Privacy Policy - Budapest Artineris

Last updated: 1 June 2026

This Privacy Policy explains how Menexa Srl processes personal data collected when users browse the Budapest Artineris website, apply to take part in the event, or publish content related to the Budapest Artineris programme (hereinafter: “BA”).

Personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, hereinafter: “GDPR”) and with the applicable European and national data protection legislation.

1. Data Controller

The Data Controller is:

Menexa Srl
Via della Barchetta, 13 – 00186 Rome, Italy
VAT number: IT14994471002
Email: info@menexa.eu
Website: menexa.eu

Budapest Artineris is organised and managed in Hungary by Menexa Srl. Any enquiry concerning data protection or the exercise of data subject rights may be sent to info@menexa.eu.

2. Scope of this Privacy Policy

This Privacy Policy applies to the following activities:

browsing the BA website;
sending information requests or contact messages;
submitting an application to participate as an artist, curator or venue;
creating and managing a user account;
creating, editing and publishing personal or professional profiles;
publishing information about events, exhibitions, open studios and cultural projects;
uploading images, biographies, descriptions and other communication materials;
administrative and operational communications related to the organisation of BA.

3. Categories of personal data processed

Depending on how the services are used, the Data Controller may process the following categories of personal data.

3.1. Identification and contact data

first name and surname;
artist name or professional name;
email address;
telephone number, where voluntarily provided;
name of the organisation, venue or project represented;
role, professional category or field of activity.

3.2. Data published on profile pages and event pages

biographical information, professional presentation and description of activities;
links to websites and social media profiles;
images, portraits, photographs of artworks and communication materials;
event title, date, venue and description;
any additional information intended for publication.

3.3. Technical and browsing data

IP address;
browser and device type;
operating system;
access date and time;
technical log files;
information required to ensure the proper operation and security of the website.

3.4. Data voluntarily provided by users

The Data Controller may also process any information voluntarily submitted by users through email messages, contact forms or upload tools available on the website.

4. Purposes and legal bases of the processing

Purpose	Legal basis
Responding to information requests and contact messages	Article 6(1)(b) GDPR: steps taken at the request of the data subject prior to entering into an agreement; or Article 6(1)(f) GDPR: the legitimate interest of the Data Controller in responding to enquiries
Receiving, reviewing and evaluating participation applications	Article 6(1)(b) GDPR: steps taken at the request of the data subject prior to entering into an agreement
Managing participants accepted into the BA programme	Article 6(1)(b) GDPR: performance of the participation terms
Creating and managing user accounts	Article 6(1)(b) GDPR: provision of the requested service; and Article 6(1)(f) GDPR: legitimate interest in ensuring the secure operation of the system
Publishing participant profiles, events, images and cultural content	Article 6(1)(b) GDPR: performance of the BA participation terms; where required, Article 6(1)(a) GDPR: the data subject’s consent
Sending communications concerning the organisation of BA, deadlines and administrative requirements	Article 6(1)(b) GDPR: performance of the requested service; and Article 6(1)(f) GDPR: legitimate interest in the proper organisation of the event
Providing technical support, preventing misuse and ensuring IT security	Article 6(1)(f) GDPR: legitimate interest in protecting the website, its users and the IT infrastructure
Complying with legal obligations and managing legal claims	Article 6(1)(c) GDPR: compliance with a legal obligation; and Article 6(1)(f) GDPR: legitimate interest in establishing, exercising or defending legal claims
Sending newsletters and communications that are not strictly required for the organisation of BA	Article 6(1)(a) GDPR: the data subject’s prior and revocable consent

5. Publicly available information

Budapest Artineris is intended to promote contemporary art events and to introduce participating artists, curators and venues to the public. Information submitted by accepted participants for publication may therefore be made publicly available on the BA website, in the programme, on maps, in search results and through the event’s communication channels.

Publicly available information may include:

the participant’s professional name or name;
professional biography or presentation;
profile picture and other uploaded images;
links to websites and social media profiles;
event title, venue, date, time and description;
any other content provided by the participant for public distribution.

Users may only upload images, texts and information that they are authorised to publish. Images portraying third parties or data relating to third parties may only be uploaded where an appropriate legal basis or valid authorisation exists.

6. Mandatory and voluntary information

Information marked as mandatory is required to process a participation application, manage an accepted participant’s profile or provide the requested service. Failure to provide this information may prevent the application from being assessed or the service from being provided.

