Privacy Policy Information
1. Introduction
Fővárosi Vízművek Zártkörűen Működő Részvénytársaság (Waterworks of Budapest Private Company Limited by Shares) (registered seat: 1138 Budapest, Váci út 182., company registration number: 01-10-042451; https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/ hereinafter: Company/Data Controller) devotes special attention so that its activities comply with the effective statutory requirements, especially with those laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation/GDPR) (hereinafter: Regulation), with the expectations and practices required vis-a-vis and from the water utility service providing sector.
The Data Controller intends to ensure transparency of its data processing activities by issuing this Privacy Policy Information (hereinafter: Information) and by provisions laid down in its related internal policies and regulations, and at the same time inform its customers, applicants and those interested or other natural persons (hereinafter: Data Subjects) of the opportunities provided by their right of self-determination and freedom of information.
The aim of this Information is, on the one hand, to define the lawful conditions and framework of data processing activities affecting personal data and pursued by the Data Controller, ensuring thereby the enforcement of the Data Subjects’ right of self-determination, and, on the other hand, to provide detailed information to the Data Subjects about their rights and the legal remedies available for them, as well as about the measures taken for ensuring the security of their personal data.
The Data Controller has appointed a data protection officer pursuant to Article 37 (1) a) of the Regulation. Contact details of the data protection officer appointed by the Data Controller: Károly Gróf; phone number: 36 1 465 2400; e-mail: adatvedelem@vizmuvek.hu; Postal address: Fővárosi Vízművek Zrt. 1397 Budapest, Pf. 512.
Structure of this Information:
1. Introduction
2. Scope of application of the Information
3. Purpose of the data processing
4. Processing of personal data by main types of the Data Subjects
5. Data processing activities in relation to the public service contract
6. Other data processing activities not related to public service contract
7. Data processing activities associated with the Websites operated by the Company (On-line customer service; Data processing related to surveys and questionnaires; Entry into contact by way of on-line forms)
8. Other special data processing activities (Data processing for marketing purposes; Data processing with a market research or opinion poll purpose; Profiling in a system that supports bulk mailing; Extraordinary events and damage incidents; Property and asset protection)
9. Transmission of data and activities performed by data processors
10. Rights and legal remedies
11. Data Security
12. Miscellaneous provisions
Should you have a question which is not clearly clarified in this Information, please contact our data protection officer directly as explained in the Introduction or in Section 10 of this Information.
The Data Controller intends to ensure transparency of its data processing activities by issuing this Privacy Policy Information (hereinafter: Information) and by provisions laid down in its related internal policies and regulations, and at the same time inform its customers, applicants and those interested or other natural persons (hereinafter: Data Subjects) of the opportunities provided by their right of self-determination and freedom of information.
The aim of this Information is, on the one hand, to define the lawful conditions and framework of data processing activities affecting personal data and pursued by the Data Controller, ensuring thereby the enforcement of the Data Subjects’ right of self-determination, and, on the other hand, to provide detailed information to the Data Subjects about their rights and the legal remedies available for them, as well as about the measures taken for ensuring the security of their personal data.
The Data Controller has appointed a data protection officer pursuant to Article 37 (1) a) of the Regulation. Contact details of the data protection officer appointed by the Data Controller: Károly Gróf; phone number: 36 1 465 2400; e-mail: adatvedelem@vizmuvek.hu; Postal address: Fővárosi Vízművek Zrt. 1397 Budapest, Pf. 512.
Structure of this Information:
1. Introduction
2. Scope of application of the Information
3. Purpose of the data processing
4. Processing of personal data by main types of the Data Subjects
5. Data processing activities in relation to the public service contract
6. Other data processing activities not related to public service contract
7. Data processing activities associated with the Websites operated by the Company (On-line customer service; Data processing related to surveys and questionnaires; Entry into contact by way of on-line forms)
8. Other special data processing activities (Data processing for marketing purposes; Data processing with a market research or opinion poll purpose; Profiling in a system that supports bulk mailing; Extraordinary events and damage incidents; Property and asset protection)
9. Transmission of data and activities performed by data processors
10. Rights and legal remedies
11. Data Security
12. Miscellaneous provisions
Should you have a question which is not clearly clarified in this Information, please contact our data protection officer directly as explained in the Introduction or in Section 10 of this Information.
2. Scope of application of the Information
| - data controlling related to public service contracts, performed as a public service provider |
It contains the data of natural persons, who are in customer relation with the Company, wish to be in customer relation with the Company, are related to persons in customer relationship with the Company in a way that controlling their personal data is necessary for the performance of the Company’s services |
|||
| - data controlling related to non-public service contracts, not performed as a public service provider | It contains the data of natural persons, who are in relation with the Company, wish to be in relation with the Company, are related to persons in relationship with the Company in a way that controlling their personal data is necessary for the performance of the Company’s services the following are included: laboratory service, plumbing service, waterproof protection, looking for pipe breakage, hydrant water flow measurement, real estate rental, data controlling related to certain financial transactions (e.g. issuing invoices) |
|||
| - Data controlling by websites operated by the Company (https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/ | the following are included: data controlling by online customer service, data controlling for surveys and questionnaires related to the Company, contacting via online forms |
|||
| - other, special data controlling | the following are included: data controlling for marketing purposes, data controlling for market and public opinion research, data controlling related to extraordinary events and damage incidents, data controlling related to profiling implemented in systems supporting mass mail sending, data controlling related to asset protection |
|||
- data controlling related to contractual relationships other than the above categories |
||||
UNLESS OTHERWISE PROVIDED, THE SCOPE OF APPLICATION OF THE INFORMATION DOES NOT EXTEND TO:
- services or data processing activities associated with the services, other campaigns of and content published by third parties eventually advertising or appearing in any other way on the Website;
- services and data processing activities of websites or service providers, to which links placed on this Website lead.
- For internal data controlling related to the controlling of personal data of the employees of the Company.
3. Purpose of the data processing
The primary purpose of data processing by the Data Controller in association with the fulfilment of its public service mission is the performance, establishment and maintenance of contracts concluded with its Customers and providing service at an appropriate quality level, with special regard to the provisions of Act CCIX of 2011 on water public utility service (hereinafter: Vksztv.) and those laid down in Government Decree no. 58/2013. (II. 27.) on the implementation of certain provisions of Act CCIX of 2011 on water public utility service (hereinafter: Vhr.). The Data Controller processes personal data for the purpose they were requested. The data processing is conform to its purpose in each phase of the processing. The data are captured and processed in a fair and lawful way. The Data Controller will make every endeavour so that only personal data that are indispensable and suitable for the fulfilment of the purpose of the data processing are processed. Personal data may be processed only to the extent and for a time period required for the fulfilment of the purpose.
Purposes belonging to each data controlling - broken down by data type - are contained in sections 5.-8. of this Information.
Purposes belonging to each data controlling - broken down by data type - are contained in sections 5.-8. of this Information.
