User Data Agreement

The site https://opendlp.sortitionlab.org/ is operated by the Sortition Foundation and Sortition Europe Nonprofit Ltd. In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, and Act CXII of 2011 on informational self‑determination and freedom of information, Sortition Foundation and Sortition Europe Nonprofit Ltd. (as data controllers) provide the following information regarding

  • the use of the website https://opendlp.sortitionlab.org/ (hereinafter: “Website”),
  • subscribing to the newsletter,
  • participation in events, workshops,
  • data processing related to registering for citizen’s assemblies and data provision,

as follows:

1. Data Controllers

  • Sortition Foundation Registered office: Unit 3 Wellbrook Court, Girton, Cambridge, CB3 0NA, United Kingdom Tax number: GB344874864

  • Sortition Europe Nonprofit Ltd. Registered office: 1092 Budapest, Ráday utca 31. C. front building, 1st floor, unit 11 Tax number: 32356465‑2‑43

2. Basic Principles of Data Processing

  1. The legal basis for data processing by the Foundation is the voluntary consent of the Data Subject (hereinafter: “Data Subject” or “User”). The Data Subject is entitled to withdraw their consent at any time, which, however, does not affect the lawfulness of the processing carried out prior to withdrawal. The data proving the fact of consent will be retained by the Foundation as long as necessary for proving the consent or for other legitimate interest of the Foundation.
  2. The Data Subject is responsible for the truthfulness and accuracy of the personal data they provide. The Foundation does not verify the accuracy of the personal data disclosed. The Foundation is not liable for damages caused to the Data Subject or any third party because of incorrect or untrue data provided by the Data Subject.

3. Giving Consent

  • On the Website: by using the Website, registering as a user on the Website, or providing personal data in any other way.
  • In other cases: by a verifiable means initiated by the Data Subject (on paper, in writing, by email, audio or video recording, etc.).

No consent is required for capturing an image or sound in public gatherings or public life events (mass events) and for their use, if made as public recordings. The consent of the Data Subject is considered granted for personal data disclosed by them in public life or made public by them. Personal or family life of a public figure is not considered a public matter; such data is processed only with explicit consent.

The Data Subject’s consent is deemed given for personal data disclosed by them or made public during their public appearances.

The Foundation processes the personal data provided only for the purposes described in this notice, and only to the extent and for the duration necessary, unless otherwise required by law.

4. Detailed Rules of Data Processing

4.1 Scope of Data Subjects

  • Natural persons using the Website (Users)
  • Individuals subscribing to the newsletter
  • Participants in events organized by the Foundation
  • Persons lodging complaints or otherwise communicating with the Foundation
  • In cases of processing based on legitimate interest: persons whose contact data are publicly available in a professionally relevant context

4.2 Purposes of Data Processing

  • To enable use of the Website; to provide online content and online platform for registered users
  • Sending newsletters: primarily to inform about relevant professional content, the Foundation’s news, events, publications, trainings, etc. If the Data Subject objects, further processing for this purpose ceases
  • To enable users to organize events by registering and contacting participants
  • Facilitating participation in events organized by the Foundation
  • Handling complaints and other communications initiated by the Data Subject
  • Other communications or requests initiated by the Data Subject

4.3 Categories of Processed Data

  • Date and time of visit, IP address and domain name, accessed content
  • For newsletters: name, email, subscription logs
  • Complaints, responses, other communications
  • System‑generated technical data (e.g. browser, device, usage logs)
  • For events: personal data and event‑relevant information, attitudes, preferences
  • With explicit consent: name, organization, job title, email address, phone number

4.4 Legal Basis for Processing

  • The Foundation processes personal data on the basis of consent, except in certain cases:
  • The IP address upon site entry is recorded on the basis of the Foundation’s legitimate interest (e.g. to ensure lawful operation, prevent misuse)
  • Newsletter subscription is based on explicit, prior consent; unsubscribe is always possible
  • Complaint handling: legal obligation (for record‑keeping) or the Foundation’s legitimate interest (e.g. lawful handling of disputes)
  • Direct contact with explicit consent: basis is the Data Subject’s consent

4.5 Data Processors

Data processors are entities engaged by the Foundation under a contract in accordance with Article 28 of the GDPR (e.g. IT providers, newsletter services). They process personal data on behalf of the Foundation only according to its instructions.

