DATA PROTECTION NOTICE
We collect and control personal data only in compliance with the relevant laws. We do not want to collect or control personal data unnecessarily, only to the extent it is necessary. In case we need to process personal data, we strive to avoid identifying Data Subjects to the extent this is possible. We do not send unwanted materials, newsletters. We store personal data the safest way possible and protect it against unauthorized access. We pay special attention to the protection of the rights and freedoms of individuals with respect to the controlling of their personal data, and to this end we have taken and applied appropriate technical and organizational measures. Personal data is processed in a fair, transparent and secure manner, taking into account the best interests of the Data Subjects. I. INTRODUCTION:
1. What is this Notice about? (scope of this Notice)
With this data protection notice (hereinafter: “Notice”) we provide information which personal data of those who visit, register or purchase on any of the following websites: http://www.eventim.hu, http://ticketexpress.hu and http://tex.hu we control, and about the purposes and methods of such data controlling. Hereinafter we refer to such websites and any of their pages collectively as “Websites” and “Website” in case of any of them.
The scope of the Notice does not apply to services and data controlling activities of third parties (other than the Data Controller) advertising or appearing in any other way on the Websites with their promotions, games, services, campaigns or other published contents, including any link on any of the Website leading to such activities and contents. The data protection notices of the third party providing such services apply to such services, and the Data Controller does not undertake any liability for such data controlling activities.2. What data does qualify as personal data? (definition of personal data)
Personal data means any information relating to an identified or identifiable individual (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
3. What does personal data controlling mean? (definition of data controlling)
Controlling of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Who controls the personal data? (contact details of the Data Controller)
The above Websites are operated by TEX Hungary Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (seat: 1065 Budapest, Bajcsy-Zsilinszky út 31. floor 1. 1.; company registration No.: Cg. 01-09-877903; represented by Mr. Gyula Kovácska managing director and Mr. Christoph Klinger managing director; contact information: email@example.com); this company determines the purpose and means of the controlling of personal data and therefore, this company is the Data Controller of the personal data (hereinafter: “Data Controller”).
5. Is there any other company that processes personal data on behalf of the Data Controller? (data processors)
Yes, these companies are called as data processors. This Notice lists the companies, the purposes and the means of those who process personal data on behalf of the Data Controller.
6. Who is responsible for the accuracy and lawfulness of the personal data submitted to the Websites? (credibility of personal data)
The Data Control does not check the personal data provided by the Data Subject, unless otherwise stated in this Notice; and the Data Subject is fully liable for the credibility of the personal data submitted by him or her. The Data Subject (visitor, buyer, user, complainant, etc.) warrants that he or she obtained the consent of the other Data Subject to the controlling of all those personal data which such other Data Subject provided or gave access to him or him and which he or she submitted to the Website when visiting the Website or using the services provided by the Data Controller (for instance, when publishing content created by someone else). The Data Subject shall take full responsibility for the user content he or she uploads or shares on the Website or publishes in relation to the services provided by the Data Controller. When (e.g. in case of buying tickets, registration, making comments or complaints) the Data Subject provides data (e.g. user name, identification, password, etc.) he or she is liable that it is the Data Subject who avails of the services by use of the e-mail address and any other data submitted by him. On the basis of this undertaking of liability, the Data Subject who registered the e-mail address and provided other personal data on the Website shall be deemed solely responsible for all actions related to the entries using that e-mail address and those personal datae. The Data Controller excludes liability for any damage caused to the Data Subject due to the inaccuracy, lack or change of the personal data (i.e. name, e-mail address) provided by the Data Subject during the use of the services provided by the Data Controller or due to the disability of the Data Subject’s e-mail box to receive new messages.
The personal data of the Data Subject under the age of 16 may only be collected and controlled with the consent of an adult person exercising parental supervision vis-à-vis such Data Subject. The Data Controller is unable to check whether the person giving the consent to the data controlling (usually the legal representative) is solely authorized to give consents to the data controlling, and the Data Controller cannot review the content of the parental consent either. The legal representative of Data Subject warrants that the consent to the data controlling complies with applicable laws. In case of the use of services or webshop of the Data Controller by a Data Subject who is under the age of 16 the Data Controller assumes that the appropriate consent of the legal representative has been provided.
