Megoldás Mozgalom

SOLUTION MOVEMENT

Privacy Notice

Version 1.4.

Effective from 19 December 2022

The Solution Movement shall provide the following information pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (GDPR) No 2016/679 (hereinafter referred to as 'GDPR') concerning personal data processing carried out by it in connection with the membership, communication or website of the Solution Movement.

1. Data of the Controller

Name of data controller: Solution Movement
Abbreviated name of data controller: MEMO
Type of organization: Association
Form of association: Party
Registration Number: 01-02-0017750
Headquarters: 1061 Budapest, Székely Mihály utca 16.

Represented by:

President Viktor Dénes Huszár independently
Dr. Krisztina Ilona Bajusz Vice-President individually, Dr. Dániel Bogó Vice-President individually

Members:
President György Zoltán Gattyán independently
Viktor Dénes Huszár, Gábor Borsányi, Dr. Krisztina Ilona Bajusz Vice-Presidents together with another Vice-President

Mailing address: 1101 Budapest, Expo tér 5-7.
E-mail: info@memo.hu

The Data Controller receives requests related to data protection at the following contact details:

Information about the Data Protection Officer:
Name: Adam dr. Nemeth (attorney in the dr. Nemeth Adam attorney at law)
E-mail: bejelentes@drnemethadam.hu

2. Applicable legislation

The personal data processing carried out by the Controller on the basis of this Data Protection Notice is governed by the following laws:

1. Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
2. Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.);
3. Act V of 2013 on the Civil Code (hereinafter referred to as the Civil Code);
4. Act CLXXV of 2011 on the right of association, the status of public benefit and the operation and support of civil society organisations (hereinafter referred to as 'Ectv.');
5. Act XXXIII of 1989 on the Operation and Management of Parties (hereinafter referred to as 'PartyTv.');
6. Act XXXVI of 2013 on the Electoral Procedure (hereinafter referred to as 'Ve.');
7. 1/2018. (I. 3) Ministry of Justice decree on the detailed rules for the implementation of tasks falling within the competence of election offices in the elections of Members of Parliament, the establishment of the scope of the nationally aggregated data on the election results, as well as the forms to be used in the electoral procedure, as well as the amendment of certain decrees on electoral matters;
8. Act CL of 2017 on the Rules of Taxation;
9. Act C of 2000 on Accounting; and
10. Act CXXVII of 2007 on Value Added Tax.

3. Characteristics of data processing carried out by the Controller on the basis of this notice

3.1. Data processing related to voters

3.1.1. Consultation on the signing of a recommendation sheet

Purpose of data management: At the request of the data subject, on the basis of a prior appointment, to disembark the address of the data subject for the purpose of signing the recommendation sheet of the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections.

At the request of the data subject, the Data Controller organizes that the candidate or activist running on behalf of the Data Controller in the constituency of the data subject's address should disembark to the place of residence of the data subject, giving the data subject the opportunity to fill in and sign the recommendation sheet. In this case, Data Controller transfers the data to the candidate or to the activist.

Data Controller: The Data Controller and the Candidate can contact directly with the data subject. Entering contact serve the common purpose (collecting the recommendation) of the Data Controller and the Candidate, therefore the Data Controller and the Candidate are joint controller. The contract between the Data Controller and the Candidate is regulate the responsibilities of the parties and the Candidate must handle the data of the data subject according to this privacy policy.

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Data Controller operates as a party, the fact that the data subject signs or intends to sign the recommendation sheet of the candidate running on behalf of the Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: Persons who have contacted the Controller with a request to sign a recommendation sheet.

Scope of personal data processed: The data provided by the data subject includes the name, e-mail address, telephone number and address. Based on the address provided by the data subject to the Controller, the Data Controller determines the given constituency and the person of the candidate running in the given constituency, as well as the date of the visit.

3.1.2. Collection of recommendations

Purpose of data management: Collection of recommendations in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections

The voter recommends the candidate by providing and signing his personal data on the recommendation sheet of the candidate running on behalf of the Data Controller in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections. On the recommendation sheet, the person collecting the recommendation also indicates his personal data and signature. When the candidate is announced, the signature sheet is handed over to the electoral commission responsible for registering the candidate.