4.6 Duration of Data Processing

  • IP addresses: stored for up to two weeks
  • Complaint records: retained for 5 years, per legal obligation
  • Personal data provided by User: as long as the User remains subscribed or does not request deletion
  • Technical system data: stored as long as necessary for system operation
  • Data in the supporter database: updated or deleted if position changes, upon knowledge
  • Editorial content: archived and retained unless the Data Subject requests deletion

5. Editorial Content

  • Data Subjects: persons appearing in the content of the Website
  • Purpose: journalistic / public information (e.g. photos, statements, interviews) with consent or legitimate interest
  • Processed data: editorial content, photographs, interview materials
  • Legal basis: consent or legitimate interest (e.g. freedom of expression, public interest)
  • Retention: archived unless a request for deletion arises

6. Data Processing and Data Transfer

  • Data processors may include third parties providing hosting, IT support, email services, etc.
  • The processor must not act on its own regarding the data and may only use data according to instructions
  • Data may be transferred to competent authorities if required by law or court order
  • Personal data will not be transferred to entities in third countries (outside the EEA)

7. Data Security

The Foundation takes technical and organizational measures to safeguard personal data against unauthorized access, alteration, disclosure, destruction, or damage, and considers the state of the art. The same obligations apply to data processors. In case of lawful data transfer, the Foundation is not liable for damage caused by the recipient.

8. Rights of the Data Subject

The Data Subject may at any time request information, correction, deletion, restriction of processing, or object to data processing. The Foundation must respond without undue delay, but at latest within one month. If a request is denied, reasons must be provided, along with recourse to supervisory authority or court.

  • Requests are free of charge.
  • Identity verification may be required.
  • The Data Subject can obtain a copy in machine‑readable format.
  • Deletion may be refused if there is legal obligation or overriding legitimate interest (e.g. public interest, legal claims).
  • Restriction may be requested under certain conditions (e.g. data accuracy dispute, objection, pending legal claims).
  • If processing was restricted, data can only be processed with consent or for legal claims, public interest, etc.
  • The Foundation will notify others to whom data was disclosed, unless impossible or disproportionately difficult.
  • The Data Subject may also demand portability of data.
  • If a request is not fulfilled, the Data Subject will be informed of reasons within one month.

If the Data Subject believes their rights have been violated, they may also lodge a complaint with the National Authority for Data Protection and Freedom of Information in Hungary:

National Authority for Data Protection and Freedom of Information Address: 1055 Budapest, Falk Miksa utca 9‑11. Mailing address: 1374 Budapest, Pf. 603. Phone: +36‑1‑391‑1400 Fax: +36‑1‑391‑1410 Email: ugyfelszolgalat@naih.hu

The Data Subject may also bring a civil suit; competence lies with the court of their place of residence. The courts can be found at: https://birosag.hu/torvenyszekek

The Data Subject can also make a complaint to the Information Commissioner, who is the official data protection regulator in the UK. Their contact information can be found on their website at www.ico.org.uk.

9. Changes to the Privacy Policy

This privacy policy will be published and updated on the Website. The currently effective version always applies, even if at the time of registration or data provision a prior version was in force.

10. Contact Information

For questions, remarks, requests, or exercising privacy rights, contact:

  • Sortition Europe Nonprofit Ltd. Address: 1092 Budapest, Ráday utca 31. C. front building, 1st floor, unit 11 Email: info@kozossegigyules.hu

  • Sortition Foundation Address: Unit 3 Wellbrook Court, Girton, Cambridge, CB3 0NA, United Kingdom Email: info@sortitionfoundation.org

Effective Date: This privacy notice is valid from 1 September 2025 onward.

If you have any questions about how we handle your data, please contact us at privacy@sortitionfoundation.org.

By checking the box below, you confirm that you have read and understood this data agreement and consent to the processing of your personal data as described above.

Last updated: October 2025

Back to Registration