7. What is the legislation behind personal data protection? (legislative background)
The Data Controller especially took into consideration the following laws when creating this Notice: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act No. CXII. of 2011 on Information Self-Determination and Freedom of Information (“Info Act”), Act No. V. of 2013 on the Civil Code (the “Civil Code”), Act No. CVIII. of 2001 on E-commerce Services (“E-commerce Act”), Act No. XLVIII. of 2008 on Advertising Activity (“Advertising Act”).
II. ABOUT THE DATA CONTROLLING
II. 1. FOR THE WEBSITE VISITORS:
Cookies keep unique identifier of computers or device and profile information. Cookies are not capable of identifying the visitors of the Websites; however, they are capable of identifying and recognizing the device used by the visitor when visiting the Websites. These cookies may be placed on the computer or device used for visiting the Website by the visitors of the Website during visiting the Websites.
1. What kind of cookies are used on the Websites?
On the Websites permanent, tracking and cookies related to one work session are used. The permanent cookies enable that the Websites remember the visitor visiting the Website more times, his or her settings and preferences. Cookies related to one work session help the Website recognize the visitor of the Website at the time of the visit even ifthe visitor of the Websites moves from page to page; but these cookies expire when the visitor leaves the Website.
There are several types of cookies used on the Websites; we differentiate them based on their functions, as follows:
- Technical cookies: Use of technical cookies enables proper display and operation of the Websites, among others the login to the Websites or managing the purchase of tickets, and they are necessary for the proper display of the Websites.
- Functional cookies: Functional cookies enable tracking the browsing of the Websites and the preferences used during browsing; with the help of these, the Websites can remember among others to the registration data, the events checked by the visitor, the language preferences, etc.
- Analytical cookies: Analytical cookies enable tracking the behaviour of visitors of the Websites and as a result, based on the use and exploitage of the Website by the visitors, making it possible to develop the Website and to provide an even better user experience and to display more useful content. Googly Analytics is used on the Websites to analyze use of the Websites. If the visitor of the Website does not want his or her data concerning the use of the Websites (including the IP address) to be collected and processed by cookies, and he or she wishes to disable them, he or she may download and install the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu.
- Google AdWords tracking cookies: On the Websites, information is obtained with the help of Google tracking cookies about the fact that the Website visitor reached the Website after seeing any of our advertisements displayed in the Google system or after clicking on it. Based on the information obtained through tracking cookies, statistics can be made about Website visitors who view or click on our advertisements. Based on content viewed on the Websites, Google is able to display targeted advertisements on the websites of other partners of Google.
- Facebook remarketing cookies: On the Websites we try to get in touch again with previous visitors of the Websites with the help of Facebook remarketing cookies, by showing them advertisement concerning our services. With the help of remarketing cookies, we try to reach those visitors with social media campaign, who have already visited the Websites at least once.
2. What kind of personal data do the cookies carry? These cookies carry the unique identification number of the computer or device used for visiting the Website, the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.
4. What are the legal basis and duration of data controlling? Personal data is controlled based on the consent of the Website visitor, which can be given by clicking on the “Change settings” pop-up window on the Website and by choosing among the options on the Cookie settings/policies site. Personal data is controlled until the end of visiting the Website or until the consent is withdrawn. Cookies placed on the computer or device of the Website visitor will stay there until the user of the computer or device deletes them. The Data Controller collects the IP addresses of the Website visitors entering the Webpages based on its legitimate interest, without the specific consent of the visitor, for the purpose of ensuring for the Controller to provide content related services on the Websites and the services offered to be provided by the Data Controller on the Websites (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website). The legal basis of the personal data controlling in the framework of or related to content services provided on the Website might be the consent of the Data Subject, the legitimate interest of the Controller as well as safeguarding the fundamental rights to receive information and express opinions in compliance with the boundaries set by laws. If the collection of personal data is based on the essential legitimate interest the Data Controller has performed and may perform in the future the test of considering the interests of Data Subjects to the protection of their personal data against the right of the Data Controller to collect and control that personal data in line with the relevant rules of GDPR and as the result of the assessment that Data Controller could establish its legitimate interest to data controlling. The Data Controller shall provide information on the above to the Data Subject if request for information is submitted by the Data Subject according to the regulation of this Notice.
