Privacy policy

1. Introduction

Fővárosi Vízművek Zártkörűen Működő Részvénytársaság (Waterworks of Budapest Private Company Limited by Shares) (registered seat: 1138 Budapest, Váci út 182., company registration number: 01-10-042451; websites: https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/; https://vizallovedelem.hu; hereinafter: Company/Data Controller) devotes special attention so that its activities comply with the effective statutory requirements, especially with those laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation/GDPR) (hereinafter: Regulation), with the expectations and practices required vis-a-vis and from the water utility service providing sector.

The Data Controller intends to ensure transparency of its data processing activities by issuing this Privacy Policy Information (hereinafter: Information) and by provisions laid down in its related internal policies and regulations, and at the same time inform its customers, applicants and those interested or other natural persons (hereinafter: Data Subjects) of the opportunities provided by their right of self-determination and freedom of information.

The aim of this Information is, on the one hand, to define the lawful conditions and framework of data processing activities affecting personal data and pursued by the Data Controller, ensuring thereby the enforcement of the Data Subjects’ right of self-determination, and, on the other hand, to provide detailed information to the Data Subjects about their rights and the legal remedies available for them, as well as about the measures taken for ensuring the security of their personal data.

The Data Controller has appointed a data protection officer pursuant to Article 37 (1) a) of the Regulation. Contact details of the data protection officer appointed by the Data Controller: Károly Gróf; phone number: 36 1 465 2400; e-mail: adatvedelem@vizmuvek.hu; Postal address: Fővárosi Vízművek Zrt. 1397 Budapest, Pf. 512.

Structure of this Information:
1. Introduction
2. Scope of application of the Information
3. Purpose of the data processing
4. Processing of personal data by main types of the Data Subjects
5. Data processing activities in relation to the public service contract
6. Other data processing activities not related to public service contract
7. Data processing activities associated with the Websites operated by the Company (On-line customer service; Data processing related to surveys and questionnaires; data processing in relation to the Recruitment portal; Entry into contact by way of on-line forms)
8. Other special data processing activities (Data processing for marketing purposes; Data processing with a market research or opinion poll purpose; Profiling in a system that supports bulk mailing; Extraordinary events and damage incidents; Property and asset protection)
9. Transmission of data and activities performed by data processors
10. Rights and legal remedies
11. Data Security
12. Miscellaneous provisions

Should you have a question which is not clearly clarified in this Information, please contact our data protection officer directly as explained in the Introduction or in Section 10 of this Information.

2. Scope of application of the Information

The scope of application of this Information extends

to any data processing activity pursued by the Company as public utility service provider concerning the data of natural persons that are is a customer relationship with the Company, that wish to enter into customer relationship with the Company, that are related to persons being in a customer relationship with the Company in a way so that the processing of their personal data is necessary for the fulfilment of the Company’s service providing activities, and
any data processing activity pursued by the Company not as a public utility service provider concerning the data of natural persons that are is a customer relationship with the Company, that wish to enter into customer relationship with the Company, that are related to persons being in a customer relationship with the Company in a way so that the processing of their personal data is necessary for the fulfilment of the Company’s service providing activities, and
services provided and data processing activities performed in association with the websites https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/; https://www.vizallovedelem.hu operated by the Company, excluding the website related to the WaterPlus Card (www.vizpluszkartya.hu);
data processing performed by the Company for marketing, market research and opinion poll purposes, as well as data processing activities related to extraordinary events and damage incidents;
data processing activities related to property and asset protection performed by the Company concerning the Data Subjects (Section 8.4.) and data processing concerning the data of persons being in other contractual relationship with the Company.

Unless otherwise provided, the scope of application of the Information does not extend to

services or data processing activities associated with the services, other campaigns of and content published by third parties eventually advertising or appearing in any other way on the Website;
services and data processing activities of websites or service providers, to which links placed on this Website lead.

3. Purpose of the data processing

The primary purpose of data processing by the Data Controller in association with the fulfilment of its public service mission is the performance, establishment and maintenance of contracts concluded with its Customers and providing service at an appropriate quality level, with special regard to the provisions of Act CCIX of 2011 on water public utility service (hereinafter: Vksztv.) and those laid down in Government Decree no. 58/2013. (II. 27.) on the implementation of certain provisions of Act CCIX of 2011 on water public utility service (hereiafter: Vhr.). The Data Controller processes personal data for the purpose they were requested. The data processing is conform to its purpose in each phase of the processing. The data are captured and processed in a fair and lawful way. The Data Controller will make every endeavour so that only personal data that are indispensable and suitable for the fulfilment of the purpose of the data processing are processed. Personal data may be processed only to the extent and for a time period required for the fulfilment of the purpose.

