Information on Tickething Customer Data Processing
Controller: Tickething-Change Kft. Registered seat: 3360 Heves, Hunyadi út 25. Company Registry Number, Place of Registry: Company Registry Court of Heves County Regional Court E-mail: firstname.lastname@example.org Phone: +36 304068886 Tax identification number: HU25566734 (hereinafter referred to as the Controller).
To whom is this information addressed? This information on customer data processing addresses the data procession of all and any natural person partners of our Company who visit all or any of the following webpages: Tickething.hu, Tickething.com, Tickething.at, Tickething.de, Tickething.es and Tickething.fr webpages (hereinafter collectively referred to as Tickething webpages and provide us with their personal data in return for using our services.
Most signifcant legislations applied in our data processing procedure:
¢ GDPR (General Data Protection Regulation) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
¢ Act CXII of 2011 on the right of informational self-determination and on freedom of information
¢ Act V of 2013 from the Hungarian Civil Code ¢ Act CVIII of 2001 on certain issues of electronic commerce services and information society services ¢ Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities ¢ Act C of 2000 on accounting and its implementation ¢ Act CL of 2017 on the rules of taxation and its implementation
DEFINITIONS "personal data" means any information relating to an identified or identifiable natural person ("data subject"), an identifiable natural person is one who can be identfied, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person "data subject" means an identifiable natural person whose data has been provided (such as the visitor of the webpage, subscriber to the newsletter, job applicant). "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data "data processing" means the performance of technical tasks connected to data processing operations "processor" means a natural person or legal person, public authority, agency or other body which processes personal data on behalf (mandate, instruction or decision) of the controller "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data "consent of the data subject" means any freely given, specific, informed and umambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,
PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
¢ Personal data is processed merely for the duration and purpose stated in this information section.
¢ Processing of personal data is restrictied to those which are adequate and relevant to what is necessary in relation to the purposes for which they are processed. ¢ Only staff whose work relates to data processing may get access to personal data acquired by way of processing.
DATA PROCESSING ACTIVITIES
6.1. Webpage visit In order to prevent misuse and ensure and control the performance of our services, our webpages' visitors' personal data are recorded.
If a visitor visits our webpages, certain data of the device used during the visit will be automatically recorded (e.g.: PC, laptop, phone, notebook) including the exact time and date of the visit, IP address, a webpage from which the visit origins, browser's type, type of the operational system, and the domain name and address of the internet service provider. The webserver of the visited webpage automatically records the data without your declaration or action during the visit, from which the system automatically generates statistical data. This information is used exclusively in consolidated and aggregated form for statistical purposes and to enable us to enhance the user experience and improve the level of our services.
Purpose of our data processing: to control the service and prepare statistics. In case of data breach, the stored data may be used to track down the source of breach in cooperation with the visitors' internet providers and authorities.
Legal basis for data processing: Act CVIII of 2001 on certain issues of electronic commerce services and information society services, §13/A, section 3.
Most internet browsers automatically consent to cookies, however, the data subjects have the possibility to erase or refuse them. As every browser is unique, it may set its cookie preferences arbitrarily by way of its own devices. Should the user decide to refuse every cookie of the webpage, (s)he can modify the settings of the web browser to be informed of the sent cookie or can simply refuse every cookie. Moreover, the user may erase any cookies stored on his / her computer or mobile device. Please, find further information on settings in the support centre of the browser. However, refusal of all cookies may result in restricted use of the webpage.
Purposes of data processing: ¢ To enchance user experience by way of storing personal settings In case of webpage visit, the webpage identifies the data subject as an individual user by way of normal cookies to record the user's language settings and his / her login. ¢ Anonim statistical log The analytical software of the webpage stores anonim normal cookies after every visit to record the number of visits and the field of interest of the visitors. Every analytical information is stored without name (or any other personal data) and used for technical and marketing purposes. It helps us gain knowledge of the number of the visitors of our webpages, but not of their names. To this end, the analytical devices and the attached cookies of the following service providers are used:
¢ "Facebook Pixel": The data protection principles and rules of the service provider can be read here: " https://www.facebook.com/policies/cookies/ " https://www.facebook.com/about/privacy/update ¢ "Google Analytics" and "Google Tag Manager": The data protection principles and rules of the service provider can be read here: " https://policies.google.com/privacy?hl=hu " https://support.google.com/analytics/answer/6004245?hl=hu " https://www.google.com/safetycenter/everyone/start/ ¢ "Hotjar": The data protection principles and rules of the service provider can be read here: " https://www.hotjar.com/legal/policies/privacy " https://www.hotjar.com/legal/policies/cookie-information " https://www.hotjar.com/legal/compliance/gdpr-commitment ¢ "Mixpanel": The data protection principles and rules of the service provider can be read here: " https://mixpanel.com/legal/privacy-policy/
Legal basis for data processing: data subjects' consent to the abovementioned service providers Duration of data processing: There are two types of cookies: session cookies and persistent cookies. Both of them are stored in the browser until they are deleted by the user.