| - data controlling related to public service contracts, performed as a public service provider | - determination of eligibility for the service - identification of the applicant prior to contracting - contracting - fulfilment of the contract - issuing bills - receivables management, claim enforcement - compliance with consumer protection regulations, complaint handling - quality assurance, increasing the efficiency of quality control, abuse prevention - assessment of procedural rights (examination of power of attorney) - determination of user status to be protected and the discounts available in this regard - termination of contract |
|||
| - data controlling related to non-public service contracts, not performed as a public service provider | - identification of the client prior to contracting - contracting - fulfilment of the contract (including maintaining contact) - assessment of procedural rights (examination of power of attorney) - receivables management, claim enforcement - compliance with consumer protection regulations, complaint handling - quality assurance |
|||
| - Data controlling by websites operated by the Company (https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/) | - online customer service: identification, service provision, information about changes - surveys, questionnaires: satisfaction measurement, service development - contact via online form: contact, identification |
|||
| - other, special data controlling | - data controlling for marketing purposes; business acquisition - data management for market and public opinion polls: research sample compilation, service development - extraordinary events - data management due to damage events: claims management - profiling implemented in a system supporting mass mailing: statistical analysis, increasing cost efficiency, supporting user-friendly communication - data controlling for asset protection: asset protection |
|||
| - data controlling related to contractual relationships other than the above categories | - the purpose of data controlling is determined by the specific legal relationship, the purpose is contained in the contractual provisions or the inseparable annexes of the given contract for each legal relationship |
|||
4. Processing of personal data by main types of the Data Subjects
The following types of natural persons may characteristically be Data Subjects of personal data processed in association with the Data Controller’s activities:
- Customer (a natural person who concludes a contract with the Data Controller for the provision of public utility and/or not a public utility service)
- Registered user (a natural person who has registered him/herself on the Website)
- User not having registered on the Website (a natural person who has contacted the Company on the Website without registration)
- Applicant (a natural person who enters into contact with the Data Controller for the purpose of using a service, but the contractual relation for delivery of the service will be established later or will not be established at all)
- Other Data Subject (a natural person who visits the Website, and/or subscribed for the Data Controller’s newsletter, and/or is a party concerned in a damage incident, and/or who wishes to enter the premises of the Data Controller)
- Data of natural persons other than Customers (a natural person who is the owner registered in the property records for the delivery point, or a natural person who acts as representative in representation of a natural person or a legal entity as provided for in Section 6:11 of the Civil Code)
5. Data processing activities in relation to the public service contract
The data processing activities pursued by the Data Controller have in general a mixed legal basis, i.e. they contain data processing authorisations that are based on contract, a legal act, the Data Controller’s legitimate interest or the Data Subject’s consent.
Personal data of the Data Subjects may get into the Data Controller’s possession in the following ways: Primarily by an act of the Data Subject to make them available directly in order to establish and perform the contract, secondly, in the course of data capturing from the Data Subject (by phone/customer service) and thirdly, by data transmission by the data processor entrusted by the Data Controller to keep contact with the Data Subject.
The Data Controller stores the available data for a time period determined in the legal statutes in a way adapted to the various purposes and legal bases of data retention, or, in the absence of relevant statutory provisions, until termination of the data processing purpose and then it will erase the data by taking the Data Subject’s and its own interests into account. The maximum time period for the data processing varies depending on the kind of legal basis the processing of the Data Subject’s data is based and is adjusted to the time period during which the purpose of the data processing persists.
The Table below summarizes the type of data processed by the Data Controller in association with the fulfilment of its public service mission, together with the relevant legal bases and retention periods related to them:
Personal data of the Data Subjects may get into the Data Controller’s possession in the following ways: Primarily by an act of the Data Subject to make them available directly in order to establish and perform the contract, secondly, in the course of data capturing from the Data Subject (by phone/customer service) and thirdly, by data transmission by the data processor entrusted by the Data Controller to keep contact with the Data Subject.
The Data Controller stores the available data for a time period determined in the legal statutes in a way adapted to the various purposes and legal bases of data retention, or, in the absence of relevant statutory provisions, until termination of the data processing purpose and then it will erase the data by taking the Data Subject’s and its own interests into account. The maximum time period for the data processing varies depending on the kind of legal basis the processing of the Data Subject’s data is based and is adjusted to the time period during which the purpose of the data processing persists.
The Table below summarizes the type of data processed by the Data Controller in association with the fulfilment of its public service mission, together with the relevant legal bases and retention periods related to them:
| Scope of the controlled data | Legal basis | Purpose of data controlling: | Retention time | |
|---|---|---|---|---|
5.1. |
Customer’s natural personal identification data (first and last name, birth first and last name, address, mother’s name, place and date of birth, telephone number, email address) |
Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation ,- pursuant to Vhr 56.) paragraph (1) |
The Data Controller controls the Customer’s data for the purpose of proper identification Customer identification is required for concluding a contract, fulfilling a contract, managing accounts receivable, and validating claims related to the contract. |
For 8 years from the year of issuance of the last accounting document related to the contract (Act C of 2000 on Accounting (hereinafter: Sztv.) 169.§) |
| 5.2. | Data of the owner of the consumption site | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
Mainly the data of the owner of the consumption site can be controlled, pursuant to Section 2.6 of the Vksztv. . . If the conclusion of the contract and the provision of services are not possible without providing the data of the actual owner, the personal data of the owner will be controlled by the Data Controller. |
8 years following termination of the contractual relationship. |
| 5.3. | Data of the owner of the consumption | Legitimate interest as legal basis (Article 6, Paragraph (1), Clause f) of the Regulation) |
The Data Controller controls the data of the owner of the consumption site based on the underlying liability pursuant to Section 2 (6) of the Vksztv., for the purpose of enforcing receivables. | With respect to Section 5.2., for 8 years following the termination of the contractual relationship/ based on the Data Subject’s objection, until the decision made by the Data Controller. |
| 5.4. | Applicant’s natural identification data (first and last name, birth first and last name, address, mother’s name, place and date of birth, telephone number, email address) |
Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation ,- pursuant to Vhr 56.) (1)) |
The Data Controller controls the Applicant’s data for the purpose of proper identification of the Applicant. Identification of the Applicant is necessary for the determination of the eligibility for the service. |
3 year from the receipt of the form. |
| 5.5. | Technical data related to the property of the Data Subjects | Legitimate interest as legal basis (Article 6, Paragraph (1), Clause f) of the Regulation) |
On properties located in our service area, technical data related to water and wastewater services are recorded for registration purposes. (E.g.: connection plan, internal water network plan, title deed and data on planned water demand) Data registration is necessary for the fulfilment of the contract. |
Until the validity period of the Operator's license of the Data Controller / until the decision made by the Data Controller based on the Data Subject's objection. |
| 5.6. | Data related to the Data Subject’s consumption provision and use of the service | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
Controlling these data is closely related to the fulfilment of the contract. The Data Controller manages the data generated during the performance of the contract, with particular regard to invoice data, requests from customers, claims, documents and records taken during the service. |
8 years following termination of the contractual relationship. |
| 5.7. | Complaints related to provision and use of the service by the Data Subject | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation Fogytv. 17/B.§ (5)) |
Controlling of these data is closely related to consumer protection regulations and the fulfilment of the contract, so the Data Controller handles the complaints that arise in order to comply with legal obligations. | For 5 years pursuant to Article 6:22 (1) of Act V. of 2013 on the Civil Code (hereinafter referred to as Civil Code.) |
| 5.8. | Data related to fees and costs payable and paid by the Data Subject, data of receivables | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls all data related to the Data Subject's payment obligation, from which it can be determined whether the Data Subject has fulfilled the payment obligation or not. Controlling of the data is necessary for the fulfilment of the contract, the management of outstanding debts and the enforcement of claims arising from the contractual relationship. |
For 5 years pursuant to Article 6:22 (1) of the Civil Code. |
| 5.9. | Data necessary to certify the change of consumer | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls the copy of the document necessary for the change and to prove that the change has taken place (e.g. purchase contract, gift agreement, rental contract). The Data Subject has the right to delete (cover out) the data from the copy that are not necessary to verify the change of consumer. Controlling these data is necessary to the fulfilment of the contract. |
8 years following termination of the contractual relationship. |
| 5.10. | Copy and data of documents supporting legal relationship | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller makes copies of individual documents certifying the legal relationship (e.g.: birth certificates, title deeds, transfer of ownership minutes, owner's consent, Municipal resolution) in order to establish the correctness of the data and the legal relationship. So, the purpose of data controlling is contracting and to fulfil the contract, as well as potential claims enforcement related to the contract. Certificate-type personal documents are exceptions, of which the Data Controller does not make copies. |
