Privacy policy
Last updated: 2025.02.23
PRIVACY POLICY
concerning marketing activities related to festivals organised by Sziget Zrt.
Within the frameworks of the “GrassrEUts Empowering audience and opening the stage for European artists” project supported by the Action to the European Education and Culture Executive Agency (EACEA) as part of the Creative Europe Programme (Call Identifier: CREA-CULT-2024-COOP-2), Sziget Zrt., Exit Foundation, Scoop Organization, Everything is New, Lda. and All-Ukrainian Association of Music Events organise a music competition (hereinafter: “Competition”) that aims to identify, support, and promote emerging European artists by providing them with opportunities to perform at renowned festivals in accordance with the terms of the participation rules. During the Competition, we process various personal data in connection with it that we process in accordance with the relevant effective legislation, especially Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).
We hereby inform you on the details of the processing of your personal data and your corresponding rights.
The purpose of this Privacy Policy is to inform you about the processing of your personal data provided to the below specified companies as data controllers (hereinafter each one: “Data Controller”) in order to participate in the above Competition preliminarily to the processing of your data in accordance with Articles 12, 13, and 14 of the GDPR. In this Privacy Policy, you will receive a detailed and clear information about who, on what purpose, on what basis your personal data is collected, managed, who has access to your data and what rights are you entitled to in relation to the data processing.
Who processes your data?
The Competition is organised on a country-by-country basis; therefore, competitors need to contact the respective data controller depending on the country of origin to be given upon the application.
The entity of the data controllers:
in terms of participants from Hungary:
Sziget Cultural Management Private Company Limited by Shares
seat: 1033 Budapest, Hajógyári sziget 23796/58.
company registration number: 01-10-049598
availability of the data protection officer:
Postal address: H-1033 Budapest, Hajógyári-sziget topographical lot No.: 23796/58.
E-mail:dpo@sziget.hu
hereinafter: “Sziget Zrt.”
as the organiser of Sziget Festival;
in terms of participants from Serbia:
Exit Foundation
seat: KISACKA 5, NOVI SAD, 21000 Serbia
company registration number:
availability of the person in charge of privacy matters:
as the organiser of EXIT Festival;
in terms of participants from Tunisia:
Scoop Organization (CARTHAGE)
seat: La Marsa Safsaf, La Mars, 2078 Tunisia
company registration number:
availability of the person in charge of privacy matters:
as the organiser of Carthage Jazz or dedicated event(s) for the winner of GrassrEUts;
in terms of participants from Portugal:
Everything Is New, Lda
seat: Rua Pero da Covilha, Lisboa, 1400-296 Portugal
company registration number:
availability of the data protection officer:
as the organiser of NOS Alive;
in terms of participants from Ukraine:
ALL-UKRAINIAN ASSOCIATION OF MUSIC EVENTS (UAME)
seat: Kyiv, Sichovyh Striltsiv 37-41 Kyiv, 04053 Ukraine
company registration number:
availability of the person in charge of privacy matters:
as the organiser of a related online festival in 2025, the festival of 2026 tbd.
More information on the festivals are available on the site of the Competition.
The scope of processed data, the purposes, duration and legal basis of data processing:
What is the purpose of processing your data?
Your contact data are necessary for your participation, whereas the data related to the past posts, activities, audiovisual materials on the public social media sites of the applicant band are needed to evaluate and, thus, rank performance of the applicants and, in case, your band reach one of the best results, we need to provide you with your award, which is offering stage performance opportunities at the respective events country-by country. The actual stage performance in 2025 (and the videorecording thereof) will be the basis of the second round of the Competition.
In case any of the Data Controllers intends to use any of the data for different purposes than those specified herein, the respective Data Controller shall inform you preliminarily – providing all necessary information related to such intended data processing.
What is the basis of processing your personal data?
All your data is processed based on your consent given pursuant to Point a) of Article 6 of the GDPR. In case it is not only your data (either contact data, data on social media platform, or data in or related to audiovisual materials), you are fully liable for the lawfulness of providing such data to the respective Data Controller possessing the explicit, informed consent of the de facto data subject.
How long are your data processed?
Your data are stored for 3 years reckoned from the closing date of the Competition. The closing date of the Competition is published on the site of the Competition.
Who may access your personal data?
Your contact data may be accessed only by the administrators appointed by the respective Data Controller, whereas the sites and audiovisual materials are to be viewed and scored by the jury selected by the respective Data Controller, who are authorized to access the Competition site with their dedicated logged registrations and, even then, may access the Competition data only to the extent and for the time necessary to fulfil their duties related to the Competition.
