CONCERNING
DATA PROCESSING IN RELATION TO THE USE OF THE BudapestGO APPLICATION
Introduction
Pursuant to Articles 12 and 14 of Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation, hereinafter GDPR), BKK Centre for Budapest
Transport (hereinafter Data Controller or BKK) provides the following
information to data subjects on the processing of personal data in connection
with the BudapestGO application.
I.
DATA CONTROLLER INFORMATION AND CONTACT DETAILS; THE CONCEPTS APPLIED
IN THAT PRIVACY POLICY
|
Name of data controller |
BKK Budapesti Közlekedési Központ Zártkörűen Működő Részvénytársaság/Centre for Budapest Transport (Data
Controller) |
|
Company seat |
1075 Budapest, Rumbach Sebestyén utca 19–21. |
|
Data Protection Officer
email address |
|
|
Phone number (customer
service) |
+36-1-3-255-255 |
|
Access to data protection
documentation |
For the purposes of this document, personal
data is any information relating to an identified or identifiable natural
person (‘data subject’), such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person, based on which the natural person (data subject) can be
identified.
The data subjects of the personal data
processing according to this document are in particular those natural person customers
who register a user account in the BudapestGO application.
BKK ID: Upon
registration, after entering the data, the user must confirm their registration
by email. Data Controller shall assign an internal identifier (a BKK ID) to the
User, so that Data Controller can perform administrative processes that Data
Subject cannot do in his/her user account. The ID is sent to the User by email
confirming registration, and it is also displayed in the user account
Public Transport Mobile
Ticket: the electronic transport ticket purchasable via the app that is required
for using the passenger transport service.
Push messages are direct
notifications that we may send to the Data Subject's device via a mobile
application.
In-app messages are
notifications or information displayed in the mobile application, typically in
a message bubble.
II.
DESCRIPTION OF THE PROCESS OF DATA
PROCESSING, INTRODUCTION OF THE PURPOSES OF AND THE LEGISLATION FORMING THE
LEGAL BASIS OF DATA POCESSING
Data Controller wishes to widen the range of services offered by introducing
the BudapestGO application which facilitates everyday mobility in Budapest and
increases the customer experience at the same time. By using the BudapestGO app,
customers create a profile to get access to digital services, such as making
purchases or finding information. The BudapestGO app, accessible to all, contributes
to the improvement of the transport situation in the capital and heightens the
travel experience.
BudapestGO customer functions (this is not a comprehensive list and it
might change, so that the change does not apply to the processing of personal
data)
-
journey planning
-
Public Transport Mobile Ticket purchase interface within the app (mobile
ticket purchases require registration; BKK joins the National Mobile Payment Zrt. system as a reseller)
-
MÁV Passenger Transport Company Limited by Shares integration is enable the display of real-time location of suburban railway
trains along with planned and real-time date for regional trains. On-street
displays show departure times for suburban railways and regional trains. At the
same time, the real-time locations of VOLÁNBUSZ regional buses in the capital
and Pest county is also displayed, as well as planned
and real-time data.
-
integration with the BKK Info service (displaying and listing of
relevant traffic change updates)
-
subscription to the BKK Info service
-
customer feedback through the app (general comments and suggestions for
the app, request for information, error report, complaints)
-
displaying of the locations of drinking fountains
-
payment functions (add invoicing address, push notifications, stored and
non-stored card purchases, automatic re-purchase)
-
Map based and list format display of stations
-
Distance-based listing of stations
-
List of favourites for quick access to points of personal preference
-
Functions related to the sale and use of mobile tickets
Function
of the ticket/pass purchase for someone else (Beneficiary)
The
User has the possibility to purchase a mobile transport ticket for another
registered user of the Application (Beneficiary), in which case the purchase of
the mobile transport ticket establishes a legal relationship between the
Beneficiary and the individual public transport operator associated with the
mobile transport ticket. If the User purchases a mobile transport ticket for
the Beneficiary, the User is required to provide the following personal data of
the Beneficiary during the purchase process: the Beneficiary's BKK ID and, in
case of season ticket or day ticket type products, the number of the
Beneficiary's identity document. The User has the option to save the BKK ID to
the User profile, in this case, regardless of the type of products to be
purchased, the BKK ID of the Beneficiary, the name of the Beneficiary user
account, the type and number of the Beneficiary’s identity document must be
entered during the saving process.