8 years following termination of the contractual relationship. |
| 5.11. | Identification data of the point of consumption and meters | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls technical data related to the consumption site and meters, including factory number, meter location number, VIPAK number, expiry date, and connects them to the Data Subject. The purpose of data controlling is the fulfilment of the contract. | After 8 years following the termination of the public utility contract, the connection between the Data Subject and the identification data expires. Technical data of the place of consumption and measuring devices are not deleted by themselves, they are kept until the validity period of the Operator's license of the Data Controller. |
| 5.12. | GPS coordinates of the consumption site and meters | Legitimate interest as legal basis (Article 6, Paragraph (1), Clause f) of the Regulation) |
Based on the legitimate interest of the Data Controller, during meter reading and technical investigations, the data Controller takes photographs of the meters and technical facilities, during which it also records the data of the GPS coordinates of the meter. The purpose of data controlling is the fulfilment of the contract. | After 8 years following the termination of the public utility contract, the connection between the Data Subject and points of consumption data expires. GPS coordinates of the point of consumption and meters are not deleted by themselves, they are kept until the validity period of the Operator's license of the Data Controller. |
| 5.13. | Data of natural persons concerned by authorization and representation | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
Primarily, the data of the person authorized to administer the public service may be processed. The name, place and date of birth, mother's name, address, and signature are provided by the Data Subject as a minimum content element. The purpose of data controlling is to assess procedural rights. |
For the validity period of the authorization and representation/5 years pursuant to Article 6:16 of the Civil Code. |
| 5.14. | Telephone conversation with the phone customer service | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation Fogytv. 17/B.§) |
The Data Controller records and handles the audio recording of the conversation between the Data Subject and the customer service as defined in the applicable laws, primarily in the Act on Consumer Protection. The purpose of data controlling may be - depending on the content of the conversation - contract fulfilment or complaint handling. |
5 years from the date of making the recording (Fogytv, 17/B.§ (3)). |
| 5.15. | Data generated during contacting the customer service | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation) (Vhr.89/C.§ (1)) |
Data generated at the customer service during the contact between the customer service and the Data Subject are controlled for administrative purposes and for the fulfilment of the contract. |
Civil Code For 5 years pursuant to Article 6:22 (1) of the Civil Code |
| 5.16. | Documents verifying user status to be protected | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) and Article 9, Paragraph (2) b) of the Regulation) (Vksztv. Article 61/A.) |
The Data Controller keeps records in order to ensure the benefits of the users to be protected, from which it can be clearly determined which range of benefits the data subject is entitled to. Inclusion in the records must be initiated by the Data Subject, and the documents specified in Government Decree (58/2013.(II.27.)) to prove belonging to the user group to be protected must be attached to the application. | After the expiry of the eligibility, the registered data are deleted (pursuant to Article 61/A (7) of Act CCIX of 2011 on water public services). |
6. Other data processing activities not related to public service contract
The Table below summarizes the types of data processed by the Data Controller not directly in relation to the fulfilment of a public service mission but in association with the provision of other services (e.g.: laboratory services, water pipe fitting service, watertight protection, detection of pipe bursts, measurement of the water yield of fire hydrants, lease of properties) or other financial transactions (e.g.: issuance of bills), as well as the relevant legal bases and retention periods related to them:
| Scope of the controlled data | Legal basis | Purpose of data controlling: | Retention time | |
|---|---|---|---|---|
| 6.1. | Data of the Applicant (name, address, mother’s name, place and date of birth) |
Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls the data for the purpose of identifying the Ordering Party and preparing a proposal. So, the purpose of data controlling is to identify the other party prior to contracting. |
If contracting fails, six months from the date of ordering. |
| 6.2. | Data of the Ordering Party (name, address, mother’s name, place and date of birth) |
Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls the data for the purpose of identifying the Ordering Party and preparing invoices. Identification of the Client is required for concluding a contract, fulfilling a contract and validating claims related to the contract. |
For 8 years following the issuance of the last accounting document related to the contract (Sztv.169.§). |
| 6.3. | Telephone number and email address required to maintain contact with the Data Subject | Consent as legal basis (Article 6, Paragraph (1), Clause a) of the Regulation) |
If the Data Subject or the representative of the community - thus in particular the common representative of the apartment buildings - consents, the Data Controller shall control the telephone number and e-mail address necessary for contact. The purpose of data controlling is the fulfilment of the contract. |
Until the consent is withdrawn/ 6 month following the duration of the concluded contract. |
| 6.4. | Data of natural persons concerned by authorization and representation | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
Data of the authorized person is primarily controlled for the purpose of administering the requested services. The purpose of data controlling is to assess procedural rights. |
For the validity period of the authorization and representation/5 years pursuant to Article 6:16 of the Civil Code. |
| 6.5. | Data related to the provision and provision and use of the use of the service | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
Controlling these data is closely related to the fulfilment of the contract. The Data Controller controls the data generated during the fulfilment of the contract, in particular the application form, order form, worksheet and certificate of completion. |
8 years following termination of the contractual relationship. |
| 6.6. | Complaints related to provision and use of the service by the Data Subject | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation (Fogytv. 17/B.§ (6)) |
Controlling of these data is closely related to consumer protection regulations and the fulfilment of the contract, so the Data Controller handles the complaints that arise in order to comply with legal obligations. | Civil Code 5 years pursuant to Article 6:22 (1) of the Civil Code |
| 6.7. | Data related to fees and costs payable and paid by the Data Subject, data of receivables | Legal basis for contracting (Article 6, Paragraph (1), Clause b) of the Regulation) |
The Data Controller controls all data related to the Data Subject's payment obligation, from which it can be determined whether the Data Subject has fulfilled the payment obligation or not. The data is necessary for the fulfilment of the contract and the enforcement of claims arising from the contractual relationship.. |
Civil Code 5 years pursuant to Article 6:22 (1) of the Civil Code. |
| 6.8. | Data generated during contacting the customer service | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation) (Vhr.89/C.§ (1)) |
Data generated at the customer service during the contact between the customer service and the Data Subject are controlled for administrative purposes and for the fulfilment of the contract. | For 5 years pursuant to Article 6:22 (1) of the Civil Code |
| 6.9. | Telephone conversation with the phone customer service | Legal obligation as legal basis (Article 6, Paragraph (1), Clause c) of the Regulation) (Fogytv. 17/B.§) |
The Data Controller records and handles the audio recording of the conversation between the Data Subject and the customer service as defined in the applicable laws, primarily in the Act on Consumer Protection. The purpose of data controlling may be - depending on the content of the conversation - contract fulfilment or complaint handling. |
5 years from the date of making the recording (Fogytv, 17/B.§ (3)). |
7. Data processing activities associated with the Websites operated by the Company
(https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/)
A separate Privacy Policy Information has been drawn up concerning the management of cookies used on our Websites, which is accessible from the following site: https://www.vizmuvek.hu/en/data-protection.
7.1. Data processing activities at the on-line Customer Service
The Data Controller operates an on-line customer service as an electronic service for its Customers. The purpose of the on-line customer service is to ensure reception of electronic inquiries from the Customers and display contract-related data for the registered Customers. Our existing and future Customers can use the services provided by the on-line customer service even without registration, but certain categories of arrangement/administration (e.g. service request submission, ordering services) are subject to registration. In case of inquiries initiated with or without registration the personal data provided will be assigned in the Company’s central database to the Data Subject being in a public service or other contractual legal relationship with the Company and later on the legal bases, data processing purposes and retention time periods specified in Chapters 5 and 6 will be governing for such personal data.
7.1.1. Registration
There are four ways available for the Data Subjects for initiating registration for the purpose of using the on-line administration services.
In case of registration with the data of the Ügyfélkapu (Client Gateway) the Data Subjects can use the Data Controller's on-line administration services by using their username and password registered for their own Ügyfélkapu. As far as the identification process subject to providing the data of the Ügyfélkapu is concerned, the governmental body responsible for the central state electronic services (Central Client Registration Records), i.e. the minister responsible for e-government is considered as Data Controller. Information concerning data processing related to identification by using the Ügyfélkapu data are provided and for the data subjects’ exercising their rights is ensured by the Ministry of the Interior (as Data Controller). In order that the registration be successful, the Data Subject has to provide at the occasion of the registration, in addition to identifying the natural person, data requested on the registration data sheet (e-mail address, phone number, device point ID number).
In case of registration other than by using Ügyfélkapu data the Data Subject is to provide the data requested in the registration data sheet (Data Subject’s name, e-mail address, phone number, device point ID number, current account ID number, business partner number, manufacturing number of the device). The Data Controller reserves the right to prescribe the provision of certain data in the registration data sheet as a condition for the registration (E.g.: e-mail address for the confirmation of the registration), and to change the data content of the registration data sheet, delete certain data field or to create new ones, especially if it is made necessary or justified by the users’ needs or changes in relevant legislation. The Data Controller will inform the Data Subjects of the changes in each case.