However, we would like to inform you that each Data Controller is obliged to fulfil the written data requests of the authorities based on legal authorization. Courts, prosecutors, investigative authorities, infringement authorities, public administrative authorities, the respective national authority for data protection, or other bodies may contact the country-specific Data Controller in order to provide information, communicate and transfer data, or make documents available, based on the authorization by law. The responsible Data Controller shall provide the requesting body with the personal data that is absolutely necessary for the fulfilment of the purpose of the request, provided that the exact purpose and the scope of the data has been specified. The responsible Data Controller shall keep records of data transmissions in accordance with the requirements of the GDPR (to which authority, what personal data, on what legal basis, when the Data Controller transmitted), the content of which the responsible Data Controller shall provide information upon request, unless the provision of information is prohibited by law.
The data processing processes are presented in the below chart for easier overview:
1. DATA PROCESSING RELATED TO THE APPLICATION
When you apply for the Competition, you give your band’s information (your band name, the year when the band was formed, country, the language of the lyrics, music genre, a short introduction of the band, Facebook site, Instagram profile, Spotify band page); the contact person’s e-mail address and telephone number; mandatory: your YouTube channel name, your official video on YouTube, optional: your band’s photo, short introduction video, and/or other social media platform availabilities. After submitting the application, you will receive a confirmation that your application has been submitted.
Description: | In order to apply for the Competition, certain data are needed to enter the Competition: - band information, - contact information - the band’s YouTube channel and links to the band’s official social media sites and live videos, and you may provide - a short introduction video, - a photo of your band, - availability of the profiles on other social media platforms. |
Legal basis: | The legal basis of the data processing is your consent granted in accordance with Point a) of Article 6 (1) of the GDPR which you gave upon your application and acceptance of the terms of the Competition. |
Purpose: | You participate the Competition with the purpose to win a live performance opportunity at the country-specific event in 2025, as well as to qualify for the international pool having the opportunity for a live performance in 2026 at the events organised any of the Data Controllers distinctive from the band’s own country. |
Data processed: | The band information, contact person’s availability, the performance and all data therein of the competitor and contributors thereto as described above. Please, be informed that you are fully liable to observe the rights of other data subjects during the Competition; thus, in case you provide us with any audiovisual material, please, make sure that you have requested the explicit, informed consent of all data subjects. |
Parties involved: | Sziget Zrt. as operator of the competition site |
Retention of data: | The personal data related to the Competition shall be deleted 3 years after the closing of the Competition. |
2. Evaluating the SUBMITTED performances in the Competition
The submitted applications are to be evaluated by jury members selected by the respective Data Controller. The evaluation criteria are laid down in the rules available on the website. The jury members have to be impartial and need to evaluate the applications as objectively as possible. As jury members are also individuals, their personal data are also to be kept confidential.
Description: | The performances submitted (i.e. the audiovisual materials as per Point 1 above) are evaluated in order to determine who has reached the best ranking. There will be 5 bands awarded in each country. |
Legal basis: | The legal basis of the data processing is your consent granted in accordance with Point a) of Article 6 (1) of the GDPR which you gave upon your application and acceptance of the terms of the Competition. |
Purpose: | The winners of the first round of the Competition are to be determined based on their submitted audiovisual materials that are evaluated by the jury selected in each country. |
Data processed: | In addition to data as per Point 1, the votes given by the jury members (the personal data of the jury members is confidential). |
Parties involved: | Sziget Zrt. as operator of the competition site the jury members |
Retention of data: | The personal data related to the Competition shall be deleted 3 years after the closing of the Competition. |
3. Communicating the results in the national selection: ranking and awarding
Description: | Based on the results (as per Point 2 above), the ranking of the competitors is established and the winners are to be awarded. All applicants will be informed whether they are winners or not. From the ranking, the best 5 competitors are to be invited for the above specified country-specific event (for which the event-specific privacy policies shall be applicable therefrom). In case the winning band participates the respective 2025 festival, the respective Data Controller shall process their personal data in course of or in connection with the contracting, finances, accreditation, stage performance in accordance with the data processing rules applicable to any and all artists. |
Legal basis: | The legal basis of the data processing is your consent granted in accordance with Point a) of Article 6 (1) of the GDPR which you gave upon your application and acceptance of the terms of the Competition, whereas for the live events, respective privacy and other policies will be applicable based on which event the competitor will perform in live. |
Purpose: | The winners of the 1st round of the Competition are to be awarded. |
Data processed: | in accordance with Point 2 |
Parties involved: | Sziget Zrt. as operator of the competition site |
Retention of data: | The personal data related to the Competition shall be deleted 3 years after the closing of the Competition. |
4. Evaluating the LIVE performances in the Competition
The live performance of the winners of the first round of the Competition is to be broadcast live and to be made available for a certain period in order to enable also the audience to vote on the performances. The details of the voting are to be publisher for each respective Data Controller.