The following purposes may serve as grounds for data processing by the Data Controller:

providing service on the basis of the contract concluded with the Customer, and for this reason, identification of the delivery point, examination and making the delivery point suitable for service provision;
determining eligibility for the service;
keeping record on protected user status and processing of special personal data providing grounds for it;
metering of the service provided to the Customer, ensuring the service quality and meeting the service volume requirements;
metering the service item and reading the consumption meter;
determining payment liabilities, billing and management of receivables;
identification of Customers, Applicants, Interested parties and other Data Subjects;
keeping contact with Customers, Applicants, Interested parties and other Data Subjects, management, registration and investigation of their complaints, reports and requirements;
enforcement of claims deriving from a legal relationship;
direct marketing, market research and opinion polls;
on-line customer service via the Website;
enhancement of the Website.

4. Processing of personal data by main types of the Data Subjects

The following types of natural persons may characteristically be Data Subjects of personal data processed in association with the Data Controller’s activities:

Customer (a natural person who concludes a contract with the Data Controller for the provision of public utility and/or not a public utility service)
Registered user (a natural person who has registered him/herself on the Website)
User not having registered on the Website (a natural person who has contacted the Company on the Website without registration)
Applicant (a natural person who enters into contact with the Data Controller for the purpose of using a service, but the contractual relation for delivery of the service will be established later or will not be established at all)
Other Data Subject (a natural person who visits the Website, and/or subscribed for the Data Controller’s newsletter, and/or is a party concerned in a damage incident, and/or who wishes to enter the premises of the Data Controller)
Data of natural persons other than Customers (a natural person who is the owner registered in the property records for the delivery point, or a natural person who acts as representative in representation of a natural person or a legal entity as provided for in Section 6:11 of the Civil Code)

5. Data processing activities in relation to the public service contract

The data processing activities pursued by the Data Controller have in general a mixed legal basis, i.e. they contain data processing authorisations that are based on contract, a legal act, the Data Controller’s legitimate interest or the Data Subject’s consent.

Personal data of the Data Subjects may get into the Data Controller’s possession in the following ways: Primarily by an act of the Data Subject to make them available directly in order to establish and perform the contract, secondly, in the course of data capturing from the Data Subject (by phone/customer service) and thirdly, by data transmission by the data processor entrusted by the Data Controller to keep contact with the Data Subject.

The Data Controller stores the available data for a time period determined in the legal statutes in a way adapted to the various purposes and legal bases of data retention, or, in the absence of relevant statutory provisions, until termination of the data processing purpose and then it will erase the data by taking the Data Subject’s and its own interests into account. The maximum time period for the data processing varies depending on the kind of legal basis the processing of the Data Subject’s data is based and is adjusted to the time period during which the purpose of the data processing persists.

The Table below summarizes the type of data processed by the Data Controller in association with the fulfilment of its public service mission, together with the relevant legal bases and retention periods related to them:

