Privacy Policy
Date of publication: September 15, 2021
Version number: 1.0
Dear User,
In connection with the use of the mobile application (“App” or “Application”) that you have downloaded, your personal data will be processed in accordance with this Notice. Please read this Privacy Notice, which is intended to ensure that we process your data in accordance with EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“General Data Protection Regulation”) and with the applicable Hungarian data protection legislation, in particular Act CXII of 2011 on the Right to Information Self-determination and Freedom of Information, and to adequately inform you about our data processing activity.
1 The Data Controller
Company name of the data controller: Etele Plaza Plant Ltd. (hereinafter “Data Controller”)
Registered office: 1082 Budapest, Futó utca 47-53., 7th floor
Company registration number: 01-09-283776
E-mail address: info@eteleplaza.hu
Website: eteleplaza.hu
Contact details of the Data Protection Officer of the Data Controller:
Postal address: 1119, Budapest, Hadak útja 1.
E-mail address: dpo@eteleplaza.hu
Telephone number: +36 70 457 1191
2 General Information on Data Processing
We collect and process your personal information when using the Application.
Personal information means any information about you that you share with us or that we have access to about you. Personal data processing means any operation we perform on data relating to you (e.g. storage of data provided through the Application in our systems, use of data relating to your movement for security or statistical purposes based on marketing analysis, location or bluetooth tracking). This Notice refers to you in several places as “data subject”.
While some of your data may no longer be processed for one of the purposes set forth in this Notice, there may be other purposes (such as providing another service) that still make it necessary to process the same data. These other purposes are described in this Notice insofar as they relate to the use of the Application. You can find information about all other data processing concerning the customers and visitors of ETELE Plaza in the Privacy Notice published on our website referred to above.
The retention period indicated in this Notice for each data processing purpose may be extended by the retention period indicated under the heading “Data Backups” if the data is backed up by the Data Controller.
According to this Notice, data processed based on consent will be deleted immediately in the event of withdrawal of consent, or will no longer be processed for the purpose affected by such withdrawal. The User has the right to refuse or withdraw their consent at any time by (i) deleting the data in the Application; or (ii) initiating the cancellation with the Data Controller by sending a written request to the Data Controller’s postal address or e-mail address provided above; or (iii) unsubscribing through the link provided in a newsletter. Withdrawal of consent shall not affect the lawfulness of the data processing performed prior to the withdrawal. Refusal or withdrawal of consent shall not result in any adverse legal consequence for the User, consent shall not be a precondition for the performance of the Contract defined in Subsection 3.1, and its refusal or withdrawal shall not affect the terms and conditions of the contract. Data related to the granting and date of consent will be retained during the general civil law limitation period (5 years) after the withdrawal of consent, for the purpose of executing or defending any potential legal claims.
Please note that the services described in the Contract setting out the general terms and conditions of use of the Application are not fully available at effective date of this Privacy Notice, in particular parking payment and smart parking services, the point collection, redemption or other related services under “ETELE Klub” Loyalty Program will be available from the date when the Data Controller notifies you, as user, through the Application or by sending an electronic message. Accordingly, the personal data processing described in connection with these services in this Notice will only be carried out from the date announced by the Data Controller.
3 Scope of Processed Data, Purpose and Legal Basis of Data Processing, Data Retention Period
3.1 Fulfilment of the Contract setting out the terms and conditions of the use of the Application and the services available therein
Pursuant to the Contract setting out the Application terms of use and the use of the services provided therein (the “Contract”), the Data Controller undertakes to provide services that cannot be provided without the knowledge of your personal data. These services include:
- navigation;
- parking services;
- “ETELE Klub” loyalty program services.
The detailed terms of the above mentioned services are set out in the general terms and conditions of the Application (i.e. the Contract).
3.1.1 Navigation
The “Navigation” function available through the Application allows the Application to direct the User to the store or service provider indicated by them on the premises of ETELE Plaza, and shows on the map of the parking garage the number of free parking spaces per parking level, or per parking zone at certain levels as well as the parking levels or parking zones with free parking spaces located closest to the destination designated in the building of ETELE Plaza, and directs the User to the parking level or zone selected by them.
In the event that you allow the Application to access your location data at any time during or after downloading the Application, and turn on the Bluetooth feature, we will process your personal data listed in the table below for the purpose of making available the “Navigation” feature.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Actual position of the User (geolocation data) | Navigating to ETELE Plaza, to means of public transport around the building of ETELE Plaza, to a store/service provider within ETELE Plaza or to a parking level or parking zone selected by the User within the framework of the parking facilitation service, based on the User’s position. | Fulfilment of the Contract |
Information on of your location is required for the Application to guide you to the location you specify in the shortest possible way. While navigating you from a remote location to ETELE Plaza, the Application will not record or store the User’s location data (i.e. from where and on what route you approached ETELE Plaza).
The Application also contains an internal map of ETELE Plaza. In order to display your current location on this map and to provide the “Navigation” service on the premises of ETELE Plaza, you must allow the Application to access your location data in the settings of your mobile device.
You can change or turn off location settings on your mobile device at any time.
If you do not turn on, or do not leave in active mode the device feature needed to identify the unique ID of your mobile device (e.g. Bluetooth feature), or does not allow the Application to access your location data, we will not process the above data and therefore cannot provide the “Navigation” service to you.
Data retention period: to provide the “Navigation” service, the above data will be processed as long as:
- You allow the Application to access and use your location data, and to use the Application, and
- the device function required to locate your mobile device (e.g. Bluetooth) is enabled on your mobile device, and such devices is located on the premises of ETELE Plaza or within a few meters thereof.
Please note that the Data Controller also processes certain data concerning your position in connection with the additional purposes (parking services and statistics) defined in Subsections 3.1.3 and 3.3.
You do not need to pre-register in the Application to use the “Navigation” service alone.
3.1.2 Registration in the Application
All other services of the Data Controller (beyond the “Navigation” service) are only available in the Application, or the Data Controller can only send customized advertising messages, if you have pre-registered in the Application. The purpose of registration is to enable the Data Controller to identify you to the extent necessary for these services and for the marketing purposes.
You can register in the Application either directly (by entering your information in the Application) or with your existing Facebook or Google user accounts, or in the case of iOS devices with your Apple user account.
In the event that the User has a social media account (e.g. Facebook, Google) or Apple user account, they will have to provide additional data for the registration, after authentication has been completed.
