FestiPay Privacy Policy


Effective Date: March 1, 2019

  1. Introduction, definitions, principles of data processing

FestiPay Zrt., in compliance with Act CXII of 2011 on information self-determination and freedom of information, with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and other relevant legislation, issues the following privacy policy (“Privacy Policy”).

 

FestiPay Zrt. reserves the right to amend this privacy notice at its own discretion at any time. The latest effective date will be highlighted at the top of the Privacy Policy.

Contact information of FestiPay Zrt.

  • Name: FestiPay Készpénzmentes Fizetési Szolgáltatások Zártkörűen Működő Részvénytársaság
  • Address: 1135 Budapest, Reitter Ferenc utca 46-48
  • Company Registry number: 01-10-048644
  • Tax number: 25405983-2-41
  • E-mail: info@festipay.hu

FestiPay Zrt. does not have a designated Data Protection Officer.

The terms used and Articles referred to in this Privacy Policy shall have the same meaning and content as defined in GDPR.

FestiPay Zrt. ensures that Personal Data is

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  2. Legal basis for data processing

With regards to FestiPay Zrt.’s activity, personal data shall only be processed if at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which FestiPay Zrt. is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in FestiPay Zrt.;
  • processing is necessary for the purposes of the legitimate interests pursued by FestiPay Zrt. or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

FestiPay Zrt. primarily processes data based on the consent of the data subject.

Where a third party discloses someone’s personal data to FestiPay Zrt., it is that third party’s obligation to obtain the consent of the data subject, and FestiPay Zrt. excludes all liability for the absence of such consent.

  3. Scope of Personal Data processed and purpose of processing

Data processing in relation to mobile payment (technical) services in the Festipay application.

FestiPay Zrt. shall, (A) process (in its capacity as data processor), and within this scope, (B) transmit to (a) the merchants and (b) acquirer banks/financial institutions, participating in the clearance and completion of the given mobile payment transaction, the following personal data only, provided by the end-user (the data subject) through the corresponding client side mobile application platform:

  • the mobile phone number;
  • the card number, security code and the validity date of the bank card;
  • the first name, surname and birth date of the data subject / end-user (as it appears on the bank card);
  • e-mail address, delivery address and billing address;
  • password.

Such data shall be processed only for the purpose of

  • using the corresponding mobile transaction/payment service by the end-user of the service;
  • completing; and
  • keeping track of the transactions by FestiPay Zrt. and the payment service providers.

  4. Data storage duration

The personal data will not be kept for longer than is necessary to fulfill the specific purposes outlined in this Privacy Policy and to comply with FestiPay Zrt.’s legal requirements.

The personal data are stored until the data subject deletes the personal data from the mobile device or the bank card expires, after which the stored data are deleted immediately.

Data related to accounting are stored for the period described in Act C of 2000 on Accounting.

  5. Security measures

FestiPay Zrt. ensures compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk. These measures will guarantee an appropriate level of personal data security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by personal data processing and the nature of the data to be protected. FestiPay Zrt. will in any case take measures to protect personal data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful processing.

  6. Personal data processing outside the EEA and data forwarding

FestiPay Zrt. will not transfer personal data outside the European Economic Area.

FestiPay Zrt., in relation to the mobile payment service, will forward the personal data of data subjects to the following enterprises:

  • the banks and financial institutions participating in the acceptance/clearing of the transactions;
  • FestiPay Zrt.’s data processors;
  • the merchants participating in the clearing of the transactions.

  7. Rights of the data subject

7.1. The right to transparent information, communication and modalities

FestiPay Zrt. shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. When requested by the data subject, the information may shall be provided in writing by electronic means, provided that the identity of the data subject is proven by other means.

7.2. The right to receive information

7.2.1. Where personal data relating to a data subject are collected from the data subject, FestiPay Zrt. shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  • the identity and the contact details of FestiPay Zrt. and, where applicable, of FestiPay Zrt.’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where the processing is based on legitimate interests, the legitimate interests pursued by FestiPay Zrt. or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that FestiPay Zrt. intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In addition to the information referred to above, FestiPay Zrt. shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from FestiPay Zrt. access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where FestiPay Zrt. intends to further process the personal data for a purpose other than that for which the personal data were collected, FestiPay Zrt. shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to above.

The obligation to provide information shall not apply where and insofar as the Data Subject already has the information.

