MÁV-START e-Ticket (online ticket purchase)

Privacy Policy

1. Data manager

Name:

Registered address:

Registration number:

Court of registration:

VAT Number: E-mail:

MÁV-START Railway Passenger Transport Co. (hereinafter "MÁV- START Co." or "Data Manager")

Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary

01-10-045551

The Budapest Metropolitan Court as Court of Registration

13834492-2-44

eszrevetel@mav-start.hu

2.The purpose and legal base of the data management, range of collected information, duration of data storage

2.1. The purpose and legal base of the data management

Data Manager handles the personal data of its passengers/clients in order to:

·register the user in the Online Ticket Sales System of MÁV-START (hereinafter: "e-Ticket"), based on the consent of the user in accordance with Article 6 (1) (a) of GDPR;

·fulfil the contract created by purchasing the tickets, based on the provisions of Article 6 (1) (b) of GDPR, and Article 169 (1) and (2) of the Act on Accounting.

MÁV-START Co. may use the aggregated and / or anonymised sales data for statistical purposes. No personal data can be recovered from this kind of data.

The passenger permits the above data handling by: using the e-Ticket system; purchasing a ticket in the e-Ticket system; declaring it at the time of contributing a comment or complaint; or starting the journey.

For other than the above purposes (e.g. marketing), MÁV-START Co. handles the passengers' or clients' personal data only, if MÁV-START Co. informed the person about it, and the person has given his/her explicit consent to it.

2.2. Range of collected information

MÁV-START Co. handles the personal information in the e-Ticket system:

·in case of registration: name and e-mail address of the User

·in case of ticket purchase: e-mail address, invoicing data (name, address, tax number), name and date of birth of the passenger(s), data of the purchased product(s) (route, rate and entitlement of reduction, validity period, quantity), any additional data required to travel with the product in accordance with the applicable regulation of the product (e.g.: ID number).

The e-train-tickets purchased from the e-Ticket system are personalised tickets, therefore the name and date of birth of the passenger is indicated on the ticket. Pursuant to the Act No XLI of 2012 (Passenger Transport Act), the Railway Undertaking shall be entitled to check whether the personalised ticket is used by the person indicated on the ticket.

The e-Ticket system does not verify the accuracy of the information provided. The correctness of the data entered is solely the responsibility of the person providing it. By providing the e-mail address, the User will also be liable for the sole use of the provided e- mail address. With respect to this responsibility, any liability associated with a log-in with an e-mail address will be borne exclusively by the User who registered the e-mail address.

MÁV-START Co. stores the following data recorded automatically in the log files:

·e-mail address used for log-in,

·activities and their exact time made during purchasing in e-Ticket,

·IP address of the connected device.

The above data is recorded automatically by the e-Ticket system, without any user interaction. Unless otherwise stated by the law, these data cannot be linked to other personal information of the user. The data can only be accessed by MÁV-START Co. and the system operator.

2.3. Duration of data handling

MÁV-START Co. handles the personal data only for the time necessary for the purpose of data management (e.g. until arranging the complaint or comment; withdrawal of consent; statistical processing of asserted claims; etc.), or until the deadlines set by the applicable tax, security or other regulations. To record the rights and obligations regarding invoicing, the purchased product(s) and electronic invoice(s) are stored for 8 years from the date of purchase based on the provisions of Article 169 (1) and (2) of the Act on Accounting.

2.4. Possibility of data transfer

Data Manager is entitled and obliged to transmit any legally stored and available personal data to the competent authorities, when obliged by law or by statutory obligation. MÁV-START Co. cannot be held responsible for such data transfers and their consequences.
In the case of an online payment, Data Manager complies with the data transfer obligation set out in the PSD2 Directive. Data Manager cannot be held responsible for this data transfer and its consequences. With prior informing the passenger, MÁV-START Co. may transfer the e-mail address and name assigned to the user profile, and data regarding the purchase (including, but not limited to: data of the purchased product, log file) to the payment service provider for the purpose of customer support for users, confirming transactions and fraud analysis.

The personal data on the e-train-ticket and stored in the electronic code on the e-train-ticket may be known by the railway undertakings indicated on the ticket during the checking of the ticket and may be handled in accordance with their own privacy policies.

2.5. Recipient of data transfer:

The recipient of the data transfer is authorised to know the data in accordance with the PSD2 regulation, and for the purpose of customer support for users, confirming transactions and fraud analysis. Recipient handles the data in accordance with its own privacy policy.