In case of pre-registration, if the Data Subject has an e-mail address and consent for it associated with a service legal relationship, or he/she launches an administration process at the On-line Customer Service, in that case the Company will pre-register the Data Subject at its On-line Customer Service. The Data Subject will be informed of the pre-registration in a confirmation e-mail. The confirmation e-mail will contain a “Confirm registration and provide a new password” link. If the Data Subject wants to use the registration opportunity, he/she can continue the registration process by clicking on the link. Failing confirmation, the Data Subject’s pre-registration will be automatically deleted after 30 days have lapsed. The Company’s aim with the pre-registration is to ensure the provision of the services offered by the On-line Customer Service, by simplifying the registration process.
In case of registration combined with arrangement/administration of a matter, in submitting his/her request, the Data Subject is to provide the data necessary for the registration, in addition to those needed for the arrangement/administration of the matter (e-mail address, phone number). After having admitted the request, the Data Controller performs the registration of the Data Subject to the on-line customer service.
Scope of processed data: Name, e-mail address, phone number, device point ID number, manufacturing number of the device of the Data Subject. If the registration is made by using Ügyfélkapu data, the scope of the processed data will extend to the mother’s name of the Data Subject and the place and date of his/her birth.
Purposes for which the data stored in the On-Line Customer Service system are used:
The data controller stores the e-mail address, name, password and profile data belonging to the registration also in its on-line customer service system and uses them for log into the on-line customer service, generating password reminders and sending validating e-mails.
Purposes for which the data stored in the Data Controller’s system and related to a registration are used:
Duration of the data processing: the Data Controller will process the data until the consent is withdrawn or the registration is deleted.
Storage and access to the processed data:
The Data Controller assigns the data provided in the course of the registration to the data of the Data Subject being in an identified public service legal relationship with it, or managed under other, non-public service legal relationship and will manage and process them as defined in Chapters 5 and 6.
The data provided under the registration process will be processed by the Data Controller and will not be transmitted to any data processor or other data controllers. Such persons – especially agents and employees – acting on behalf of the Data Controller will have access to the data, who need to know them in order to fulfil their duties, and who are aware of their obligations with regard to managing such data.
7.1.2. Management of inquiries not involving registration
The data provided in the course of inquiries launched without and not resulting in registration will be captured in the Company's central database. If the report in question can be assigned to an existing or a newly contracting Data Subject as far as its subject-matter is concerned, in that case, the report will be assigned in the central database to the Data Subject being in the corresponding public service legal relationship or in other, non-public service contractual relationship with the Data Controller and will be further managed and processed as defined in Sections 5 and 6. If the report in question cannot be assigned, as far as its subject-matter is concerned, to any contracted Data Subject, in that case it will be further managed and processed according to the provisions of Section 6. A confirmation e-mail will be sent about the successful report to the e-mail address provided at the occasion of making the report, but the e-mail address provided will not be used further in the future by the Data Controller.
In case of inquiries launched without and not resulting in registration, the Data Controller manages and processes the following data, by groups of matters of administration:
In case of meter index reporting: the Data Subject will be identified on the basis of the device point ID number and manufacturing number of his/her meter, the reported data will be processed meter index number, photo, any remark).
In case of launching an administration process – by providing the data of the meter: the Data Subject will be identified on the basis of the device point ID and manufacturing number of his/her meter. The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry.
In case of launching an administration process – without providing the data of the meter: The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry. They will be used for sending notifications on the successful report and about information related to the report and its arrangement/administration.
Making an appointment for a personal customer care point (coordination of date and time): the Data Subject has to provide his/her e-mail address. The Data Controller will use the e-mail address provided exclusively for the following purpose and then it will delete it: sending a confirmation e-mail about the date and time of the appointment, confirmation on success of cancellation of the appointment if made so, notification of the Data Subject about the closing hours of the customer care point and on the deletion of the appointment reserved.
7.1.3. Management of registered inquiries
The Data Controller will manage and process the data provided at the on-line customer service for reporting a request or for launching and administration process, as defined in Chapters 5 and 6. The on-line customer service does not store these data, it only ensures an electronic interface for launching and displaying administration processes, replacing thereby the paper-based administration.
Purpose of the data processing: Assessing the satisfaction of Customers (Data Subjects) and, based on the results, coordinating and developing the Data Controller's services with their needs.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: the Data Controller manages and processes the data provided until the consent is withdrawn, except if a statute prescribes the obligation of data processing.
7.3. Entry into contact by way of an on-line form
There is an opportunity for the Data Subject to enter into contact with the Data Controller via its Website and to initiate the ordering of various services, enrol for participation at certain events, and for using that opportunity he/she has to fill in an on-line form in order to enter into contact with the Data Controller.
Purpose of the data processing: enter into contact with the Data Subject and identify the Data Subject.
Scope of processed data: Name, e-mail address and phone number of the Data Subject.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: the Data Controller will manage and process the data until withdrawal of the consent, or if no service is used, in that case for 6 months.
7.1. Data processing activities at the on-line Customer Service
7.1.1. Registration
In case of registration with the data of the Ügyfélkapu (Client Gateway) the Data Subjects can use the Data Controller's on-line administration services by using their username and password registered for their own Ügyfélkapu. As far as the identification process subject to providing the data of the Ügyfélkapu is concerned, the governmental body responsible for the central state electronic services (Central Client Registration Records), i.e. the minister responsible for e-government is considered as Data Controller. Information concerning data processing related to identification by using the Ügyfélkapu data are provided and for the data subjects’ exercising their rights is ensured by the Ministry of the Interior (as Data Controller). In order that the registration be successful, the Data Subject has to provide at the occasion of the registration, in addition to identifying the natural person, data requested on the registration data sheet (e-mail address, phone number, device point ID number).
In case of registration other than by using Ügyfélkapu data the Data Subject is to provide the data requested in the registration data sheet (Data Subject’s name, e-mail address, phone number, device point ID number, current account ID number, business partner number, manufacturing number of the device). The Data Controller reserves the right to prescribe the provision of certain data in the registration data sheet as a condition for the registration (E.g.: e-mail address for the confirmation of the registration), and to change the data content of the registration data sheet, delete certain data field or to create new ones, especially if it is made necessary or justified by the users’ needs or changes in relevant legislation. The Data Controller will inform the Data Subjects of the changes in each case.
In case of pre-registration, if the Data Subject has an e-mail address and consent for it associated with a service legal relationship, or he/she launches an administration process at the On-line Customer Service, in that case the Company will pre-register the Data Subject at its On-line Customer Service. The Data Subject will be informed of the pre-registration in a confirmation e-mail. The confirmation e-mail will contain a “Confirm registration and provide a new password” link. If the Data Subject wants to use the registration opportunity, he/she can continue the registration process by clicking on the link. Failing confirmation, the Data Subject’s pre-registration will be automatically deleted after 30 days have lapsed. The Company’s aim with the pre-registration is to ensure the provision of the services offered by the On-line Customer Service, by simplifying the registration process.
In case of registration combined with arrangement/administration of a matter, in submitting his/her request, the Data Subject is to provide the data necessary for the registration, in addition to those needed for the arrangement/administration of the matter (e-mail address, phone number). After having admitted the request, the Data Controller performs the registration of the Data Subject to the on-line customer service.
Scope of processed data: Name, e-mail address, phone number, device point ID number, manufacturing number of the device of the Data Subject. If the registration is made by using Ügyfélkapu data, the scope of the processed data will extend to the mother’s name of the Data Subject and the place and date of his/her birth.
Purposes for which the data stored in the On-Line Customer Service system are used:
The data controller stores the e-mail address, name, password and profile data belonging to the registration also in its on-line customer service system and uses them for log into the on-line customer service, generating password reminders and sending validating e-mails.
Purposes for which the data stored in the Data Controller’s system and related to a registration are used:
- ensuring the possibility of logging in to the online customer service, identifying the Data Subject, providing services provided on an online interface;
- provision of services subject to registration to the on-line customer service, such as, among others: sending e-mail notifications about the reading reporting periods, issuing bills, notifications about the date and time of on-the-spot work accomplishment, confirmation on the launching of an administration process;
- sending notifications about changes made to and opportunities offered by the on-line customer service.