¢ Session cookies are stored by the computer, the notebook or mobile device only temporarily and they are deleted when the user ceases to visit the webpage. These cookies help the system remember information, as a result, the data subject is required to provide information only once. The validity of session cookies is limited to the session time of the user and it purports to avoid loss of data (eg.: in case of filling in a longer form). Upon termination of the session or closing the browser, this type of cookies is automatically deleted from the computer. ¢ Persistent cookies, however, are stored on the computer, the notebook or the mobile device even after the termination of the visit. These cookies assist the webpage in recognising an earlier visitor. Persistent cookies can be used to identify the subject by way of joining the identifier with the user, so they ensure the proper functioning of the system in every case where the identification of the user is a precondition (eg.: webshop, notebook, webmail). Persistent cookies do not contain any data in themselves and they can be used to identify the user by way of joining data found in the webserver's data base. The disadvantage of these cookies is that they identify the browser rather than the user, as a result, if the user visits the webpage in a public place (eg.: netcafé, library) and fails to close the program before leaving the place, it may happen that a second user of the same computer may get unathorized access to the given webshop simply by using the data of the first visitor.
Outer service providers also use web beacons to collect information with regard to evaluating user habits and serving advertisements. The function of web beacons is similar to those of the cookies, however, their refusal is not possible in the browsers. 6.3. Social network cookies
Features of social networks are available on the webpage, too. These features have an operational principle which allows them to read cookies and, in some cases, to place social network cookies on the users' devices. These cookies can make it possible to send targeted advertisement.
The Controller has no access to these cookies and the information collected by them.
The webpage may contain social network cookies of the following service providers:
¢ Facebook - The data protection principles and rules of the service provider can be read here:
o https://www.facebook.com/policies/cookies/ o https://www.facebook.com/about/privacy/update ¢ Google+ o https://policies.google.com/privacy?hl=hu ¢ Youtube o https://www.youtube.com/intl/hu/yt/about/policies/#community-guidelines ¢ Instagram o https://help.instagram.com/155833707900388 ¢ Twitter o https://twitter.com/en/privacy o https://help.twitter.com/en/rules-and-policies/twitter-cookies ¢ https://help.twitter.com/en/rules-and-policies/global-operations-and-data-transfer Linkedin o https://www.linkedin.com/legal/cookie-policy o https://www.linkedin.com/legal/preview/privacy-policy o
6.4. Facebook Tickething is available on Facebook, too. A Facebook user can subscribe to Tickething posts by clicking on the "Like" button on Facebook's Tickething page and can unsubscribe any time by clicking on the "Dislike" button on the same page. The user can also delete any unwanted post on his /her Facebook wall by choosing the appropriate settings on the message board.
Purpose of data processing: to notify the subject of news, products, news from Tickething webpages and to send propagatory articles, documents.
Legal basis of data processing: consent of the subject.
Duration of data processing: Tickething news appears on the data subject's Facebook wall until the data subject consents to it.
Purpose of data processing: to keep contact with the user, to answer questions or to solve the emerging problems.
Legal basis of data processing: consent of the subject.
Categories of processed personal data: name, email address.
Duration of data procesing: The messages and the processed personal data are deleted by the Controller after handling the given problem, complaint or answering the question. However, the Controller archives them for tax and accounting reasons or if it is necessary to ensure or protect the user's rights or interest. In this case, the Controller stores them until the end of the investigation.
6.7. Registration on the webpage
Certain Tickething services and products are available only for registered cases. The user who wishes to use Tickething services and products has to create a personal account on the webpage in order to improve the buying or selling activities on the Webpage in the future. Upon registration, the user accepts to be contacted by the Controller by using the given contact for direct marketing.
Purpose of data processing: to register the personal data necessary for using the Webpage.
Legal basis of data processing: consent of the subject. Categories of processed personal data: name, email address. Additionally, in case of Facebook registration, city and the number of Facebook friends.
Duration of data processing: it lasts until withdrawal of the user's consent.