The data generally collected during registration and during the use of the Application as well as the related purposes and legal basis of their processing are summarized in the table below.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| User’s first and last name, and a password in the case of registering with the use of non-social media or Apple ID | Identifying the User, keeping contact with the User | Fulfilment of the Contract |
| User’s date of birth | Verifying whether the User is over 16 years of age or older | Fulfilment of the Contract |
| E-mail address | Confirming registration by the User (except, if registration was made by using social media or Apple ID), confirming successful registration by Service Provider, and keeping in contact in relation to the services | Fulfilment of the Contract |
| User’s gender and postal code of their home address (non-mandatory data to be provided and stored only if the relevant consent is given) and the fact granting consent and date of the consent | Designing the content of a personalized electronic marketing message (including the parameters of special discounts sent in the marketing messages) (“profiling”) | Consent
The fact of granting consent and date of the consent, as personal data, will be processed by the Data Controller on the basis of its legitimate interest to be able to verify compliance with data protection requirements. |
| Data generated during the use of the Application, if it is technically necessary to use certain functions (e.g. date of registration, last time of changing the user password etc.) | Ensuring the technical conditions for the appropriate and safe use of the Application | Fulfilment of the Contract |
| User IDs generated by the Data Controller | Ensuring the technical conditions for the appropriate use of the Application (the Data Controller collects and stores your data in several IT systems, in order to ensure that individual data in the systems can be assigned to you, thus ensuring the accuracy of the data, and in order to ensure the foregoing the Data Controller uses user IDs) | Fulfilment of the Contract |
| Social media ID, if different from the e-mail address (it is also possible to register directly in the Application, in which case these data will not be processed) | Registering in the Application (if the User registers through a social media account) | Fulfilment of the Contract |
| Data contained in this table, mandatory data, or any data generated otherwise during the use of the Application | Exercising or defending potential legal claims arising from the Contract. | It is in the legitimate interest of the Data Controller to be able to identify the User in the event of exercising or defending any legal claim, and to hold adequate evidence. |
With the exception of the non-mandatory data marked in italics in the above table, the User shall be required to provide all the above data during registration, as without these the Data Controller will not be able to fulfil its obligations under the Contract. Furthermore, in the absence of contact details, the Data Controller would not be able to manage or maintain the existing contractual relationship with the User and to inform the User in a timely manner about relevant information related to the Contract (e.g. amendments to the general terms and conditions). With regard to non-mandatory data, it is important to know that we may only use those for purposes that require your express consent, so if you provide those during registration, but do not consent to the sending of individual marketing offers and the related profiling, these data will not be recorded, therefore, we will not process those in the absence of a legal basis.
Data retention period: With the exception of data based on consent, we will process the data indicated in the table above during the term of the Contract, while the data required for the exercising legal claims will be processed until the end of the civil limitation period (as a general rule, 5 years from the due date of potential claims arising from the Contract) until the final conclusion of the relevant legal proceedings (including possible enforcement). Please note that if you do not register with a Facebook, Google or Apple account, successful registration with the Application (as set out in the General Terms and Conditions of the Application) also requires you to confirm your registration (via the so-called two-factor authentication), for which you have 30 days from providing your registration data. After the expiration of this deadline, we will provide an additional 30 days to complete the registration by sending a reminder. In case of failure to confirm the registration, the data provided during registration will be anonymised after the expiry of the 60-day period calculated based on the foregoing.
For data processing based on consent, see Section 2 of this Notice.
Please note that the Data Controller uses the registration data for parking services (Subsection 3.1.3), the “ETELE Club” loyalty program (Subsection 3.1.4), marketing messages (Subsection 3.2), and for statistical purposes (Section 3.3). , and in connection with compliance with Application terms of use (Subsection 3.5).
3.1.3 Parking services
In the Application, you can use the following parking services:
- the “Where did I park?” function will help you to find the parking level or zone in the parking garage of ETELE Plaza on the one hand, and on the other hand will direct to this parking level or zone;
- you can pay the parking fee by using the Application (ticketless/“smart” parking).
In order to provide these services, the Data Controller operates a license plate recognition system and Bluetooth sensors in the parking lots of ETELE Plaza. With the help of these, the Data Controller records the license plate numbers of the vehicles entering the parking lot, and the place and time of the entry. The Application only allows the payment of the parking fee and the use of “Where did I park?” service, if you enter your license plate number in the Application before entering the parking garage, and thus the Application can identify you as a user registered with a given license plate number read out by the license plate recognition system. The license plate can be deleted from the Application at any time, but in that case these services cannot be provided by the Data Controller any longer.
The “Where did I park?” feature is provided in the following manner:
You register your license plate number in the Application, and then the parking space (zone or level) of your vehicle is identified by the license plate recognition camera system installed in the parking garage, and the Application guides you to the parking level or zone where you parked your car by using the navigation shown in Subsection 3.1.1.
In connection with the services related to parking, the Data Controller will process your data indicated below, for the purposes and on the legal basis as defined in the table below. Data marked in italics in the table below is required to perform both parking services.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| License plate number of the User’s vehicle | Provision of parking services | Fulfilment of the Contract |
| Date and time of entering and exiting the parking garage by the User, amount payable, fact of payment by credit card / through the Application / by redemption of Etele points, type of parking space (VIP or standard), payment transaction ID, payment status, parking discount rate | Ensuring payment of the parking fee | Fulfilment of the Contract |
| Retaining the accounting and tax documents resulting from parking service | Legal obligations to retain the accounting and tax documents | |
| The actual position of the User (geolocation data), if the User enables positioning on their mobile phone or turns on the Bluetooth feature, and the number of the last parking zone the User has entered, and number of the space potentially entered manually | Ensuring the availability of the “Where did I park?” function | Fulfilment of the Contract |
| Unique ID of the parking operation | Ensuring the availability of parking services | Fulfilment of the Contract |
Data retention period: any personal data recorded in relation to your position with the help of the “Where did I park?” function will be processed until the service has been completed, i.e. until you leave the parking lot.
In connection with the service related to the payment of the parking fee through the Application, the Data Controller will keep the above data for the purpose of establishing and exercising any legal claims until the end of the general civil limitation period, i.e. for 5 years from the date of payment of the parking fee through the Application – during this time period you can also access your parking history in the relevant menu item of the Application. In the case of accounting and tax documents, any data required for this purpose shall be retained for the time period prescribed by law (accounting records: 8 years, tax records and documents: end of the calendar year affected by the tax return obligation + 5 years).
In the event that the User records one or more license plates in the Application, the license plate will be stored until the User deletes it from the Application to ensure the availability of the convenient service, where parking data is automatically recorded through the Application and the User does not have to enter their license plate number for each parking operation in the Application.
Please note that the Data Controller will also process certain data related to parking in accordance with Subsections 3.1.4, 3.2 and 3.3 (for the purposes of participating in “ETELE Klub” loyalty program, and for marketing and statistical purposes).