Data
update for discounted services provided in the Hungarian capital
At
BKK, we are constantly working to further develop our existing digital channels
(such as BudapestGO or BUBI) to provide you with an even more convenient and
diverse mobility experience. Among other things, we are currently working on a
system that will allow people to use the capital's services at a discounted price
when they buy products on our channels. In order to do this, we need to connect
the personal data of data subjects of each channel. If the data subject also has
a MOL Bubi registration, he/she would be required to provide the phone number even in
BudapestGO, registered in MOL Bubi account.
Key
pieces of legislation concerning data processing according to this present
Privacy Policy and their abbreviations used therein:
·
Regulation (EU) 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation, GDPR)
·
Act CXII of 2011 on
Informational Self-Determination and Freedom of Information (Privacy Act)
·
Act XLI of 2012 on
Passenger Transport Services (Passenger Transport Act)
·
Act C of 2000 on Accounting
(Accounting Act)
·
Act CL of 2017 on the Rules
of Taxation (Taxation Act)
·
Act V of 2013 on the Civil
Code
III.
PROCESSING OF CERTAIN PERSONAL DATA GENERATED DURING BudapestGO USE AND LEGAL BASES OF DATA PROCESSING
The purpose of data processing is to ensure the personalised and optimal
operation of the app, as well as to perform invoicing and customer service
activities relating to service use, including the receipt of queries arriving
through BKK’s feedback management system concerning the service The handling,
storage and use of the search history by the User, the User’s location (GPS coordinates
on the map), User’s navigation history does not take place in the app or on
Data Controller’s devices: those data are stored only by the User’s mobile
phone. The User cannot be identified based on those data, and the app is not
capable of linking the data to individuals.
The
source of the personal data is the Data Subject. The table below presents the
details of the purposes of data processing.
|
Designation
and purpose of data processing |
Legal basis of data processing |
Scope of processed data |
Duration of data processing |
|
1. Collection and storage of
personal data for registration and contracting purposes, including automatic
sending of e-mail messages to validate and complete registration |
GDPR Article 6 (1) b), necessary to take the steps
at the request of the data subject before the conclusion of the contract |
·
identifying data of
registering person: first and last name ·
contact details: registered
email address ·
encrypted (hashed) password ·
BKK ID ·
date of registration ·
associated social media
accounts (Facebook, AppleID, Google) |
As long as the registration is active (until
cancelled by the user or after 3 years of inactivity, the data will be
deleted including registration data). |
|
2. Specifying of location |
Data subject’s voluntary consent pursuant to GDPR
Article 6 (1) a) |
·
location data (GPS
coordinates of the mobile device) |
until consent is withdrawn or location data is
blocked |
|
3. Places marked as “favourites” |
Data subject’s voluntary consent pursuant to GDPR Article
6 (1) a) |
·
Favourites (including
“saved places” containing “home” and “workplace)” |
Once logged in to the user account, the data can be
entered, edited or deleted by clicking on the icon below the search field on
the home screen. As long as the registration is active (until
cancelled by the user or after 3 years of inactivity), the data will be
deleted (including registration data). |
|
4. Collection and storage of
personal data for the purpose of mobile ticket sales (tickets, passes) |
GDPR Article 6 (1) b), performance of the contract |
·
BKK ID, family and given name,
email address ·
bankcard/credit card
token data · transaction data (time of purchase, expiration date, validity period,
group ID, transaction payment ID, Simple transaction ID, Barion
transaction ID, payment gateway service transaction ID, 32-digit bank
transaction ID, BudapestGO transaction ID, NMFR transaction ID) |
In connection with the assertion of any claim, 5
years according to the statute of limitations in article 6:21-6:25 of the
Civil Code. |
|
5. Collection, storage of
personal data related to the validation / code scanning of transport mobile
tickets purchased in the application |
GDPR Art. 6 (1) b), performance of the contract |
·
time, method, result of
code scan, ·
the unique identifier of
the metro station/vehicle associated with the scanned/selected code |
In connection with the assertion of any claim, 5
years according to the statute of limitations in article 6:21-6:25 of the
Civil Code. |
|
6. Viewing, collecting and
storing personal data for the purpose of verifying the validity of mobile
transport tickets purchased in the application |
Performing a public task pursuant to Art. 6(1)(e) of
GDPR, pursuant to the authorisation of Art. 7 (1) and (4) of the Passenger
Transport Act |
·
The occasional mobile
ticket has validated or not, and whether the prepaid products (day tickets,
season tickets) are valid or not, Personal data displayed on inspector’s device during