Data processing activities in relation to the public service contract
	Scope of processed data	Legal basis	Purpose of the data processing	Retention time period
5.1.	Natural identification data of the Customer (name, address, mother’s name, place and date of birth)	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes the Customer’s data in order to be able to identify him/her properly.	For 8 years following the year in which the last accounting document was issued in relation to the contract (Article 169 of the Act C of 2000 on Accounting (hereinafter: Sztv.))
5.2.	Data of the owner of the delivery point	Legal basis based on contract (Article 6 (1) b) of the Regulation)	Primarily the data of the owner of the delivery point may be processed pursuant to Article 2, point 6 of the Vksztv. If the conclusion of the contract or the provision of the service is not possible without the provision of the actual owner’s data, the owner’s personal data will be processed by the Data Controller.	For 8 years following the termination of the contractual legal relationship.
5.3.	Data of the owner of the delivery point	Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	The Data Controller processes the data of the owner of the delivery point on the basis of his/her underlying liability as provided for in Article 2 point 6 of Vksztv., for the purpose of recovering receivables.	With a view to the provisions of Section 5.2., for 8 years following the termination of the contractual legal relationship/until a decision is made by the Data Controller upon objection by the Data Subject.
5.4.	Natural identification data of the Applicant (name, address, mother’s name, place and date of birth)	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes the Applicant’s data in order to be able to identify the Applicant properly.	For 3 year from receipt of the form.
5.5.	Technical data related to the Data Subjects’ property	Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	Such data are captured for recording the technical data related to water supply and sewage services in properties located in our service area. (E.g.: service pipe connection drawing, internal water network drawing, certificate of ownership and data concerning the planned water demand)	Until the expiry of the validity of the Data Controller’s Operator license/until a decision is made by the Data Controller upon objection by the Data Subject.
5.6.	Phone number and e-mail address necessary for keeping contact with the Data Subject	Consent as legal basis (Article 6 (1) a) of the Regulation)	If the Data Subject or the representative of the community – thus especially the house representative – grants his/her consent, the Data Controller will process his/her phone number and e-mail address for keeping contact.	Until withdrawal of the consent/for 6 months following the termination of the established contractual legal relationship.
5.7.	Phone number and e-mail address necessary for keeping contact with the Data Subject	Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	In the case of data necessary for contact keeping, the Data Controller may process phone number for purposes other than the original purpose of the data processing, in order to coordinate the date and time of work to be accomplished on the site, or even for the purpose of recovering eventual arrears from the Data Subject or preventing accumulation of debts.	For 6 months following the termination of the contractual legal relationship/until a decision is made by the Data Controller upon objection by the Data Subject.
5.8.	Data concerning the Data Subject’s consumption and the provision and usage of the service	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The processing of such data are closely interrelated with the performance of the contract. The Data Controller manages and processes data generated in the course of the performance of the contract, with special regard to bill data, requests and claim reports received from the customer, documents, minutes and protocols drawn up in the course of service provision.	For 8 years following the termination of the contractual legal relationship.
5.9.	Data Subject’s complaint in relation to service provision and usage	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation)(Article 17/B. (5) of the Fogytv.)	Processing of such data is closely interrelated with consumer protection legal regulations and with the performance of the contract, therefore, the Data Controller processes the complaints raised in order to comply with its statutory obligations.	For 5 years, pursuant to Section 6:22. (1) of the Act V of 2013 on the Civil Code (hereinafter: Civil Code).
5.10.	Data concerning fees and costs payable and paid by the Data Subjects, data on receivables	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes all the data that are related to the Data Subject’s payment liability and based on which it can be determined whether the Data Subject has met or failed to meet his/her payment liability.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
5.11.	Data required for proving a change of consumer	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes a copy of the deed/document required to prove the change (e.g. purchase and sale contract, contract of donation, lease contract). The Data Subject has the right to delete (cover) the data from/in the copy, which are not necessary for proving the change of consumer.	For 8 years following the termination of the contractual legal relationship.
5.12.	Copy of and data contained in deeds serving for substantiating a legal relationship	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller makes a copy of deeds serving for proving certain legal relationships/legal statuses (such as: certificate of civil status, certificate of ownership, protocol on transfer into possession, owner’s consent, resolution of a Municipality) in order to verify data accuracy and determine the existence of a legal relationship. Identity-card type personal documents are an exception to this rule, the Data Controller does not make copy of such documents.	For 8 years following the termination of the contractual legal relationship.
5.13.	Identification data of delivery point(s) and metering instruments	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller manages and processes technical and technological data related to the delivery point and the metering devices and assigns them to the Data Subject, such as the manufacturing number, the device point number, the VIPAK seal number and its expiry.	After 8 years have lapsed from the date of termination of the public service contract, the correlation between the Data Subject and the identification data will be terminated. The data concerning the delivery point and the technical data of the metering devices will not be erased themselves, they will be retained until the expiry of the validity of the Data Controller’s Operator license.
5.14.	GPS coordinates of the delivery point and the metering devices	Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	Based on its legitimate interest, the Data Controller makes photos of the metering devices and technical facilities in the course of reading the metering devices and technical investigations, at the occasion of which it also captures data on the GPS coordinates of the metering device.	After 8 years have lapsed from the date of termination of the public service contract, the correlation between the Data Subject and the data on the delivery point will be terminated. The data concerning the delivery point and the GPS coordinates of the metering devices will not be erased themselves, they will be retained until the expiry of the validity of the Data Controller’s Operator license.
5.15.	Data of natural persons involved in acting on the basis of a power of attorney or as representatives	Legal basis based on contract (Article 6 (1) b) of the Regulation)	In such a case the data of the person authorised to proceed in administrative matters related to the public service may be processed. The Data Subject will provide the following data as a minimum content requirement: name, place and date of birth, mother’s name, address and signature.	During the validity term of the power of attorney and the authorisation for acting as representative/ for 5 years, as provided for in Section 6:16 of the Civil Code.
5.16.	Phone conversation with the Call Centre	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 17/B. of the Fogytv.)	The Data Controller records and processes the voice recording made of the phone conversation between the Data Subject and the Call Centre in compliance with the requirements prescribed by the relevant statutes – primarily by the Act on consumer protection.	For 5 years from the date of the voice recording (Article 17/B. (3) of the Fogytv.).
5.17.	Voice recording on a conversation and administration at a personal customer care point	Consent as legal basis (Article 6 (1) a) of the Regulation)	Voice recording is necessary for our Company for the purpose of capturing the precise content of the arrangement/administration, quality assurance, improving the efficiency of quality control and preventing misuse of powers and rights.	Withdrawal of the consent/for 5 years from the date of the voice recording.
5.18.	Data generated in the course of entry into contact with the Customer Service	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 89/C. (1) of the Vhr.)	The Customer Service processes the data generated in the course of the relation between the Data Subjects and the Customer Service for the purposes of arranging/administering the matters that have arisen.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
5.19.	Deeds proving a user status to be protected	Statutory obligation as legal basis (Article 6 (1) c) and Article 9 (2) b) of the Regulation) (Article 61/A. of the Vksztv.)	In order to ensure the discounts/allowances for which the protected users are eligible, the Data Controller keeps records, from which it can be clearly determined to which of the discounts/allowances the data subject is entitled. The Data Subject must initiate his/her registration in the records and he/she has to attach to his/her application the documents proving that he/she belongs to the scope of protected users as defined in Government Decree 58/2013. (II.27.).	The data erased from the records, for 5 years from the date of erasure (Article 61/A. (7) of Act CCIX of 2011 on water public utility service)

