Privacy Policy

DATA CONTROLLER INFORMATION

We hereby provide the following information regarding the protection of natural persons with regards to personal information management and the free flow of such data, and the repealment of Decree 95/46/EC (general data protection decree), according to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April, 2016). This privacy policy regulates the data management of the following pages:

                vasutvill.hu

The privacy policy is available via the following links:

                vasutvill.hu

definitions

1. a) personal information: any kind of information related to an identified or identifiable natural person (“data subjects”); identifiable is the natural person who can be identified in a direct or indirect way, especially based on some kind of identification, e.g. name, number, location data, online ID, or one or more aspects of the biological, physiological, genetic, intellectual, economical, cultural or social characteristics of such natural person.

1. b) data management: any operation or operations, carried out either in an automated or a non-automated way, on the personal information or data sets, such as collection, recording, organization, distribution, storage, conversion or modification, query, lookup, use, disclosure, transfer, distribution or other type of making available, harmonization or matching, restriction, deletion or disposal.

1. c) data controller: a natural person or legal entity, public authority, agency or any other authority that constantly defines the purposes of personal data management individually, or with others; in case the purposes of data management are defined by EU or member state laws, the manager or the special aspects for appointing the data controller may also be defined by member state laws.

1. d) data processor: a natural person or legal entity, public authority, agency or any other authority that handles personal information o behalf of the data controller.

1. e) recipient: a natural person or legal entity, public authority, agency or any other authority that the personal data is communicated to, whether or not they are a third party. The public authorities who can access the personal data as part of an individual investigation, compliant with EU or member state laws, do not constitute recipients; the management of the above mentioned data by these public authorities must comply with the relevant data protection regulations, according to the purposes of data management.

1. f) third party: a natural person or legal entity, public authority, agency or any other authority that is not the same as the data subject, the data controller, the data processor or the persons who, under the direct management of the data controller or the data processor, are authorized to handle the personal information.

1. g) record keeping system: a data set of personal information, organized in any way, according to centralised, decentralised or functional or geographical aspects, accessible according to specified criteria.

1. h) data protection incident: a breach of security that results in the accidental or unlawful disposal, loss, modification, unauthorized communication or unauthorized access of data being transferred, stored or otherwise handled.

1. i) representative: a natural person or legal entity with a place of business or place of residence in the European Union, appointed by the data controller or the data processor in written form, according to Paragraph 27, representing the data controller or data processor in relation to the liabilities of the data controller or data processor pursuant to this decree.

1. j) company: a natural person or legal entity engaged in economic activity, irrespective of the legal form, including personal partnerships and associations engaged in regular economic activity.

Principles of data management

1. Legitimacy, fair procedure and transparency

The company carries out data management in a legitimate and fair way, transparent to the data subject (legitimacy, fair procedure and transparency).

2. Purpose limitation

The company collects data only for specified, clear and legitimate purposes,

and does not handle data in a non-compatible way (purpose limitation).

3. Data minimisation

The company carries out data management according to its purpose(s), in a relevant way, minimising data to the necessary level (data minimisation). Accordingly, the company does not collect or store more data than absolutely necessary for the purpose of the data management.

4. Accuracy

Data management by the company is accurate and up-to-date. The company takes all reasonable measures in order to immediately delete or rectify all personal information inaccurate from the aspect of the purposes of data management (accuracy).

5. Limited storage

The company stores the personal information in a format that makes personal identification of the data subjects possible for a limited time, necessary to achieve the data management purposes, according to the storage obligations specified by relevant legislative acts (limited storage).

6. Integrity and confidentiality

The company ensures appropriate level of safety of the personal information by using appropriate technical or organizational measures, including protection against unauthorized or unlawful handling, accidental loss, disposal or damage of personal information (integrity and confidentiality).

7. Accountability

The company is accountable for compliance with the above-detailed principles, and the company certifies such compliance (accountability). In accordance with the above, the company ensures continuous compliance with the regulations of this in-house policy, the continuous review of data management, and, if necessary, the modification and amendment of data management procedures. The company prepares documentation to certify compliance with statutory obligations.

data management

1. Contact via vasutvill.hu

The fact of data collection, the scope of managed data and the purpose of data management

Information about data management

2. Use of “Google Analytics”

The home pages of Vasútvill Kft. use Google Analytics, the web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files, stored on your computer, thus facilitating the analytics of the web page visited by the User.

The information created using the cookies related to the web page used by the User are normally sent to and stored on one of the USA-based servers of Google. By activating IP-anonymizing on the web page, Google truncates the User’s IP address upon its arrival at the server inside the European Union’s member states or in other states that are a party to the Agreement on the European Economic Area, before saving it in a mass storage. (https://support.google.com/analytics/answer/2763052?hl=en)

Sending the complete IP address to one of Google’s USA-based servers and having them truncated there is carried out in special cases only. Commissioned by the operator of this web page, Google will use this information to evaluate the use of the web page by the User, and to create reports on home page activity for the web page operator, and to provide other services related to web page and internet usage.