5. How can you disable placing cookies on your computer or device? Website visitors can disable placing cookies on their computer or device by adequate browser settings. Further, the visitors of the Website can choose on the “Cookie settings/policies” site of the Website whether the functional, analytical, tracking or third party cookies may be enabled in the course of browsing the Website. The changes can be amended anytime on the ”Cookie settings/policies” site. However, it should be noted that disabling cookies on the computer or device may result that the user experience will be compromised; in such case, the visitor of the Website may not reach certain elements of the Website in the form as if the placing of cookies had been enabled. When disabling functional cookies, the Website visitor does not allow among others that we send him or her reminders about the products placed in the shopping cart, or that the Websites remember his or her language preferences etc. When disabling analytical cookies, the Website visitor does not allow among others that we analyse his or her activity on the Websites in order to display tailored content on the Website, or contact him or her with personalised offers at the contact points provided by him or her (if he or she provided such data, e.g. in the course of registration). When disabling Google AdWords tracking cookies, the Website visitor does not allow cookies to be placed on his computer in connection with advertisements, especially when clicking on advertisements. When disabling third party cookies, the Website visitor does not allow that third parties, in particular social media sites (e.g. Facebook, Google+ or Twitter) place cookies on his or her computer or device used for visiting the Website.
II. 2. FOR TICKET PURCHASERS:
1. Which personal data is controlled by the Data Controller when purchasing ticket and for which purposes?
For purchasing a ticket you have to provide us with the following personal data: first and last name, address, invoice name and address (when different from home address), e-mail address, telephone number, shipping name and address (optional). In the course of ticket sale, the date of purchase, the event to be visited with the purchased ticket, the place and date of the event, number and price of purchased tickets and the location of the places will be also registered. The Data Controller excludes liability for any damage caused to the Data Subject due to the inaccuracy, lack or change of the personal data, especially name, address or e-mail address provided by the Data Subject during the ticket purchase or due to the disability of the Data Subject’s e-mail box to receive new messages. For instance, the Data Controller does not take responsibility if the ticket cannot be delivered to the Data Subject due to an error in the data above.. In the course of ticket purchase we also control payment information, in order to make sure that the price of the ticket has been paid. We collect and control the following bank card data: name of the card holder, last four digits of the bank card number, bank card type, expiry date and also the notification on the successful / unsuccessful transaction. We collect and control the above bank card data with the aim of verifying that the purchaser and the card holder are the same person and in case the purchaser and the card holder are not the same person, excluding the possibility of misuse of the credit card / credit card fraud.. For certain events, we sell personalized tickets. When purchasing personalized ticket, it is required to provide the place and date of birth, address and mother’s maiden name in addition to the data listed above. By purchasing a ticket, a contract for sale of tickets will be concluded between the Data Subject and the Data Controller. We control the data provided by the Data Subject for the purposes of performing the contract, in particular for issuing the ticket and the invoice, possible delivery of the ticket and getting into contact for providing information when changes occur in relation to ticket or to the event, in line with our terms and conditions for ticket refund.
2. Data controlling related to information indicating reduced mobility
At certain events the organizers ensure that the event is accessible to wheelchair users. Due to technical reasons we cannot sell tickets for wheelchair users through the Websites. Should you have any questions in this regard, please send us an e-mail to the firstname.lastname@example.org e-mail address so that we can help you.