6. Other data processing activities not related to public service contract

The Table below summarizes the types of data processed by the Data Controller not directly in relation to the fulfilment of a public service mission but in association with the provision of other services (e.g.: laboratory services, water pipe fitting service, watertight protection, detection of pipe bursts, measurement of the water yield of fire hydrants, lease of properties) or other financial transactions (e.g.: issuance of bills), as well as the relevant legal bases and retention periods related to them:

Other data processing activities not related to public service contract
	Scope of processed data	Legal basis	Purpose of the data processing	Retention time period
6.1.	Applicant’s data (name, address, mother’s name, place and date of birth)	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes such data for the purpose of identifying the Customer properly and preparing an offer for him/her.	For six months from the date of placement of the order, if the contract fails to be established.
6.2.	Customer’s data (name, address, mother’s name, place and date of birth)	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller processes such data for the purpose of identifying the Customer properly and making out bills for him/her.	For 8 years following the year when the last accounting document was issued under the relevant contract (Article 169 of the Sztv.)
6.3.	Phone number and e-mail address necessary for keeping contact with the Data Subject	Consent as legal basis (Article 6 (1) a) of the Regulation)	If the Data Subject or the representative of the community – thus especially the house representative – grants his/her consent, the Data Controller will process his/her phone number and e-mail address for keeping contact.	Until withdrawal of the consent/for 6 months following the termination of the established contractual legal relationship.
6.4.	Data of natural persons involved in acting on the basis of a power of attorney or as representative	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The data of the person authorised by power of attorney will be primarily processed for the purpose of arranging/administering the service requested.	During the validity term of the power of attorney and the authorisation for acting as representative/ for 5 years, as provided for in Section 6:16 of the Civil Code.
6.5.	Data concerning the provision and usage of the service concerned	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The processing of such data is closely interrelated with the performance of the contract. The Data Controller manages and processes the data generated during the performance of the contract, thus especially the form in which the the service request has been submitted, the order form, the job card and the performance certificate.	For 8 years following the termination of the contractual legal relationship.
6.6.	Data Subject’s complaint in relation to service provision and usage	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 17/A. (6) of the Fogytv.)	Processing of such data is closely interrelated with consumer protection legal regulations and with the performance of the contract, therefore, the Data Controller processes the complaints raised in order to comply with its statutory obligations.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
6.7.	Data concerning fees and costs payable and paid by the Data Subjects, data on receivables	Legal basis based on contract (Article 6 (1) b) of the Regulation)	The Data Controller manages and processes all the data that are related to the Data Subject’s payment liability and based on which it can be determined whether the Data Subject has met or failed to meet his/her payment liability.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
6.8.	Data generated in the course of entry into contact with the Customer Service	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 89/C. (1) of the Vhr.)	The Customer Service processes the data generated in the course of the relation between the Data Subjects and the Customer Service for the purposes of arranging/administering the matters that have arisen.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
6.9.	Phone conversation with the Call Centre	Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 17/B. of the Fogytv.)	The Data Controller records and processes the voice recording made of the phone conversation between the Data Subject and the Call Centre in compliance with the requirements prescribed by the relevant statutes – primarily by the Act on consumer protection.	For 5 years from the date of the voice recording (Article 17/B. (3) of the Fogytv.).
6.10.	Voice recording on a conversation and administration at a personal customer care point	Consent as legal basis (Article 6 (1) a) of the Regulation)	Voice recording is necessary for our Company for the purpose of capturing the precise content of the arrangement/administration, quality assurance, improving the efficiency of quality control and preventing misuse of powers and rights.	Withdrawal of the consent or for 5 years from the date of the voice recording.

7. Data processing activities associated with the Websites operated by the Company
(https://www.vizmuvek.hu; https://ugyfelszolgalat.vizmuvek.hu/; https://www.vizallovedelem.hu)

A separate Privacy Policy Information has been drawn up concerning the management of cookies used on our Websites, which is accessible from the following site: https://www.vizmuvek.hu/en/data-protection

7.1. Data processing activities at the on-line Customer Service

The Data Controller operates an on-line customer service as an electronic service for its Customers. The purpose of the on-line customer service is to ensure reception of electronic inquiries from the Customers and display contract-related data for the registered Customers. Our existing and future Customers can use the services provided by the on-line customer service even without registration, but certain categories of arrangement/administration (e.g. service request submission, ordering services) are subject to registration. In case of inquiries initiated with or without registration the personal data provided will be assigned in the Company’s central database to the Data Subject being in a public service or other contractual legal relationship with the Company and later on the legal bases, data processing purposes and retention time periods specified in Chapters 5 and 6 will be governing for such personal data.