3.1.4 “ETELE Klub” loyalty program services
The Data Controller wishes to reward the Users for their loyalty, i.e. for their purchases and other activities in ETELE Plaza, within the framework of the “ETELE Klub” loyalty program (“Loyalty Program”). Within the framework of the Loyalty Program, the Users, in accordance with the provisions of the Contract (General Terms and Conditions of the Application) may receive loyalty points, so-called Etele Points. Customers may earn and collect loyalty points, and then redeem Etele Points and convert them into discounts through the Application.
The number of Etele Points collected by the User depends on:
- the purchase amount, as the number of Etele Points is determined based on the value of the purchase;
- he place of purchase, given that not all stores located in ETELE Plaza participate in the Loyalty Program; and
- the date of purchase, as the User may initiate the crediting of Etele Points in the Application within two weeks from the date of the receipt issued for the purchase,
- other ongoing or periodic point collection options as determined by the Data Controller, for example the User’s birthday.
Etele Points can be collected based on the User’s purchases in the manner that the User takes a photo of the invoice (receipt) issued by the store participating in the Loyalty Program, and uploads the photo in the Application. Please note that in order to credit Etele Points, the Data Controller must use only the string starting after the AP letter code for the unique identification of the cash register (“AP code”, which consists of a letter “A” and eight numeric characters), the grand total and the date and time of the purchase (hour, minute). Therefore, if you do not want to share other details of the receipt (in particular, the list of purchased products) with the Data Controller, take a photo of the receipt (e.g. by folding the document or obscuring the data) so that only these three elements appear in the photo. Please also note that the AP code on the document image, the total amount of the receipt and the date of purchase are read from the receipt by the native character recognition software of your mobile device, and the Application transmits these data to the Data Controller, provided that you confirm, prior to transferring such data, that these pieces of information were. If you fail to confirm the accuracy of such data, or if your mobile device does not have such character recognition software, Etele Points will not be credited.
The User will be entitled to convert the Etele Points acquired within the framework of the Loyalty Program into discounts in accordance with the provisions of the Contract (as per the general terms and conditions of the Application).
The Data Controller will also credit Etele Points on the basis of other circumstances, including the processing of additional personal data, in accordance with the effective provisions of the Contract and the announcements published thereof. Thus, in particular, the processing of birthday data may result in the crediting of Etele Points, so that the User to receive extra Etele Points on their birthday. In addition, other activities (e.g. uploading of receipt the first time, or registration itself) may involve earning Etele Points. The processing of all this data is essential to establish entitlement to the credits, and to actually credit the related points.
The Data Controller may also organize marketing campaigns on an ad hoc basis, which provide another opportunity to earn Etele Points. Participation in such campaigns may be conditional on the provision of additional personal data by the User, or if the use of previously provided personal data becomes necessary for different purposes in relation to the organization of these campaigns, we may request special consent for such different uses. Information on such data processing is available in the Privacy Notices of the relevant marketing campaign.
The legal basis and purpose of data processing performed in connection with the Loyalty Program, as well as the scope of data processing are summarized in the table below. The processing of all the data stated below are necessary to be able to participate in the Loyalty Program and to exercise the related discounts.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Data required for crediting Etele Points (AP code, date of purchase, amount of purchase), picture of the uploaded receipt | Crediting Etele Points, checking the conditions necessary for crediting Etele Points, checking the fulfilment of the conditions necessary for the discounts and services used for Etele Points, checking the fulfilment of the conditions necessary for redeeming Etele Points | Fulfilment of the Contract |
| Number of Etele Points (balance), discount or service validated with Etele Points, place and date of redemption of Etele Points | Providing discounts and services available in exchange for Etele Points under the Loyalty Program, redemption of Etele Points
Verifying that conditions required for the discounts and services used for Etele Points and the redemption of Etele Points have been met |
Fulfilment of the Contract |
| Unique transaction code for crediting and using Etele Points | Providing discounts and services available in exchange for Etele Points under the Loyalty Program, redemption of Etele Points
Verifying that conditions required for the discounts and services used for Etele Points and the redemption of Etele Points have been met |
Fulfilment of the Contract |
| Date of birth | Crediting Etele Points provided for a birthday | Fulfilment of the Contract |
| Uploading of receipt for the first time, completed registration and its date | Crediting Etele Points | Fulfilment of the Contract |
| Other personal data required for crediting Etele Points according to the effective rules of the Loyalty Program | Crediting Etele Points | Fulfilment of the Contract |
Data retention period: the data required for the crediting of Etele Points, uploaded in photo format and transmitted via the native character recognition software, and then confirmed by you, will be retained for one year from the date of the crediting the points. Verification of the uploaded documents for the purpose of crediting the points will take approximately two weeks from uploading, however, even after the expiry of this period, the uploaded image of the documents will be kept for one year from uploading to be able to verify the lawfulness of crediting the points even in the case of disputes or complaints, or for the purposes of preventing abuse or fraud, or for ensuring compliance with contractual terms and conditions and for exercising the rights of service provider. However, please retain the original document used for crediting Etele Points (uploaded in the Application) beyond the above referred retention period in the event that you have a complaint about the Etele Points credited thereof.
Any additional personal data processed in connection with the Loyalty Program, indicated in the table above, will be retained by the Data Controller until the end of the general civil law limitation period, i.e. 5 years from the last user activity in the Loyalty Program or, if it is earlier, 5 years from termination of the Loyalty Program by the Data Controller, for the purpose of establishing, exercising or defending legal claims. For the purposes of this section, user activity shall mean the uploading of documents in the Application, crediting Etele Points in any another way (e.g. uploading documents for the first time) or redeeming Etele Points.
Please note that the Data Controller will process certain data related to the Loyalty Program in accordance with Subsections 3.2 and 3.3 for additional (marketing and statistical) purposes.
3.1.5 Card payment in the Application
As defined in the Contract, the Application also allows the Users to pay for the services included in the Application with their bank card. For example, you can purchase a parking ticket in the parking lot of ETELE Plaza through in the Application. Acceptance and settlement of bank card payments shall not be performed by the Data Controller, but by OTP Mobil Kft. through the “SimplePay” service. However, in order to do so, the Data Controller must share some personal data with OTP Mobil Kft. so that the paying party (user) can be notified by a direct confirmatory message from SimplePay about the successful completion of the transaction, include the relevant transaction ID and data. These are the following:
- details of the card payment, such as date of the purchase, amount payable, currency, transaction IDs of the purchase;
- the User’s e-mail address.
For the purposes of card payments, OTP Mobil Kft. will also share personal data with the Data Controller. For example, OTP Mobil Kft. will inform the Data Controller about the status of card payment, whether the payment was successful or unsuccessful for any reason, or if the User has claimed a refund. In the latter case, the Data Controller will also receive information from OTP Mobil Kft. about the reason for the failure.