In case of wheelchair users, personal data related to the reduced mobility and health condition will also be collected; unfortunately, we cannot proceed with the sale of the ticket without this additional information. Therefore, if the wheelchair user does not give his/her explicit consent to control such sensitive personal data of his or her, we will not be in a position to offer our services to him or her. We obviously pay particular attention to this sensitive personal data.3. What is the basis and duration of controlling the data? Controlling of personal data related to sale of tickets is partially based on the consent of the Data Subjects (in particular in case of the personal data necessary for keeping contact) and partially takes place in order to ensure the performance of the sale and purchase contract (in particular in case of data of transaction performed by a bankcard, the data related to the successfulness or unsuccessfulness of the payment). Personal data related to ticket purchase and keeping contact are retained for five (5) years from the sale of the ticket to enforce the rights and legitimate interests of the Data Controller (or if the limitation period for enforcing rights is longer, then until the end of that period), with the exception of the following:
in case of personalized tickets, the Data Controller deletes the personal data indicated on the ticket within three (3) days; and invoices issued by the Data Controller will be retained until the period in line with the currently applicable law (at the time of this Notice: for eight (8) years); the Data Controller forwards the name of the bank card holder, the last four digits of the card number, the bank card type and expiry date, following the comparison of the purchaser’s and the bank card holder’s identity, to CTS EVENTIM AG & Co. KgaA (Contrescarpe 75A 28195 Bremen, Germany, contact details: email@example.com), where the data is held for five (5) years from their collection. II. 3. FOR WEBSITE ACCOUNT HOLDERS:
1. Which personal data is collected by the Data Controller during the registration and for what purpose?
During the registration, for the purpose of creating a user account, the user shall provide his or her first and last name, e-mail address and a password. During the registration, the date of the registration and the IP address at the time of registration will also be collected. If the registration is created with Facebook profile, data controlling pursuant to point II.6 of this Notice is also carried out.
If the Data Subject creates a user account or identifies him/herself for the Data Controller in another way (for instance purchasing a ticket on the Website) it is possible that the Data Controller connects all data collected in relation to the particular Data Subject, like the data collected when the Data Subject browsed the Website, newsletter tracking data, names, e-mail address, phone number, postal address, Facebook profile data, Google account information, demographic data related to the Data Subject, information on the interests and preferences of the Data Subject, online and offline transaction information, and any contact made with customer service. The purpose of this data connecting activity is to carry out market research, including customer analysis, customer segmentation and running statistics. Furthermore, Data Controller can use this information for the purpose to identify the preferences and interests of the Data Subject to tailor the experience of the Website for the Data Subject and optimize the service. The Data Subject is entitled to object to the profiling at any time. In such case, the Data Controller may not control the personal data for such purpose.
3. What is the basis and duration of controlling the data?
Controlling of personal data related to the registration is based on the consent of the user.
Personal data related to registration will be retained for five (5) years from the deletion of the registration, for enforcing the rights and legitimate interests of the Data Controller (or if the limitation period for enforcing rights is longer, then until the end of that period). Personal data related to the registration may be amended at any time in the user account and the registration may be deleted by sending an e-mail with a request for deletion to the firstname.lastname@example.org e-mail address. II. 4. FOR NEWSLETTER AND DIRECT MARKETING SUBSCRIBERS:
1. Which personal data is controlled by the Data Controller related to newsletters and direct marketing and for which purposes?
When subscribing to receiving newsletter, the Data Subject shall provide his or her first and last name and e-mail address. When subscribing for the newsletter, the time and date of subscribing and the IP address at the time of subscribing will also be registered, furthermore, the Data Controller also collects newsletter tracking data. By subscribing for receiving newsletters and direct marketing materials, the Data Subject agrees that the Data Controller may send electronic message containing advertisement to the Data Subject’s email address, and give information regarding news, events, discounts, new functions, games, etc. When subscribing to the newsletter, it may be chosen on the http://www.eventim.hu/hu/hirlevel/ page in connection with which topics newsletters and in relation to which artist concert notification are wished to be received from the Data Controller. In addition, the Data Subject agrees that we may contact him or her with our advertisement within the framework of Google AdWords or Facebook remarketing campaign. The Data Controller hereby notifies the Data Subjects that the newsletters sent to them carry tracking pixels which allow the Data Controller to prepare statistics regarding the successfulness or unsuccessfulness of marketing campaigns. The tracking pixel carried within the newsletter enable the Data Controller to track whether and when the addressee opened the newsletter, and which references of the email were opened by the Data Subject (newsletter tracking data). Collecting newsletter tracking data is used by the Data Controller to conduct research with the aim of general marketing and optimize the use of newsletters.