7.1.1. Registration

There are four ways available for the Data Subjects for initiating registration for the purpose of using the on-line administration services.

In case of registration with the data of the Ügyfélkapu (Client Gateway) the Data Subjects can use the Data Controller's on-line administration services by using their username and password registered for their own Ügyfélkapu. As far as the identification process subject to providing the data of the Ügyfélkapu is concerned, the governmental body responsible for the central state electronic services (Central Client Registration Records), i.e. the minister responsible for e-government is considered as Data Controller. Information concerning data processing related to identification by using the Ügyfélkapu data are provided and for the data subjects’ exercising their rights is ensured by the Ministry of the Interior (as Data Controller). In order that the registration be successful, the Data Subject has to provide at the occasion of the registration, in addition to identifying the natural person, data requested on the registration data sheet (e-mail address, phone number, device point ID number).

In case of registration other than by using Ügyfélkapu data the Data Subject is to provide the data requested in the registration data sheet (Data Subject’s name, e-mail address, phone number, device point ID number, current account ID number, business partner number, manufacturing number of the device). The Data Controller reserves the right to prescribe the provision of certain data in the registration data sheet as a condition for the registration (E.g.: e-mail address for the confirmation of the registration), and to change the data content of the registration data sheet, delete certain data field or to create new ones, especially if it is made necessary or justified by the users’ needs or changes in relevant legislation. The Data Controller will inform the Data Subjects of the changes in each case.

In case of pre-registration, if the Data Subject has an e-mail address and consent for it associated with a service legal relationship, or he/she launches an administration process at the On-line Customer Service, in that case the Company will pre-register the Data Subject at its On-line Customer Service. The Data Subject will be informed of the pre-registration in a confirmation e-mail. The confirmation e-mail will contain a “Confirm registration and provide a new password” link. If the Data Subject wants to use the registration opportunity, he/she can continue the registration process by clicking on the link. Failing confirmation, the Data Subject’s pre-registration will be automatically deleted after 30 days have lapsed. The Company’s aim with the pre-registration is to ensure the provision of the services offered by the On-line Customer Service, by simplifying the registration process.

In case of registration combined with arrangement/administration of a matter, in submitting his/her request, the Data Subject is to provide the data necessary for the registration, in addition to those needed for the arrangement/administration of the matter (e-mail address, phone number). After having admitted the request, the Data Controller performs the registration of the Data Subject to the on-line customer service.

Scope of processed data: Name, e-mail address, phone number, device point ID number, manufacturing number of the device of the Data Subject. If the registration is made by using Ügyfélkapu data, the scope of the processed data will extend to the mother’s name of the Data Subject and the place and date of his/her birth.

Purposes for which the data stored in the On-Line Customer Service system are used:

The data controller stores the e-mail address, name, password and profile data belonging to the registration also in its on-line customer service system and uses them for log into the on-line customer service, generating password reminders and sending validating e-mails.

Purposes for which the data stored in the Data Controller’s system and related to a registration are used:

log into the on-line customer service, identification of the Data Subject, provision of services offered by the on-line portal;
provision of services subject to registration to the on-line customer service, such as, among others: sending e-mail notifications about the reading reporting periods, issuing bills, notifications about the date and time of on-the-spot work accomplishment, confirmation on the launching of an administration process;
sending notifications about changes made to and opportunities offered by the on-line customer service.

Legal basis for the data processing: as a general rule, the Data Subject’s consent (Article 6 (1) a) of the Regulation), and in case of pre-registration, the Company’s legitimate interest (Article 6 (1) f) of the Regulation). In case of registration by using Ügyfélkapu data, the legal basis for the data processing for the data regarding the mother’s name, place and date of birth of the Data Subject is a statutory provision as provided for in Article 6 (1) c) of the Regulation.

Duration of the data processing: the Data Controller will process the data until the consent is withdrawn or the registration is deleted.

Storage and access to the processed data:

The Data Controller assigns the data provided in the course of the registration to the data of the Data Subject being in an identified public service legal relationship with it, or managed under other, non-public service legal relationship and will manage and process them as defined in Chapters 5 and 6.

The data provided under the registration process will be processed by the Data Controller and will not be transmitted to any data processor or other data controllers. Such persons – especially agents and employees – acting on behalf of the Data Controller will have access to the data, who need to know them in order to fulfil their duties, and who are aware of their obligations with regard to managing such data.

7.1.2. Management of inquiries not involving registration

The data provided in the course of inquiries launched without and not resulting in registration will be captured in the Company's central database. If the report in question can be assigned to an existing or a newly contracting Data Subject as far as its subject-matter is concerned, in that case, the report will be assigned in the central database to the Data Subject being in the corresponding public service legal relationship or in other, non-public service contractual relationship with the Data Controller and will be further managed and processed as defined in Sections 5 and 6. If the report in question cannot be assigned, as far as its subject-matter is concerned, to any contracted Data Subject, in that case it will be further managed and processed according to the provisions of Section 6. A confirmation e-mail will be sent about the successful report to the e-mail address provided at the occasion of making the report, but the e-mail address provided will not be used further in the future by the Data Controller.

