1. Purpose of this Notice, the Data Controller and the Data Subject

The purpose of this Notice is to describe, in full detail, and in accordance with Regulation EU 2016/679 (General Data Protection Regulation, “GDPR”) the data processing activity of the production company as a group company of Mid Atlantic Films group in the course of its film production.

The production company shall be defined in each film (the “Project”). In connection with a Project, the production company shall be the data controller (the “Data Controller”), and the data subjects are those individuals, who are participating in the Project [crew members, cast, stunts, extras, contact persons of third parties (together the “Data Subject”)].

2. Purpose of processing, categories of data processed and the legal basis of the processing

The Data Controller, in the course of data processes specified in this notice, shall process the personal data for the purpose and on the legal basis specified in Attachment 1 of this notice.

In case the legal basis for the process is the consent of the Data Subject, such consent is provided wilfully. The Data Subject shall be entitled to withdraw its consent at any time by providing a notice to the Data Controller; in such case the withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal. In case the Data Subject rejects to provide its consent, or withdraws their consent, it may cause that the Data Controller shall not be able to contact the Data Subject or may not be able to provide any services to the Data Subject.

Data may be provided freely for the performance of a contract with the Data Subject, or to take the steps prior entering into such contract; however, in case the Data Subject would not provide their data in such processes, it may cause that that the Data Controller shall not enter into the contract with the Data Subject or shall not be able to perform such contract.

Furthermore, it can be the legitimate interest of the Data Controller, among others, to process personal data in connection with ongoing regulatory, court or other procedures to prove the compliance with legal obligations of the Data Controller, or for the establishment, exercise or defence of legal claims.

It is obligatory to provide those data that are necessary for compliance with legal obligation, taking into consideration that the Data Controller would not be able to fulfil its obligations provided by law (e.g., tax deduction).

The legal basis for processing the personal data in relation to the measures taken by the Data Controller in order to avoid the spread of Coronavirus (COVID-19) is the consent of Data Subject. The legal basis for processing health data is the explicit consent of the Data Subject. Consenting to the data processing shall be voluntary. The Data Subject shall be entitled to withdraw its consent by way of a written statement addressed to the Data Controller any time, on the provision that this shall not affect the lawfulness of data processing based on consent before its withdrawal.

The legal basis for processing the personal data in relation to the copies of the identification documents (for the purpose of data verification) of the Data Subject is the legitimate interests of the Data Controller. Access to these documents is limited to the staff responsible for the verification of the data. The uploaded documents will be deleted from the system of the Data Controller upon verification to be no later than on the 3rd business day after the day of receipt.

3. Data processor

Data processing activities shall be provided by contractors, service providers of the Data Controller who are engaged to provide services involving data processing services.

The Data Controller shall ensure with appropriate measures that data processors acting on behalf of the Data Controller shall act and process personal data that was made available for them in accordance with the instructions of the Data Controller and in accordance with the relevant Hungarian and EU laws.

The Data Controller stores the personal data specified in Attachment 1 on “Mid Atlantic Films – Production Platform” operated by Mid Atlantic Productions Kft. (registered office: 1151 Budapest, Károlyi Sándor út 158., e-mail: admin@midatlanticfilms.com) – hereinafter together “Data processor”.

In connection with the above activity, Data processor acts as a data processor with respect to the personal data, and Data processor provides data storage and support to the Data Controller in connection with the data.

The Data Controller also transfers personal data to bookkeeping and tax advisor companies, for the purpose of bookkeeping and providing tax advice, which companies are also considered as data processor of the Data Controller. At the request of the Data Subject the Data Controller will provide a list of the data processors.

Data processor may only process the data in accordance with the Data Controller’s instructions.

The Data Controller and the data processors shall adopt appropriate state-of-the-art technical measures to protect personal data against unauthorised or accidental data processing, in particular unauthorized access, alteration, transfer, disclosure, erasure or destruction, accidental damage and loss, as well as inaccessibility due to any changes in the applied technique.

4. Data transfer

The personal data may be disclosed – without limitation – to the group companies of the Data Controller (the Mid Atlantic Films group) and to the competent authorities (e.g., National Media and Telecommunications Authority, the National Film Office, National Tax and Customs Authority) and/or courts in connection with the procedures initiated in connection with the Project, and to the foreign producer (including its group companies) involved in the Project. Personal data may also be disclosed to the Data Controller’s legal counsel or other professional advisers (e.g., accountant, tax advisor), and to crew members.

The data may only be accessed by persons within the organisation of the Data Controller who are duly authorised to access the data and whose access is strictly necessary and indispensable for the performance of their contractual and/or statutory obligations.

5. Transfer of personal data to third country

Data Controller may transfer the personal data in connection with the Project to companies located in third countries (outside the EEA) as well. Taking into consideration that in some of those countries the adequate level of protection of personal data is not guaranteed, the Data Controller ensures appropriate and adequate safeguards for the transfer [Article 46. (2) c) GDPR] to the Data Subjects by applying the Standard Model Clauses adopted by the European Commission.

The Data Subject may request copy of the data transfer agreement and the general terms and conditions from the admin@midatlanticfilms.com e-mail address.

6. Data retention

The Data Controller shall retain the personal data for the period set forth in Attachment 1; thereafter the personal data will be deleted or anonymized.

The Data Controller shall not be obliged to delete the personal data as described above in case it has the legitimate interest to retain the personal data for longer period. Such legitimate interest includes without limitation using the data as evidence during court or administrative procedures, or to justify the compliance of the Data Controller with applicable laws in the course of ongoing administrative, court or other official proceedings.

7. Data Subject rights

Pursuant to applicable Hungarian and EU data protection laws the Data Subject may have the right to: (i) request access to his personal data; (ii) request rectification of his personal data; (iii) request erasure of his personal data; (iv) request restriction of processing of his personal data; and (v) object to the processing of his personal data.

(i) Right of access: The Data Subject may have the right to obtain confirmation as to whether or not his personal data is being processed, and, where that is the case, to request access to the personal data and to certain information relating to the data process.

The right of access applies to – inter alia – the following information: purposes of the processing, the categories of personal data processed, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.

Furthermore, the Data Subject may have the right to obtain a copy of his personal data processed by the Data Controller.

Right to rectification: In certain cases, the Data Subject may have the right to request the rectification of inaccurate personal data, or the completion of incomplete personal data.

Right to erasure (right to be forgotten): In certain cases, the Data Subject may have the right to request the erasure of his personal data, and the Data Controller may be obliged to erase such personal data.

Right to restriction of processing: In certain cases, the Data Subject may have the right to request the restriction of the processing of his personal data. In this case, the respective data may be processed only for certain purposes.

Right to object: In certain cases, the Data Subject may have the right to object to the processing of his personal data, and the Data Controller may be required to cease the processing of such data.

It may be possible that the Data Controller is unable to fully or partially grant a request related to the above rights due to the nature of the data. In addition, the above rights are not absolute, and the exercise of the above rights may be subject to conditions pursuant to applicable data protection laws.

The Data Subject may also lodge a complaint with the National Authority for Data Protection and Freedom of Information (seat: 1055 Budapest, Falk Miksa utca 9-11., Hungary, Telephone: +36 (1) 391 1400, e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu) or may initiate court proceedings before the court having competence over his place of domicile or habitual residence in connection with the unlawful data processing.

8. Contact

The Data Subject may exercise his rights set out in Section 7 by sending an e-mail to the Data Controller to the email set forth in Section 5, or by sending a postal letter to the seat of the Data Controller. The Data Controller will respond to any requests within the shortest time possible, but in any case, no later than within 1 (one) month.

9. Amendment of the Policy

The Data Controller may amend the present Policy unilaterally at any time due to any changes in applicable laws or the Data Controller’s data processing operations. The date of the last update is indicated at the end of the Policy.

Last update: August 27th, 2024