The purpose of processing the above personal data is to enable you to make purchases within the Application and to pay by card through the Application protected by the associated security measures. Once the purchase has taken place, the purpose of further retention of personal data is to enable the Data Controller to take actions, and, if necessary, to defend himself and to have access to the necessary information in the event of any legal claim regarding the purchase or for the above purposes, and to ensure that the Data Controller holds the accounting and tax documents of the purchases in accordance with the legal regulations within the relevant retention period. As the Data Controller has an obligation to pay fees and make settlements with OTP Mobil Kft in connection with transactions made through the SimplePay system, the Data Controller will also process the above personal data for this purpose, other than the User’s e-mail address.
If you have requested a VAT invoice in the Application, we will also process the data required for issuing it (company name, address, tax number, e-mail address for e-invoice delivery) for the purpose of issuing your invoice.
The legal basis of the Data Processing is the fulfilment of the Contract concluded for the provision of the service, including the possibility of credit card payment, in connection with the data processing purposes related to the payment of fees and invoicing. Once the purchase is completed, the legal basis for further processing and storage of data is on the one hand the legitimate interest of the Data Controller related to the exercising and defending of potential legal claims, and on the other hand the fulfilment of accounting and tax record keeping legal obligations. Data processing related to the Data Controller’s obligation to pay fees to and settle the accounts with OTP Mobil Kft. is based on the legitimate interest of OTP Mobil Kft. to be in possession of the certificates required for compliant fulfilment and for settlement of fees, so that they can reconcile the data needed for verifying proper performance.
We will process the above personal data during the term of the Contract, or until the end of the civil limitation period (i.e. 5 years from the due date of potential legal claims arising from the Contract) or until the final closure of the related legal proceedings (including possible enforcement). In the case of accounting and tax documents, the data required for this purpose shall be retained within the period prescribed by law (accounting records: 8 years, tax records and documents: end of the calendar year affected by the tax return obligation + 5 years). Please note that if you click on the “Pay” (or other similarly marked) button in the Application, you will be redirected to the online payment platform operated by OTP Mobil Kft. Or the financial institution designated by it, where you have to enter your bank card details in order to purchase must be successful. The payment page is not operated by the Data Controller, but by OTP Mobil Kft. or any other financial institution designated by it, so the Data Controller will under no circumstances have access to the bank card data thus provided!
For further information on data processing related to card payments please see the Privacy Notice accessible on the website of OTP Mobil Kft. (https://simplepay.hu/adatkezelesi-tajekoztatok/).
3.2 Marketing activity
3.2.1 Sending electronic marketing messages
To be able to inform the User in a timely manner about any events, prize games, discounts and promotions organized in the stores operating in ETELE Plaza, and to promote the shopping centre and its services, the Data Controller sends out electronic newsletters, advertising messages (electronic marketing messages) to the User.
Electronic marketing message shall mean
- an e-mail containing an advertisement (e-mail) sent to the e-mail address provided by the User in the Application,
- a so-called “push” notification sent to the User’s mobile phone, containing advertisements; and
- a “push” notification containing advertisements sent to the User’s mobile phone based on their position.
In the Application, the User may choose to receive electronic marketing messages through one or more of the above channels. In the absence of registration and selection of the desired sending channel, and in the case of consent given to sending marketing messages, the method used will be “push” notifications sent to the mobile device through the Application. If the User does not wish to receive marketing messages with regard to certain topics, but might be interested in other matters, offers, discounts and information on other product areas or services, the User may indicate their lack of interest in certain topics, in which case we will not contact them with further messages. These settings can be changed by the User at any time.
The Data Controller sends signals to the mobile device based on the position of the User determined by the Bluetooth-based location service. For example, if you are passing by or approaching a shoe store that is currently having special offers to its customers, we may call the User’s attention to this favourable opportunity in an e-marketing message according to their chosen communication channel. This requires the processing of the User’s actual position, as personal data, because this information is required for us to be able to send electronic marketing messages through the Application. Accordingly, if you have not consented to receiving these types of electronic marketing messages, or if you have not enabled location detection on your device or have not turned on the Bluetooth feature, your current position will not be processed as personal data for the purpose of sending electronic marketing messages.
The legal basis, purpose and scope of the data processing related to the sending of marketing messages are summarized in this table.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Name of the User, contact details provided by him and selected for marketing messages (e.g. e-mail address, actual position of the User) | Sending marketing messages to the User | Consent given by the User |
| Consent granted and the date of the consent | Granting of consent and the date of the consent are recorded and stored in order to verify data processing is compliant with the data protection requirements. | The Data Controller processes these data on the basis of its legitimate interest to be able to verify that data processing is compliant with the data protection requirements. |
Please note that as data processing for marketing purposes is in all cases based on consent, the User will be entitled to refuse or withdraw their consent at any time by sending a written request to the above address or to the e-mail address of the Data Controller, or by way of unsubscribing in a newsletter or through the Application (under settings). Withdrawal of consent shall not affect the lawfulness of data processing performed prior to such withdrawal. Refusal or withdrawal of consent shall not have any adverse legal consequences for the User, consent to the performance of the Contract under this clause shall not be a precondition, and its refusal or withdrawal shall not affect the terms of the Contract.
For more information on data processing based on consent, see also Section 2 of this Notice.
Please note that the Data Controller will process certain data related to the sending of marketing messages for additional (statistical) purposes in accordance with Subsection 3.3.
3.2.2 Sending personalized marketing messages
The Data Controller places special emphasis on the fact that all Users can participate in a unique, personalized experience in ETELE Plaza. In order to provide timely information to interested Users about products, services, events and discounts in their area of interest, the Data Controller will send personalized marketing messages based on their consent given in the Application in a manner appropriate to the User’s preference. The channels for sending such electronic marketing messages may be the same as those specified in Subsection 3.2.1 above. Please note that in order to ensure that the User is given fully personalized services, the Data Controller will place personalized advertisements for the User on the Application platform.
A special type of personalized marketing messages and personalized advertisements appearing in the Application are those electronic messages and advertisements that were provided by the Data Controller to the User with respect to special discounts and the related details concerning certain products or services at the Data Controller’s own discretion and based on prior consultation with the affected stores (e.g. discount rate, conditions, validity period).
To be able to send you messages and advertisements about the offers and discounts that are suited most to your interests and preferences, it is necessary for you, as User, to indicate your interests and favourites in the Application. The Data Controller will collect and analyse the “favourites” and “interests” provided by the User in the Application and other data related to the User’s use of the Application (e.g. data on the receipts uploaded in the Application under the “ETELE Klub” loyalty program, or data provided to the Data Controller by social media sites etc.).