Description: | The live performances of the winners of the first round are evaluated by both the audience, and the jury in order to determine who has reached the best results. There will be 2 bands awarded in each country. |
Legal basis: | The legal basis of the data processing is your consent granted in accordance with Point a) of Article 6 (1) of the GDPR which you gave upon your application and acceptance of the terms of the Competition. |
Purpose: | The winners of the second round of the Competition are to be determined based on their live performance that are evaluated by the audience and the jury. |
Data processed: | band information, the live performance (recorded) |
Parties involved: | Sziget Zrt. as operator of the application YouTube |
Retention of data: | The personal data related to the Competition shall be deleted 3 years after the closing of the Competition (the data related to the participation at the respective festival and the performance fall under different data processing activities). |
5. Communicating the results in the inetrantional selection: ranking and awarding
Description: | Based on the results (records as per Point 4 above), the ranking of the competitors is established and the winners are to be awarded. The winners are to be published. From the ranking, the best 2 competitors are to be part of the internation pool for the 2026 events and all Data Controllers except for their country of origin may invite any of the bands from this pool to the above specified country-specific event (for which the event-specific privacy policies shall be applicable therefrom). |
Legal basis: | The legal basis of the data processing is your consent granted in accordance with Point a) of Article 6 (1) of the GDPR which you gave upon your application and acceptance of the terms of the Competition, whereas for the live events, respective privacy and other policies will be applicable based on which event the competitor will perform in live. |
Purpose: | The winners of the 2nd round of the Competition are to be awarded. |
Data processed: | in accordance with Point 4 |
Parties involved: | Sziget Zrt. as operator of the application YouTube all Data Controllers other than the country-specific Data Controller for the selection of 2026 festival participants |
Retention of data: | The personal data related to the Competition shall be deleted 3 years after the closing of the Competition (the data related to the participation at the respective festival and the performance fall under different data processing activities). |
What measures do we make to protect your data?
Each Data Controller pays particular attention to data security, therefore, each has taken appropriate security measures, as well as appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used, and to protect your personal data from data loss, data destruction, data manipulation and unauthorized access.
It is the duty of all colleagues (including the invited jury members) of each Data Controller to observe data confidentiality, i.e. to treat personal data confidentially, and each Data Controller continuously revises its security measures in accordance with technological development.
What rights do you have in connection with the data processing?
Each Data Controller facilitates the exercise of your rights set out in the GDPR written below. No Data Controller can refuse to fulfil your request to exercise data subject rights, unless it proves that it could not identify you. Each inquired Data Controller shall inform you of the measures taken in response to your request without undue delay but, in any case, within one month reckoned from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by another two months. The inquired Data Controller shall inform you about the extension of the deadline, indicating the reasons for the delay, within one month reckoned from the receipt the request. If you have submitted the request electronically, the inquired Data Controller shall also provide the information electronically, unless you request it otherwise.
If the inquired Data Controller does not take measures following your request, it shall inform you without delay, but at the latest within one month reckoned from the receipt of the request, of the reasons for the failure to take measures, as well as the fact that you can file a complaint with a supervisory authority and exercise your right to judicial remedy.
The inquired Data Controller shall provide the information and take the measures free of charge, however, if your request is clearly ungrounded or - especially due to its repetitive nature - excessive - taking into account the administrative costs associated with providing the requested information or taking the requested measures – the inquired Data Controller may charge a reasonable fee or refuse to take measures based on request.
If the inquired Data Controller has reasonable doubts about the identity of the natural person who submitted the request related to the rights of the data subject below, it may request the provision of additional information necessary to confirm the identity of the data subject.
