Data Controlling Policy

T-Systems Magyarország Zrt. as data controller (registered address: 1097 Budapest, Könyves Kálmán krt. 36., Trade Register number: Cg. 01-10-044852; tax ID: 12928099-2-44; “Data Controller”) pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (”General Data Protection Regulation”) hereby informs the data subjects about the processing of their personal data.

1. Name and contact details of the company performing data controlling:

T-Systems Magyarország Zrt. (registered offices: 1097 Budapest, Könyves Kálmán krt. 36. Trade Register number: Cg. 01-10-044852; tax ID: 12928099-2-44)

2. Name and contact details of the data controlling officer

dr. Attila Puskás (address: 1097 Budapest, Könyves Kálmán krt. 36.; email: DPO@telekom.hu.

3. Scope of the controlled data, legal basis for data controlling, purpose and duration of data controlling:

Purpose of data controlling:	Legal basis for data controlling:	Scope of the controlled personal data	Duration of data controlling:
The purpose of data controlling is to verify the connection between the purchase of tickets/passes for bicycle rental and the rental eligibility. Checking the validity of tickets/passes, notification of the users on the events related to their rentals, as well as issuance of accounting documents related to the purchased tickets/passes. Handling complaints and customer service requests, identification of users to the extent necessary for the former and distinguishing the users from each other.	Consent based on Article 6, Section (1) a.) of the GDPR.	Birth name Phone number E-mail address Residential address	Until revocation, but for no more than 5 years following the expiry of the ticket/pass.

Purpose of data controlling:

Legal basis for data controlling:

Scope of the controlled personal data

Duration of data controlling:

The purpose of data controlling is to verify the connection between the purchase of tickets/passes for bicycle rental and the rental eligibility.

Checking the validity of tickets/passes, notification of the users on the events related to their rentals, as well as issuance of accounting documents related to the purchased tickets/passes.

Handling complaints and customer service requests, identification of users to the extent necessary for the former and distinguishing the users from each other.

Consent based on Article 6, Section (1) a.) of the GDPR.

Birth name

Phone number

E-mail address

Residential address

Until revocation, but for no more than 5 years following the expiry of the ticket/pass.

[In case of data controlling based on consent (Article 6, Section (1) a.) or Article 9, Section (1) a.) of GDPR): The data subject is entitled to revoke his/her consent at any time. Revocation of the consent does not apply to the legality of data controlling prior to its revocation.]

4. Automated decision making (including profiling):

No automated decision making - including profiling - is performed in the course of data controlling.

5. Forwarding personal data, addressees and categories of addressees of the personal data:

In connection with data controlling, the Data Controller employs the following data processors:

Name, address, contact details of the data processor, activities related to data controlling
- EZÚS Pons Danubii s r.o., Nám. gen. Klapku 1, 945 01 Komárno, office@ponsdanubii.eu
- SuperFaktura, s.r.o., Pri Suchom mlyne 6, 811 04 Bratislava, info@superfaktura.sk

Personal data shall not be forwarded to third persons.

Personal data shall not be forwarded to third countries (i.e. to outside the European Union) or to international organizations.

6. Duration of storage period of personal data or criteria for the determination of the duration:

Until revocation, but for no more than 5 years following the expiry of the ticket/pass.

7. Rights of the data subject related to the data controlling:

In connection with the data controlling, the data subject is entitled the following rights:

a) right of access to the personal data related to the data subject,

b) right to correct the data subject’s personal data,

c) right to delete or restrict the data subject’s personal data - with the exception of mandatory data controlling,

d) right to data portability, provided that the conditions determined in the legal provision exist, and

e) right of objection in case of data controlling based on legitimate interests.

Right of access:

The concerned individual is entitled to receive feedback from the data controller as to whether his/her personal data are being controlled, and if such data controlling is in progress, then he/she is entitled to gain access to the personal data. The Data Controller makes copies of the personal data subject to data controlling available to the Data Subject. For additional copies requested by the Data Subject, the data controller may charge reasonable fees based on the administrative costs. If the data subject submitted his/her application electronically, the response shall also be given electronically, if possible, unless it was requested otherwise by the data subject.

Right of correction:

The data subject person is entitled to request correction of his/her personal, and the Data Controller is obliged to carry out such correction without delay.

Right of deletion:

The data subject person is entitled to request deletion of his/her personal data without unreasonable delay, and the Data Controller shall delete these personal data without unreasonable delay, if any of the following reasons are in place:

the personal data are no longer needed for the purpose they were collected for or controlled otherwise;
the data subject revokes his/her consent the data controlling is based on pursuant to Article 6, Section (1) a) or Article 9, Section (2) a) of the General Data Protection Regulation, and there is no other legal basis for data controlling;
pursuant to Article 21, Section (1) of the General Data Protection Regulation, the Data Subject objects the data controlling, and there is no preferred legitimate reason for data controlling, or the Data Subject objects the data controlling pursuant to Article 21, Section (2) of the General data Protection Regulation;
the personal data were controlled illegitimately;
personal data must be deleted to comply with the legal obligation stipulated by community or member state law applicable to the data subject;
personal data were collected in connection with offering services related to the information society referred to in Article 8, Section (1) of the General data Protection Regulation (conditions applicable to children’s consent).