Furthermore, the Data Controller finds it important to provide services both through the Application and in ETELE Plaza itself that satisfy the needs of the Users to the fullest extent possible. In order to explore and understand the needs of the Users, the Data Controller will conduct online opinion polls and surveys. The questionnaires are available in the Application, or will be sent by the Data Controller to the User by e-mail, if the User has consented to receiving such messages as per Subsection 3.2.1. The Data Controller will also analyse the responses given to these questionnaires, and will use them to create user profiles specified in this section, thus to create the content of personalized marketing messages and personalized advertisements displayed in the Application (including the definition of terms and conditions applicable to special discounts included in these electronic marketing messages and advertisements). If you do not wish to receive these, please do not complete the questionnaires.
Automated methods will be used to evaluate the User’s personal characteristics based on multiple data, and to draw the conclusions regarding the User’s personal preferences and interests. This means that our system designed to use a pre-defined algorithm, without human intervention, will compile a profile based on the interests as well as the stores and services marked as favourites in the Application, and based on the crediting of Etele Points and purchases made, as to what goods, services and events may be most suited to your interest, and will design the scope and content of the electronic marketing messages to be sent to you as well as the terms and conditions of the special discounts to be provided to you (e.g. persons eligible to receive special discounts, the discount rates). This process is also called automated profiling.
Please note that data processing performed in connection with the provision of special discounts published in the electronic marketing messages and advertisements will be considered as automated decision-making, given that based on the results of the automated profiling presented above, you may become eligible for benefits (this is called automated decision-making if the decision based on profiling has legal effect on you, or may significantly affect you). In doing so, we use the method and logic that if the information about your interests and favourites and the products and services you may be interested in can be deduced from the use of the Application, the relevant special discounts offered to you will be designed accordingly. In this context, we emphasize that automated decision-making will be used only for the purpose of determining the details of special discounts. Thus, when defining, sending and publishing the content of general electronic marketing messages or advertisements that do not contain special discounts, no automated decision-making will be applied that would have a legal effect on you, or would significantly affect you in any similar way, and no conclusions will be drawn and no messages will be sent to you under any circumstances that are based on your health condition, political opinion, religious or philosophical beliefs, racial or ethnic origin, sexual orientation, or other similar circumstances.
To be able to send personalised marketing messages, on the one hand, the same user data is processed as in Subsection 3.2.1. In addition, other data provided through the Application, in particular other personal data collected during the use of the Application, will be processed as indicated in the table below.
The legal basis, purpose and scope of data processing performed in connection with the sending of personalized marketing messages and the publication of personalized advertisements through the Application and with the provision of special discounts in these marketing messages and advertisements are summarized in this table.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Any data marked as “favourite” and/or “interest” in the Application and recorded during the use of the Application, e.g. data on receipts uploaded under the “ETELE Klub” loyalty program (date, place and final amount of purchase), Etele Loyalty Program balance , the responses given to the questionnaires, data provided by the User, data provided by the User during registration and the data provided by the social media sites to the Data Controller during login to the Application | Designing the content of personalised electronic marketing messages and personalised advertisements to be published in the Application, and determining the terms and conditions of special discounts provided in personalised marketing messages and advertisements (“profiling”) | Consent given by the User |
| Name of the User, contact details provided by them and selected for marketing messages (e.g. e-mail address, telephone number, actual position of the User | Sending electronic marketing messages with personalised content to the User | |
| Granting of consent and date of the consent | Granting of consent and the date of consent are recorded and stored in order to verify data processing was compliant with the data protection requirements. | The Data Controller processes these data on the basis of its legitimate interest to be able to verify that data processing was compliant with the data protection requirements. |
Please note that as data processing for marketing purposes presented in this section is based on consent, the User will be entitled to refuse or withdraw their consent at any time by sending a written request to the above address or to the e-mail address of the Data Controller, or by unsubscribing in a newsletter or by changing the settings in the Application. Withdrawal of consent shall not affect the lawfulness of data processing performed prior to such withdrawal. Refusal or withdrawal of consent does not have any adverse legal consequences for the User.
Please note that the consent given to receiving general marketing messages as per Subsection 3.2.1, and the consent given to receiving personalised marketing messages and to the publication of personalized advertisements as per Subsection 3.2.2 constitute independent, separate legal statements. Accordingly, a consent granted to one type of data processing activity does not include a consent to another type of data processing on behalf of the data subject. On the other hand, however, this also means that withdrawal of consent regarding one type of data processing activity does not result in the withdrawal of consent to another type of data processing, and does not affect the lawfulness of the other data processing activity.
Data retention period: for the above mentioned purposes related to marketing activities, we will process the relevant data until the purpose exists, but by all means until withdrawal of consent, at the latest.
For more information on processing based on consent, please see also Section 2 of this Notice.
Please note that the Data Controller will process certain data related to personalised marketing messages for additional purposes (statistical purposes) as specified in Subsection 3.3.
3.3 Statistical analyses
The Data Controller will also analyse data collected during the use of the Application for statistical purposes, in order to draw long-term, general conclusions in connection with the needs of the Users as well as to continuously improve its own services, and the services provided by the stores operating in ETELE Plaza, and with the intention of improving the services of the Application. However, we perform these analyses on anonymized or pseudonymised data that can no longer identify you, or you would be only identifiable based on these, if we combined the data from the analyses with other data that are managed separately.
In connection with the use of the Application, statistical and analytical analyses will also be transferred to the Data Controller after the anonymisation of user data by the service providers providing mapping services in relation to our “Navigation” service.
Anonymisation means that the Data Controller permanently deprives the personal data of all personal characteristics, on the basis of which the data subject (User) could be further identified. As a result, the statistical summaries provided to the Data Controller by the above-mentioned service providers in connection with the use contain completely anonymous data.
With regard to the use of data for statistical purposes, please note that according to Article 5 (1) (b) and Article 6 (4) of the General Data Protection Regulation, the use of personal data for statistical purposes, or the anonymization of data for statistical purposes (as data processing being different from, but at the same time compatible with the original data processing purpose) does not violate the requirement of purpose limitation.
The production of statistics and the anonymisation carried out for this purpose are based on the legitimate interest of the Data Controller and the stores operating in ETELE Plaza to ensure the continuous development of the services and of the Application, and to be able to perform analyses related to the operation of ETELE Plaza. The scope of the data processed in this context, the purpose and legal basis of data processing are summarised in the table below.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Data of registered Users related to the use of services recorded in the Application (e.g. parking data, Etele Point-related transactions, activity data, which service was used, marked favourites etc.) | Producing statistical analyses, and preparing reports | It is in the legitimate interest of the Data Controller to perform analyses for the continuous improvement of the Services and of the Application |
| Data collected on locations while the User uses the Application: location data, device descriptive data, map views, retrieved navigation data, time of entry to ETELE Plaza;
Data provided by users initiating, but failing to confirm the registration process |
Anonymisation for statistical purposes |
Data retention period: the Data Controller will not retain the data processed for statistical or anonymisation purposes separately in connection with these purposes, these data will be subject to the retention periods relevant to other data processing purposes according to this Privacy Notice.