Name:

OTP Mobil Szolgáltató Kft.

Registered address:

1093 Budapest, Közraktár utca 30-32

 

River Park K30., épület II.

Registration number::

01-09-174466

Court of registration:

The Budapest Metropolitan Court as Court of Registration

VAT Number:

24386106-2-43

E-mail:

ugyfelszolgalat@simple.hu

3. Information on the use of a Data Processor

Name:

MÁV Service Center Co.

Registered address:

Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary

Registration number:

01-10-045838

Court of registration:

The Budapest Metropolitan Court as Court of Registration

VAT Number:

14130179-2-44

E-mail:

helpdesk@mav-szk.hu

Location of data storage: Krisztina krt. 37/A, Budapest, H-1012, Hungary

Data Processor manages the data managed under point 2 for the period specified in point 2 and provides a complete IT service based on the contract with Data Manager.

4. Range of persons entitled to know the data

By Data Manager: staff of the department(s) responsible for operating the System; the staff of the Client Service; staff of the department handling the central refund.

5. Information on measures for data security

5.1.Data storage, security of data management

·MÁV-START Co. commits itself to ensure safety of passengers' and other clients' personal data it manages. Personal data are handled non-public, in increased security IT systems, and are prevented from accidental destruction, unauthorised access or modification. MÁV-START Co. ensures that personal data are disclosed to competent employees only, with high-level access control.

·In collaboration with Data Processor, Data Manager takes the necessary technical and organisational measures to:

o make the proper operation and functioning of the application in accordance with the IT Security Policies;

o ensure that eligible users access the application's functions and data according to their level of authority;

o take care of saving and storing data;

·observe the procedural rules necessary to enforce the provisions of the data protection legislation specified in point 9. The uploaded files are subjected to virus checking and other security screenings by the Data Manager through the Data Processor.

·The hardware elements of the System are located in the server room of MÁV Service Center Co. (Krisztina krt. 37., Budapest, H-1012. Hungary), as Data Processor.

·Data Manager takes all technical, organizational and organizational measures to protect the security of data handling, which provides a level of security appropriate to the data management; selects the IT tools used and operates them so, that the data treated:

o is accessible to all authorised persons (availability);

o is ensured to be credible and authentication (authenticity of data management); o can be proved to be unchanged (data integrity);

o is accessible only to authorised persons, and is protected against unauthorised access (confidentiality).

6.Rights and enforcement of rights

6.1. Right to request information

Information, data correction and limitation of data handling can be requested in written form from Data Manager through the contact details in point 1.

At the request of the User, Data Manager provides information about the handled data; the purpose, legal basis and duration of data handling; the name and address (seat) of the Data Manager; the name and address (seat) of the Data Processor and its activities related to data management; the contact details of the data protection officer; who and for what purpose receive or have received the User's personal data; and the User's rights regarding data management. The Data Manager shall provide the information in writing and in a legible form within the shortest possible time, but no later than within one month from the submission of the request. If necessary, considering the complexity and number of requests, this time limit may be extended by two months. If the request for information is unfounded or - especially because it is repetitive - excessive, Data Manager may set a cost reimbursement or deny taking action based on the request.

6.2. Right to withdraw consent

Consent to data handling can be withdrawn any time, but the withdrawal does not affect the legality of the data handling based on the consent before the withdrawal.

6.3. Right to access

User is entitled to receive feedback from Data Manager as to whether his/her personal information is being processed.

Based on the right to access the User is entitled to access to personal data relating to ongoing data management and to the following information:

·purpose of data management,

·the categories of personal data concerned,

·duration of data handling,

·who and for what purpose receive or have received the User's personal information,

·the User's rights regarding the data handling,

·the right to submit complaint to the supervisory authority.

By the request of the User, Data Manager will provide the User a copy of the personal data that is the subject of data processing, as long as it does not adversely affect the rights and freedoms of others. Data Manager may apply an administrative fee (cost reimbursement) for the additional copies requested.

6.4. Modifying (correcting) and deleting data

Modification (correction) of inaccurate personal data and supplementing incomplete data can be requested in written form through the contact details in point 1.

User can request the deletion of his/her personal data in written form through the contact details in point 1. if: the data handling is unlawful; the purpose of data management is terminated; the consent to data handling has been withdrawn; the specified deadline for storing the data has expired; and it is ordered by a court or authority.