Google Analytics does not link the IP address provided by the user’s browser to other Google data. The User may prevent the storage of cookies by adjusting their browser accordingly, however, please note that not all features of this website may be fully accessible in this case. In addition, you may prevent Google from collecting and processing cookie data related to web page usage by the User (including the IP address) by downloading and installing the browser plug-in available on the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

3. Use of “cookies”

The fact of data collection, the scope of managed data and the purpose of data management

Information about data management

4. Other data handling

If a question arises during the use of our data management services, or the data subject has a problem, you may contact the data controller in the ways specified on the website (telephone, e-mail, social media sites, etc.).

The data controller will delete all the received e-mails, messages, and data received by phone, Facebook, etc., together with the name and e-mail address of the inquirer, and any other personal data provided voluntarily after a maximum of 2 years from the date of disclosure.

Further information on data management not listed in this policy will be provided when recording the data.

The Service Provider is obliged to provide or hand over information, or to make documents available upon the special request of certain authorities or other authorities based on authorization by legislative acts.

In such cases, the Service Provider issues personal data to the requesting party, if they specify the exact purpose and scope of the data, only to the extent strictly necessary to achieve the purpose of the request.

Data transmission, DATA PROCESSORS

The hosting provider

1. Activity provided by the data processor: Hosting service
2. Name and contact information of the data processor

            MEDIACENTER HUNGARY Informatikai, Szolgáltató és Üzemeltető Kft.

            H-6000 Kecskemét, Sostakovics utca 3. 2. em. 6.

            Company registration number: 03-09-114492

            Tax number: 13922546-2-03

3. The fact of data management and the range of handled data: All personal data provided by the data subject.
4. Data subjects: All the data subjects using the web page.
5. The purpose of data management: Making the website available and ensuring its proper operation.
6. Duration of data management, deadline for data deletion: Data management will go on up to the termination of the agreement between the data controller and the hosting provider, or the data subject’s request for cancellation to the hosting provider.
7. Legal basis for data processing: consent of the User, Paragraph 5, Article (1), Item 6, section (1), item a) of the Act on Information Technology, and Paragraph 13/A, Article (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

POTENTIAL RELIEF

The data subject may request information on the management of their personal data, and may request the rectification of their personal data or, with the exception of mandatory data processing, the deletion or cancellation of the data, or may request the restriction of data management, and may exercise their right to right to data portability and right to protest in the way indicated upon data collection, or via the customer service of the data controller. Regarding the data management procedures detailed in this policy, Vasútvill Kft. is the data controller.

Right to information

Upon request of the data subject, Vasútvill Kft. takes appropriate measures to ensure that all the information on the handling on personal information, mentioned in Articles 13 and 14 of the GDPR, and all the information according to Articles 15 – 22 and 34 are provided in a concise, clear, easy-to-comprehend way and in an easily accessible form to the data subjects, formulated in a clear and comprehensible way

Right to access of the data subject

The data subject is entitled to get feedback from the data controller about whether their personal information is being handled, and if such data management is in progress, they are entitled to access the personal data and the following information: purposes of data management; categories of the personal information involved; the recipients or the categories of recipients to whom or with whom personal data were or will be communicated, including in particular third-country recipients or international organizations; planned storage time of personal information; the right to rectification, deletion or restriction of data management and the right to object; the right to submit a complaint with the supervisory authority; information on data sources; the fact of automated decision making, including profiling, as well as the logic used and understandable information about the importance of such data management, and the expected consequences for the data subject. In the case of transfer of personal data to third countries or to international organizations, the data subject shall be entitled to be provided with appropriate information on the guarantees regarding the transfer. Vasútvill Kft. makes a copy of the personal data subject to data management available to the data subject. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject.

At the request of the data subject, Vasútvill Kft. provides the information in electronic form. The right to information can be exercised in a written form, using the contact information indicated on page 2 of this policy.

Upon request of the data subject, oral information may also be provided, provided there is verifiable proof of their identity, and upon their identification.

Right to rectification

Vasútvill Kft. rectifies personal data if it does not correspond to reality and the personal information true to reality is available to them.

Right to deletion

In case one of the following reasons exists, the data subject is entitled to request the deletion of the personal data relating to them by Vasútvill Kft., without undue delay:

Ø personal data are no longer needed for the purpose for which they were collected or otherwise processed;

Ø the data subject withdraws the consent on which the data management is based, and the data management has no other legal basis;

Ø the data subject objects to the data processing, and there is no legal reason for data management to be given priority;

Ø the personal information has been unlawfully treated;

Ø the personal information must be deleted in order to fulfil a legal obligation under an EU or member state law applicable to the data controller;

Ø the collection of personal information is related to the provision of information society services.