2. What is the basis and duration of data controlling?
Controlling of personal data related to newsletter and direct marketing is based on the explicit consent of the Data Subjects which can be expressed by ticking the relevant checkbox. Data controlling lasts until the consent is withdrawn, i.e. until unsubscribing.
II. 5. FOR INQUIRERS, COMPLAINANTS:
1. Which personal data is controlled by the Data Controller related to complaint handling and for which purposes?
In the course of complaint handling, the complainant shall provide personal data related to his or her previous purchase, in particular his or her first and last name, address or invoice address, phone number, delivery name and address, if different from the above, e-mail address and order number (if applicable). The Data Controller informs the Data Subjects that if they make a complaint over the phone the Data Controller records this phone conversation after providing preliminary notification to the Data Subject. The phone number, the date and time of the call, the voice record, other personal data provided during the call is also collected and controlled if the complaint is made over the phone. The possible consequences of failing to provide the above data: the complaint cannot be made over the phone. The Data Controller allows the Data Subjects to make a complaint via email (email@example.com) or by post at the address of 1065 Budapest, Bajcsy-Zsilinszky út 31. The Data Subject has to right to request the listening and deleting of the voice recording, which can be made at firstname.lastname@example.org within the data retention period of the voice recording. This personal data are controlled by the Data Controller with the aim to handle related to complaints, questions, comments and problems arising in connection with ordered products.
2. What is the basis and duration of data controlling?
Controlling of personal data related to complaint handling is based on the consent of the Data Subject. The minutes, transcripts and responses will be retained for five (5) years from the time of the complaint, for enforcing the rights and legitimate interests of the Data Controller and of the Data Subject (or if the limitation period for enforcing rights is longer, then until the end of that period). The Data Controller retains the voice recording for three (3) months from registering the complaint with the support of GEOMANT-ALGOTECH Zártkörűen Működő Részvénytársaság as data processor. Once the retention period expires the data is erased.
If the complaint is made via email and the complainant is not registered on the Website, the e-mail address of the complainant will be erased on the ninetieth (90th) day from the resolution of the issue, with the exception of unique cases when the legitimate interest of the Data Controller justifies the longer retention of the personal data, in which case erasure will be made when this legitimate interest ceases to exist.II. 6. FOR SIGNING IN WITH SOCIAL MEDIA ACCOUNT:
1. Which personal data is controlled by the Data Controller related to social media sites and for which purposes?
The Data Controller, during its activity may control the name and public profile photo of such users who registered on Facebook/Google+/Twitter/Pinterest/YouTube/Instagram etc. social media, and “liked” the Website of the Data Controller, for the purposes of sharing and liking some content, product and discounts of the Websites or the Websites itself.
2. What is the basis and duration of the data controlling?
Controlling of personal data related to social media sites is based on the voluntary consent of the Data Subject given to data controlling on the social media sites. Section II.6.1. of this Notice governs the source, control, the method and legal basis of the transfer of personal data and the Data Subject may be informed on the particular social media site. Data controlling related thereto is carried out on the social media site, therefore the duration, method of data controlling and the possibilities for deletion and modification of data is covered with the regulations of the particular social media site.
The collection of the personal data of the players participating in the Facebook prize game is based on the voluntary consent of the players, which is given by the applying to the prize game. After the prize game is over and the prizes are delivered, the Data Controller deletes all personal data collected in relation to the prize game.II. 7. FOR THOSE WHO SEND E-MAIL TO THE CORPORATE E-MAIL ADDRESSES WITH THE EXTENSION OF TEX.HU OR EVENTIM.HU
1. Which personal data is controlled by the Data Controller related to unsolicited e-mails sent to the corporate e-mail addresses and for which purposes?