3.4 Data backups
The Data Controller will make a backups for all data recorded in its IT system processed according to this Section3, for data security reasons. Thus, the Data Controller will make copies of the personal data sets described above at specific intervals, which are retained for a specified period of time, thus ensuring a high degree of recoverability of the original data set in the event of a possible data loss. The purpose of the backups is to ensure the uninterrupted operation of the processes related to the use of the Application in this Notice and in the Contract, even in the event of any malfunctions in the IT systems.
The legal basis, purpose and scope of data processing in connection with making data backups are summarized in this table.
| Scope of data managed | Purpose of data management | Legal basis for data management |
| All personal data stored in the Data Controller’s IT systems processed based on this Notice | Making backups, ensuring the restoration of the original data set, ensuring the uninterrupted operation of the processes requiring the processing of personal data listed in this Notice | It is in the legitimate interest of the Data Controller to ensure the uninterrupted operation of the processes related to the use of the Application, and of the services provided through the Application |
Data retention period: The Data Controller will make backups every 24 hours and keeps them for 7 days from the date of the backup.
3.5 Adherence to the Terms of Use of the Application
Users are only entitled to use the Application in the manner specified in the general terms and conditions. In order to check whether the User complies with the regulations for the use of the Application, in particular that the User’s activities do not infringe on the rights and legitimate interests of others (e.g. personal rights, intellectual property rights, usage rights) and on the proper IT operation of the Application, or do not endanger or are not infringing for any reason otherwise, the Data Controller will monitor the User’s activities in the Application, which means that it may have access to data related to the use of the Application for such purposes.
The Data Controller shall comply with Act CVIII of 2001 on Electronic Commerce Services and Information Society Services, and is required to carry out the procedure in accordance with the law in case the Data Controller becomes aware, either on the basis of information given by a third party or in any other way, that the User’s activity in the Application is unlawful, in particular if the data or uploaded content provided by the User violates any laws (e.g., infringes on any right protected by copyright or trademark law, or is considered as libellous or defamatory content).
The legal basis, purpose and scope of data processing regarding compliance with the rules for the use of the Application are summarized in this table.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| Data related to the User’s activity in the Application, and other data provided by or content uploaded by the User | Adherence to the Terms of Use of the Application | The Data Controller’s legitimate interest in exercising its legal claims arising from the Contract in the event of breach of contract, and in enforcing the obligations set out in the contractual terms and conditions for the use of the Application |
| Personal data required to carry out the procedure as per Act CVIII of 2001 on Electronic Commerce Services and Information Society Services, and personal data learnt during such proceedings (in particular the name of the beneficiary, address, telephone number, e-mail address, name of the infringer and the circumstances of the infringement) | Carrying out the procedure intended to remove unlawful content as per Act CVIII of 2001 on Electronic Commerce Services and Information Society Services | To meet the legal obligation to remove unlawful content as per Act CVIII of 2001 on Electronic Commerce Services and Information Society Services |
Data retention period: The Data Controller shall only retain the personal data generated during the procedure to remove or make inaccessible any unlawful content or personal data learnt during such proceedings carried out either pursuant to the provisions set out in the general terms and condition of contract or to the provisions of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services. These data will be processed by the Data Controller until the end of the civil limitation period (i.e. 5 years from the end of the proceedings) or, in the event of exercising any legal claim, until the final conclusion of the relevant legal proceedings (including possible enforcement).
3.6 Complaint handling
The User, as a consumer, will be entitled to file a complaint as per Act CLV of 1997 on Consumer Protection with the Data Controller in connection with the Application and with the services provided on the basis of the Contract.
In order to thoroughly investigate any complaints submitted by the User, to assess their validity, it is necessary to reveal the facts in detail, and thus to process the User’s personal data in particular, for the purpose and on the legal basis detailed below.
| Scope of data processing | Purpose of data processing | Legal basis of data processing |
| User’s name and contact details provided by them (e-mail address, telephone number and/or postal address) | Contacting the User, informing the User about the result of the investigation of the complaint | To meet the legal obligation to investigate any complaint pursuant to Act CLV of 1997 on Consumer Protection |
| The facts presented by the User in the complaint, the documents provided by the User and the content of the report regarding the complaint. | Detailed investigation of the User’s complaint | To meet the legal obligation to investigate any complaint pursuant to Act CLV of 1997 on Consumer Protection |
| Drawing a report to be prepared pursuant to Section 17/A(5) of Act CLV of 1997 on Consumer Protection | ||
| Drawing a report to be prepared pursuant to Section 17/A(5) of Act CLV of 1997 on Consumer Protection | ||
| (I) the place, time and manner of filing of the complaint; (ii) the place and date of recording the minutes; (iii) the User’s signature in the event of a personal complaint; and (iv) the unique identification number of the complaint. | Drawing a report to be prepared pursuant to Section 17/A(5) of Act CLV of 1997 on Consumer Protection | To meet the legal obligation to investigate any complaint pursuant to Act CLV of 1997 on Consumer Protection |
Data retention period: personal data related to the handling of complaints will be processed by the Data Controller in accordance Section 17/A(7) of Act CLV of 1997 on Consumer Protection. Act 17 / A. § (7) to meet its legal obligations.
4 Recipients of Personal Data, Categories of Recipients
Given the complexity of data processing, the amount of tasks involved and the complexity of the technical solutions required by the applied technology, the Data Controller will involve third parties in the data processing, using certain services from these persons, which require access to personal data. In other cases, personal data may need to be transferred or made available to a third party. Third parties who have access to the data in this way are considered to be the recipients of personal data.
The recipients of the data may be data processors who participate in the data processing on behalf of the Data Controller, acting in accordance with the Data Controller’s instructions, or other data processors who assist the work of the data processors, or so-called independent data controllers, who determine the purpose and means of data management independently, unrelated to the Data Controller, under their own responsibility. Independent data controllers are responsible for the lawfulness of data processing by independent data controllers, and these independent data controllers are obliged to inform the data subjects (natural persons involved in data processing) about the data processing operations performed by the independent data controllers.
The recipients of personal data, their status as processors (including secondary data processors) or independent data controllers, as well as their activities related to the activities of the Data Controller are summarized in the tables below.