Data deletion cannot be initiated if data management is required for the following: to exercise the right to freedom of expression and information; fulfilment of an obligation under EU or member state law governing the processing of personal information by the data controller, or to carry out a task in the public interest or with an authorization assigned to the data controller; for public health or archiving, scientific and historical research purposes or for statistical purposes, in the public interest; or to submit, validate or protect legal claims.

Right to restrict data management

Upon the request of the data subject, Vasútvill Kft. restricts data management in case any of the following conditions is met:

• the data subject disputes the accuracy of the personal data, in which case the restriction refers to the period of time that allows the accuracy of the personal data to be verified;
• data management is unlawful, and the data subject is against the deletion of the data, and requests a restriction on their use instead;
• the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
• the data subject objected to the data management; in this case, the limitation shall apply for the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.

If data management is restricted, personal data may be handled only with the consent of the data subject, or with the submission, validation or protection of legal claims, or the protection of rights of other natural persons or legal entities, or in the public interest of the European Union or a member state. Vasútvill Kft. shall inform the data subject in advance of the lifting of the restriction on data management.

Right to data portability

The data subject is entitled to receive the personal data concerning them, made available by them to the data controller, in a delimited, widely used, machine-readable format, and to forward such data to another data controller.

Right to object

The data subject has the right to object at any time, for reasons relating to their situation, to the processing of personal data necessary for the performance of a task carried out in the public interest or with an authorization assigned to the data controller, or for the legitimate interests of the data controller or a third party, including profiling based on the above mentioned provisions.

In case of objection, the data controller shall not continue processing the personal data, unless it is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or by reasons related to the submission, validation or protection of legal claims.

The subject shall have the right to object at any time to the processing of personal information relating to them, including profiling, if related to direct marketing. In case of objections to the handling of personal data for the purpose of direct marketing, the data shall not be handled for this purpose by Vasútvill Kft. 

Automated decision-making in individual cases, including profiling

The data subject has the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effect on them, or by which they would equally be signifi   cantly affected. This right shall not apply if the data processing is necessary for the conclusion or performance of a contract between the data subject and the data controller; if it is made possible by EU or member state law, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or if it is based on the explicit consent of the data subject.

Right of withdrawal

The data subject is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent.

Procedural rules

The data controller shall inform the data subject without undue delay, but in any case within one month of receipt of the request, of measures taken pursuant to a request under Articles 15 – 22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this deadline may further be extended by two months.

The data controller shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request. If the data subject has submitted the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

If the controller does not take action upon the request of the data subject, they shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action, and of the fact that the data subject may submit a complaint to a supervisory authority and exercise their right of appeal.

Vasútvill Kft. provides the requested information and information free of charge. If the data subject’s request is clearly unfounded, or, in particular because of its repetitive nature, unreasonable, the data controller may charge a reasonable fee on the basis of the administrative costs involved in providing the requested information or taking the requested action, or refuse to take action based on the request.

The data controller shall inform all recipients of any rectification, deletion or restriction of data management carried out by them to whom the personal information has been communicated to, unless this proves impossible or requires a disproportionate effort. Upon their request, the controller shall inform the data subject of the recipients.

The data controller makes a copy of the personal data subject to data management available to the data subject. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

Compensation and grievance fees

Any person who has suffered material or non-pecuniary damage as a result of a breach of the Data Protection Regulation shall be entitled to compensation from the data controller or the data processor for the damage suffered. The data processor is only liable for damages caused by data management if they have not complied with the statutory obligations specifically imposed on data controllers, or if they have ignored or acted contrary to the lawful instructions of the data controller. If multiple data controllers or multiple data processors or both the data controller and the data processor are involved in the same data management, and are responsible for the damage caused by the data management, each data controller or data processor is jointly and severally liable for the entire damage. The data controller or data processor is exempt from liability if he proves that he is not liable in any way for the event causing the damage.

Complaint

In case you have any questions or concerns regarding the data management carried out by Vasútvill Kft., please feel free to contact our company using the contact information listed on page 2 of the policy.

Opportunity to complain

Complaint against a possible violation by the data controller may be submitted to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság):

Nemzeti Adatvédelmi és Információszabadság Hatóság

H-1125 Budapest, 22/C, Szilágyi Erzsébet fasor

Mail address: H-1530 Budapest, Postafiók: 5.

Phone: +36-1-391-1400 Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

This policy comes into effect on 1 August, 2019.