The Data Controller may receive unsolicited e-mails, like spam messages or job applications at the corporate inbox; in which case the Data Controller controls personal data such as the sender’s e-mail address, name, home address, phone number, other voluntarily provided personal data (e.g. date of birth, educational history, photo, references and other documents) based on the voluntary consent of the person sending the e-mail.
2. What is the duration of the data controlling?
Depending on the content of the unsolicited e-mail, the data controlling may last until the consent is withdrawn, or it will be erased without further delay (if the e-mail carries unlawful content or if it was sent in error).
III. WHO DO WE SHARE YOUR PERSONAL DATA WITH? The Data Controller may share (besides its own competent staff) the personal data with the below companies as data processors for the below purposes:
- Delivery: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: H-2351 Alsónémedi, Európa u. 2., Hungary; contact information: email@example.com, phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
- Online payment: CTS Eventim AG & Co. KGaA (seat: Contrescarpe 75A, 28195 Bremen, Germany)
- Hosting provider: Perftech d.o.o. (seat: Baragova ulica 7E, 1000 Ljubljana, Slovenia; contact information: phone number: +386 1 588 44 00; Fax: +386 1 588 44 20; e-mail: firstname.lastname@example.org) CTS Eventim Austria GmbH (seat: Heumühlgasse 11, 1040 Vienna) using the software of Dhimahi d.o.o. (seat: Tržaška 202, SI-1000 Ljubljana, Slovenia; contact information: phone number: +386 (0) 590 73500, e-mail: email@example.com)
- Partners of the Data Controller (ticket sellers): Ticket seller partners of the Data Controller are listed on the http://www.eventim.hu/hu/outletek/ website.
- For the purpose of sending newsletter and promotion e-mails: Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780)
- Accounting services, hardware- and software administration: AKIT Pénzügyi, Informatikai, Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (seat: H-1113 Budapest, Ibrahim utca 3. 1. em. 6., Hungary; company registration No.: 01-09-673711; contact information: phone number: +36 1 365 1921, e-mail address: firstname.lastname@example.org)
- IT services, hardware- and software maintenance: Zénó-Net Számítástechnikai Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság (seat: H-1116 Budapest, Szalóki utca 34., Hungary; company registration No.: 01-09-722019; contact information: e-mail email@example.com)
- Retaining voice records: GEOMANT-ALGOTECH Zrt. (registered seat: 1013 Budapest, Krisztina tér 2.; company registration number: 01-10-048136; represented by: Viktor Gajódi Board Member; contact details: firstname.lastname@example.org)
- Event organizers: The personal data of the Data Subjects may be transferred to event organizers in case of some events. In such cases the exact data of the recipient event organizers will be given in a separate notice to the Data Subjects.
- Other data transfer: In case of an exceptional authority request or request of other organizations, if authorized by the law, the Data Controller is obliged to provide information, communicate, transfer data or provide documentation, in particular, the Data Controller may make the personal data of the Data Subject accessible in case of an official request made by the court, the police; infringement of IP rights, property rights or other infringement of law or in case of reasonable suspicion of the above or in case of endangering or violating the Data Controller’s interests or the provision of its Services. In such cases the Data Controller transfers personal data to the requester – in the event it determined the exact purpose and scope of data – only to the extent necessary to achieve the purpose of the request.
- Data transfer to third countries It may occur that the Data Controller transfers personal data to a service provider seating outside of the European Union, a so called “third country”. In case the personal data is transferred to a third country, the Data Controller guarantees that data transfer is only carried out to a country which is qualified as secure country by the European Commission. The Data Controller requires from all recipients of personal data to take appropriate security measures to protect personal data when transmitted to third countries, by applying the general data protection clause of Article 46 (2) of the GDPR.
- Web Analytics Measurements Google Analytics as an independent, external provider supports the independent measure of the frequency of visits and other web analytical data of the Websites. Detailed information on the data processing can be found at the following link: http://www.google.com/analytics. The Data Controller uses the data provided by Google Analytics solely for statistical purposes and to optimize the operation of the website.
IV. WHAT ARE YOUR RIGHTS RELATED TO THE DATA CONTROLLING? In the course of Data controlling, the Data Subject is entitled especially to the rights set out in this point.