7.2.2. Where personal data have not been obtained from the data subject, FestiPay Zrt. shall provide the data subject with the following information:

  • the identity and the contact details of FestiPay Zrt. and, where applicable, of FestiPay Zrt.’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, that FestiPay Zrt. intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, and a reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

In addition to the information referred to above, FestiPay Zrt. shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • where the processing is based on FestiPay Zrt.’s legitimate interest, the legitimate interests pursued by FestiPay Zrt. or by a third party;
  • the existence of the right to request from FestiPay Zrt. access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  • where processing is based on the granting of consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

FestiPay Zrt. shall provide the information referred to in section 7.2.2. as follows:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Where FestiPay Zrt. intends to further process the personal data for a purpose other than that for which the personal data were obtained, FestiPay Zrt. shall provide the Data Subject, prior to such further processing, with information on that other purpose and with any relevant further information.

The information does not have to be provided where and insofar as:

  1. the Data Subject already has the information;
  2. obtaining or disclosure is expressly laid down by Hungarian law to which FestiPay Zrt. is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  3. the personal data must remain confidential subject to an obligation of professional secrecy regulated by European Union or Hungarian law (e.g. banking secrecy), including a statutory obligation of secrecy.

7.3. The right of access

The data subject shall have the right to obtain from FestiPay Zrt. confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from FestiPay Zrt. rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

7.4. The right to rectification

The Data Subject may request FestiPay Zrt. to rectify one or more items of personal data that have been indicated incorrectly. Where regular data provision takes place on the basis of the data to be rectified, where necessary FestiPay Zrt. shall inform the recipient of the data about the rectification, and shall remind the Data Subject that the Data Subject must also initiate the rectification at other controllers.

7.5. The right to erasure (the “right to be forgotten”)

The data subject shall have the right to obtain from FestiPay Zrt. the erasure of personal data concerning him or her without undue delay and FestiPay Zrt. shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or without any investigation into whether such grounds exist, the data subject objects to the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which FestiPay Zrt. is subject;
  • the personal data have been collected in relation to the offer of information society services relating to a person who is a minor.

Where FestiPay Zrt. has made the personal data public and is under an obligation to erase the personal data, FestiPay Zrt., taking into consideration the available technology and the cost of implementation, must take reasonable steps, including technical measures, to notify controllers which are processing the personal data of the fact that the data subject has requested the erasure, by such controllers, of any links to, or copies or reproductions of, the personal data in question.

The right of erasure shall not apply insofar as the processing is necessary:

  1. for compliance with a legal obligation that stipulates the processing of the personal data, applicable under European Union or Hungarian laws to which FestiPay Zrt. is subject;
  2. for the establishment, exercise or defence of legal claims.

7.6. The right to object

The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation to the processing of personal data concerning him or her which is necessary for the pursuit of a legitimate interest of FestiPay Zrt. or a third party, including profiling based on the above mentioned provisions. In this event, FestiPay Zrt. shall no longer process the personal data unless FestiPay Zrt. demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercising or defence of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing of the personal data for direct marketing purposes, the personal data shall no longer be processed for the purpose of profiling. No later than at the time of the first contact with the Data Subject, the right referred to above shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means based on the appropriate technical specifications.

7.7. The right to restriction of processing

The Data Subject shall have the right to obtain from FestiPay Zrt. restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the Data Subject, for a period enabling FestiPay Zrt. to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. FestiPay Zrt. no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
  4. the Data Subject has objected to processing in accordance with the provisions of the first paragraph of section 6.; in this case, the restriction shall apply until it is determined whether the legitimate grounds of FestiPay Zrt. override the legitimate interests of the Data Subject.

Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or a Member State. A Data Subject who has obtained restriction of processing on the basis of the above shall be informed by FestiPay Zrt. in advance of the lifting of the restriction on processing.

7.8. The right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to FestiPay Zrt., in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from FestiPay Zrt. to which the personal data have been provided, where:

  1. the processing takes place for one or more specific purposes or is based on the express consent of the Data Subject, or is necessary for the conclusion of a contract with the Data Subject, or the subsequent performance thereof; and
  2. the processing is carried out by automated means.

In exercising his or her right to data portability in accordance with the above, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability shall be without prejudice to the right to erasure (“right to be forgotten”). That right shall not apply in cases where the processing is necessary for the performance of a task carried out in the public interest or in the course of exercising official authority vested in FestiPay Zrt. The right to data portability shall not adversely affect the rights and freedoms of others.

  8. Personal data breach

In case of a personal data breach, FestiPay Zrt. shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The processor shall notify FestiPay Zrt. without undue delay after becoming aware of a personal data breach. The notification must at least:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by FestiPay Zrt. to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. FestiPay Zrt. shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, FestiPay Zrt. shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures included in the notification referred to in this section.

The communication to the data subject shall not be required if any of the following conditions are met:

  1. FestiPay Zrt. has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. FestiPay Zrt. has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

  9. Legal remedies, Supervisory Authority

The data subject, in case of breach of his/her rights, may turn to the ordinary Courts.

Procedure by the Supervisory Authority

The data subject may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság)