1. Name of data controller:
Name: MÁV-START Vasúti Személyszállító Zártkörűen Működő Részvénytársaság
Seat: 1091 Budapest, Üllői út 131.
Company registration number: 01-10-045551
Court of registration: Fővárosi Törvényszék Cégbírósága
Company Registry Court of Budapest-Capital Regional Court
Tax number: 13834492-2-44
Email: ugyfelszolgalat [KUKAC] mav-start.hu
2. Purpose, legal ground and form of data management, scope of managed data, record keeping, and scope of affected parties
Purpose of data management: To perform administrative tasks in relation to passenger complaints, suggestions, reimbursements, and damage claims.
Scope of managed data: Full name, mother’s birth name, address, email, telephone number, bank card number, place and date of birth, place of departure and destination, grounds for complaint/suggestion/reimbursement claim/damage claim, name of the recording person and signature of the consumer, place of recording, list of evidence supplied by the consumer, and record number of the complaint.
Legal ground of data management: To fulfil the obligations prescribed by Item c) of Paragraph (1) of Section 6 of GDPR (General Data Protection Regulation): Chapter VI of Regulation (EC) No 1371/2007 of the European Parliament and of the Council on rail passengers’ rights and obligations, and Item b) of Paragraph (3), and Paragraph (5) of Section 17/A of Act CLV of 1997 on consumer protection.
Record keeping: For 5 years after the date of recording the complaint.
Form of data management: In paper form and electronic form.
3. Information on the involvement of data processor:
According to service provider agreement: MÁV Szolgáltató Központ Zártkörűen Működő Részvénytársaság
Seat: 1091 Budapest, Üllői út 131.
Company registration number: 01-10-045838
Court of registration: Company Registry Court of Budapest-Capital Regional Court
Tax number: 14130179-2-44
Email: helpdesk [KUKAC] mav-szk.hu
Place of record keeping: 1012 Budapest, Krisztina krt. 37/A
The data processor manages the data mentioned in Clause 2 for the time indicated in Clause 2, and provides full-scale information technology services, including the operation of communication applications, according to the contract concluded with the data controller.
For the operation of System ANDOC, the data processor is:
According to agreement: Care All Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Seat: 1121 Budapest, Törökbálinti út 15. A. ép. fszt.
Company registration number: 01-09-727414
Court of registration: Company Registry Court of Budapest-Capital Regional Court
Tax number: 13284567-2-43
The data processor manages the data mentioned in Clause 2 for the time indicated in Clause 2, and operates the System ANDOC for the record keeping of personal data obtained during complaint handling, according to the contract concluded with the data controller.
4. Scope of persons entitled to be familiar with these data:
Employees of MÁV-START Zrt. involved in the receiving, electronic recording, processing or checking of the complaint/claim, and the employees involved in its investigation.
5. Information on data safety measures:
Methods of record keeping, and data management safety:
-
The data controller takes the technical and organisational measures with the involvement of the data processor:
-
to maintain the operation of the application(s) according to the IT Safety Guidelines (IBSZ);
-
to ensure that the functions and data of the application(s) are available to the entitled users according to their respective rights; and
-
to save and archive data;
-
as well as to follow the administrative requirements necessary to comply with the data safety regulations of Clause 7. The data controller subjects the uploaded files to virus scanning and other safety filtering processes through the data processor.
-
The IT elements of the system are located at the data processing server room (1012 Budapest, Krisztina krt. 37.) of MÁV Szolgáltató Központ Zrt. as data processor.
-
The data controller takes the necessary technical, organisational and structural measures to ensure the required protection level of data management safety according to the relevant risks, and selects and operates the IT equipment in order to guarantee that the managed data:
-
is available for the entitled persons (availability);
-
is authentic and verified (authenticity of data management);
-
remains unchanged in a verifiable way (integrity);
is only accessible by the entitled parties, and protected against unauthorised access (confidentiality).