How to withdraw consent: after registration, the user can withdraw his / her consent at any time by sending an email here: email@example.com. 6.8. Buying and selling on the webpage The unique feature of Tickething webpages is that they allow for both buying and selling online tickets. Data processing is necessary to ensure the smooth and transparent buying or selling experience, confirming, accepting and performing the transaction. Purpose of data processing: to ensure the successful buying, selling and exchange on the web. Legal basis of data processing: ¢ contractual basis in case of a natural person as a contractual party or
¢ legal interest in case of buying, selling or exchanging Tickething products on behalf of a natural person. It means the mutual legal interest of the Controller and the natural person who places the order and ¢ in connection with invoicing, performance of legal obligations related to data processing. Categories of processed data: ¢ in case of buying: name, email address. ¢ in case of selling: name, email address, bank account number. ¢ in case of invoicing: name, address to which the invoice shall be issued, data pertaining to the date of using the service. Duration of data processing: ¢ For contracts: 5 years as of performance. ¢ For invoice: end of the 8th year as of issuance of the invoice. 6.9. Selling of personalized tickets Tickething webpages allow for selling, buying and exchanging personalized tickets. In this case, to ensure the smooth and transparent execution of the transaction, all the data required for the invalidation of the original ticket and for issuing the new personalized ticket will be transmitted to the issuer/provider of the new ticket. Under Article 26 of GDPR, in the framework of mutual data processing, the issuer cancels the data shown on the original ticket (data of the seller or exchanger) and replaces them with the data of the buyer. In the course of mututal data processing, the issuer of the personalized ticket is represented by the Controller in relation to the subjects. Purpose of data processing: to ensure the successful buying, selling and exchange of personalized tickets on the web. Legal basis of data processing: ¢ contractual basis in case of a natural person as a contractual party or
¢ legal interest in case of buying, selling or exchanging Tickething products on behalf of a natural person. It means the mutual legal interest of the Controller and the company that places the order and ¢ in connection with invoicing and execution of legal obligations related to data processing. Categories of processed data: ¢ in case of buying with contractual basis: name, email address, number of identity or student card ¢ in case of selling with legal interest: name, email address, bank account number ¢ in case of invoicing: name, address to which the invoice shall be issued, data pertaining to the date, duration and location of using the service
Data sent to the issuer of the ticket: ¢ name of the seller and bar code of the sold ticket, ¢ name and identity card or student card number of the buyer.
Duration of data processing: ¢ For contracts: 5 years as of performance. ¢ For invoice: end of the 8th year as of issuance of the invoice.
6.10. Sending newsletters, advertisements The Controller sends newsletters and advertisements to potential customers about the services and products of Tickething webpages. Tickething regularly sends customer satisfaction surveys to its registered users and Tickething visitors. Filling them in is optional, however, the user and the visitor consent to the publication of his / her name and opinion by doing so.
Purpose of data processing: marketing activity to solicit new customers.
Legal basis for data processing:
¢ consent of the data subject or
¢ legal interest basis if the Controller has formerly gained access to the subject's data (eg: the data subject has already bought a product via Tickething). In this case, the Controller informs the data subject of the aim of data processing (marketing activity) and the legal basis upon their first contact after the change of legal basis. The subject may refuse this data processing at any time and, following this, the Controller ceases to process his / her data.
Categories of processed personal data: name, email address, field of interest in music, cultural events in certain cases. Duration of data processing: ¢ Legal basis is consent: data processing ceases upon the user's withdrawal of consent. ¢ Legal basis is legal interest: data processing ceases upon the user's refusal. How to withdraw consent to or refuse data processing: the user may withdraw his / her consent at any time by sending a letter to the following email address: firstname.lastname@example.org.
RIGHTS OF THE SUBJECTS
The data subject has the following rights detailed in chapter 7 relating to data processing. Should you, as a subject, wish to exercise your rights, please, contact Tickething in the following way:
e-mail address: email@example.com.
The Controller has the obligation to identify the subject natural person in every case before granting the request. It is forbidden to grant the user's request without prior identification. After identification, the Controller provides information concerning the request in writing in an electronic way. If the request has been filed in an electronic way, the Controller will answer in an electronic way, too. However, the subject may request the answer to be given in a different form. The Controller informs the subject of the actions taken regarding the request within maximum 1 (one) month as of the receipt of the subject's letter. If it is necessary, taking account of the high number or the complexity of the requests, this deadline may be extended to another 2 (two) months and the Controller shall inform the subject of it still within the first one month administrative period. The Controller shall inform the subject of the lack of actions within the first one month administrative period, too. The subject may file a complaint against it with the Hungarian National Authority for Data Protection and Freedom of Information and may exercise his / her rights to remedy.