In view of the fact that the withdrawal of the recommendation is subject to a legal prohibition (Ve. Section 122 (5) the right of the data subject to erasure or withdrawal of consent may be exercised taking into account this limitation.

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Due to the fact that the Data Controller operates as a party, the fact that the data subject signs the recommendation sheet of the candidate running on behalf of the Controller or collects recommendations for the candidate constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of stakeholders: voter giving recommendations, person collecting recommendations.

Scope of personal data processed:

voter giving recommendations: name, personal identification, Address in Hungary, signature.
person collecting recommendations: name, personal identification number or official identity card number, signature.

Duration of storage of personal data: until the last day of the deadline for the candidate's notification, i.e. in the case of the election of members of parliament and the election of members of the European Parliament, until the 37th day preceding the election day (Articles 124 and 252 of Ve), in the case of the election of local government representatives and mayors, until the 34th day preceding the election day (Article 307/G of Ve). If the person collecting the recommendation has also indicated their personal data on a signature sheet without a recommendation, the period of storage of the personal data may be extended until the day following the above deadline (26 February 2022).

3.1.3. Processing of additional data when collecting recommendations

Purpose of data management: Handling of additional data necessary for the collection of recommendations in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: The legitimate interest of the Controller in conducting the collection of recommendations and ensuring data accuracy (Article 6(1)(f) of the GDPR).

Due to the fact that the Data Controller does not process personal data relating to the political opinion of the data subject for the purpose of data processing and the data relating to the political opinion of the data subject cannot be deducted on the basis of the personal data processed, the data processed do not fall within the special category of the GDPR as defined in Article 9(1).

Definition of stakeholders: voters contacted by the referral collector.

Scope of personal data processed: whether the person visited by the collecter was at home at the time or not, the address of the data subject has changed and has since died.

3.2. Data processing related to supporters, supporting members and members

3.2.1. Data processing related to supporters

Purpose of data management: Cooperation and contact with supporters

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Controller operates as a party, the fact that the data subject provides or intends to provide support to the Data Controller constitutes a special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons providing support to the Controller.

The scope of personal data processed: name, address (or temporary address), mailing address (if differs from the address or temporary address), place and date of birth, mother’s maiden name, phone number, e-mail address, website URL, category of support.

Duration of storage of personal data: until the withdrawal of the consent of the data subject.

If the support involves the issue of an invoice, the provisions of the section entitled “Registration of membership fees and payment of grants” shall be applied with an appropriate derogation.

3.2.2. Conducting a membership procedure for candidates and candidates for membership

Purpose of data management: Conducting a membership procedure

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Controller operates as a party, the fact that the data subject has submitted a request for membership to the Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons applying for membership procedures at the Data Controller, members supporting the application for membership with their recommendation.

Scope of personal data processed:

• name, birth name, nationality, place and time of birth, permanent address, notification address, telephone number, e-mail address, other contact details, declaration by the data subject that he or she meets the conditions of membership;
• cv data, id card picture, personal data included in the summary of the interview;
• only for candidates: the name of the member who supported the application for membership and other personal data (address and contact details) contained in the statement of recommendation.

Duration of storage of personal data: For this purpose, the Controller handles the above categories of personal data until the conclusion of the membership procedure. If a membership relationship is established, the personal data processed will be transferred to the members' register and supporting members’ register, respectively. If the application for membership is rejected, the name, place of birth and date of birth of the data subject and the date of refusal shall be entered in the register of rejected applications for admission on the basis of the consent of the data subject, the rest of the data will be deleted.

3.2.3. Register of members and supporting members

Purpose of data management: Registration of a member, supporting member

Legal basis for data processing: maintenance of the membership relationship between the data subject and the Controller (Article 6(1)(b) GDPR).

Given that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's member register constitutes a special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of data subjects: members of the Data Controller, supporting members, members supporting the application for membership with their recommendation.