Duration of the data processing: the Data Controller will process the data until the consent is withdrawn or the registration is deleted.
Storage and access to the processed data:
The Data Controller assigns the data provided in the course of the registration to the data of the Data Subject being in an identified public service legal relationship with it, or managed under other, non-public service legal relationship and will manage and process them as defined in Chapters 5 and 6.
The data provided under the registration process will be processed by the Data Controller and will not be transmitted to any data processor or other data controllers. Such persons – especially agents and employees – acting on behalf of the Data Controller will have access to the data, who need to know them in order to fulfil their duties, and who are aware of their obligations with regard to managing such data.
7.1.2. Management of inquiries not involving registration
In case of inquiries launched without and not resulting in registration, the Data Controller manages and processes the following data, by groups of matters of administration:
In case of meter index reporting: the Data Subject will be identified on the basis of the device point ID number and manufacturing number of his/her meter, the reported data will be processed meter index number, photo, any remark).
In case of launching an administration process – by providing the data of the meter: the Data Subject will be identified on the basis of the device point ID and manufacturing number of his/her meter. The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry.
In case of launching an administration process – without providing the data of the meter: The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry. They will be used for sending notifications on the successful report and about information related to the report and its arrangement/administration.
Making an appointment for a personal customer care point (coordination of date and time): the Data Subject has to provide his/her e-mail address. The Data Controller will use the e-mail address provided exclusively for the following purpose and then it will delete it: sending a confirmation e-mail about the date and time of the appointment, confirmation on success of cancellation of the appointment if made so, notification of the Data Subject about the closing hours of the customer care point and on the deletion of the appointment reserved.
7.1.3. Management of registered inquiries
7.2. Data processing in relation to surveys and questionnaires concerning the Data Controller
Purpose of the data processing: Assessing the satisfaction of Customers (Data Subjects) and, based on the results, coordinating and developing the Data Controller's services with their needs.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: the Data Controller manages and processes the data provided until the consent is withdrawn, except if a statute prescribes the obligation of data processing.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| The Data Subject's e-mail address, phone number and postal address | Consent as legal basis (Article 6 (1) a) of the Regulation) |
Assessing the satisfaction of Customers (Data Subjects) and, based on the results, coordinating and developing the Data Controller's services with their needs. . | Until withdrawal of the Data Subject’s consent. | |
7.3. Entry into contact by way of an on-line form
There is an opportunity for the Data Subject to enter into contact with the Data Controller via its Website and to initiate the ordering of various services, enrol for participation at certain events, and for using that opportunity he/she has to fill in an on-line form in order to enter into contact with the Data Controller.
Purpose of the data processing: enter into contact with the Data Subject and identify the Data Subject.
Scope of processed data: Name, e-mail address and phone number of the Data Subject.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: the Data Controller will manage and process the data until withdrawal of the consent, or if no service is used, in that case for 6 months.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| Name, e-mail address and phone number of the Data Subject | Consent as legal basis (Article 6 (1) a) of the Regulation) |
The Data Subject provides the data specified in the online contact form to the Data Controller. The purpose of data controlling is establishing contact and identification. | Until withdrawal of the Data Subject’s consent/6 months. | |
8. Other special data processing activities
8.1 Data processing for marketing purposes
Purpose of the data processing providing the Data Subject with informative material, promotions, offers about the Data Controller's services and, as a result, acquiring business
Scope of processed data: The Data Subject’s e-mail address, phone number, postal address and consent granted for being contacted for direct marketing purposes.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: as a general rule, until withdrawal of the consent by the Data Subject.
8.2. Data processing for market research and opinion poll purposes
Purpose of the data processing: if the Data Subject has granted his/her consent to the processing of his/her data for opinion poll and market research purposes, the Data Controller will contact the Data Subject by using his/her provided data (name, e-mail address, phone number and mailing address) in order to set up an anonymous research sample that does not include personal data, and service development based on the data.. The Data Controller will use the data used for the above-defined purposes for making statistics in a manner unsuitable for identifying the person who has provided the data.
Scope of processed data: The Data Subject’s e-mail address, phone number, postal address, consent granted for being contacted for market research and opinion poll purposes, market research and contact lists.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: until withdrawal of the consent by the Data Subject.
8.3. Extraordinary events – Damage incidents
Purpose of the data processing: administration/arrangement of damage claims.
Scope of processed data: Name, mother’s name, postal address, bank account number of the Data Subject, name of the insurance company, insurance policy number, name, badge number, phone number of the person proceeding on behalf of the authority, invoice, tortfeasor’s declaration, protocol drawn up on the damage, damage incident file, and, eventually expert(s’) opinion.
Legal basis for the data processing: The Data Controller’s or a third party’s legitimate interest (Article 6 (1) f) of the Regulation).
Duration of the data processing: 5 years in case of documents used for the arrangement/administration of damage claims, and 8 years in case of the issued invoices and transaction certificates.
Data transfer: documentations generated in the course of the arrangement/administration of damage claims are necessarily sent to the competent insurance companies and insurance brokers for assessment of the damage claim. If the complexity of the case justifies, an expert or an official body might also be involved.
8.4. Profiling in a system that supports bulk mailing
The purpose of data processing: to record and maintain the contact details (name, email address) necessary for communication with the Data Subject, for providing information by electronic means related to the use of public services, and for sending marketing messages and offers. To collect and monitor data on the delivery result and readership of emails, statistically analyse clicks on links in mailings using a heat map, identify the most cost-effective way to deliver mail, and identify and develop transparent, understandable, and user-friendly information. The heat map (profile) is only processed and analysed in an aggregated and anonymous way.
Scope of data processed: Name and email address of the Data Subject as recipient, the fact of successful/unsuccessful delivery of the email, the time of delivery, the time of opening the letter, whether the link embedded in the letter was clicked (heat map).
Legal basis for processing: Legitimate interest of the controller or a third party (Article 6(1)(f) of the Regulation).
Time of data processing: Based on the validity of the consent to the processing of the e-mail addresses of the Data Subjects, with the data automatically deleted upon the expiry of consent (e.g. revocation). The general retention period for correspondence stored in the electronic information system which is not part of the master data is 5 years.
8.5. Property and asset protection
8.5.1. Camera system
The Data Controller is considered a body fulfilling a public service mission and it operates, in compliance with its statutory obligations, an electronic surveillance and recording system (hereinafter: camera system) in its premises, central office building and customer service offices for the purpose of protecting property and assets, the critical infrastructure, preventing, detecting and proving any breach of law, catching those who breach the law in the act and protecting human life and preventing bodily injury. The Data Controller meets its obligation to inform those concerned by warning pictograms indicating the locations of the cameras and by a summarizing information leaflet. A separate Privacy Policy Information has been drawn up concerning the camera system, which is accessible from the following site: https://www.vizmuvek.hu/en/data-protection.
Purpose of the data processing: to ensure protection of property and assets in the Data Controller's premises.
Scope of processed data: Name, residential address, number of ID document and phone number (in case of a partner card) of the Data Subject.
Legal basis for the data processing: it is necessary for the performance of a task by the Data Controller carried out in the public interest (Article 6 (1) e) of the Regulation). In the case of partner cards, the Data Controller processes the Data Subject’s phone number on the basis of his/her consent (Article 6 (1) a) of the Regulation).
Duration of the data processing: The validity of a visitor’s card expiries upon it has been returned to the receptionist and the corresponding data will be erased from the access control system within 24 hours. Data relevant to partner cards will be deleted from the access control system after 6 months have lapsed from the date of their return to the receptionist or withdrawal.
Purpose of the data processing providing the Data Subject with informative material, promotions, offers about the Data Controller's services and, as a result, acquiring business
Scope of processed data: The Data Subject’s e-mail address, phone number, postal address and consent granted for being contacted for direct marketing purposes.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: as a general rule, until withdrawal of the consent by the Data Subject.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| The Data Subject's e-mail address, phone number and postal address | Consent as legal basis (Article 6 (1) a) of the Regulation) |
Delivery of information materials, promotions and offers on the Data Controller's services to the Data Subject. The purpose of data controlling is business acquisition. | Until withdrawal of the Data Subject’s consent. | |
8.2. Data processing for market research and opinion poll purposes
Purpose of the data processing: if the Data Subject has granted his/her consent to the processing of his/her data for opinion poll and market research purposes, the Data Controller will contact the Data Subject by using his/her provided data (name, e-mail address, phone number and mailing address) in order to set up an anonymous research sample that does not include personal data, and service development based on the data.. The Data Controller will use the data used for the above-defined purposes for making statistics in a manner unsuitable for identifying the person who has provided the data.