The provision of the requested information and the Controller's actions are free of charge. Exemptions are if the request is unsubstantiated or - due to its repeated occurence - excessive. In this case, the Controller may charge a cost or may decline to grant the request. The data subject has the following rights to exercise against the Controller: 7.1. Withdrawal of consent The subject may withdraw his / her consent to any data processing which has formerly been carried out based on his / her consent (Art. 7 GDPR). In this case, Tickething shall delete the data subject's personal data related to the given data processing without unreasonable delay upon receipt of the request. 7.2. Provision of information (access) The data subject may request information if the Controller processes his / her personal data (Art. 15 GDPR) and in case of affirmative answer the subject may pose the following questions: ¢ What is the purpose of data processing? ¢ What are the exact data processed? ¢ Who the Controller transmits the data to? ¢ How long are the data stored by the Controller? ¢ What rights does the data subject have and how can a breach be remedied relating to his / her data? ¢ How has the Controller gained access to the data subject's data? ¢ Does the Controller make an automatic decision concerning the data subject by using the subject's personal data? ¢ The data subject may request a copy of his / her processed personal data. (The Controller may charge a commensurate administrative cost for the additional copies.) 7.3. Right to rectification The data subject may request the Controller to rectify his / her personal data registered inaccurately or incompletely (Art. 16 GDPR). 7.4. Right to erasure of personal data The data subject may request the Controller to erase his / her processed personal data (Art. 17. GDPR) where one of the following grounds applies: ¢ the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise porcessed; ¢ the data subject withdraws consent on which the processing is based; ¢ it is proved that the Controller processes personal data unlawfully; ¢ by operation of European Union or domestic regulation. The Controller may not erase the personal data when processing is necessary: ¢ for exercising the right of freedom of expression and information; ¢ for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; ¢ for achiving purposes in the public interest, scientific or historical research purposes os statistical purposes as far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing or ¢ for the establishment, exercise or defence of legal claims. 7.5. Right to restriction of processing The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies (Art 18 GDPR): ¢ the accuracy of the presonal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; ¢ the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; ¢ the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; ¢ the data subject has objected to proccessing pending the verification whether the legitimate grounds of the Controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
7.6. Right to data portability The data subject shall have the right to receive his / her personal data processed by the Controller in a machine-readable format (Art. 20 GDPR) and have ther right to transmit those data to another controller or - upon request - the Controller transmits them where processing is solely based on the consent of the natural person or a contract concluded with or for the benefit of the natural person and is carried out in an automatic way. 7.7. Right to object to processing his / her personal data The data subject shall have the right to object to processing his / her personal data (Art. 21 GDPR) insofar the processing is necessary to establish the legal rights of the Controller or a third person including profiling based on the data. In this case, the Controller shall delete the data subject's personal data unless compelling legitimate grounds are demonstrated for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The data subject shall have the right to object to processing his / her personal data where one of the following applies: ¢ personal data are processed for direct marketing purposes and the Controller shall delete the given personal data in this case; ¢ personal data are processed for statistical reasons. In this case the Controller shall delete the personal data unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8.1. Right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information).
In the event the data subject considers that the processing of his / her personal data relating to him / her infringes GDPR, the data subject shall have the right to lodge a complaint with the Hungarian Authority for Data Protection and Freedom of Information. president: dr. Péterfalvi Attila postal address: 1534 Budapest, Pf.: 834 address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c Telephone: +36 (1) 391-1400 Fax: +36 (1) 391-1410 web: http://naih.hu e-mail: firstname.lastname@example.org 8.2. Right to judicial remedy The data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR. Proceedings shall be brought before the regional courts and may be brought before the courts of the Member State where the data subject has his or her habitual residence should the data subject decide so. The Hungarian Authority for Data Protection and Freedom of Information shall have the right to intervene in the litigation in favour of the data subject.
The Controller is assisted in personal data processing by the following data processors:
Activity: Invoicing Name / Company name: Számlázz.hu Registered seat: 1031 Budapest, Záhony utca 7
Activity: Accounting Name / Company name: Hungarian Venture Capital Services Accounting & Consulting Könyvelő és Tanácsadó Kft. Registered seat: 9027 Győr, Hűtőházi út 2