MÁV application ticket purchase - Privacy Policy

1. Data manager

Name:	MÁV-START Railway Passenger Transport Co. (hereinafter ‘MÁV-START Co.’ or ‘Data Manager’)
Registered address:	Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary
Registration number:	01-10-045551
Court of registration:	The Budapest Metropolitan Court as Court of Registration
VAT Number:	13834492-2-44
E-mail:	eszrevetel [KUKAC] mav-start.hu

2. The purpose and legal base of the data management, range of collected information, duration of data storage

2.1. The purpose and legal base of the data management

Data Manager handles the personal data of its passengers/clients in order to:

register the user in the JÉ Ticketing System of MÁV-START (hereinafter: ‘JÉ’), based on the consent of the user in accordance with Article 6 (1) (a) of GDPR;
fulfil the contract created by purchasing the tickets, based on the provisions of Article 6 (1) (b) of GDPR, and Article 169 (1) and (2) of the Act on Accounting.

MÁV-START Co. may use the aggregated and / or anonymised sales data for statistical purposes. No personal data can be recovered from this kind of data.

The passenger permits the above data handling by: using the MÁV application; purchasing a ticket in the MÁV application; declaring it at the time of contributing a comment or complaint; or starting the journey.

For other than the above purposes (e.g. marketing), MÁV-START Co. handles the passengers' or clients' personal data only, if MÁV-START Co. informed the person about it, and the person has given his/her explicit consent to it.

2.2. Range of collected information

MÁV-START Co. handles the personal information in the MÁV application:

in case of registration: name and e-mail address of the User
in case of ticket purchase: e-mail address, invoicing data, name and date of birth of the passenger(s), data of the purchased product(s), any additional data required to travel with the product (e.g.: ID number).

Only personalised tickets can be purchased in the MÁV application. The name and date of birth of the passenger is indicated on the ticket. Pursuant to the Act No XLI of 2012 (Passenger Transport Act), the Railway Undertaking shall be entitled to check whether the personalised ticket is used by the person indicated on the ticket.

The MÁV application does not verify the accuracy of the information provided. The correctness of the data entered is solely the responsibility of the person providing it. By providing the e-mail address, the User will also be liable for the sole use of the provided e-mail address. With respect to this responsibility, any liability associated with a log-in with an e-mail address will be borne exclusively by the User who registered the e-mail address.

MÁV-START Co. stores the following data recorded automatically in the log files:

e-mail address used for log-in,
activities and their exact time made during purchasing in the MÁV application,
IP address of the connected device.

The above data is recorded automatically by the MÁV application, without any user interaction. Unless otherwise stated by the law, these data cannot be linked to other personal information of the user. The data can only be accessed by MÁV-START Co. and the system operator.

2.3. Duration of data handling

MÁV-START Co. handles the personal data only for the time necessary for the purpose of data management (until e.g.: arranging the complaint or comment; withdrawal of consent; statistical processing of asserted claims; etc.), or until the deadlines set by the applicable tax, security or other regulations. To register the rights and obligations regarding invoicing, the purchased product(s) and electronic invoice(s) are stored for 11 years from the date of purchase based on the provisions of Article 169 (1) and (2) of the Act on Accounting.

2.4. Possibility of data transfer

Data Manager is entitled and obliged to transmit any legally stored and available personal data to the competent authorities, when obliged by law or by statutory obligation. MÁV-START Co. cannot be held responsible for such data transfers and its consequences.

With prior informing the passenger, MÁV-START Co. may transfer the e-mail address and name assigned to the user profile, and data regarding the purchase (including, but not limited to: data of the purchased product, log file) to the payment service provider for the purpose of customer support for users, confirming transactions and fraud analysis.

The personal data on the e-train-ticket and stored in the electronic code on the e-train-ticket may be known by the railway undertakings indicated on the ticket during the checking of the ticket and may be handled in accordance with their own privacy policies.

3. Information on the use of a Data Processor

Name:	MÁV Service Center Co.
Registered address:	Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary
Registration number:	01-10-045838
Court of registration:	The Budapest Metropolitan Court as Court of Registration
VAT Number:	14130179-2-44
E-mail:	helpdesk [KUKAC] mav-szk.hu
Location of data storage:	Krisztina krt. 37/A, Budapest, H-1012, Hungary

Data Processor manages the data managed under point 2 for the period specified in point 2 and provides a complete IT service based on the contract with Data Manager.