Scope of processed data: The Data Subject’s e-mail address, phone number, postal address, consent granted for being contacted for market research and opinion poll purposes, market research and contact lists.
Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).
Duration of the data processing: until withdrawal of the consent by the Data Subject.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| The Data Subject's e-mail address, phone number and postal address | Consent as legal basis (Article 6 (1) a) of the Regulation) |
In the case of the Data Subject's consent for public opinion and market research, the Data Controller uses the data provided by the Data Subject (name, e-mail address, telephone number, mailing address) for the purpose of compiling an anonymous research sample that does not contain personal data, to contact the Data Subject, and to develop the services based on the data. The Data Controller uses the data used for the previously defined purposes for statistical purposes in a way that is not suitable for personal identification. | Until withdrawal of the Data Subject’s consent. | |
8.3. Extraordinary events – Damage incidents
Purpose of the data processing: administration/arrangement of damage claims.
Scope of processed data: Name, mother’s name, postal address, bank account number of the Data Subject, name of the insurance company, insurance policy number, name, badge number, phone number of the person proceeding on behalf of the authority, invoice, tortfeasor’s declaration, protocol drawn up on the damage, damage incident file, and, eventually expert(s’) opinion.
Legal basis for the data processing: The Data Controller’s or a third party’s legitimate interest (Article 6 (1) f) of the Regulation).
Duration of the data processing: 5 years in case of documents used for the arrangement/administration of damage claims, and 8 years in case of the issued invoices and transaction certificates.
Data transfer: documentations generated in the course of the arrangement/administration of damage claims are necessarily sent to the competent insurance companies and insurance brokers for assessment of the damage claim. If the complexity of the case justifies, an expert or an official body might also be involved.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| Name, mother’s name, postal address, bank account number of the Data Subject, name of the insurance company, insurance policy number, name and address of the witness(es), name, badge number, phone number of the person proceeding on behalf of the authority, invoice, tortfeasor’s declaration, protocol drawn up on the damage, damage incident file, and, eventually expert(s’) opinion | Legitimate interest as legal basis (Article 6 (1) f) of the Regulation) |
It is inevitable that the Data Controller manages and processes, either as injured party or tortfeasor, personal data relating to third parties for the purpose of arranging/administering damage claims. | For 5 years pursuant to Section 6:22 (1) of the Civil Code. | |
| Invoices and transaction certificates issued | Legitimate interest as legal basis (Article 6 (1) f) of the Regulation) |
It is inevitable that the Data Controller manages and processes, either as injured party or tortfeasor, personal data relating to third parties for the purpose of arranging/administering damage claims. | For 8 years following the year when the last accounting document was issued (Article 169 of the Sztv.) | |
8.4. Profiling in a system that supports bulk mailing
The purpose of data processing: to record and maintain the contact details (name, email address) necessary for communication with the Data Subject, for providing information by electronic means related to the use of public services, and for sending marketing messages and offers. To collect and monitor data on the delivery result and readership of emails, statistically analyse clicks on links in mailings using a heat map, identify the most cost-effective way to deliver mail, and identify and develop transparent, understandable, and user-friendly information. The heat map (profile) is only processed and analysed in an aggregated and anonymous way.
Scope of data processed: Name and email address of the Data Subject as recipient, the fact of successful/unsuccessful delivery of the email, the time of delivery, the time of opening the letter, whether the link embedded in the letter was clicked (heat map).
Legal basis for processing: Legitimate interest of the controller or a third party (Article 6(1)(f) of the Regulation).
Time of data processing: Based on the validity of the consent to the processing of the e-mail addresses of the Data Subjects, with the data automatically deleted upon the expiry of consent (e.g. revocation). The general retention period for correspondence stored in the electronic information system which is not part of the master data is 5 years.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period |
|---|---|---|---|
| Name and email address of the Data Subject as recipient, the fact of successful/unsuccessful delivery of the email, the time of delivery, the time of opening the letter, whether the link embedded in the letter was clicked (heat map). | Legitimate interest as a legal basis (Article 6(1)(f) of the Regulation) |
Communication to the Data Subject, electronic information related to the use of public services, and the registration and maintenance of contact details (name, email address) for sending marketing messages and offers. To collect and monitor data on the delivery result and readership of emails, statistically analyse clicks on links in mailings using a heat map, identify the most cost-effective way to deliver mail, and identify and develop transparent, understandable, and user-friendly information. |
Until the withdrawal of the Data Subject's consent to the processing of his/her email address / the general retention period for mail qualifying as non-personal data stored in the mail system is 5 years. |
8.5. Property and asset protection
8.5.1. Camera system
The Data Controller is considered a body fulfilling a public service mission and it operates, in compliance with its statutory obligations, an electronic surveillance and recording system (hereinafter: camera system) in its premises, central office building and customer service offices for the purpose of protecting property and assets, the critical infrastructure, preventing, detecting and proving any breach of law, catching those who breach the law in the act and protecting human life and preventing bodily injury. The Data Controller meets its obligation to inform those concerned by warning pictograms indicating the locations of the cameras and by a summarizing information leaflet. A separate Privacy Policy Information has been drawn up concerning the camera system, which is accessible from the following site: https://www.vizmuvek.hu/en/data-protection.
8.5.2. Access control system
Purpose of the data processing: to ensure protection of property and assets in the Data Controller's premises.
Scope of processed data: Name, residential address, number of ID document and phone number (in case of a partner card) of the Data Subject.
Legal basis for the data processing: it is necessary for the performance of a task by the Data Controller carried out in the public interest (Article 6 (1) e) of the Regulation). In the case of partner cards, the Data Controller processes the Data Subject’s phone number on the basis of his/her consent (Article 6 (1) a) of the Regulation).
Duration of the data processing: The validity of a visitor’s card expiries upon it has been returned to the receptionist and the corresponding data will be erased from the access control system within 24 hours. Data relevant to partner cards will be deleted from the access control system after 6 months have lapsed from the date of their return to the receptionist or withdrawal.
| Scope of processed data | Legal basis | Purpose of the data processing | Retention time period | |
|---|---|---|---|---|
| Name, residential address and personal identity document number of the Data Subjects | Performance of a task carried out in the public interest as legal basis (Article 6 (1) e) of the Regulation) |
The Data Controller processes the Data Subjects’ data for the purpose of protecting property, assets and key infrastructure. |
For 24 hours in case of visitors/while in case of partners, for 6 months following the termination of the contractual partnership relationship. | |
| Data Subject’s phone number, in case of partner cards | Consent as legal basis (Article 6 (1) a) of the Regulation) |
The Data Controller manages and processes the Data Subject’s phone number for the purpose of contact keeping. . |
Until withdrawal of the Data Subject’s consent/ for 6 months following the submission or revocation of the partner card. | |
9. Transmission of data and activities performed by data processors
9.1 Data transfer
AData may be disclosed to Recipients only on the basis of the Data Subject’s consent, performance of a contract, authorisation granted by a statute or legitimate interest of the Data Controller or a third party concerned by the data transfer.
The Data Controller will inform the Data Subject (if it is possible, necessary and reasonable) already at the time of conclusion of the contract, capturing the data or prior to the data transfer about the fact, legal basis and purpose of the data transfer, about the eventually applicable limitations and the rights of the Data Subject.
The Data Controller provides data regularly to governmental bodies determined in a legislative act, at intervals and with content defined by the legislative act. When disclosing personal data to Recipients, the Data Controller bears in mind that the public authorities which can have access to personal data under a case study in accordance with EU law or the law of the member state are not considered Recipients.
In case of ad hoc provision of data based on requirements laid down in a legal act (e.g.: data request received from an investigative authority, public prosecutor’s office, court, national security service, a public notary, the tax authority) the Data Controller will ascertain the legal basis of the data processing in each case and should any doubt arise, it will involve a legal expert.