4.1 Data processors (and secondary data processors)
| Name of data processor | Reason for the transfer / transmission / access reason / involvement of a recipient |
| Futureal Prime Properties One Real Estate Development Sub – Fund (1082 Budapest, Futó utca 43-45. 6th floor), FR Management Partnership CV Hungarian Branch Office (1082 Budapest, Futó utca 43-45. 7th floor), Futureal Management Kft. (1082 Budapest, Futó utca 47-53. 7th floor) | Involvement of data processors, contracting with them and coordination of their services |
| VividMind Zrt. (Registered office: 1118 Budapest, Ménesi út 24.) | Developing and supporting the operation of the Application
(The data processor may access the personal data during the testing of the contractual operation of the Application, in particular during the identification of errors and their rectification.) |
| Futureal Prime Properties One Real Estate Development Sub – Fund (1082 Budapest, Futó utca 43-45. 6th floor), | Provision of IT tools (servers) and services for the storage of a master database containing user data |
| Attention CRM Consulting Limited Liability Company (registered office: 1075 Budapest, Madách Imre út 13-14. Building T. 4th floor) | Operation and support of the master database containing user data |
| Salesforce.com, Inc. | Cloud-based IT service related to the “CRM system”, i.e. the customer relationship management system, which also contains the data stored in the master database |
| CloudForged, LLC | Amazon Web Services is a cloud-based hosting service |
| Amazon Web Services, Inc. | hosting service |
| H1 Systems Engineering Services Ltd. (1117 Budapest, Budafoki út 64.) | Camera system operation |
| Visio Globe SAS (Immeuble Silvaco ZIRST II, 55, rue Blaise Pascal, Montbonnot Saint Martin, Auvergne-Rhone-Alpes 38330) | Operation of a navigation map |
| Google Ireland Limited (Google Geofence Provider) | send a signal to switch between other navigation systems and the Application |
| Futureal Management Service Provider Limited Liability Company (registered office: 1082 Budapest, Futó utca 47-53. 7th floor); FR Management Partnership CV Hungarian Branch Office (1082 Budapest, Futó utca 47-53. 7th floor) | Creating marketing messages, and profiling |
| Swarco Traffic Hungaria Kft (registered office: 1103 Budapest, Gyömrői út 150.) | Parking system, license plate recognition operation |
| OTP Mobil Kft. | Credit card payment, receiving and processing payment transactions |
4.2 Independent and joint data controllers
| Name of the recipient | Reason for the transfer / transmission / access reason / involvement of recipient |
| The operator of the social media site used to log in to the Application (Facebook Ireland Limited; address: 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; Google Ireland Limited; address: Gordon House, Barrow Street, Dublin 4, D04e5w5, Ireland) or other login service provider (Apple Distribution International Limited; address: Hollyhill Industrial Estate, Hollyhill, Co. Cork, Ireland) | The social media or other service provider that accesses the Application through a registered account may access the personal data generated in connection with the login through its own devices (see the information for these data controllers referenced below). |
| OTP Mobil Kft. | Settlement of payment transactions |
| FR Management Partnership CV Hungarian Branch (1082 Budapest, Futó utca 43-45. 7th floor) and the sweepstakes organisers it involves | For the sweepstakes organized in connection with the registration in the Application, the data required in this area will be handed over to the organizer (see the data management information related to the sweepstakes). |
The Data Controller and Facebook Ireland Limited are considered joint controllers for the collection of data through the Application and the transfer of such data to Facebook Ireland Limited who:
- entered into an agreement on joint data management with the data controller appendix available at https://www.facebook.com/legal/controller_addendum. The Appendix sets out the data processing obligations of the Data Controller and Facebook Ireland Limited in accordance with the provisions of the GDPR;
- have agreed that it is the duty of the Data Controller to provide the Users with at least the information set out in Section 2 of the Appendix;
- have agreed that, in cooperation with the Data Controller and Facebook Ireland Limited, Facebook Ireland Limited will be responsible for exercising its rights under Articles 15-20 of the GDPR in respect of personal data held by Facebook Ireland Limited following joint processing.
Facebook Ireland Limited’s privacy policy is available at https://www.facebook.com/about/privacy. It provides further information on how Facebook Ireland Limited handles personal data, on what legal basis Facebook Ireland Limited carries out its data processing and what opportunities it provides for data subjects to exercise their rights.
Apple Distribution International Limited collects personal information in connection with your use of this Apple login service as an independent data controller when you sign in with your Apple ID. More information: https://www.apple.com/legal/privacy/pdfs/apple-privacy-policy-en-ww.pdf.
Google Ireland Limited collects personal information in connection with the use of Google login service as a separate data controller when the User signs in to their Google Account. Learn more at https://policies.google.com/privacy?hl=en.
By transferring personal data to the above recipients, the Data Controller does not transfer the Users’ data to third countries outside the European Union, however, data may be transferred to the third country by the above-mentioned independent data controllers. The Data Controller shall not transfer the personal data to any person other than the above recipients, unless the transfer is required by law, by any authority or court (for example, if any authority, inspection or supervisory body has access to the personal data file in the course of proceedings held in the electronic system or records, or if the Data Controller has an obligation to provide information to such authorities).
5 Data Subject Information Obtained from Other Sources
As a general rule, the User provide their personal data when registering in the Application or using the Application and using the services provided by us. However, there are cases in which the Data Controller obtains the data from another source. These cases are as follows:
| Scope of data processing | Source of data processing |
| Data transmitted to the Data Controller during registration via a social media service provider (with social login). | Social media providers (Facebook, Google) through which login is made in App. |
| License plate number, start and end time of parking, parking fee, parking discount category, parking discounts, data related to charging an electric vehicle | Parking system operator (Swarco Traffic Hungaria Kft) |
| Data provided by OTP Mobil Kft. In connection with bank card payment (status of bank card payment, reason for payment failure, request for refund, so-called chargeback data, settlement data) | OTP Mobil Kft. |
The Data Controller also processes those personal data of the User, which are specified in Section 3 of this Notice, which were created by automated inference process for the analysis and implication of personal preferences, interests, shopping habits of the User.
6 Rights of the Data Subject
6.1 Right of access
The User shall have the right at any time to request information whether their personal data are processed, and if so, in what manner such data are processed by the Data Controller, including the purposes of the processing, recipients to whom the personal data have been or will be disclosed, the source of information from where the Data Controller obtained such data, the retention period of such data, any right that they may have concerning the processing, and where personal data are transferred to a third country or any international organisation, the User subject shall have the right to be informed of the appropriate safeguards relating to the transfer. When exercising the right of access the User shall be also entitled to request copies of such data. Where the User makes the request by electronic means, and unless otherwise requested by the User, the information shall be provided in an electronic form (Pdf format) to the User. Where the right of access by the User would affect adversely the rights and freedoms of others, in particular the business secrets or intellectual properties of others, the Data Controller shall have the right to refuse the request of the User to the extent necessary and proportionate. For any further copies of the above information requested by the User, the Data Controller may charge a reasonable fee that is proportionate to the related administrative costs.