Of the correction of deletion of the data the Data Manager notifies the requesting person and those who have received the data for data handling. Notification can be omitted if the legitimate interest of the requesting person regarding the purpose of data handling.

Data Manager does not delete personal data if it is necessary to submit, enforce, or protect legal claims.

Certain personal data can be modified within the e-Ticket system by the User.

Personal and other data related to the user account will be deleted in several steps in accordance with the legal regulations detailed in the Privacy Policy accepted during the registration to the e-Ticket system.

The cancellation of the e-mail address and registration data that belong to a non-activated registration can be requested through the Customer Service by entering the e-mail address.

An activated user account can only be deleted in the e-Ticket system by using the Delete registration feature.

A user account can only be deleted, if all the tickets in it have expired or have been refunded. A user account containing valid tickets or tickets marked for refund cannot be deleted.

Clicking the Delete registration button will promptly delete the following data in the database:

·first and last name provided at the time of registration,

·invoicing data recorded by the user, which can be selected for invoicing,

·identifiers required to pay in the SimplePay payment associated with card data stored in the payment system.

By tapping the Delete registration button the registered e-mail address (user account ID) will be marked for deleting, which means that the user account will no longer be available. Previously purchased tickets and invoices can be accessed from database for a period of one year from the date of cancellation based on the registered e-mail address, if a claim or other legitimate request arrives to our Client Service.

On the 366th day after initiating the deleting of the account the data will be archived for the purpose and duration mentioned in 2.3.

6.5. Blocking of data (limitation)

Blocking (limitation) of personal data can be requested in written form from Data Manager through the contact details in point 1. if:

·the User disputes the accuracy of personal data (in this case, the restriction applies to the period during which Data Manager checks the accuracy of the data);

·data handling is illegal, but the User opposed to the deletion of data and requests them to be blocked or limited;

·the purpose of data management has ceased, but the User needs to submit, enforce or protect legal claims.

Blocking (limitation) lasts until the reason you specify makes it necessary. In this case the personal data will only be handled - excluding storage - with the consent of the User; or to submit, enforce or protect legal claims; or to protect the rights of another natural or legal person; or to deal with important public interest. The Data Manager informs the User in advance, if the data will be unlocked by the request of the User.

6.6. Right to appeal

In the event of violation of rights or in the event of disagreement with the decision of the Data Manager, the User may submit a complaint to the National Data Protection and Information Authority:

Name:

National Data Protection and Information Authority

Registered address /

Szilágyi Erzsébet fasor 22/c., Budapest, H-1125, Hungary / Pf. 5.,

Mailing address:

Budapest, H-1530, Hungary

Telefon:

(+36-1) 391-1400

Telefax:

(+36-1) 391-1410

E-mail:

ugyfelszolgalat@naih.hu

In the event of violation of rights or in the event of disagreement with the decision of the Data Manager, the user may appeal directly to the court competent for the address of Data Manager or for the address of the place of residence of the User, within 30 days of receiving the decision from the Data Manager. The court may hear the case without delay.

Further information in addition to the Privacy Policy can be requested through the contact information provided in point 1.

Comments, objections or information requests regarding the handling of personal data can also be sent to adatvedelem@mav-start.hu.

7. Sending information

Service Provider reserves the right to inform registered users about major changes to the operation of the System or major changes that affect the journey with the purchased tickets (e.g. new developments, force majeure, etc.) by e-mail.

8. Modifying the Privacy Policy

MÁV-START Co. reserves the right to change this Policy at any time by its unilateral decision. MÁV-START Co. informs all users of the changes in appropriate manner (e.g. in newsletter or in pop-up window). By using the e-Ticket system after the change of Privacy Policy, the User acknowledges the changed Privacy Policy, no further user consent is necessary.

9.Applied law

·Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR);

·Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (second Payment Services Directive or PSD2);

·Act No. CXII. on the right to sovereignty of information and the freedom of information;

·Act No. V of 2013 on Civil Law;

·Constitution of Hungary (Freedom and Responsibility, Article VI.);

·Act No XLI of 2012 on Passenger Services;

·Act No CVIII of 2001 on Electronic Commerce Services and Information Society Services;

·Act No C of 2000 on Accounting.

© MÁV-START Co. All rights reserved.