In case of inquiries launched without and not resulting in registration, the Data Controller manages and processes the following data, by groups of matters of administration:

In case of meter index reporting: the Data Subject will be identified on the basis of the device point ID number and manufacturing number of his/her meter, the reported data will be processed meter index number, photo, any remark).

In case of launching an administration process – by providing the data of the meter: the Data Subject will be identified on the basis of the device point ID and manufacturing number of his/her meter. The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry.

In case of launching an administration process – without providing the data of the meter: The e-mail address and phone number provided in making the report will be captured as data for contact keeping for the concerned inquiry. They will be used for sending notifications on the successful report and about information related to the report and its arrangement/administration.

Making an appointment for a personal customer care point (coordination of date and time): the Data Subject has to provide his/her e-mail address. The Data Controller will use the e-mail address provided exclusively for the following purpose and then it will delete it: sending a confirmation e-mail about the date and time of the appointment, confirmation on success of cancellation of the appointment if made so, notification of the Data Subject about the closing hours of the customer care point and on the deletion of the appointment reserved.

7.1.3. Management of registered inquiries

The Data Controller will manage and process the data provided at the on-line customer service for reporting a request or for launching and administration process, as defined in Chapters 5 and 6. The on-line customer service does not store these data, it only ensures an electronic interface for launching and displaying administration processes, replacing thereby the paper-based administration.

7.2. Data processing in relation to surveys and questionnaires concerning the Data Controller

The Data Controller determines the scope of personal data processed and managed during the surveys and in the questionnaires, by respecting the principle of “purpose limitation”.

Purpose of the data processing: Surveying Customer (the Data Subjects’) satisfaction and adapting the services offered by the Data Controller to the needs and expectations on the basis of the result of the survey.

Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).

Duration of the data processing: the Data Controller manages and processes the data provided until the consent is withdrawn, except if a statute prescribes the obligation of data processing.

Data processing in relation to surveys and questionnaires concerning the Data Controller
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		The Data Subject's e-mail address, phone number and postal address		Consent as legal basis (Article 6 (1) a) of the Regulation)	Surveying Customer (the Data Subjects’) satisfaction and adapting the services offered by the Data Controller to the needs and expectations on the basis of the result of the survey.	Until withdrawal of the Data Subject’s consent.

7.3. Data processing activities on the Recruitment portal

Purpose of data processing on the Recruitment portal: search for future employees for the Data Controller, keeping records about the job-seekers, providing tailored services for the applicants, storing CVs, sending notifications to the applicants. The Data Subjects provides the data for the Data Controller for the purpose of establishing an employment relationship.

Scope of processed data: The Data Subject’s name, date of birth, e-mail address, phone number, postal address, CV, photo, motivation letter, and the document(s) certifying his/her qualification.

Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).

Duration of the data processing: as a general rule, until withdrawal of the consent by the Data Subject. The Data Controller manages and processes the data provided on the Recruitment portal for 12 months from the last log-in to the portal, the time period of processing non-confirmed registration requests is 30 days. The Data Subject is entitled to have his/her CV deleted, and cancellation of the registration made on the Recruitment portal is also ensured by the Data Controller.

Data processing activities on the Recruitment portal
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		The Data Subject’s name of birth, e-mail address, phone number, postal address, CV, photo, motivation letter, and the document(s) certifying his/her qualification.		Consent as legal basis (Article 6 (1) a) of the Regulation)	The Data Controller has set up a Recruitment portal for the purposes of searching for potential employees, keeping records about the job-seekers, providing tailored services for the applicants, storing CVs, sending notifications to the applicants.	Until withdrawal of the Data Subject’s consent/for 30 days/12 months.

7.4. Entry into contact by way of an on-line form

There is an opportunity for the Data Subject to enter into contact with the Data Controller via its Website and to initiate the ordering of various services, enrol for participation at certain events, and for using that opportunity he/she has to fill in an on-line form in order to enter into contact with the Data Controller.

Purpose of the data processing: enter into contact with the Data Subject and identify the Data Subject.

Scope of processed data: Name, e-mail address and phone number of the Data Subject.

Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).

Duration of the data processing: the Data Controller will manage and process the data until withdrawal of the consent, or if an order is placed for a service, for 8 years following the performance of the service, or if no service is used, in that case for 6 months.

Entry into contact by way of an on-line form
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		Name, e-mail address and phone number of the Data Subject		Consent as legal basis (Article 6 (1) a) of the Regulation)	The Data Subject is to provide the data requested on the on-line form serving for entry into contact with the Data Controller.	Until withdrawal of the Data Subject’s consent/for 8 years/6 months.

8. Other special data processing activities

8.1. Data processing for marketing purposes

Purpose of the data processing: forwarding of information leaflets, offers and information about campaigns related to the Data Controller’s services to the Data Subject.