Recipient of data transfer:

Name:	MÁV-HÉV Suburban Rail Co.
Registered address:	Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary
Registration number:	01-10-049023
Court of registration:	The Budapest Metropolitan Court as Court of Registration
VAT Number:	25776005-2-44
E-mail:	mav-hev [KUKAC] mav-hev.hu

The recipient of the data transfer is authorised to know the data only in the case of the control of the purchased products and handling the related complaints.

4. Range of persons entitled to know the data

By Data Manager: staff of the department(s) responsible for operating the System; the staff of the Client Service; staff of the department handling the central refund.

5. Information on measures for data security

5.1. Data storage, security of data management

MÁV-START Co. commits itself to ensure safety of passengers' and other clients' personal data it manages. Personal data are handled non-public, in increased security IT systems, and are prevented from accidental destruction, unauthorised access or modification. MÁV-START Co. ensures that personal data are disclosed to competent employees only, with high-level access control.
In collaboration with Data Processor, Data Manager takes the necessary technical and organisational measures to:
- make the proper operation and functioning of the application in accordance with the IT Security Policies;
- ensure that eligible users access the application's functions and data according to their level of authority;
- take care of saving and storing data;
In collaboration with Data Processor, Data Manager observes the procedural rules necessary to enforce the provisions of the data protection legislation specified in point 9. The uploaded files are subjected to virus checking and other security screenings by the Data Manager through the Data Processor.
The hardware elements of the System are located in the server room of MÁV Service Center Co. (Krisztina krt. 37., Budapest, H-1012. Hungary), as Data Processor.
Data Manager takes all technical, managerial and organizational measures to protect the security of data handling, which provides a level of security appropriate to the data management; selects the IT tools used and operates them so, that the data treated:
- is accessible to all authorised persons (availability);
- is ensured to be credible and authenticated (authenticity of data management);
- can be proved to be unchanged (data integrity);
- is accessible only to authorised persons, and is protected against unauthorised access (confidentiality).

6. Rights and enforcement of rights

6.1. Right to request information

Information, data correction and limitation of data handling can be requested in written form from Data Manager through the contact details in point 1.

At the request of the User, Data Manager provides information about the handled data; the purpose, legal basis and duration of data handling; the name and address (seat) of the Data Manager; the name and address (seat) of the Data Processor and its activities related to data management; the contact details of the data protection officer; who and for what purpose receives or has received the User's personal data; and the User's rights regarding data management. The Data Manager shall provide the information in writing and in a legible form within the shortest possible time, but no later than within one month from the submission of the request. If necessary, considering the complexity and number of requests, this time limit may be extended by two months. If the request for information is unfounded or - especially because it is repetitive - excessive, Data Manager may set a cost reimbursement or deny taking action based on the request.

6.2. Right to withdraw consent

Consent to data handling can be withdrawn any time, but the withdrawal does not affect the legality of the data handling based on the consent before the withdrawal.

6.3. Right to access

User is entitled to receive feedback from Data Manager as to whether his/her personal information is being processed.

Based on the right to access the User is entitled to access to personal data relating to ongoing data management and to the following information:

purpose of data management,
the categories of personal data concerned,
duration of data handling,
who and for what purpose receives or has received the User's personal information,
the User's rights regarding the data handling,
the right to submit complaint to the supervisory authority.

By the request of the User, Data Manager will provide the User a copy of the personal data that is the subject of data processing, as long as it does not adversely affect the rights and freedoms of others. Data Manager may apply an administrative fee (cost reimbursement) for the additional copies requested.

6.4. Modifying (correcting) and deleting data

Modification (correction) of inaccurate personal data and supplementing incomplete data can be requested in written form through the contact details in point 1.

User can request the deletion of his/her personal data in written form through the contact details in point 1. if: the data handling is unlawful; the purpose of data management is terminated; the consent to data handling has been withdrawn; the specified deadline for storing the data has expired; and it is ordered by a court or authority.

Data Manager notifies the requesting person and those who have received the data for data handling of the correction and of the deleting of the data. Notification can be omitted if it does not infringe the legitimate interest of the requesting person regarding the purpose of data handling.