Scope of personal data processed:

• name, birth name, nationality, place and time of birth, permanent address, notification address, telephone number, e-mail address, other contact details, declaration by the data subject that he or she meets the conditions of membership;
• cv data, id card picture, personal data included in the summary of the interview;
• only for members: the name of the member who supported the application for membership and other personal data included in the statement of recommendation (address and contact details);
• the start date of membership, in the case of members only: the fact that the membership has been suspended, the start and end dates;
• data generated during the procedure of the Ethics Committee, sanction applied.

Duration of storage of personal data: until the termination of the membership relationship.

3.2.4. Registration of membership fees and payment of grants

Purpose of data management: registration of the payment of membership fees. The Controller makes card payment available via the Simple system, during which data is forwarded to OTP Mobil Kft., the provider of the Simple system, as set out below.

Legal basis for data processing: compliance with the legal obligation (billing and tax liability) imposed on the Controller (Article 6 (1) c) of the GDPR, Section 159 (1) of VAT Tv.

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's register concerning the payment of membership fees and subsidies constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of stakeholders: member, support member, supporter.

The scope of personal data processed: name, address/billing address, e-mail, phone number, amount and date of payment.

Duration of storage of personal data: 8 years (Section 169 (1) of Accounting Act)

Based on the consent of the data subject, the Controller shall forward the following categories of the personal data concerning the data subject, as submitted on the website www.memo.hu, to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.), as independent controller. Categories of personal data forwarded: family name, given name, country, phone number, e-mail address. Purpose of data forwarding: customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

3.2.5. Register of rejected applications for admission

Purpose of data processing: Register of rejected admission requests (to reduce the volume of admission requests in bad faith)

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the Register of Rejected Recruitment Requests constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons applying for membership whose application for admission has been rejected by the Presidency.

Scope of personal data processed: name, place and time of birth, date of rejection

Duration of storage of personal data: 12 months

3.2.6. Register of former members

Purpose of data processing: Register of former members

Legal basis for data processing: the Controller has a legitimate interest in reducing the volume of bad faith recruitment requests during the recruitment of members, supporters and support members (Article 6(1)(f) of the GDPR).

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the register of former members of the Data Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of data subjects: former members whose membership has been terminated as a result of withdrawal, termination or exclusion resulting from a suspension. This processing does not cover the termination of the membership due to death.

The scope of the personal data processed: name, date of termination of legal relationship, reason for termination of legal relationship, the fact that the member has fulfilled his or her accounting obligations or has been postponed, acquitted or is being prosecuted.

Duration of storage of personal data:

• 6 months in the event of withdrawal or termination due to suspension
• 12 months in case of exclusion

3.3. Data handling of connecting persons to MEMO

Purpose of data management: The data subject can connecting to MEMO community without membership or supporting membership.

The data subject can send the request of the connection trough ’Csatlakozz önkéntesnek’, ’Csatlakozz ötleteddel/javaslatoddal’, ’Csatlakozz hírlevelünkhöz’, ’Csatlakozz ifjúsági tagozatunkhoz’ joining form.

After joining, the Data Controller keep in connection with the data subject via electronic communication (via email and telephone) and send information about the activity of the MEMO.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) GDPR).

Given that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's regular contact register constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects:

• Persons who have send the joining form.

The scope of personal data processed: name, postal code, e-mail, phone number.

Additional informatione that we are handling if you are joining to our youth department (’Csatlakozz ifjúsági tagozatunkhoz’) is the data of birth (based on this information the Data Controller can check the age of the data subject).

Additional information that we are handling if you are joining to us with an idea (’Csatlakozz ötleteddel/javaslatoddal’) is the idea of the data subject.

Duration of storage of personal data: Until the data subject's consent is withdrawn.

3.4. Responding to requests

Purpose of data management: To respond to unofficial requests from outside the organization.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) gdpr).

Given that the Controller operates as a party, the fact that the data subject has made a request to the Data Controller constitutes or may constitute special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: Persons who contact the Controller by request.

The scope of personal data processed: name, e-mail address, telephone number.

Duration of storage of personal data: 3 years.

3.5. Processing related to the exercise of the rights of the data subject and the complaint concerning the processing of personal data

Purpose of data management: Enforcement of data subject rights, handling of complaints.

Legal basis for data processing: Compliance with the legal obligation imposed on the Controller (Article 6(1)(c) gdpr, Articles 15-18, 21 of the GDPR, Article XXVIII(7) of the Fundamental Law).

Definition of data subjects: Persons who have complained about the processing of their personal data validating their rights as data subjects.

The scope of personal data processed: name, place and time of birth, mother's name, e-mail address, other data provided in the submission on the enforcement of her rights or in the complaint concerning data processing (e.g. subject of a complaint).

Duration of storage of personal data: 5 years from the end of the enforcement of the rights of the data subject or the settlement of the complaint related to the processing of personal data (general limitation period according to the Civil Code).

3.6. Processing related to the execution of contracts

Purpose of data management: Execution and performance of contract on services used or provided by the Controller, request for, or providing quotation prior to the execution of the contract.

Legal basis for data processing:

• In case the data subject is a party to the contract, then processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)b of GDPR).
• In case the data subject is not a party to the contract, then processing is based on the legitimate interest pursued by the controller to the performance of the contract (Article 6(1)f of GDPR)

Definition of data subjects: contracting party (if the contracting party is a natural person), or the representative, contact person of the contracting party (if the contracting party is an entity).

The scope of personal data processed: name of the contracting party, (billing) address, e-mail, telephone, data pertaining to the service ordered.

Duration of storage of personal data: 5 years of the performance of the contract (Article 6:22. of the Civil Code), or 8 years of the performance of the contract (Article 169(2) of the Act on Accounting), if the contract is qualified as an accounting record.

3.7. Data processing on the Data Controller's website

3.7.1. Data relating to the Website and its operator

The website available at www.megoldasmozgalom.hu and www.memo.hu address (hereinafter: Website) is operated by the Data Controller. The contents placed on the Website are protected by copyright, their use is only possible with the prior written consent of the Data Controller. The Data Controller accepts requests for the use of the contents placed on the Website at the contact details specified in section 1 above. Hyperlinks placed on the Website may point to websites operated by third parties on which further data processing may take place. The visitor can find out about the data processing on the given website.

3.7.2. Data security measures applied on the Website

During the operation of the Website, the Data Controller strives to use technological solutions for data security. When designing the development and development of the Website, it takes into account data protection and data security aspects, tests the security of the Website, and in the course of the further development of the Website, in case of changes of data protection relevance, it amends this Privacy Notice as necessary. The Data Controller uses https on the Website. This Privacy Notice is available from the main page of the Website, so data subjects can be informed in advance about the circumstances of the processing of their personal data before providing their personal data (subscription to the newsletter, registration, contacting the Data Controller, etc.).

3.7.3. Cookie Policy

The Controller's cookie policy can be found at the following address

3.7.4. Privacy Policy of the MEMO Application

The Controller’s privacy policy applicable to the MEMO application can be found at the following address: https://memo.hu/app/adatvedelem.

Links to the privacy policy can be found on the login page of the MEMO application, and on the information page of the MEMO application in App Store and Google Play store.

4. Processors

The Controller uses the following data processors in the course of the personal data processing contained in this Data Protection Notice:

CloudFlare, Inc. (101 Townsend St, San Francisco, CA 94107, UNITED STATES). The service provider is a company registered in the United States of America. The agreement with the service provider includes a sample contract for the transfer of data between the European Union and the United States of America, accepted by the Commission of the European Union, but the storage of personal data transmitted to the Controller by e-mail or web form during the operation of the Website is not stored on the storage space provided by CloudFlare, Inc., it takes place on a server within the European Union. Accordingly, the Controller does not transfer any special data to CloudFlare, Inc.
In the course of data processing related to voters (section 3.1), candidates running in each constituency are considered to be data processors used by the Controller. If, in the course of collecting signatures, the candidate does not act in person, but through the activist appointed by him, the activist shall be considered as the candidate's sub-data processor.
The county-level leaders of Solution Movement may record the contact details of the data subjects contacting them, for the purpose they are contacted by the data subject (e.g. for the provision of support by the data subject, recruitment as a supporting member, contact via newsletters, postal mails, phone calls and SMS messages etc.)
The Data Contoller uses the services of Jotform Inc. (4 Embarcadero Center, Suite 780, San Francisco CA 94111, Amerikai Egyesült Államok) when collecting joining request and other newsletter subscriptions. The Jotform Inc. uses the Standard Contractual Caluses of the European Comission, and the servers of the Jotform Inc. can be found within the territory of the European Union.