Scope of processed data: The Data Subject’s e-mail address, phone number, postal address and consent granted for being contacted for direct marketing purposes.

Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).

Duration of the data processing: as a general rule, until withdrawal of the consent by the Data Subject.

Data processing for marketing purposes
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		The Data Subject's e-mail address, phone number and postal address		Consent as legal basis (Article 6 (1) a) of the Regulation)	Forwarding of information leaflets, offers and information about campaigns related to the Data Controller’s services to the Data Subject.	Until withdrawal of the Data Subject’s consent.

8.2. Data processing for market research and opinion poll purposes

Purpose of the data processing: if the Data Subject has granted his/her consent to the processing of his/her data for opinion poll and market research purposes, the Data Controller will contact the Data Subject by using his/her provided data (name, e-mail address, phone number and mailing address) in order to set up an anonymous research sample that does not include personal data. The Data Controller will use the data used for the above-defined purposes for making statistics in a manner unsuitable for identifying the person who has provided the data.

Scope of processed data: The Data Subject’s e-mail address, phone number, postal address, consent granted for being contacted for market research and opinion poll purposes, market research and contact lists.

Legal basis for the data processing: the Data Subject’s consent, in each case (Article 6 (1) a) of the Regulation).

Duration of the data processing: until withdrawal of the consent by the Data Subject.

Data processing for market research and opinion poll purposes
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		The Data Subject's e-mail address, phone number and postal address		Consent as legal basis (Article 6 (1) a) of the Regulation)	If the Data Subject has granted his/her consent to the processing of his/her data for opinion poll and market research purposes, the Data Controller will use the Data Subject's provided data (name, e-mail address, phone number and mailing address) for setting up an anonymous research sample that does not include personal data.	Until withdrawal of the Data Subject’s consent.

8.3. Extraordinary events – Damage incidents

Purpose of the data processing: administration/arrangement of damage claims.

Scope of processed data: Name, mother’s name, postal address, bank account number of the Data Subject, name of the insurance company, insurance policy number, name, badge number, phone number of the person proceeding on behalf of the authority, invoice, tortfeasor’s declaration, protocol drawn up on the damage, damage incident file, and, eventually expert(s’) opinion.

Legal basis for the data processing: The Data Controller’s or a third party’s legitimate interest (Article 6 (1) f) of the Regulation).

Duration of the data processing: 5 years in case of documents used for the arrangement/administration of damage claims, and 8 years in case of the issued invoices and transaction certificates.

Data transfer: documentations generated in the course of the arrangement/administration of damage claims are necessarily sent to the competent insurance companies and insurance brokers for assessment of the damage claim. If the complexity of the case justifies, an expert or an official body might also be involved.

Extraordinary events – Damage incidents
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		Name, mother’s name, postal address, bank account number of the Data Subject, name of the insurance company, insurance policy number, name and address of the witness(es), name, badge number, phone number of the person proceeding on behalf of the authority, invoice, tortfeasor’s declaration, protocol drawn up on the damage, damage incident file, and, eventually expert(s’) opinion		Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	It is inevitable that the Data Controller manages and processes, either as injured party or tortfeasor, personal data relating to third parties for the purpose of arranging/administering damage claims.	For 5 years pursuant to Section 6:22 (1) of the Civil Code.
		Invoices and transaction certificates issued		Legitimate interest as legal basis (Article 6 (1) f) of the Regulation)	It is inevitable that the Data Controller manages and processes, either as injured party or tortfeasor, personal data relating to third parties for the purpose of arranging/administering damage claims.	For 8 years following the year when the last accounting document was issued (Article 169 of the Sztv.)

8.4. Profiling in a system that supports bulk mailing

The purpose of data processing: to record and maintain the contact details (name, email address) necessary for communication with the Data Subject, for providing information by electronic means related to the use of public services, and for sending marketing messages and offers. To collect and monitor data on the delivery result and readership of emails, statistically analyze clicks on links in mailings using a heat map, identify the most cost-effective way to deliver mail, and identify and develop transparent, understandable, and user-friendly information. The heat map (profile) is only processed and analyzed in an aggregated and anonymous way.

Scope of data processed: Name and email address of the Data Subject as recipient, the fact of successful/unsuccessful delivery of the email, the time of delivery, the time of opening the letter, whether the link embedded in the letter was clicked (heat map).

Legal basis for processing: Legitimate interest of the controller or a third party (Article 6(1)(f) of the Regulation).

Time of data processing: Based on the validity of the consent to the processing of the e-mail addresses of the Data Subjects, with the data automatically deleted upon the expiry of consent (e.g. revocation). The general retention period for correspondence stored in the electronic information system which is not part of the master data is 5 years.