Right to information and correction Right to deletion Right to restriction of data controlling Right to data portability Right to object Right to withdraw consent The Data Subject is entitled to receive information about the facts related to the data controlling prior the start of the data controlling. The Data Subject is entitled to request information on his or her personal data and on the controlling thereof. The Data Controller provides the opportunity to the Data Subject to receive information on the personal data controlled and to receive copy or extract of the documents containing the personal data. The Data Subject is entitled to receive information as to whom, for which purpose and in what scope his or her personal data controlled by the Data Controller have been forwarded. The Data Controller is obliged to provide information regarding the personal data and the controlling thereof. The Data Controller is obliged to provide information in writing and in plain language without undue delay, but within one (1) month from the submission of the request at the latest. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month on the reasons of lack of taking measures, and inform the Data Subject on the possibility of the legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information. The Data Subject is entitled to request the rectification and correction of his or her personal data. Furthermore, having regard to the aim of the data controlling, he or she is entitled to request the supplementation of the incomplete personal data. The Data Subjects are recommended to review their personal data from time to time in order for the optimal use of the services provided by the Data Controller and if necessary, to contact the Data Controller to clarify their data as described above. Within five years of the death of the Data Subject the rights of access, rectification, restriction and deletion shall be exercised by the person authorized by the Data Subject in a public document or a private document with full probative value placed at the Data Controller or failing that, close relatives of the Data Subject shall exercise these rights.
- Right to deletion The Data Subject is entitled to request the deletion of his or her personal data: a) for which the Data Controller does not have the consent or statutory authorization to control (right of objection), b) that are no longer necessary in relation to the purposes for which they were collected or otherwise processed, c) regarding which the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing, d) that have been unlawfully processed, e) that have to be erased for compliance with a legal obligation.
- Right to restriction of data controlling Instead of deletion, the Data Controller restricts the controlling of personal data in the following cases: a) upon the request of the Data Subject, when the Data Subject challenges the accuracy of the personal data; in such case the restriction lasts until the Data Controller verifies the accuracy of the personal data, or b) when the Data controlling is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction on the use of the personal data instead, or c) when the Data Controller no longer needs the personal data for the purpose of data controlling, but the Data Subject requires that for its legal interests, or d) when the Data Subject has objected to data controlling, but it is necessary to determine, whether the legal interests of the Data Controller override those of the Data Subject.
- Right to data portability The Data Subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and is entitled to transmit those data to another Data Controller.
- Right to object The Data Subject is entitled to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is necessary for reasons of public interest or for carrying out a task falling within the scope the Data Controller’s public powers or for enforcing the legal interests of the Data Controller or a third party. In case of objection, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to filing, enforcing or defence of legal claims.
Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such reason, which includes profiling if it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- Right to withdraw consent The Data Subject may withdraw his or her consent without reasoning given to the data controlling at any time. Withdrawal of consent does not affect the legitimacy of the data controlling based on consent given prior to withdrawal.
V. WHAT KIND OF MEASURES DO WE TAKE FOR PERSONAL DATA SECURITY?
The Data Controller carries out those necessary technical and organizational measures to guarantee security of the personal data in respect of both the data files stored on information technology device and on traditional, paper based data holders which are appropriate in light of the contemporary requirements, conforming with the aim of the data controlling and with the risks arising out of the data controlling threatening the fundamental rights of the Data Subject; and it takes care of complying with the data security provisions of the applicable laws. When it establishes and applies the necessary measures safeguarding the security of the personal data, the Data Controller takes into account to the the technical possibilities as developing at all times, the costs of carrying out the measures, the nature, the scope and purposes of the data controlling and the enforcement of the rights of the Data Subject. In addition, the Data Controller ensure the appropriate security of personal data with introducing measures, in particular, against unlawful or unauthorized controlling of data, accidental loss, destruction or damage of data.