We describe below what rights you have during the data processing:
right of information and access to personal data: | “I would like to know what data is stored about me and what are they used for.” Within the data processing period, you may request information from the respective Data Controller about the processing of your personal data. As soon as possible reckoned from the date of submission of the request but no later than within 1 month, the respective Data Controller shall inform you in writing, in a comprehensible form about the processed data, the purpose, the legal basis and the duration of the data processing, and – in case the data has also been transferred - about who receives it and for what purpose it receives or has received the data.
“I would like to access my data to see what data is stored about me.” You are entitled to receive feedback on the processing of your personal data with a content set forth in Points a) to h) of Article 15 (1) of the GDPR. |
right of rectification of data: | “I would like to have my wrongly recorded data corrected.” Within the data processing period, you may request that the respective Data Controller corrects, complete your personal data. The respective Data Controller shall satisfy your request as soon as possible reckoned from the date of submission of the request but no later than within 1 month. |
right of erasure of data: | “I would like to have my data deleted.” You also have the possibility to request that the respective Data Controller deletes your personal data without undue delay, if a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed; b) you withdraw your consent to the data processing, and there is no other legal basis for the data processing; c) you object against the data processing and there is no overriding legal reason for the data processing; d) your personal data has been processed unlawfully; e) the personal data shall be deleted in order to fulfil the legal obligation prescribed by EU or member state law applicable to the respective Data Controller. The right to deletion shall not apply to cases where the respective Data Controller is required to continue storing the data by law, or in the event that the respective Data Controller is entitled to further process personal data in line with Point c) of Article 6 (1) of the GDPR or Section 6 (5) of Act on the right to informational self-determination and on the freedom of information (for example, in connection with invoicing). The respective Data Controller does not make your personal data public (only publicly available information submitted by you or the recording at the live event are to be made available for the evaluation at the Competition), so if you wish to use your right to be forgotten, it will be enforced in relation to data processors performing data processing activities. |
right to restriction of data processing: | “I would like that my data is not used until I have checked the lawfulness of it.” You are also entitled to have the respective Data Controller restrict data processing at your request if a) you dispute the accuracy of your personal data, in which case the limitation applies to the period that allows the respective Data Controller to check the accuracy of the personal data; b) the data processing is unlawful and you oppose the deletion of the data and, instead, request the restriction of their use; c) the respective Data Controller no longer needs the personal data for the purpose of the data processing but you require them in order to submit, enforce or defend legal claims; or d) you have objected against the data processing, in this case the restriction applies to the period until it is established whether the legitimate reasons of the respective Data Controller take priority. If data processing is subject to restrictions based on any of the above reasons, such personal data, with the exception of storage, will only be processed with your consent, or to motion, enforce or defend legal claims, or to protect the rights of another natural or legal person, or the important public interest of the Union or a member state. |
right to data portability: | “I would like to access my data and would like to take them over to another data controller.” As neither Data Controller carries out automated data processing, the data subject's right to receive personal data in a segmented, widely used, machine-readable format based on his/her consent or in connection with the contract concluded with him/her or to have it transmitted to another data controller is not applicable. |
right to object: | “I object in connection with the further processing of my personal data.” You may object against the processing of your personal data, (i) if the processing or transmission of personal data is necessary for the execution of a task of public interest or for the enforcement of the legitimate interests of the respective Data Controller, data receiver or third party, except in the case of mandatory data processing and the case set forth in Article 21 (1) of the GDPR or Section 6 (5) of Act on the right to informational self-determination and on the freedom of information (in the case of the existence of a substantiated compelling legitimate reason), or (ii) if your personal data is used or transferred - without your consent - for the purpose of direct business acquisition, public opinion polls or scientific research. The respective Data Controller shall examine the objection, make a decision on its groundedness, and inform you about its decision in writing as soon as possible, but no later than 1 month reckoned from the submission of the request. |
The respective Data Controller also informs you that the EU and Member State or the national privacy legislation applicable to itself or to the data processor used by it may limit the above rights for, inter alia, the prevention, investigation, detection or prosecution of crimes, as well as the implementation of criminal sanctions, including protection against threats to public safety and the prevention of these dangers; the protection of the data subject or the protection of the rights and freedoms of others; and enforcement of civil law claims (Article 23 of the GDPR), of which circumstances it shall inform you according to the conditions written above.
In case you consider that the inquired Data Controller has violated a legal provision regarding data processing, or has not fulfilled any of your requests, you may initiate the investigation procedure of the national data protection authority. We would furthermore like to inform you that in the event of a violation of the legal provisions on data processing, or if we have not fulfilled any of your requests, you may apply to court against the inquired Data Controller.