the inspection: ·
start and end of
validity, ·
the number of the photo
identity card issued for the product (where applicable), ·
Unique ID of the NMFR
interrogation. The following personal data are stored in the
backend system: ·
inspector identifiers ·
date and time of the last
validation of the product, ·
date, time, place and
result of inspection, ·
NMFR transaction ID
(unique product ID) |
In connection with the assertion of any claim, 5
years according to the statute of limitations in article 6:21-6:25 of the
Civil Code. |
|
7. Collecting and storing
personal data for the purpose of providing a function for the purchase of
products for someone else (Beneficiary) |
GDPR Article 6 (1) b), performance of the contract |
·
BKK ID, family and given
name, email address of the Purchaser, ·
BKK ID of the
Beneficiary, ·
bankcard/credit card
token data of the Purchaser ·
transaction data of the
product purchased for Beneficiary (see above), ·
ID card type and number
of the Beneficiary, ·
account name of the
Beneficiary |
In connection with the assertion of any claim, 5
years according to the statute of limitations in article 6:21-6:25 of the
Civil Code. |
|
8. In case of products
purchased for someone else, to ensure the transparency of each purchase and
to facilitate future purchases, the display and storage of the Beneficiary's
profile for the Purchaser. |
GDPR Article 6 (1) b), performance of the contract |
·
the name of the
Beneficiary, ·
the BKK identifier of the
Beneficiary, ·
type and number of the
Beneficiary's ID card, |
For the duration of the contract: as long as the
registration of the Purchaser or Beneficiary is active; after 3 years of
inactivity, the data will be deleted (including the registration) |
|
9. Storage of invoicing-related
personal data in the user account and automatic sending of the e-invoice by
e-mail |
GDPR Article 6 (1) b), performance of the contract |
·
invoicing name, ·
invoicing address, ·
invoicing email address
(if different from registered email address), invoice number |
The data can be saved, edited or deleted by the user
when logged into the application during the purchase or in the Settings menu.
Until the data is deleted, or as long as the registration is active (until
cancellation by the user or after 3 years of inactivity), the data will be
deleted (including registration data). |
|
10. Invoicing |
GDPR Article 6 (1) c), compliance with a legal
obligation pursuant to Section 169 (2) of the Accounting Act |
·
invoicing name, ·
invoicing address, ·
invoicing email address
(if different from registered email address), invoice number |
In the case of a contract, 8 years after the year of
approval of the annual accounts for the year of issue of the last accounting
document related to the contract, |
|
11. Sending in-app messages
to inform you about maintenance, downtime affecting the use of the mobile
application |
GDPR Article 6 (1) b), performance of the contract |
·
BKK ID |
As long as the registration is active; after 3 years
of inactivity, the data will be deleted (including registration data) |
|
12. Sending e-mail messages
to inform about feature enhancements and other news |
GDPR Article 6 (1) f) legal interest of the data controller |
·
BKK ID ·
name ·
email address |
As long as the registration is active; after 3 years
of inactivity, the data will be deleted (including registration data) |
|
13. Sending in-app messages
to inform you about feature enhancements and other news |
GDPR Article 6 (1) f) legal interest of the data
controller |
·
BKK ID |
As long as the registration is active; after 3 years
of inactivity, the data will be deleted (including registration data) |
|
14. In the notifications
menu of the app, you can set up notifications (expiring mobile ticket,
automatic re-purchase, transport service changes) |
Data subject’s voluntary consent pursuant to GDPR
Article 6 (1) a) |
·
BKK ID ·
name ·
email address |
Until consent is withdrawn or location data is
blocked, after 3 years of inactivity, the data will be deleted (including
registration data) |
|
15. Mandatory data reporting |
GDPR Article 6 (1) c), compliance with a legal
obligation specified in Articles 165-169 of Accounting Act and in accordance
with Articles 77-78 and 202 of Taxation Act |
·
billing name and address |
Invoicing data: Data Controller must retain the
issued service related e-invoices in line with and
for a period as well as for a period of 8 years after the issue of the last
invoice |
|
16. Retention of data after
account deletion for the purpose of enforcing BKK's legal claims |
GDPR Article 6 (1) c), compliance with a legal
obligation, according to which 169 (2) of the Accounting Act is applicable. |
·
BKK ID ·
billing name and email
address provided at the time of purchase ·
transaction data (product
name, time of purchase, product status, expiration date, validity period,
group ID, transaction payment ID, Simple transaction ID, 32-digit bank
transaction ID, BudapestGO transaction ID, NMFR
transaction ID) ·
token data for the
bankcard entered at the time of purchase |
the Data Controller shall keep the data for 8 years.