It is the proceeding governmental body authorised to request data that is responsible in each case for the lawfulness of the data request, the Data Controller has limited opportunity and responsibility. The Data Controller excludes any liability for damages or loss eventually suffered by the Data Subject as a consequence of fulfilment of data provisioning obligations towards the authorities.
It will transmit personal data only if its legal basis is unequivocal and its purpose and the identity of the recipient of the data transfer is clearly defined. It will document the data transfer in each case in a way so that its course and lawfulness can be proven.
In addition to the above, the Data Controller transmits personal data to Recipients only if the Data Subject has given his/her consent to it in an unequivocal way. In case of data transfer subject to consent from the Data Subjects, the Data Subject will make his/her statement in knowledge of the identity of the recipient and of the purpose of the data transfer.
The Data Controller will log the data transfers in order that it can be established to whom, on the basis of what legal basis and for what purpose it transmits the personal data. The data captured in the electronic log can be made known and used only for the purpose of controlling the lawfulness of the data processing, enforcing the data security requirements and for conducting a criminal proceeding. The above prohibitions and limitations are governing for the case of termination of the customer relation as well. The Data Controller reserves the right to transfer its receivables to (a) third parti(es) by assignment, in accordance with the rules laid down in the Civil Code. Upon the assignment the identity of the obligee will change and the Data Controller will transfer the data related to the assigned claim to the party having the status of new obligee.
The Data Controller as a business association fulfilling a public service mission is subject to the scope of application of the regulations on protection of the documents of archives. Pursuant to Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives, data generated at the Data Controller qualify as public records, for the retention and storage of which the provisions of the Act referred to, the document management regulations issued on the basis of the Act and an archive plan are governing.
The Data Controller will keep records on the archives according to the relevant regulations even if the purpose of the processing of the personal data included in the document has ceased to exist. In this case the legal basis for the data processing is, in accordance with Article 89 (1) of the Regulation, processing for archiving purposes in the public interest according to the statutory provisions on archives and their documents.
The Data Controller will provide information to the Data Subjects, upon request, about the rules and regulations relevant to the retention and storing of documents of archives.
The following Table summarizes the recipients of regular data transfers by the Data Controller, along with the legal bases for data transfer relevant to them and the scope of the Data Subjects affected:
Data transfers performed by the Budapest Waterworks regularly
9.2. Data processing
The Data Controller reserves the right to use the services of data processors in fulfilling its activities, on the basis of a permanent or ad hoc mandate. The Data Controller is obliged at the same time, in outsourcing certain public service activities carried out by it (use of the services of a data processor) to inform or obtain a preliminary authorisation from the Hungarian Energy and Public Utility Regulatory Authority of and for the outsourcing, in accordance with Article 45 of the Vksztv. A mandate for permanent data processing may primarily be given for fulfilling administrative tasks related to customer relations and provision of services, as well as for maintenance of the IT system. Services of a data processor may only and exclusively be used on the basis of a written contract. The Data Controller determines the data processor’s rights and obligations in relation to processing of personal data within the frames and limits defined by the relevant statutes. The Data Controller is responsible and accountable for the lawfulness of instructions related to data processing operations.
The Data Controller ensures, by stipulating contractual provisions providing sufficient guarantee and by taking appropriate organisational and technical measures, that during the data processor’s activities the rights of the Data Subjects are not violated and that the data processor can get to know personal data of if it is indispensable for fulfilling its tasks.
If it is possible for the Data Controller, it will inform the Data Subjects about the fact that it uses Data processors (and their identity) and about the activities they are authorised to perform, already at the time of capturing the data. Upon request, the Data Controller will provide information, even beyond the scope of information included in the relevant information leaflet, to the Data Subjects about the identity of the data processor, the details of the data processing activity it carries out, thus especially about the operations performed and the instructions given to the data processor.
The scope of data processors the services of which the Data Controller uses is continuously changing.
The Data Processor uses the services of the following undertakings and persons as data processors under a long-term data processing commission:
List of undertakings performing data processing activities for Budapest Waterworks
AData may be disclosed to Recipients only on the basis of the Data Subject’s consent, performance of a contract, authorisation granted by a statute or legitimate interest of the Data Controller or a third party concerned by the data transfer.
The Data Controller will inform the Data Subject (if it is possible, necessary and reasonable) already at the time of conclusion of the contract, capturing the data or prior to the data transfer about the fact, legal basis and purpose of the data transfer, about the eventually applicable limitations and the rights of the Data Subject.
The Data Controller provides data regularly to governmental bodies determined in a legislative act, at intervals and with content defined by the legislative act. When disclosing personal data to Recipients, the Data Controller bears in mind that the public authorities which can have access to personal data under a case study in accordance with EU law or the law of the member state are not considered Recipients.
In case of ad hoc provision of data based on requirements laid down in a legal act (e.g.: data request received from an investigative authority, public prosecutor’s office, court, national security service, a public notary, the tax authority) the Data Controller will ascertain the legal basis of the data processing in each case and should any doubt arise, it will involve a legal expert.
It is the proceeding governmental body authorised to request data that is responsible in each case for the lawfulness of the data request, the Data Controller has limited opportunity and responsibility. The Data Controller excludes any liability for damages or loss eventually suffered by the Data Subject as a consequence of fulfilment of data provisioning obligations towards the authorities.
It will transmit personal data only if its legal basis is unequivocal and its purpose and the identity of the recipient of the data transfer is clearly defined. It will document the data transfer in each case in a way so that its course and lawfulness can be proven.
In addition to the above, the Data Controller transmits personal data to Recipients only if the Data Subject has given his/her consent to it in an unequivocal way. In case of data transfer subject to consent from the Data Subjects, the Data Subject will make his/her statement in knowledge of the identity of the recipient and of the purpose of the data transfer.
The Data Controller will log the data transfers in order that it can be established to whom, on the basis of what legal basis and for what purpose it transmits the personal data. The data captured in the electronic log can be made known and used only for the purpose of controlling the lawfulness of the data processing, enforcing the data security requirements and for conducting a criminal proceeding. The above prohibitions and limitations are governing for the case of termination of the customer relation as well. The Data Controller reserves the right to transfer its receivables to (a) third parti(es) by assignment, in accordance with the rules laid down in the Civil Code. Upon the assignment the identity of the obligee will change and the Data Controller will transfer the data related to the assigned claim to the party having the status of new obligee.
The Data Controller as a business association fulfilling a public service mission is subject to the scope of application of the regulations on protection of the documents of archives. Pursuant to Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives, data generated at the Data Controller qualify as public records, for the retention and storage of which the provisions of the Act referred to, the document management regulations issued on the basis of the Act and an archive plan are governing.
The Data Controller will keep records on the archives according to the relevant regulations even if the purpose of the processing of the personal data included in the document has ceased to exist. In this case the legal basis for the data processing is, in accordance with Article 89 (1) of the Regulation, processing for archiving purposes in the public interest according to the statutory provisions on archives and their documents.
The Data Controller will provide information to the Data Subjects, upon request, about the rules and regulations relevant to the retention and storing of documents of archives.
The following Table summarizes the recipients of regular data transfers by the Data Controller, along with the legal bases for data transfer relevant to them and the scope of the Data Subjects affected:
Data transfers performed by the Budapest Waterworks regularly
9.2. Data processing
The Data Controller reserves the right to use the services of data processors in fulfilling its activities, on the basis of a permanent or ad hoc mandate. The Data Controller is obliged at the same time, in outsourcing certain public service activities carried out by it (use of the services of a data processor) to inform or obtain a preliminary authorisation from the Hungarian Energy and Public Utility Regulatory Authority of and for the outsourcing, in accordance with Article 45 of the Vksztv. A mandate for permanent data processing may primarily be given for fulfilling administrative tasks related to customer relations and provision of services, as well as for maintenance of the IT system. Services of a data processor may only and exclusively be used on the basis of a written contract. The Data Controller determines the data processor’s rights and obligations in relation to processing of personal data within the frames and limits defined by the relevant statutes. The Data Controller is responsible and accountable for the lawfulness of instructions related to data processing operations.