6.2 Right to rectification
The Data Controller shall rectify or supplement the personal data of the User based on any related request from the User. Where there is any doubt concerning any rectified data, the Data Controller may call upon the User to adequately verify, preferably by an official document, the rectified data for the Data Controller. If the Data Controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the Data Controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the User, the Data Controller shall inform the User of the identity of these recipients.
6.3 Right to erasure (“right to be forgotten”)
Where the User requests the erasure of any or all of his/her personal data, the Data Controller shall have the obligation to erase those without undue delay, if:
- the Data Controller does not need the affected personal data in relation for the purposes for which they were collected or otherwise processed;
- processing was based on the consent of the User, however, the User has withdrawn his/her consent, and there is no other legal ground for the processing;
- processing was based on the legitimate interest of the Data Controller or a third party, however, the User has objected to the processing, and there is no overriding legitimate grounds for the processing, except for objection to data processing for direct marketing purposes;
- the personal data have been unlawfully processed by the Data Controller, or
- the personal data have to be erased for compliance with a legal obligation.
If the Data Controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the Data Controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the User, the Data Controller shall inform the User of the identity of these recipients. The Data Controller shall not always be required to erase the personal data, in particular where e.g. the data processing is necessary for the establishment, exercise or defence of legal claims.
6.4 Right to restriction of processing
The User may request restriction of processing in relation to their personal data where one of the following applies:
- the accuracy of the personal data is contested by the User, in this case restriction of processing shall be applied for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful, but the User opposes the erasure of the data, and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise and defence of legal claims; or
- the User has objected to the processing, in this case restriction of processing shall be applied until it is verified whether the legitimate grounds of the Data Controller override those of the User.
Restriction of processing means that such personal data shall not be processed by the Data Controller or shall, with the exception of storage, only be processed with the User’s consent, or in the absence of such consent the Data Controller may also process these data for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The User shall be informed by the Data Controller before the restriction of processing is lifted. If the Data Controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the Data Controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the User, the Data Controller shall inform the User of the identity of these recipients.
6.5 Right to object
Where processing of data concerning the User is based on the legitimate interest of the Data Controller or a third party, the User shall have the right to object to processing of data. The Data Controller shall not be obliged to accept such objection, unless the Data Controller demonstrates
- compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User, or
- the data processing is related to the submission, enforcement or protection of the data controller’s legal claims.
6.6 The right to data portability
The User shall have the right to receive the personal data concerning him/her, which he/she provided to the Data Controller based on consent or on a contract, and are processed by the Data Controller by automated means (e.g. in a computer system), in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller, or the User shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. In the case of such requests, the Data Controller shall make available the requested data in Pdf file format. Where the exercise of the right to data portability by the User would adversely affect the rights and freedoms of others, the Data Controller shall have the right to refuse to comply with the request of the User to the extent necessary. A measure taken in the field of data portability shall not mean the erasure of the data, unless the User has submitted a request for erasure at the same time, in the absence thereof, the Data Controller continues to retain the data, until any purpose for processing or an appropriate legal basis exists.
6.7 Automated decision-making and profiling
As described in Subsection 3.2.2 of this Notice, the Data Controller performs automated profiling in connection with the Application only with the prior consent of the User by comparing the User’s personal preferences and certain Application usage data. However, as also noted in the subsections, automated profiling for the purpose of sending personalised marketing messages and personalised advertisements shall not be performed, while profiling, or so-called automated decision-making will be performed for the purpose of providing special discounts.
Thus, since the processing of data by the Data Controller in connection with the granting of special discounts constitutes automated decision-making within the meaning of point c) of Article 22(2) of the General Data Protection Regulation, the Data Controller grants the User the right to:
- request the intervention of a person with the appropriate authority and authorisation (human intervention) over the Data Controller to control and possibly override such decision-making;
- express their views on automated decision-making; and
- file an objection to the decision with the Data Controller.
Furthermore, the Data Controller will ensure that the person performing the review evaluates all available data and facts, including any additional data provided by the User.
6.8 Objection
Given that certain data are processed by the Data Controller on the basis of a legitimate interest (see above, detailed according to the individual functions of the Application, which set out the legal basis for data processing for each purpose), we expressly and specifically draw the Users’ attention to the right to object, which they can practice in the form of a relevant written declaration. In this case the data affected by objection shall be erased by the Data Controller without delay, unless those are necessary for the defence or exercise of legal claims, or unless the objection is made against the Data Controller’s processing based on such compelling legitimate interest that overrides the interests and rights of the User as opposed to our interest related to such data processing.
6.9 Right to lodge a complaint and right to remedy
If the User considers that the processing of his/her personal data by the Data Controller infringes the provisions set out in the effective data protection legislations, in particular the provisions of the GDPR, he/she shall have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”). Contact information for NAIH:
Website: http://naih.hu/
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf . 9.
Phone: + 36-1-391-1400
Fax: + 36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The User shall have the right to lodge a complaint with another supervisory authority, in particular with a supervisory authority established in a Member State where their habitual residence, workplace is situated or the alleged infringement has taken place.
The User, regardless of their right to lodge a complaint, may also engage in legal proceedings in case of an infringement referred to above. In the case of the Data Controller, the competent court shall be the Budapest Metropolitan Court, however, the User may also bring a court action before the tribunal where their place of residence is situated. The contact details of the tribunals in Hungary can be found at the link below: http://birosag.hu/torvenyszekek. Furthermore, if the User’s habitual residence is situated in another member State of the European Union, the User may also engage in legal proceedings before any competent court having jurisdiction in the Member State where his/her habitual residence is situated. The User may also bring proceedings before a court against any binding decision of a supervisory authority concerning the User. The User shall also have the right to a judicial remedy, where the supervisory authority does not handle a complaint or does not inform the User within three months on the progress or outcome of the complaint lodged by the User. The User shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of Users’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his/her behalf, to initiate a judicial review of the decision adopted by the supervisory authority, to bring an action on his/her behalf, to exercise the right to receive compensation on his/her behalf.
7 Time period Available to Respond to the request Submitted by the User
The Data Controller ensures that in the event that the Users exercise any of their rights in connection with the processing described in this notice and turn to the Data Controller in this regard, the Data Controller shall respond to such requests without undue delay, but no later than within one month, at the latest, excluding the withdrawal of consent, where they shall take action without delay to erase the data processed based on consent.
The time period specified in the above paragraph may be extended by two further months where necessary, taking into account the complexity and number of the requests. In this case the Data Controller shall inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the User makes the request by electronic means, the information shall be provided by electronic means where possible.
* * *