|
|
17. Sending push messages to
the User screen, which contain only information related to an incident or
disaster affecting or hindering the use of public transport as a public service , without any advertising messages. |
GDPR Article 6 (1) f) based on the legitimate
interest of the data controller |
·
BKK ID ·
name |
In the device settings, the user can disable an
application from sending a push message to their screen, otherwise as long as
the registration is active; after 3 years of inactivity, the data will be
deleted (including registration data) |
|
18. Emailing of messages to
subscribers: information, news,
promotions and discounts of public interest related to the public services of
BKK and Budapest Municipality |
GDPR Article 6 (1) f), the interest of the data
controller |
·
BKK ID ·
email address ·
name |
As long as the registration is active (until
deletion by the user); or after 3 years of inactivity, the data will be
deleted (including registration data) |
|
19. Send push direct
marketing messages to User screen |
Data subject’s voluntary consent pursuant to GDPR
Article 6 (1) a) |
·
BKK ID |
Until withdrawal of consent (user can disable an
application from sending a push message to his/her screen in the device
settings) or as long as the registration is active (until deletion by the
user); or after 3 years of inactivity, the data will be deleted (including
the registration) |
|
20. E-mail direct marketing
messages: information about
updates, campaigns, news, promotions, discounts related to BudapestGO |
Data subject’s voluntary consent pursuant to GDPR
Article 6 (1) a) |
·
BKK ID ·
email address ·
name |
Until withdrawal of consent or as long as the
registration is active (until deletion by the user); or after 3 years of
inactivity, the data will be deleted (including registration data) |
|
21. Updating and storing personal data for the
purpose of developing
our digital channels, in order to provide discounted services in the Hungarian
capital. |
GDPR Article 6 (1) f) based on the legitimate
interest of the data controller |
·
e-mail address, ·
phone number stored in BudapestGO and
MOL Bubi |
Until the new single registration and login interface
is available or the registration is cancelled. |
|
22. Recording and storing
personal data for the purpose of detecting and investigating application
errors |
GDPR Article 6 (1) f) based on the legitimate
interest of the data controller |
·
Error code ·
Time of purchase ·
BudapestGO trans action
ID (Purchase Head ID) ·
Title ·
Registered e-mail address
·
BKK ID ·
NMFR Transaction ID ·
Start and end of validity
·
Billing e-mail address ·
Billing name ·
Invoice serial number ·
Bank identifier (32) ·
Simple / Barion transaction ID ·
SAP message text ·
Request root ID ·
Group ID ·
Payment gateway provider
transaction ID ·
Result codes and error
codes associated with transactions |
a) 48 hours
after the final status of the payment transaction has been set by the Trustee
in the Trustee's system, or b) in the case
of bulk payment transactions and file uploads used to create bulk payment
links, 30 days after the processed file has been made available to the Payer;
or c) in the case
of a payment link created manually or via API, 48 hours after the final
status of the payment link has been set by the Payee in the Payee's system,
or after the expiry date of the payment link or the validation of the payment
link. |
For each purpose, the legal basis for processing
is Article 6(1)(f) of the GDPR (processing necessary for the purposes of the
legitimate interests pursued by the controller or a third party).
According to the result of the balancing of
interests carried out by the Controller in this context:
The Data Controller assesses that the purposes
for which the processing is carried out are based on the legitimate interest
referred to in Article 6(1)(f) of the GDPR, given that the Data Controller has the
legitimate interest in the purposes being fulfilled and that the processing
does not adversely affect the interests or fundamental rights and freedoms of
the Data Subjects in such a way as to override the legitimate interests of the
Data Controllers (the specific interests or fundamental rights and freedoms of
the Data Subject do not prevail over the interest).
|
Legitimate interest exists |
The legitimate interest is sufficiently specific, genuine and current,
as the processing is really necessary for the effective performance of the
Controller's business activities. |
|
Processing is necessary |
The processing is necessary for the purposes of the legitimate
interest, otherwise the business objective of the Data Controller (to provide
its services as efficiently as possible and with the highest level of
satisfaction) could not be achieved. |
|
Processing constitutes a proportionate
restriction on the data subject |
The interests, fundamental rights and freedoms
of the Data Subjects are not violated during the Data Processing. The
interests of the Data Subjects are not protected to a higher degree than the
interests of the Data Controller. Given that the Data Subject is duly
informed of the processing concerning him or her at the time of collection
and that the effects of the processing are fully foreseeable due to the way
in which the processing is carried out, the proportionality standard in this
respect is shifted towards permissibility. The proportionality of the
restriction is also enhanced by the fact that the controller provides the
data subject with full, clear and comprehensible information at the time of
collection on the scope of the personal data processed, the basis, the method
and the time of processing, and the data subject's rights in relation to the
processing. |
Subject to Art. 21 of the GDPR, the Data
Controller expressly draws the attention of the Data Subjects, clearly and
separately from any other information, to the fact that each Data Subject has
the right to object at any time, on grounds relating to his or her particular
situation, to the processing of his or her personal data for the purposes of
the processing specified in this Notice, based on Art. 6(1)(f) of the GDPR.
In this case, the Controller may no longer
process the personal data unless the Controller proves that the processing is
justified by compelling legitimate grounds which override the interests, rights
and freedoms of the Data Subject or for the establishment, exercise or defence
of legal claims.
IV.
AUTOMATED DECISION-MAKING
including profiling and meaningful information about the logic
involved, as well as the significance and the envisaged consequences of such
processing for the Data Subject:
Data Controller performs no profiling.
Furthermore, Data Controller informs Users that anonymised statistics and
statements are prepared based on incoming system data in order to improve the
quality level of the BudapestGO application. These data are not suitable for
personal identification.
V.
DATA SECURITY MEASURES
Data
Controller undertakes to ensure the security of personal data processed by it
and it shall implement appropriate technical and organisational measures and
adopt policies by taking into account the state of the art, the costs of
implementation, the nature, scope, context and purposes of data processing as
well as the varying likelihood and severity of the risk to the rights and
freedoms of natural persons to make sure that the recorded, stored and
processed data are protected and prevented from destruction, unauthorised use
or alteration.
Data
Controller undertakes to request from all third parties to whom data are
transferred or handed over on any legal basis to comply with the requirement of
data security.
Data
Controller guarantees a data security level in line with the risk, including
among others, as appropriate:
-
the pseudonymisation
and encryption of personal data
-
the ability to ensure
the ongoing confidentiality, integrity, availability and resilience of
processing systems and services (operating and development security, protection
against and detection of intrusions, prevention of unauthorised access)
-
the ability to restore
the availability and access to personal data in a timely manner in the event of
a physical or technical incident (prevention of data breach, vulnerability and
incident management)
-
a process for regularly
testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing
(maintenance of business continuity, protection against malicious codes, safe
storage, transmission and processing of data, security education of staff)
In assessing the appropriate level of security account shall be taken in
particular of the risks that are presented by processing, in particular from
accidental or unlawful destruction, loss, alteration, unauthorised disclosure
of, or access to personal data transmitted, stored or otherwise processed.
Data
subject’s data shall be stored on Data Controller’s protected internal server
that meets the highest level of IT security guidelines. Remote access is
possible only by a limited number of authorised persons through a virtual
private network, following authentication. All user activity involving
modification in the course of data processing shall
be logged. Data shall not be copied to any physical storage devices.
Data Controller shall operate the applied IT equipment for data
processing, as follows:
·
by ensuring the protection
of physical equipment containing data related to BKK
·
by ensuring that only
approved and authorised users have access to data used by Data Controller
·
by ensuring that only
persons authorised to use the systems have access to Data Controller’s data
·
by ensuring that no
unauthorised person can forward, read, alter or delete Data Controller’s data
in the course of data transfer or storage.
Processed data can be known only by Data Controller and its staff as
well as by its commissioned data processor(s) according to different access
levels; Data Controller shall not hand over any data to unauthorised third
parties. Data Controller and Data Processor staff can access personal data
based on job category assigned by Data Controller and Data Processor, in a
defined way, according to access level.