The Data Controller ensures, by stipulating contractual provisions providing sufficient guarantee and by taking appropriate organisational and technical measures, that during the data processor’s activities the rights of the Data Subjects are not violated and that the data processor can get to know personal data of if it is indispensable for fulfilling its tasks.
If it is possible for the Data Controller, it will inform the Data Subjects about the fact that it uses Data processors (and their identity) and about the activities they are authorised to perform, already at the time of capturing the data. Upon request, the Data Controller will provide information, even beyond the scope of information included in the relevant information leaflet, to the Data Subjects about the identity of the data processor, the details of the data processing activity it carries out, thus especially about the operations performed and the instructions given to the data processor.
The scope of data processors the services of which the Data Controller uses is continuously changing.
The Data Processor uses the services of the following undertakings and persons as data processors under a long-term data processing commission:
List of undertakings performing data processing activities for Budapest Waterworks
10. Rights and legal remedies
| Rights | Explanations | |||
|---|---|---|---|---|
| 1. | Information and access to personal data | The Data Subject has the right to get to know his/her personal data stored by the Data Controller, to get and control the information related to their processing, and is entitled to get access to the personal data (e.g. information about the purpose and legal basis of the processing, when will the data be erased, request a copy of the contract and get the voice recording). | ||
| 2. | Right to rectification and to supplement the personal data | The Data Subject has the right to contact the Data Controller in order to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. (e.g. in case of a change in her/her name, for providing a new phone number). | ||
| 3. | Right to restriction of processing | The Data Subject has the right to obtain from the Data Controller restriction of processing where one of the following applies: • the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data, • the data processing is unlawful and the Data Subject opposes the erasure of the data, s/he’d rather request the restriction of their use, • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims, • the Data Subject objects to the processing: in such a case the restriction will concern the period pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject. |
||
| 4. | Right to erasure (“right to be forgotten”) | The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: • the personal data are no longer necessary in relation to the purposes for which the Data Controller collected or otherwise processed them, • the Data Subject withdraws his/her consent on which the processing is based, and where there is no other legal ground for the processing, • the Data Subject objects to the processing on grounds relating to his or her particular situation, and there are no legitimate grounds for the processing, • the Data Subject objects to processing of personal data concerning him or her for direct marketing purposes, including profiling, if it is related to direct marketing, • the personal data are unlawfully processed by the Data Controller; • the personal data have been collected in relation to the offer of information society services intended directly for children. The Data Subject may not exercise his/her right to erasure/right to be forgotten to the extent that processing is necessary: • for exercising the right of freedom of expression and information; • for reasons of public interest in the area of public health; • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or • for the establishment, exercise or defence of legal claims. |
||
| 5. | Right to data portability | The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to and stored in the Data Controller’s system and use them further on for his/her own purposes, where the processing is based on consent or a contract, and the processing is carried out by automated means. This entitlement is limited to the scope of data provided by the Data Subject in each case, there is no opportunity for data portability concerning other data (e.g. statistics). | ||
| 6. | Right to object to the processing of personal data | The Data Subject has right to object at any time to processing of personal data concerning him or her which is based on the legal basis that processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (e.g.: profiling, direct marketing), or the legal basis that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In such a case our Company may no longer process the personal data unless our Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. | ||
The Data Controller will inform the Data Subject of the measures it has taken without undue delay, within 30 days from the date of receipt of any request. If the Data Subject has submitted the request in an electronic way, the Data Controller will provide the information also electronically, except if the Data Subject requests it otherwise.
Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either charge a reasonable fee for satisfying the request or refuse to act on the request. The Data Controller is to bear the burden of demonstrating the manifestly unfounded or excessive character of the request. If there arises a doubt on the Data Controller’s side as to the identity of the natural person submitting the request, it may ask the provision of further information for confirming the identity of the person submitting the request.
The Data Subject can resort directly to the Data Controller’s data protection officer with general questions concerning data protection: Károly Gróf; phone number: +36 (1) 465 2400; e-mail: adatvedelem@vizmuvek.hu; mailing address: Budapest Waterworks Co. Ltd. 1397 Budapest, Pf. 512.
In relation to the lawfulness of the processing of his/her personal data by the Data Controller, the Data Subject may initiate a procedure to be conducted by the Hungarian National Authority for Data Protection and Freedom of Information (abbreviated name: NAIH; registered office: 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf. 9., website: www.naih.hu, phone number: +36 (1) 391 1400, fax: +36 (1) 391 1410, central e-mail address: ugyfelszolgalat@naih.hu), or may turn to the regional court competent for his/her place of residence („right to an effective judicial remedy”).
Within five years following the Data Subject’s death, the rights vested on the deceased person in his/her life may be exercised by a person authorised by the Data Subject by an administrative instruction or by a statement made at the Data Controller in a public document or in a private document with full probative force. If the Data Subject did not make such a legal statement, a close relative as defined in the Civil Code is also entitled to enforce the rights vested on the deceased person in his/her life within five years following the Data Subject’s death, even failing such a legal statement. The person who exercises the Data Subject’s rights can prove the fact and date of the Data Subject’s death by presenting the death certificate or a court decision, and may prove his/her own identity – and his/her quality as close relative – by a public document.
11. Data Security
The Data Controller will take every required and necessary measure in order to ensure security of the data, provide for an appropriate level of protection and prevent any unauthorised access and change to them, and prevent them from transmission, disclosure, deletion or destruction, as well as accidental destruction or damage.
The Data Controller will choose and operate such IT assets for the processing of the personal data that guarantee that the processed data are accessible only to authorised persons (availability), the authenticity of the data is ensured (authenticity of data processing), it can be proven that they are unchanged (data integrity), and they are protected against unauthorised access (data confidentiality).
Each IT system and assets used in the management, processing and record keeping on personal data by the Data Controller are accessible only to employees entitled to perform data processing, thereby the integrity of the data is ensured.
In carrying out mass data processing tasks in its internal administration system, the Data Controller also uses such robotised, new, innovative data processing technologies, which are suitable for replacing live human resources and allow at least partially automatised data processing.
The Data Controller decided on the usability of robotised technologies and remote meter reading systems depending on the data protection impact assessment conducted prior to using and operating such robotised technologies and remote meter reading systems.
The Data Controller also introduces appropriate organisational measures in order to ensure data security.
If a personal data breach occurs, the Data Controller will inform the Data Subject – except if the data breach does not entail risks concerning the rights and freedoms of natural persons – and the supervisory authority of the data breach without undue delay, but not later than within 72 hours. In order to control the measures related to the data breach, inform the supervisory authority and inform the Data Subject, the Data Controller keeps records, which include the scope of personal data affected by the data breach, the scope and number of data subjects affected, as well as the date, circumstances and impacts of the data breach and the measures taken for eliminating it.
The Data Controller will choose and operate such IT assets for the processing of the personal data that guarantee that the processed data are accessible only to authorised persons (availability), the authenticity of the data is ensured (authenticity of data processing), it can be proven that they are unchanged (data integrity), and they are protected against unauthorised access (data confidentiality).
Each IT system and assets used in the management, processing and record keeping on personal data by the Data Controller are accessible only to employees entitled to perform data processing, thereby the integrity of the data is ensured.
In carrying out mass data processing tasks in its internal administration system, the Data Controller also uses such robotised, new, innovative data processing technologies, which are suitable for replacing live human resources and allow at least partially automatised data processing.
The Data Controller decided on the usability of robotised technologies and remote meter reading systems depending on the data protection impact assessment conducted prior to using and operating such robotised technologies and remote meter reading systems.
The Data Controller also introduces appropriate organisational measures in order to ensure data security.
If a personal data breach occurs, the Data Controller will inform the Data Subject – except if the data breach does not entail risks concerning the rights and freedoms of natural persons – and the supervisory authority of the data breach without undue delay, but not later than within 72 hours. In order to control the measures related to the data breach, inform the supervisory authority and inform the Data Subject, the Data Controller keeps records, which include the scope of personal data affected by the data breach, the scope and number of data subjects affected, as well as the date, circumstances and impacts of the data breach and the measures taken for eliminating it.
12. Miscellaneous provisions
The Data Controller reserves the right to amend this Privacy Policy Information unilaterally, by providing preliminary information to the Data Subjects via the Website.
Budapest Waterworks