Right to limit data controlling:

The Data Subject is entitled to request the data Controller to limit data controlling, provided that any of the following conditions are met:

the data subject disputes the accuracy of the personal data; in this case the limitation applies to the period available to the data controller to verify the accuracy of the personal data;
the data controlling is illegitimate, and the data subject objects the deletion of the data, and requests their limited use instead;
the data controller no longer needs the personal data for data controlling purposes, but the data subject requests them to submit, enforce or protect legal needs; or
the data subject objected the data controlling pursuant to Article 21, Section (1) of the General Data Protection Regulation; in this case, the limitation applies to the period, until the determination of whether legitimate reasons of the data controller have priority over the data subject’s legitimate reasons.

If data controlling is limited, then such personal data - except for storage - can only be controlled with the consent of the data subject, or to submit, enforce or protect legal needs, or to protect the rights of other natural or legal persons, or for important public interests of the European Union or a member state thereof.

Right of data portability:

Furthermore, the Data Subject is entitled to receive the personal data related to him/her and made available by him/her to the Data Controller in an articulate, broadly used format readable by machine, furthermore, he/she is entitled to forward these data to another data controller without being prevented by data controller to who he/she made the personal data available, if: (i) the data controlling is based on Article 6, Section (1) a) or Article 9, Section (2) a) of the General Data Protection Regulation, or on a contract pursuant to Article 6, Section (1) b) of the General Data Protection Regulation, and (ii) the data controlling is performed automatically;

Right of objection:

The Data Subject is entitled to object the controlling of his/her personal data pursuant to Article 6, Section (1) e) or f) for reasons related to his/her own situation, including profiling based on the provisions mentioned above. In this case, the data controller is no longer allowed to control the personal data, except if the Data Controller proves that data controlling is due to coercing legitimate reasons that have priority over the interests, rights and liberties of the data subject, or which are related to submission, enforcement or protection of legal requests.

If the personal data are controlled in order to directly acquire business opportunities, the data subject is entitled to object the controlling of his/her personal data for such purpose, including profiling, if it is related to direct acquisition of business. If the data subject protests against using his/her personal data for direct business acquisition, then the personal data must not further be used for such purpose.

General rules of exercising the data subject’s rights:

The Data Controller shall inform the data subject regarding the actions taken upon his/her request without unnecessary delay, but not later than within one month as of the receipt of the data subject’s request. If necessary - taking into consideration the complexity and number of the requests - this deadline can be extended by two additional months. The Data Controller shall notify the Data Subject on the extension of the deadline - with the identification of the reasons for the delay - within one month from receiving the request. If the data subject submitted his/her application electronically, the response shall also be given electronically, if possible, unless it was requested otherwise by the data subject.

The Data Controller shall provide the information and other action upon the request of the data subject free of charge. If the request of the Data Subject is obviously unfounded, or – especially due to its repetitive nature – excessive, the Data Controller may with respect to the administrative costs related to providing the requested information or taking the requested action:

charge a reasonable fee, or
refuse to take the requested action.

It is the obligation of the Data Controller to prove that the request is obviously unfounded or excessive.

Should the Data Controller have well-founded doubts as to the identity of the natural person submitting the request, it may request further information necessary for the confirmation of the data subject’s identity.

8. Possibilities for legal remedy:

With respect to controlling of his/her personal data, the Data Subject may at any time contact the Data Controller’s data protection officer (dr. Attila Puskás (address: 1097 Budapest, Könyves Kálmán krt. 36.; email: DPO@telekom.hu.

In the event of a violation of his/her rights, the Data Subject may take legal action against the Data Controller. The court will deal with the matter out of turn. It is the obligation of the Data Controller to prove that the data controlling is in compliance with the legal provisions. Settlement of the lawsuit is in the power of the tribunal, i.e. of the Budapest Tribunal in the capital city. The lawsuit can also be launched before the tribunal competent according to the residence or location of the Data Subject.

The Data Controller shall be obliged to compensate for the damage caused by illegitimate controlling of the Data Subject’s data or violation of the data security requirements. The Controller shall be released from the responsibility, if he can prove that the damage was caused by an unavoidable cause outside the scope of data controlling. The damage need not to be compensated for, if it was the result of the harmed party’s deliberate of grossly negligent behavior.

In case of complaints related to the controlling of his/her personal data, the Data Subject may also contact the Hungarian National Authority for Data Protection and Freedom of Information (dr. Attila Péterfalvi, Chairman of the Hungarian National Authority postal address: 1530 Budapest, PO: 5., address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; E-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

Date: Budapest, April 21, 2021