Budapest Transport Closely Held Corporation (registered office: 1980 Budapest, Akácfa u. 15.; company registration number: 01-10-043037; hereinafter: Data Controller) processes the personal data provided by you in connection with the retail activity of souvenirs through webshop on the basis of this information (hereinafter: Information) as follows.

General information

The Data Controller declares that it handles the data obtained in connection with its activities in accordance with the provisions of this Policy and the legislation in force at any time.

The Data Controller further declares that it will only process the personal data of the data subjects (natural persons whose data are processed) for the purposes specified in this Policy, in accordance with the principles of fair and lawful data processing, to the extent and for the time necessary. The Data Controller ensures that the data are accurate, complete, up-to-date, and that the data subject can only be identified for the time necessary for the purpose of data processing.

The Data Controller shall always process the personal data provided to it in compliance with the applicable Hungarian and European legislation and its data protection policy https://www.bkv.hu/hu/adatvedelmi_politika?jid= and shall always take the technical and organizational measures necessary for proper secure data management.

Please note that personal data will be processed in particular on the basis of the following applicable legislation:

Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the current text can be accessed via the following link:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC);).

• Act CXII of 2011 on Informational Self-Determination and Freedom of Information, its current text is available via the following link: http://njt.hu/cgi_bin/njt_doc.cgi?docid=139257.338504).
• Act CXII of 2011 on Informational Self-Determination and Freedom of Information, its current text is available via the following link: http://njt.hu/cgi_bin/njt_doc.cgi?docid=139257.338504).

 

Through this Policy, we provide you with the information to be provided by law in connection with data processing, as follows.

 

1. Purpose of the intended processing of personal data:

 

Selling souvenirs through the Webshop. Purpose of data processing: order fulfilment, delivery /identification number: A17/.

 

2. Legal basis for data processing:

 

Data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

 

3. Recipients or categories of recipients of personal data, if any:

 

- Financial Department, Magyar Posta (Hungarian Post) for delivery.

 

4. The period of storage of personal data, if it is not possible to determine this, the criteria used to determine this period:

 

storage takes place in the case of the invoice of the transaction (10 years). In the case of personal data related to deliveries, the retention period for registration in Magyar Posta's software is one year, taking into account Magyar Posta's Privacy Policy.

 

5. Whether the provision of personal data is based on a legal or contractual obligation, or whether it is a prerequisite for entering into a contract, whether the data subject is obliged to provide personal data, and what are the possible consequences of failure to provide data?

 

- a prerequisite for the conclusion and performance of the transaction is to know the data of the buyer required for this purpose (it is necessary to identify from whom the purchase price is coming, where to send the purchased product, to whom the invoice should be issued); The provision of data is not mandatory, but without this, the transaction is not possible.

 

6. Rights of data subjects and the order of their enforcement:

 

The Data Controller shall inform the data subject without undue delay, but within one month of receipt of the request, of the measures taken following the request as described below. If necessary, considering the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.

The data subject may exercise his or her rights towards the Data Controller through the following contact details:

mailing address: 1980 Budapest, Pf. 11;

phone number: +36-1/461-6500;

Email: bkv@bkv.hu.

 

6.1. Access to data        

The data subject shall have the right to be informed whether or not personal data concerning him or her are being processed, and if so, he or she shall have the right to be informed about his or her personal data and the information referred to in points 1, 3, 4, 6.2 to 6.4 and 9 of this Policy.

The Data Controller shall provide the data subject with a copy of the personal data undergoing processing. Any further copies requested by the data subject may be subject to a reasonable fee based on administrative costs. Where the data subject makes his or her request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.

 

6.2. Rectification of personal data

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

 

6.3. Deletion of personal data

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

- the personal data have been unlawfully processed;

- the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.

The Data Controller shall not delete personal data if data processing is necessary:

- for exercising the right to freedom of expression and information;

- for compliance with a legal obligation under Union or Member State law to which the Controller is subject to the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority;

- on grounds of public interest in the area of public health;

- for archiving purposes in the public interest, scientific or historical research or statistical purposes, in so far as the data subject's right to erasure is likely to render impossible or seriously impair processing;

- for the establishment, exercise or defence of legal claims.

 

6.4. Restriction of processing personal data

The data subject shall have the right to request from the Data Controller restriction of processing where one of the following applies:

- the accuracy of the personal data is contested by the data subject, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data;

- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of a legal claim;

- the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the Data Controller override those of the data subject.

The Data Controller shall inform the data subject at whose request processing has been restricted in advance about the lifting the restriction of processing.

 

6.5. Notification obligation related to rectification, erasure or restriction of processing of personal data

The Data Controller shall communicate the rectification, erasure or restriction of processing of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. At the request of the data subject, the Data Controller shall inform him or her of these recipients.

 

6.6. Data portability

The data subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Data Controller, where processing is based on the data subject's consent or on a contract; or the processing is carried out by automated means.

When exercising his or her right to data portability, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.

 

7. Contact details of the Data Controller and the Data Protection Officer

 

7.1. Responsible for data management

BKV Zrt’s organizational units implementing the given data processing purpose.

 

7.2. Contact details of the Data Protection Officer

Name:	dr. László Anga
Phone:	+36 (1) 461-6500
E-mail:	adatvedelem@bkv.hu

 

 

 

 

 

8. Data security:

 

We inform you that the Data Controller ensures the security of personal data through its relevant internal regulations, in particular the Corporate Data Protection and Data Security Policy, the IT Security Policy and the Document Management Policy, and takes the technical and organizational measures and establishes the procedural rules necessary to enforce the GDPR and other data and confidentiality rules.

The Data Controller processes personal data with the utmost care, in strict confidentiality, only to the extent necessary for the use of services, and in case of consent, in accordance with the provisions of the given person. The Data Controller shall ensure that the personal data processed:

• protected against unauthorized access (confidentiality of data),
• accessible to authorised persons (availability),
• its authenticity and authentication are ensured (credibility of data processing),
• its unchangedness can be proven (data integrity).

 

9. Remedies:

 

In case of violation of his rights, the data subject may turn to court. The person concerned may, at his or her choice, bring the action before the court of his/her domicile or residence.

The data subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) regarding the processing of his or her personal data. Any person may initiate an investigation by reporting it to the Authority on the grounds that a violation of rights has occurred or there is an imminent threat thereof in connection with the processing of personal data. The contact details of the Authority shall be as follows:

Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information)

Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1350 Budapest, Pf.: 5.

Phone: +3613911400

Fax: +3613911400

E-mail: ugyfelszolgalat@naih.hu

Webpage: http://www.naih.hu

 

10. Other information:

 

In case of performance by post, Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6., company registration number: 01-10-042463) processes the data in respect of the name, address, e-mail address and telephone number provided for the performance.