BKK CENTRE FOR BUDAPEST TRANSPORT PRIVATE LIMITED COMPANY PRIVACY POLICY on the BKK Online Shop sales
Table of contents 1. General provisions 1.1. During the sale of Passes on the BKK Online Shop, BKK only processes data from registered the Users (hereinafter referred to as: Users), and BKK receives data directly from the parties concerned (registered Users). BKK does not check the lawfulness of the data transfer (whether there are legal grounds for data processing); it is the sole responsibility of the User. Accordingly, if the data processing is subject to the consent of the concerned party, the obligation to obtain such consent lies with the User. If there is a breach of obligation to ensure lawful data processing, the User shall be liable for any breach of interest or penalty that affects BKK. If BKK becomes aware that the User is not entitled to process the personal data provided by the User, BKK shall immediately take the measures necessary to establish the lawfulness of the data processing (depending on the given situation it may be the suspension of data processing, the blocking of the data or the irrevocable deletion of unduly processed personal data). 1.2. By transferring their data, the User authorises BKK to process such data as an individual data processor in the interest of the fulfilment of the contract established between BKK and the User, within the required framework. 1.3. The notification of any affected parties regarding data processing by BKK is the sole responsibility of the User. The User, upon forwarding the data, expressly undertakes to notify the affected parties in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Act on Information). 1.4. The privacy regulations and information that define the data processing by BKK, including the name and contact information of organisations entrusted with the online sale of Passes, are available on www.bkk.hu on an ongoing basis. 1.5. BKK reserves the right to change the Privacy Policy, of which BKK provides notification in accordance with the effective legislation. Email us at bkk@bkk.hu if there are any questions regarding the Privacy Policy. 1.6. BKK is committed to protect the personal data of its passengers, and it considers the right of passengers for self-determination regarding information also as highly important. BKK processes personal data with confidentiality, and BKK shall take all security, technical and organisational measures that guarantee data security. This Privacy Policy applies only to the processing of personal data; however, BKK undertakes that for any other data processing by BKK the requirements regarding data security of this Privacy Policy shall also be applicable. With regards to the online sale of Passes, BKK does not transmit personal data to any country outside the European Economic Area. 1.7. The data processing principles of BKK are compliant with legislation related to data protection, in particular with the following: the Fundamental Law of Hungary (Freedom and Responsibility, Article VI); Act V of 2013 on the Civil Code;
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information; Act XLI of 2012 on Passenger Transport Services; Act CVIII of 2001 on certain issues of electronic commerce activities and information society services; Act C of 2000 on Accounting. 2. THE SCOPE OF PERSONAL DATA; THE PURPOSE, LEGAL BASIS AND DURATION OF DATA PROCESSING 2.1. Data of the User 2.1.1. During and after registration on the BKK Online (web) Shop, the User must provide their personal information. 2.1.2. The purpose of data processing: the conclusion of a Sales Contract for the sale of Passes on the BKK Online Shop, the identification of the User, the checking of activity related to the online sale and an easier access to contact the User. 2.1.3. The legal basis for data processing: the authorisation of the User provided through the submission of their data. 2.1.4. The types of processed data: family and first name; company name; name of the non-natural person (legal entity); email address; the User name; password; name, country of issuance, type and number of personal identification document(s) provided by the User; data of purchases initiated by the User; log data generated during other activities performed in the BKK Online (web) Shop. 2.1.5. The duration of data processing: 5 (five) years following the cancellation of the Sales Contract (for example, after the deletion of the registration). 2.2. Data of persons conducting a purchase for the benefit of the User 2.2.1. On the BKK Online (web) Shop, the User must provide the data required for issuing an invoice for the User that pays the purchase price of the given Pass. 2.2.2. The purpose of data processing: the contractual performance between BKK and the User, to ensure the verifiability of the different purchases (orders), the prevention of legal disputes, the fulfilment of the accounting obligations of BKK. 2.2.3. The legal basis for data processing: the authorisation of the User provided through the submission of their data. 2.2.4. The type of processed data: family and first name, company name, name of the non-natural person (legal entity), email address, tax identification number, company tax number, data of purchases (orders) initiated by the User. 2.2.5. The duration of data processing: the period defined in the effective act on accounting and other relevant legislation.