Data Manager does not delete personal data if it is necessary to submit, enforce, or protect legal claims.

Certain personal data can be modified within the MÁV application by the User.

Personal and other data related to the user account will be deleted in several steps in accordance with the legal regulations detailed in the Privacy Policy accepted during the registration to the MÁV application.

The cancellation of the e-mail address and registration data that belong to a non-activated registration can be requested through the Customer Service by entering the e-mail address.

An activated user account can only be deleted in the MÁV application by using the Delete account feature in My profile menu.

A user account can only be deleted, if all the tickets in it have expired or have been refunded. A user account containing valid tickets or tickets marked for refund cannot be deleted.

Tapping the Delete account button will promptly delete the following data in the database and/or in the application installed on your phone

first and last name provided at the time of registration,
invoicing data recorded by the user, which can be selected for invoicing,
identifiers associated with card data stored in the SimplePay payment system,
name and birth date of passenger(s) stored on the device of the User.

By tapping the Delete account button the registered e-mail address (user account ID) will be marked for deleting, which means that the user account will no longer be available. Previously purchased tickets and invoices can be accessed from database for a period of one year from the date of cancellation based on the registered e-mail address, if a claim or other legitimate request arrives to our Client Service. Registering with an e-mail address (user account ID) marked for deleting result a new User account. Linking old and new user accounts is not possible.

The e-mail address will be deleted on the 366th day after initiating the deleting of the account. Previously purchased tickets and invoices cannot be accessed based on the e-mail address, therefore MÁV-START cannot fulfil any requests in this regards after this deadline.

6.5. Blocking of data (limitation)

Blocking (limitation) of personal data can be requested in written form from Data Manager through the contact details in point 1. if:

the User disputes the accuracy of personal data (in this case, the restriction applies to the period during which Data Manager checks the accuracy of the data);
data handling is illegal, but the User opposed to the deletion of data and requests them to be blocked or limited;
the purpose of data management has ceased, but the User needs to submit, enforce or protect legal claims.

Blocking (limitation) lasts until the reason you specify makes it necessary. In this case the personal data will only be handled - excluding storage - with the consent of the User; or to submit, enforce or protect legal claims; or to protect the rights of another natural or legal person; or to deal with important public interest. The Data Manager informs the User in advance, if the data will be unlocked by the request of the User.

6.6. Right to appeal

In the event of violation of rights or in the event of disagreement with the decision of the Data Manager, the User may submit a complaint to the National Data Protection and Information Authority:

Name:	National Data Protection and Information Authority
Registered address / Mailing address:	Szilágyi Erzsébet fasor 22/c., Budapest, H-1125, Hungary / Pf. 5., Budapest, H-1530, Hungary
Telefon:	(+36-1) 391-1400
Telefax:	(+36-1) 391-1410
E-mail:	ugyfelszolgalat [KUKAC] naih.hu

In the event of violation of rights or in the event of disagreement with the decision of the Data Manager, the user may appeal directly to the court competent for the address of Data Manager or for the address of the place of residence of the User, within 30 days of receiving the decision from the Data Manager. The court may hear the case without delay.

Further information in addition to the Privacy Policy can be requested through the contact information provided in point 1.

Comments, objections or information requests regarding the handling of personal data can also be sent to adatvedelem [KUKAC] mav-start.hu.

7. Sending information

Service Provider reserves the right to inform registered users about major changes to the operation of the System or major changes that affect the journey with the purchased tickets (e.g. new developments, force majeure, etc.) by e-mail.

8. Modifying the Privacy Policy

MÁV-START Co. reserves the right to change this Policy at any time by its unilateral decision. MÁV-START Co. informs all users of the changes in appropriate manner (e.g. in newsletter or in pop-up window). By using the MÁV application after the change of Privacy Policy, the User acknowledges the changed Privacy Policy, no further user consent is necessary.

9. Applied law

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR)
Act No. CXII. on the right to sovereignty of information and the freedom of information
Act No. V of 2013 on Civil Law
Constitution of Hungary (Freedom and Responsibility, Article VI.);
Act No XLI of 2012 on Passenger Services;
Act No CVIII of 2001 on Electronic Commerce Services and Information Society Services;
Act No C of 2000 on Accounting.