical and
organisational measures to ensure the security of the data.
Concepts
The terminology used in this Privacy Notice is identical to the interpretative definitions set out in
Article 4 of the Regulation and, supplemented at certain points, to the interpretative provisions of
Article 3 of the Data Protection Act.
When this notice refers to data or processing, it means personal data or the processing thereof.
*****
II. DATA MANAGEMENT OBJECTIVE: To operate a whistleblower reporting system
The Data Controller operates an internal whistleblowing system in order to comply with the
provisions of Act XXV of 2023 on Complaints, Notifications of Public Interest and Rules on
Reporting Abuse (hereinafter: Complaints Act), given that the number of its employees exceeds
50. The operation of the whistleblowing system, the procedure for reporting and the protection of
whistleblowers shall be in accordance with the provisions of the Data Controller’s current
whistleblowing policy (hereinafter: the “Policy”).
Purpose of data processing
The purpose of data processing is the operation of the whistleblowing system pursuant to Section
18 (1) of the Complaints Act in accordance with the Rules and Regulations of the Data Controller
in force at the time and the law, and through this the investigation of the reports and the remedying
or elimination of the abuse that is the subject of the report.
Personal data processed
Within the framework of the reporting system, the Data Controller processes the personal data
necessary for the identification of the reporting person, the persons concerned by the complaint
and the investigation, as well as other personal data necessary for the investigation of the complaint.
Legal basis for processing
The legal basis for the processing is the fulfilment of the legal obligation of the Data Controller
pursuant to Article 6(1)(c) of the Regulation, which is based on Section 18(1) of the Complaints
Act.
Source of personal data
The source of the data is the reporting person and the persons involved in the investigation.
Recipients of personal data made available
The personal data of the data subject may be accessed by only those employees of the Data
Controller whose job is related to the processing of personal data.
The Data Controller may transfer the data to a whistleblower protection lawyer or other external
organisation involved in the investigation of the complaint for the purpose of investigating the
complaint and remedying or terminating the conduct that is the subject of the complaint, subject
to the conflict of interest rules under the Complaints Act.
If the investigation of the complaint justifies the initiation of formal proceedings, the Data Controller
shall initiate such proceedings. The data necessary to file a complaint may be transmitted to the
competent authority, which shall be considered as an independent controller.
Complaints can be made in writing via the link https://geotan.whisly.io. In this context, the Data
Controller will use the services of the following data processor:
Whisly Ltd – The developer and operator of the Whisly whistleblowing system used by the Data
Controller.
The data processor may process the personal data of the data subject only for the purposes
specified by the Controller and contractually agreed upon, in accordance with the Controller’s
instructions, and has no autonomous decision-making power with regard to the processing. The
processor has undertaken confidentiality obligations and contractual guarantees with regard to the
retention of personal data obtained in the course of its tasks.
Transfer of personal data to a third country or international organisation
The Controller will not transfer personal data to third countries or international organisations.
Duration of processing of personal data
The Data Controller shall process the personal data for a maximum period of 5 years, provided
that, in order to comply with Article 26(1) of the Complaints Act, the Data Controller shall
promptly delete any personal data that are not necessary for the purpose of investigating the
complaint and remedying or terminating the conduct that is the subject of the complaint.
Automated decision-making and profiling
Neither of these occurs during the processing.
*****
III. THE RIGHTS OF THE DATA SUBJECT IN RELATION TO THE PROCESSING
Right to information
The data subject has the right to be informed about the processing of his or her personal data,
which the Data Controller shall provide by means of this notice.
Right of access
At the request of the data subject, the Data Controller shall at any time inform the data subject
whether or not his or her personal data are being processed and, if so, provide access to the
personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom or with which the Controller has
disclosed or will disclose the personal data, including in particular recipients in third
countries or international organisations;
d) the envisaged period of storage of the personal data or, if this is not possible, the criteria
for determining that period;
e) the data subject shall also be informed of his or her right to obtain from the Controller the
rectification, erasure or restriction of the processing of personal data concerning him or
her and to object to the processing of such personal data;
f) the right to lodge a complaint with a supervisory authority or to take legal action;
g) if the data have not been collected directly from the data subject by the Data Controller,
any available information on the source of the data;
h) where automated decision-making is carried out, the fact of such processing, including
profiling, and, at least in those cases, the logic used, i.e. the significance of such processing
and the likely consequences for the data subject.
Right to rectification of personal data
The data subject shall at any time have the right to obtain, at his or her request and without undue
delay, the rectification of inaccurate personal data relating to him or her by the Controller. Taking
into account the purposes of the processing, the data subject shall also have the right to request
the completion of incomplete personal data, including by means of a supplementary declaration.
In the case of a request for rectification (amendment) of data, the data subject must substantiate
the accuracy of the data requested to be amended and must also certify that the person entitled to
the amendment is the person who requests the amendment. Only in this way can the Data
Controller assess whether the new data is accurate and, if so, whether it can amend the previous
data.
The Data Controller further draws the attention of the data subject to the need to notify any change
in his/her personal data as soon as possible, thus facilitating lawful processing and the exercise of
his/her rights.
Right to erasure
At the request of the data subject, the Data Controller shall delete personal data relating to the data
subject without undue delay where one of the following grounds applies:
a) the Controller no longer needs the personal data for the purposes for which they were
collected or otherwise processed;
b) the data subject objects to the processing and there are no overriding legitimate grounds
for the processing;
c) the personal data are unlawfully processed by the Controller;
d) the personal data must be erased in order to comply with a legal obligation under Union or
Member State law applicable to the Data Controller.
Right to restriction of processing
The data subject shall have the right to obtain, at his or her request, the restriction of processing
by the Controller if one of the following conditions is met:
a) the data subject contests the accuracy of the personal data; in this case, the restriction applies for the period
of time that allows the Controller to verify the accuracy of the personal data;
b) the data processing is unlawful and the data subject opposes the erasure of the data and instead requests
the restriction of their use;
c) the controller no longer needs the personal data for the purposes of processing, but the
data subject requires them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing; in this case, the restriction applies for the
period until it is established whether the legitimate grounds of the Controller prevail over
the legitimate grounds of the data subject.
THE PROCEDURES FOR ENFORCING THE RIGHTS OF THE DATA SUBJECT
The data subject can exercise the above rights by sending an e-mail to info@geotan.hu, by post to
the Data Controller’s headquarters or by visiting the Data Controller’s headquarters in person. The
Controller shall investigate and act on the data subject’s request without undue delay after receipt
of the request. The Data Controller shall inform the data subject of the action taken on the basis
of the request within 1 month of its receipt. If the Controller is unable to comply with the request,
it shall inform the data subject within 1 month of the reasons for the refusal and of his or her rights
of appeal.
Within five years after the death of the data subject, the rights of the deceased as set out in this
notice, which the data subject enjoyed during his or her lifetime, may be exercised by a person
authorised by the data subject by means of an administrative arrangement or a declaration in a
public or private document of full probative value made to the controller or, if the data subject
made several declarations to a controller, by a declaration made at a later date. If the data subject
has not made a corresponding declaration, his or her close relative within the meaning of Act V of
2013 on the Civil Code may, even in the absence of such a declaration, exercise the rights under
Articles 16 (right of rectification) and 21 (right of access to data) of the Regulation. (right to object)
and, if the processing was unlawful during the lifetime of the data subject or if the purpose of the
processing ceased to exist upon the death of the data subject, to exercise the rights of the deceased
during his or her lifetime as laid down in Articles 17 (right to erasure) and 18 (right to restriction
of processing) of the Regulation within five years of the death of the data subject. The right to
exercise the rights of the data subject under this paragraph shall be exercised by the next of kin
who first exercises that right.
*****
IV. THE RIGHT OF REDRESS IN RELATION TO DATA PROCESSING
In order to enforce his or her right to judicial remedy, the data subject may take legal action against
the Controller if he or she considers that the Controller or a processor acting on his or her behalf
or under his or her instructions is processing his or her personal data in breach of the provisions
of the law on the processing of personal data or of binding legal acts of the European Union. The
court shall decide the case out of turn. The Tribunal shall have jurisdiction to hear the case. The
lawsuit may be brought, at the choice of the data subject, before the court of the place of residence
or domicile of the data subject or before the court of the seat of the Data Controller.
Anyone may file a complaint with the National Authority for Data Protection and Freedom of
Information (NAIH) against the Data Controller, alleging that the processing of personal data has
resulted in a violation of rights or an imminent threat thereof, or that the Data Controller is
restricting the exercise of rights related to the processing of personal data or is refusing to exercise
such rights. The complaint can be made using one of the following contact details:
National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: 1363 Budapest, Pf. 9.
Address: 1055 Budapest, Falk Miksa utca 9-11.
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu
Executed on 1/January/2026