Any information not marked as mandatory is provided voluntarily.

7. Recipients and Data Processors

Personal data may only be accessed by persons who need to process them for the purposes of organising BA, managing the website, providing technical support or complying with legal obligations.

The Data Controller may share personal data with the following categories of recipients:

IT service providers and hosting providers;
website maintenance and technical support providers;
email delivery and communication providers;
authorised persons involved in the organisation of the event;
public authorities, courts or other bodies where disclosure is required by law.

Service providers appointed by the Data Controller may only process personal data on documented instructions and subject to appropriate data protection obligations.

8. Transfers outside the European Economic Area

Personal data processed as part of the ordinary operation of BA are processed and stored within the European Economic Area.

Should it become necessary in the future to transfer personal data outside the European Economic Area, such transfers will only take place in compliance with Chapter V of the GDPR and subject to the safeguards required by applicable law. Data subjects will receive appropriate information where required.

9. Data retention periods

Personal data are retained only for as long as necessary to fulfil the purposes for which they were collected or to comply with applicable legal obligations.

Contact messages: for up to 24 months after the enquiry has been closed, unless a longer retention period is required to manage a legal claim.
Rejected or withdrawn participation applications: for up to 24 months after the conclusion of the relevant BA edition, unless a longer retention period is required by law or to manage a legal claim.
Account data relating to accepted participants: for as long as the account remains active or until the relevant administrative relationship has ended.
Published profiles and event information: these may remain available as part of the BA cultural archive until the data subject requests their deletion or update, or until publication is no longer relevant to the purposes of the project.
Technical log files: generally for no longer than 12 months, unless a longer retention period is necessary to investigate a security incident, prevent misuse or manage a legal claim.
Documents required by law: for the period established by the applicable legislation.

10. Cookies and similar technologies

The website may use technical cookies required for its proper operation. These cookies are necessary to provide essential website functions, maintain security and manage user preferences.

Analytics, statistical or other non-essential cookies — where such tools are activated — may only be used after the user has provided prior consent. Consent may be changed or withdrawn at any time through the cookie settings available on the website.

For further information, please read the Cookie Policy.

11. Automated decision-making

Personal data are not used for decisions based solely on automated processing — including profiling — that produce legal effects concerning the data subject or similarly significantly affect the data subject.

Applications to participate in BA are evaluated by the relevant organisers.

12. Data subject rights

Subject to the conditions set out in the GDPR, data subjects have the right to:

receive information about the processing of their personal data;
request access to their personal data;
request the correction of inaccurate or incomplete data;
request the deletion of their personal data where the applicable legal requirements are met;
request restriction of processing;
object to processing based on legitimate interests;
request data portability where the applicable requirements are met;
withdraw their consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.

Requests concerning data subject rights may be sent to info@menexa.eu.

The Data Controller will respond without undue delay and no later than one month after receiving the request. Where necessary, taking into account the complexity and number of requests, this period may be extended in accordance with the GDPR.

13. Right to lodge a complaint

Data subjects have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement.

In Hungary, the competent supervisory authority is:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Website: naih.hu

As Menexa Srl is established in Italy, data subjects may also contact the Italian Data Protection Authority:

Garante per la protezione dei dati personali
Piazza Venezia, 11 – 00187 Rome, Italy
Website: garanteprivacy.it

14. Personal data relating to minors

Budapest Artineris is a professional and cultural initiative. The services used to submit participation applications are not specifically directed at minors.

Where data or images relating to a minor are uploaded, the person uploading the content must have obtained the required parental, guardian or other lawful authorisation.

15. Data security

The Data Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, unlawful use, alteration or unauthorised disclosure.

These measures may be reviewed and updated periodically, taking into account technological developments, the nature of the processed data and the potential risks involved.

16. Links to third-party websites

The BA website may contain links to websites, social media platforms or online services operated by third parties. Menexa Srl is not responsible for the processing of personal data carried out independently by these external service providers. Users are encouraged to read the privacy policies published by the relevant third parties.

17. Amendments to this Privacy Policy

The Data Controller reserves the right to update this Privacy Policy where required by changes in the law, technical developments or modifications to BA services.

The most recent version is always available on this page. Where material changes are made, data subjects will be informed by appropriate means.