The Data Controller provides for adequate measures:
to provide safety against unauthorized access to equipment used for data processing; to prevent unlawful reading, copy, modification or deletion of data holders; to ensure the possibility of recovering the data files; to protect the data files against viruses; for the physical security and physical safety of the data files and the devices on which the data are stored; to prevent unauthorized entry of personal data into the data controlling system, and to prevent unauthorized access, modification or deletion of the personal data stored in that system; to prevent the use of data controlling systems by unauthorized persons by means of data transmission equipment; to ensure that persons entitled to use the data controlling system may have access only to personal data described in the access permission; to ensure that the recipient to whom the personal data was transmitted or may be transmitted, or was made available or may be made available by data transmission equipment; to ensure that it will be verifiable and determinable later that which personal data was entered into the data controlling system, by whom and at what time; to prevent the unauthorized access, copy, modification or deletion of personal data during their transmission or during the transport of the data holder; to ensure that in the event of a malfunction, the data management system can be restored; to ensure that the data controlling system is operational and that a report is prepared of the errors arising in the course of the operation, and that personal data cannot be modified even in case of defective operation of the system; and those related to the fire protection of paper based registers. In case of a personal data breach occurred in connection with the personal data controlled by the Data Controller or by the data processors acting on behalf of the Data Controller based on its mandate or instruction, the Data Controller records the nature of the personal data breach, the affected Data Subjects, the scope of the affected personal data, the likely consequences stemming from the data breach, the measures taken or planned to be taken for handling the personal data breach and, and it notifies the Hungarian National Authority for Data Protection and Freedom of Information about the personal data breach without delay, but no later than within seventy-two (72) hours after having become aware of the personal data breach. When the personal data breach is likely to result in a high risk to the rights of the Data Subject, the Data Controller shall communicate the personal data breach to the Data Subject without delay. The personal data breach does not have to be reported if the personal data breach is unlikely to result in a risk to the rights of the Data Subject. VI. WHO IS THE DATA PROTECTION OFFICER?
The Data Controller designates a data protection officer, having regard to the fact that ticket sale service provided by the Data Controller consists of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale. The data protection officer is Mr. László Kiss, who can be contacted directly at the following e-mail address: email@example.com.
VII. HOW CAN YOU EXERCISE YOUR RIGHTS?
The Data Subject may submit his or her request for information, correction, deletion or locking to the following e-mail address: firstname.lastname@example.org. In case the Data Subject contacts the Data Controller with respect to this Notice, asks questions, makes comments, this information will be retained and used by the Data Controller for the purpose of providing adequate answer. The Data Controller is obliged to provide information regarding the request for correction, locking or deletion in writing and in plain language without delay, but no later than within one (1) month from the submission of the request. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than one (1) month on the grounds of measures, and inform the Data Subject on the possibility of the legal remedy to turn to the court and the Hungarian National Authority for Data Protection and Freedom of Information. The Data Controller informs the Data Subject and those to whom personal data has been forwarded for the purposes of data processing on the correction, locking and deletion. The information may be omitted if it does not infringe the rightful interest of the Data Subject taking into consideration the purpose of the data processing.
VIII. HOW CAN YOU SEEK LEGAL REMEDY?
In case of any disagreement between the Data Subject and the Data Controller in connection with the data controlling, it is advisable to contact the responsible personnel of the Data Controller before taking any legal actions. In order to remedy the violation of his or her rights, the Data Subject is entitled to turn to the courts or to the Hungarian National Authority for Data Protection and Freedom of Information. When the Data Subject turns to the court, he or she is entitled to initiate a litigation at the competent court within the geographical area in which the Data Subject resides or has his or her habitual residence, instead of the competent court based on the seat of the Data Controller. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information: Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary Postal address: 1530 Budapest, Pf.: 5. Phone number: +36 (1) 391-1400 E-mail address: email@example.com Webpage: www.naih.hu
IX. HOW CAN WE UPDATE THIS NOTICE? The Data Controller reserves the right to modify this Notice in the future at its discretion in particular in case of the change of law, to ensure that the Notice provides relevant and adequate information about the collecting and processing of the personal data of the Data Subjects. This Notice may be supplemented by other information received from the Data Controller. Information about modifications of this Notice will be sent by e-mail to the Data Subjects.
Dated: Budapest, 16 October 2018