·
by ensuring that Data
Controller’s data are protected from accidental destruction or loss, and in
case of events leading to those results, data can be accessed and restored in a
timely manner
·
by ensuring that Data
Controller’s data are handled separately from other customers’ data. Data
Controller and Data Processor shall qualify and process personal data as confidential.
In order to protect datasets handled electronically in different databases,
Data Controller shall ensure, with the legally specified exceptions, that the
data stored in the databases cannot be directly linked and attributed to Data
Subject
·
by ensuring that Data
Controller has a process is in place for regularly testing, assessing and
evaluating the effectiveness of technical and organisational measures
·
Data Controller shall
deploy a firewall to protect IT systems and use virus detection and elimination
software to prevent external and internal data loss. Data Controller has taken
measures for the proper control of any form of both incoming and outgoing
communication in order to prevent abuse.
VI.
DATA PROCESSORS, DATA TRANSMISSION
|
Name and headquarters of the data processor |
Activity carried out by the data processor |
Personal data processed by the data processor |
|
Telekom
Rendszerintegráció Zrt. 1097 Budapest, Könyves Kálmán krt. 36. |
It
is responsible for the full operation and development of the BudapestGO
system. |
all
personal data listed in Table III |
|
Neosoft Informatikai Szolgáltató Kft. 8000 Székesfehérvár, Távirda utca 2/A 2. em. 1. |
Providing
a platform for sending mass newsletters to customers registered in BKK's own
database. |
·
full name, ·
email address, ·
country, postcode city, ·
date of registration |
|
Nevogate Payment Services Kft. 1066
Budapest, Nyugati tér 1-2. |
·
The processing of payment
transactions of natural persons initiating electronic payments and ·
strong customer
authentication and ·
fraud and abuse detection |
·
in the case of bulk
payment transactions and file uploads used to create bulk payment links,
personal data of the source file and the processed file; and ·
in the case of the use of
a payment link created manually or via API, personal data transmitted during
the generation of the link |
Data processors are authorised to process the personal data above only
under the duration of their contracts with Data Controller and only for the
relating, legally specified period.
The Data Controller informs the User that when the User is redirected to
the OTP Mobile SimplePay page during the payment by bankcard
(in case of recurring and oneclick card registration,
the 32-digit identifier, BudapestGO transaction ID, customer email address, invoicing
data: name and address) are transferred to OTP MOBIL Szolgáltató
Kft. as the data processor of BKK.
The nature and purpose of the data processing activities carried out by
the processor can be found in the SimplePay
Privacy Notice, available at the following link: https://simplepay.hu/adatkezelesi-tajekoztatok/
BKK's standby bankcard payment service provider as a separate data
controller is Barion Payment Zrt.,
whose data processing information is available here:
https://www.barion.com/en/privacy-notice/
The names and email addresses of the natural persons who, on behalf of
the Client, access the electronic interface provided by the Provider and
perform user operations on the electronic interface on behalf of the Client.
Verification of access rights and provision of access during user access to the
electronic platform provided by the Provider to the Customer.
The
nature and purpose of the data processing activities carried out by National
Mobile Payment Ltd. can be found in the privacy information of National Mobile
Payment Ltd. at the following link: https://nmzrt.hu/
In
the event of a request by a public authority, the requested data will be
transmitted to the public authority.
VII.
YOUR RIGHTS AS A DATA SUBJECT AND HOW TO EXERCISE THOSE RIGHTS:
Data
Controller shall inform the data subject through the contact channels provided
by him or her without undue delay, and in any event one month of receipt of
data subject’s request about action taken on the request submitted in line with
the information below. That period may be extended by two further months where
necessary, taking into account the complexity and number of the requests. The
controller shall inform the data subject of any such extension within one month
of receipt of data subject’s request together with the reasons for the delay.
You, as a data subject,
have the following options to exercise your rights below:
Your right to be informed
You may request information from Data Controller
regarding the following:
·
what personal data
·
on what legal basis
·
for what data processing
purpose
·
from what source
·
for what period will be
processed
·
if a Data Processor is
employed, and if yes, the name, address and data processing activity of the
Data Processor
·
to whom, when, based on
what legislation Data Controller has given access to what personal data or to
whom data have been transferred
·
about the circumstances and effects of a data
protection incident and the and the preventive measures taken
In person:
-
BKK
customer service centres
By telephone:
-
BKK Call Centre +36 1 325 52 55
In writing to Customer Service:
-
letter
addressed to 1075 Budapest, Rumbach Sebestyén u. 19-21.
-
email: bkk@bkk.hu
Your right of access
You shall have the right to obtain from the Data
Controller confirmation as to whether or not personal data concerning you are
being processed and, where that is the case, access to the personal data and
the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to
whom the personal data have been or will be disclosed, in particular recipients
in third countries or international organisations;
d) where possible, the envisaged period for which
the personal data will be stored, or, if not possible, the criteria used to
determine that period;
e)
the existence of the right to request from the controller rectification
or erasure of personal data or restriction of processing of personal data
concerning the data subject or to object to such processing;
f)
the right to lodge a complaint with a supervisory authority (in Hungary
it is the National Authority for Data Protection and Freedom of Information);
g) where the personal data are not collected from
you, any available information as to their source;
h) the existence of automated decision-making,
including profiling and, at least in those cases, meaningful information about
the logic involved, as well as the significance and the envisaged consequences
of such processing for you.
Data
Controller shall provide a copy of your personal data undergoing processing.
For any further copies requested by you, BKK may charge a reasonable fee based
on administrative costs. If you make the request by electronic means, the
information shall be provided in a commonly used electronic form, unless you
request it otherwise. The right to obtain a copy shall not adversely affect the
rights and freedoms of others.
Your
right to rectification
You shall have the right to
obtain from Data Controller without undue delay the rectification of inaccurate
personal data concerning you. Taking into account the purposes of the
processing, you shall have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.
Your right to erasure
(‘right to be forgotten’)
You
as a data subject shall have the right to obtain from Data Controller the
erasure of personal data concerning you. Data Controller shall have the
obligation to erase personal data without undue delay where one of the
following grounds applies:
a) you withdraw consent on which the processing is based and where there is
no other legal ground for the processing;
b) you object to the processing necessary for the performance of a task
carried out in the public interest or in the exercise of official authority or to
processing necessary for the legitimate interests pursued by the controller or
by a third party, and there are no overriding legitimate grounds for the
processing, or you object to the processing for direct marketing purposes;
c) the personal data have been collected in relation to the offer of
information society services.
A
request for erasure cannot be granted if the processing is necessary:
a) to comply with an obligation under Union or Member State law to which
the Data Controller is subject to which the processing of personal data is
subject, or to carry out a task carried out in the public interest or in the
exercise of official authority vested in the Data Controller;
b) for the establishment, exercise or defence of legal claims.
Your right to
restriction of processing
You as a data subject
shall have the right to obtain from Data Controller restriction of processing
where one of the following applies:
a) the accuracy of the personal data is contested by you, for a period
enabling BKK to verify the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal
data and request the restriction of their use instead;
c) BKK no longer needs the personal data for the purposes of the
processing, but they are required by the you for the establishment, exercise or
defence of legal claims, or
d) you have objected to processing necessary for the performance of a task
carried out in the public interest or in the exercise of official authority, or
to processing necessary for the legitimate interests pursued by Data Controller
or by a third party, pending the verification whether the legitimate grounds of
BKK override yours.
Where processing has
been restricted based on the above, such personal data shall, with the
exception of storage, only be processed with your consent or for the
establishment, exercise or defence of legal claims or for the protection of the
rights of another natural or legal person or for reasons of important public
interest of the Union or of a Member State. You as a data subject who has
obtained restriction of processing shall be informed by BKK before the
restriction of processing is lifted. The restriction shall apply until the
reason indicated by you renders data storage necessary. You may request
restriction of processing in case, for instance, you believe that Data
Controller has unlawfully processed your data, however it is necessary for
authority or judicial proceedings initiated by Data Controller that those data
are not deleted by Data Controller. In these cases, Data Controller shall
continue to store data until the official request by an authority or court of
law is received; deletion will be performed thereafter.
Your right to object
You may object to the
processing of your personal data if the legal basis for the processing is:
-
the performance of a task carried out in the
public interest pursuant to Article 6(1)(e) of the GDPR or in the exercise of
official authority vested in the controller;
-
legitimate interest of the
controller or a third party pursuant to Article 6(1)(f) of the GDPR.
In the event of the
exercise of the right to object, the Data Controller may no longer process the
personal data, unless it can demonstrate compelling legitimate grounds for the
processing which override the interests or rights of the Data Subject or for
the establishment, exercise or defence of legal claims.
Where personal data are
processed for direct marketing purposes, the data subject shall have the right
to object at any time to processing of personal data concerning him or her for
such marketing, which includes profiling to the extent that it is related to such
direct marketing. Where the data subject objects to processing for direct
marketing purposes, the personal data shall no longer be processed for such
purposes.
Your right to data portability
You as a data subject
shall have the right to receive the personal data concerning you, which you
have provided to a controller, in a structured, commonly used and
machine-readable format and have the right to transmit those data to another
controller without hindrance from the controller to which the personal data
have been provided, where:
a) the processing is based on consent or on a contract and
b) the processing is carried out by automated means.
In exercising your
right to data portability, you as a data subject shall have the right to have
the personal data transmitted directly from one controller to another, where
technically feasible.
The
exercise of the right to data portability shall be without prejudice to the
right to erasure. That right shall not apply to processing necessary for the
performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller. The right to data portability
shall not adversely affect the rights and freedoms of others.
Your right to withdraw your consent
You have the right to withdraw your consent to data processing at any
time. Withdrawal of consent does not affect the lawfulness of processing based
on consent prior to its withdrawal.
Your right to legal remedy
Contacting
the Data Controller
Before
initiating a procedure by a law court or authority, we recommend you send your
complaint or query about the processing of your personal data to Data
Controller, so that we can investigate and remedy it in a satisfactory manner,
or fulfil your justified request.
Data
Controller shall investigate, take action and provide information to data
subject without undue delay and within the legally prescribed timeframe in the
event data subject exercises his or her right in connection with the data
processing, requests information about the data processing, objects to, or
complains about the data processing. If needed, the time limit can be extended
in a legally specified way, taking into account the complexity and number of
the queries.
If
the data subject lodged the query electronically, the response will also be
given that way, unless data subject requests it otherwise. If Data Controller
does not take action based on data subject’s query without undue delay, but
within the legally specified time limit, Data Controller shall notify data
subject about the reasons of absence of action, or of the refusal to fulfil the
request, and whether Data Subject can launch a procedure by a court or an
authority in the specific case.
In order to exercise your rights concerning data
processing, or in case have any questions or concerns with regard to your data processed
by Data Controller, or if you need information about your data, or wish to file
a complaint, you may turn to Data Controller using the contact details listed
under Point I in this Privacy Policy.
Launching a proceeding
before a court of law
Data Subject may turn to a court of law
against Data Controller or data processor – in connection with data processing
falling within its scope of activity – if he or she believes that Data
Controller or its commissioned data processor has infringed the provisions
concerning the processing of personal data specified in legislation or in a
mandatory legal act of the EU, while processing Data Subject’s personal data.
Settlement of the lawsuit is in the power of the tribunal. The lawsuit
can also be launched before the tribunal competent according to the residence
or location of the Data Subject, at Data Subject’s discretion. You can also start a
civil lawsuit against BKK. Settlement of the lawsuit is in the power of
the tribunal, i.e. of the Budapest-Capital Regional
Court,
which is competent based on the location of BKK’s registered company seat. You
can also launch the lawsuit before the tribunal competent
according to your place of residence.
Notification to the supervisory authority
If you believe that
Data Controller has processed your data unlawfully, you shall have the right
without prejudice to any administrative or judicial remedies, in particular in
the Member State of your habitual residence, place of work or place of the alleged
infringement, to file a complaint with the National Authority for Data
Protection and Freedom of Information (NAIH) located at 1055
Budapest, Falk Miksa utca
9-11., postal address: 1363 Budapest, Pf. 9., e-mail: ugyfelszolgalat@naih.hu, phone :+36 1
391-1400, fax.:+36 (1) 391-1410, website: www.naih.hu), if in your opinion Data Controller has restricted you in exercising
your rights or denied your request to exercise those rights (initiating an
investigation), and if you believe Data Controller or its commissioned data
processor has infringed the provisions concerning the processing of personal
data specified in legislation or in a mandatory legal act of the EU (request to
conduct proceedings by an authority).
This Privacy Policy is effective from 10 June 2025.