5. Data transmission, other common features of data processing

The Data Controller does not transfer the processed data to a third country or to an international organization, nor does it carry out automated decision-making and profiling.

The Data Controller transfers the personal data it manages to an authority, court or other public body only on the basis of legislation and in a documented way.

6. Rights and remedies for the data subject

6.1. Right to withdraw consent

In the case of data processing based on consent, the data subject is entitled to withdraw his consent at any time. The withdrawal of consent does not affect the legality of consent-based data processing prior to withdrawal.

6.2. Right to request information

The data subject is entitled to request information in writing from the Controller regarding the processing of his personal data. Within one month, the Data Controller informs the data subject in writing about the purpose, legal basis, scope of the data processed, duration of data processing, source of data, possible data transfer, etc.

6.3. Right to rectificationThe

rectificationThe data subject is entitled to ask the Controller in writing to clarify, supplement or modify the personal data relating to him (e.g. in the event of incorrect data collection or subsequent data change). Within one month, the Data Controller informs the data subject in writing about the completion of the clarification, addition and modification.

6.4. Right to cancel

The data subject is entitled to ask the Controller in writing to delete the personal data relating to him. If the Controller is not obliged by law to retain the data, the Controller deletes the personal data indicated in the request within 5 working days and informs the data subject in writing about this.

6.5. Right to restrict data processing

The data subject is entitled to ask the Controller in writing to limit the processing of personal data relating to him. For example, data processing may be restricted (blocked) if the data subject wishes to use the blocked personal data for enforcement before a court or authority. The Controller may process the blocked personal data only with the consent of the data subject, with the exception of storage, or in order to submit, enforce or defend legal claims or to protect the rights of other natural or legal persons, and is also obliged to clearly indicate the fact of blocking and to treat the blocked personal data separately.

6.6. Right to data portability

The data subject is entitled to request in writing the Controller to send the personal data relating to him in a delimited, widely used, machine-readable format, and he is entitled to transfer this data to another data controller without being hindered by the Controller.

The right to data portability may be exercised in the following cases:

• the processing is based on the consent of the data subject or
• data processing is necessary for the performance of a contract in which the data subject is also a contracting party (including where, at the request of the data subject, steps are taken prior to the conclusion of the contract); and
• data processing is carried out in an automated manner.

The data subject may request the Controller to transfer his personal data directly between data controllers, if this is technically feasible.

6.7. Right to protest

The data subject is entitled to object to the processing of his personal data based on the legitimate interest of the Controller or a third party, including profiling based on those provisions, for reasons related to his or her situation. In this case, the Controller may no longer process the personal data unless the Controller proves that the processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims.

6.8. Enforcement of data processing

The data subject is entitled to contact the Data Controller directly if he has questions about the processing of his personal data or wishes to exercise his data protection rights. The name and contact details of the Data Protection Officer can be found in section 1 of this Privacy Policy.

In case of violation of data protection rights, the data subject can apply for redress to the National Authority for Data Protection and Freedom of Information (registered office: 1055 Budapest, Falk Miksa utca 9-11, postal address: 1363 Budapest, Pf.: 9., phone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu).

If the processing of the data subject's personal data is carried out unlawfully, the data subject is entitled to file a civil action against the Data Controller. The person concerned may also bring the case before the court of his place of residence (https://birosag.hu/torvenyszekek).

7. Scope and amendment of this notice

This Privacy Notice shall enter into force on the date specified in the subheading of this document and shall remain in force until the Controller replaces it with a new version of the Privacy Policy. The Controller reserves the right to unilaterally amend this Data Protection Notice at any time if the review of the Data Protection Notice, the change affecting the Data Controller's data management activities, a change in the law, data protection authority practice, business need, authority or court decision necessitate the amendment. The revised Data Protection Notice is published on the Website or sent to the data subject on request.