6. Rights of the affected parties and means of enforcement:
6.1. Right to request information
You have the right to request information from the data controller in a written form via the contact data of Clause 1, to request the correction of your personal data, and to request the restriction of the management of your data.
Upon request, the data controller provides information on the managed data, the legal ground of data management, the time of record keeping, the name and address (registered seat) and activities of the data processor in relation to this data management, the contact data of the data protection officer, and on who received your personal data and for what purpose, as well as on your rights related to data management. The data controller shall give a written, easily understandable reply with the required information as soon as possible, but at least within a month. If necessary, this period can be extended by 2 months on the basis of the complexity of your request and/or the high number of requests. If your request is clearly unfounded or excessive – especially due to its repetitive nature, the data controller shall have the right to either invoice the process costs, or refuse to take any measure with regard to your request.
6.2. Right to access
You have the right to receive feedback from the data controller on whether the management of your personal data is under progress.
According to your right to access, you are entitled to access your personal data in relation to an ongoing data management, as well as the following information:
- the purpose of data management;
- the categories of affected personal data;
- time of record keeping;
- who receives/received your personal data and for what purpose;
- your rights related to data management;
- your right to lodge a complaint with the supervisory authority.
Upon your request, the data controller shall give you a copy of your personal data that are subject to data management, provided that this has no adverse effect on a third person’s rights or freedom. For any further copies, the data controller may invoice you a reasonable fee according to the administrative costs.
6.3. Modification (correction) and deletion of data
You may request the modification (correction) of your personal data if inaccurate or incorrect, or any addition if incomplete, in a written form via the contact data of Clause 1.
You may request the deletion of your personal data in a written form via the contact data of Clause 1 if the purpose of data management ceased to exist, the affected party withdrew consent, the data management proves to be illegitimate, the deadline of record keeping expires, or a court or authority orders so.
The data controller shall inform you and all parties who received the data for the purpose of data management on the execution of the correction or deletion. This provision of information may be omitted if such omission is not against your best interest from the aspect of the data management purpose.
The data controller shall not delete personal data if those are required to fulfil any legal obligation of the data controller, to lodge a legal claim, or to assert or protect rights.
6.4. Restrictions of data management
You may request the restriction of your personal data in a written form via the contact data of Clause 1 from the data controller if:
-
you question the accuracy of the personal data (in this case, the restriction is only valid while the data controller checks the accuracy of said data);
-
the data management is illegitimate, but you are against the deletion of said data, and request the restriction of use instead;
- the purpose of data management ceased to exist, but you still need your data for lodging a legal claim, or asserting or protecting rights.
- This restriction is valid until the indicated reason requires it. In this case, your personal data – with the exception of record keeping – may only be managed with your permission, or to lodge a legal claim, or to assert or protect rights; or to protect the rights of any third person (natural or legal entity), or for the public interest. The data controller informs you in advance on the lifting of the restrictions.
6.5. Legal remedy
In the case of the violation of your rights, or if you question the decision of the data controller, you may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
Seat / postal address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c. / 1530 Budapest, Pf. 5.
Telephone: (+36-1) 391-1400
Fax: (+36-1) 391-1410
Email: ugyfelszolgalat [KUKAC] naih.hu
In the case of the violation of your rights, or if you question the decision of the data controller, you have the right to file a damage claim directly against the data controller with the local court competent at the data controller’s seat or your place of residence, within 30 days after the communication of the decision. The court processes the case as a matter of urgency.
If you need further information not included in this document, you may request information via the contact data of Clause 1.
If you have any questions, suggestions, or require further information on the management of your data, please contact the following email address: adatvedelem [KUKAC] mav-start.hu.
7. Relevant legal regulations:
-
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
-
Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Privacy Act")
-
Act V of 2013 on the Civil Code
-
Regulation (EC) No 1371/2007 of the European Parliament and of the Council on rail passengers’ rights and obligations
- Act CLV of 1997 on consumer protection
MÁV-START Zrt.