2.3. Information related to the Passes 2.3.1. Following registration on the BKK Online (web) Shop the User can perform online purchases. Prior to the first purchase, the valid identification number of the document (ID) used for travel with the given Pass must be provided for the User affected. 2.3.2. BKK stores data in the protected database of the server operated by its service agent. The database is directly linked to the online interface. 2.3.3. The purpose of data processing: the contractual performance between BKK and the User, to issue the right kind of Passes, to ensure the verifiability of the different purchases (orders), the prevention of legal disputes, the provision of convenient shopping functions (copying data from previous orders), the elimination of fraudulent Passes. 2.3.4. The legal basis for data processing: the authorisation of the User provided through the submission of their data. 2.3.5. The scope of processed data: the place of issue, the type and number of the personal identification document (active travel document) of the affected User (passenger). 2.3.6. The duration of the data processing: 5 (five) years after the expiry of the Pass. 2.4. Other data processing 2.4.1. Information upon the User s request on data processing not listed in this Privacy Policy will be provided by BKK and its service agent/representative. 2.4.2. Hereby we inform the Users that regarding data provided on the BKK Online Shop sale system BKK may be contacted by a court, a prosecutor, an investigating authority, a public administrative authority, the Hungarian National Authority for Data Protection and Freedom of Information ( NAIH ) or other bodies under legislative authorisation to provide or transfer data, and to provide certain documents. 2.4.3. To these authorities BKK shall provide personal data if the authority specified the exact purpose and scope thereof only to the extent that is indispensable to fulfil the request of the given authority. 3. THE METHOD OF STORING PERSONAL DATA, THE SECURITY OF DATA PROCESSING 3.1. BKK selects and operates the IT tools applied for processing personal data during sale of Passes in its Online Shop in a way that: a) the processed data would be accessible to those authorised to process it (availability); b) the authenticity and validation of the processed data would be ensured (authenticity of data processing); c) it can be ensured that the processed data have not changed (data integrity); d) the processed data would be protected against unauthorised access (data secrecy).
3.2. BKK protects the data with appropriate measures particularly from unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as random destruction, damage or inaccessibility resulting from the applied technology. 3.3. In order to safeguard the different electronically handled datasets in its registers BKK ensures the appropriate technical solutions that the stored data except where it is permitted by law cannot be directly linked to the affected person. 3.4. With regards to actual technological developments, BKK ensures data protection with technical, organisational and institutional measures that provide an adequate level of protection against risks occurring in relation to data processing. 3.5. During data processing BKK preserves a) confidentiality: BKK protects the information that only authorised persons would have access to it; b) integrity: BKK ensures the accuracy and completeness of the information and its processing method; c) availability: BKK ensures that when the authorised User needs it, they would have access to the desired information and the related tools would also be available. 3.6. The IT systems and networks of BKK and its cooperating partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding as well as computer viruses, computer break-ins and attacks that lead to the denial of service. The operator ensures security with safety procedures on both a server and an application level. 3.7. Hereby we inform the affected people that regardless of Internet protocols (email, web, ftp, etc.) electronic online messages are vulnerable to network threats that lead to unfair activities, the disputing of the contract, the disclosure or modification of contractual information. In order to be defended against such threats BKK takes all the reasonable precautions, and as part of that, it monitors its systems to ensure that all safety derogation could be recorded and that these could serve as evidence for all securityrelated events. The monitoring of the system enables BKK to verify the effectiveness of the applied protective measures. 4. DATA AND CONTACT INFORMATION OF THE DATA CONTROLLER BKK Budapesti Közlekedési Központ Zártkörűen Működő Részvénytársaság (BKK Centre for Budapest Transport) Registered seat: 1075 Budapest, Rumbach Sebestyén utca 19 21. Company registration number: 01-10-046840 Telephone: +36 30 774 1000 email: bkk@bkk.hu
5. LEGAL REMEDIES 5.1. The affected person may request information on the processing of their personal data and they may request the correction and apart from the obligatory data processing even the deletion or blocking thereof at the indicated contact information of BKK. 5.2. If the affected person does not agree with the decision made by data processor, they may appeal to court within 30 days following the notification thereof. The affected person may also refer to court if their rights were breached by the data processor. The court handles such cases as an extraordinary procedure. 5.3. BKK pays compensation to the affected person or to a third party for any damage caused by the unlawful processing of data or breaching the requirements of data privacy. Data processor shall be exempt from any responsibility if the damage was caused by a force majeure beyond the control of data processing. Data processor does not compensate for the damage if it was caused by intentional or gross negligent conduct of the damaged party. 5.4. Legal remedies and complaints can be submitted to the Hungarian National Authority for Data Protection and Freedom of Information: Hungarian National Authority for Data Protection and Freedom of Information Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C Mailing address: 1530 Budapest, Pf. 5 Telephone: +36 1 391 1400 Fax: +36 1 391 1410 email: ugyfelszolgalat@naih.hu Website: http://www.naih.hu