Profiling in a system that supports bulk mailing
		Data Processed		Legal basis	Purpose of the data processing	Retention period
		Name and email address of the Data Subject as recipient, the fact of successful/unsuccessful delivery of the email, the time of delivery, the time of opening the letter, whether the link embedded in the letter was clicked (heat map).		Legitimate interest as a legal basis (Article 6 (1) f) of the Regulation)	Communication to the Data Subject, electronic information related to the use of public services, and the registration and maintenance of contact details (name, email address) for sending marketing messages and offers. To collect and monitor data on the delivery result and readership of emails, statistically analyze clicks on links in mailings using a heat map, identify the most cost-effective way to deliver mail, and identify and develop transparent, understandable, and user-friendly information.	Until the withdrawal of the Data Subject's consent to the processing of his/her email address / the general retention period for mail qualifying as non-personal data stored in the mail system is 5 years.

8.5. Property and asset protection

8.5.1. Camera system

The Data Controller is considered a body fulfilling a public service mission and it operates, in compliance with its statutory obligations, an electronic surveillance and recording system (hereinafter: camera system) in its premises, central office building and customer service offices for the purpose of protecting property and assets, the critical infrastructure, preventing, detecting and proving any breach of law, catching those who breach the law in the act and protecting human life and preventing bodily injury. The Data Controller meets its obligation to inform those concerned by warning pictograms indicating the locations of the cameras and by a summarizing information leaflet. A separate Privacy Policy Information has been drawn up concerning the camera system, which is accessible from the following site: https://www.vizmuvek.hu/hu/adatkezeles.

8.5.2. Access control system

Purpose of the data processing: to ensure protection of property and assets in the Data Controller's premises.

Scope of processed data: Name, residential address, number of ID document and phone number (in case of a partner card) of the Data Subject.

Legal basis for the data processing: it is necessary for the performance of a task by the Data Controller carried out in the public interest (Article 6 (1) e) of the Regulation). In the case of partner cards, the Data Controller processes the Data Subject’s phone number on the basis of his/her consent (Article 6 (1) a) of the Regulation).

Duration of the data processing: The validity of a visitor’s card expiries upon it has been returned to the receptionist and the corresponding data will be erased from the access control system within 24 hours. Data relevant to partner cards will be deleted from the access control system after 6 months have lapsed from the date of their return to the receptionist or withdrawal.

Access control system
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		Name, residential address and personal identity document number of the Data Subjects		Performance of a task carried out in the public interest as legal basis (Article 6 (1) e) of the Regulation)	The Data Controller processes the Data Subjects’ data for the purpose of protecting property, assets and key infrastructure.	For 24 hours in case of visitors/while in case of partners, for 6 months following the termination of the contractual partnership relationship.
		Data Subject’s phone number, in case of partner cards		Consent as legal basis (Article 6 (1) a) of the Regulation)	The Data Controller manages and processes the Data Subject’s phone number for the purpose of contact keeping.	Until withdrawal of the Data Subject’s consent/for 6 months.

8.5.3. Permission for entry to a protected area

Purpose of the data processing: providing the opportunity for the Data Subject for staying in certain parts of the protected areas.

Scope of processed data: Name, e-mail address, personal identity document number and signature of the Data Subject.

Legal basis for the data processing: it is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6 (1) c) of the Regulation).

Duration of the data processing: The data will be processed in the year the permission is applied for. If a given permission expires and its validity is not extended, in that case the Data Controller will erase the data from its system after 6 months have lapsed from the date of expiry of the permission. If the Data Subject requests erasure of his/her data prior to the expiry of such 6 months, in that case the Data Controller will take measures without delay in order to erase them. If the data have been erased, the permission will be withdrawn and there will not be opportunity any more for using it.

Permission for entry to a protected area
		Scope of processed data		Legal basis	Purpose of the data processing	Retention time period
		Data generated in the course of applying for a permission for entry to a protected area		Statutory obligation as legal basis (Article 6 (1) c) of the Regulation) (Article 9/B. of Fbőtv.)	Ensuring the opportunity for staying in certain parts of protected areas for the Data Subject, compliance with a statutory obligation.	For 18 months from receipt of the form.

9. Transmission of data and activities performed by data processors

9.1 Data transfer

Data may be disclosed to Recipients only on the basis of the Data Subject’s consent, performance of a contract, authorisation granted by a statute or legitimate interest of the Data Controller or a third party concerned by the data transfer.

The Data Controller will inform the Data Subject (if it is possible, necessary and reasonable) already at the time of conclusion of the contract, capturing the data or prior to the data transfer about the fact, legal basis and purpose of the data transfer, about the eventually applicable limitations and the rights of the Data Subject.

The Data Controller provides data regularly to governmental bodies determined in a legislative act, at intervals and with content defined by the legislative act. When disclosing personal data to Recipients, the Data Controller bears in mind that the public authorities which can have access to personal data under a case study in accordance with EU law or the law of the member state are not considered Recipients.

In case of ad hoc provision of data based on requirements laid down in a legal act (e.g.: data request received from an investigative authority, public prosecutor’s office, court, national security service, a public notary, the tax authority) the Data Controller will ascertain the legal basis of the data processing in each case and should any doubt arise, it will involve a legal expert.

It is the proceeding governmental body authorised to request data that is responsible in each case for the lawfulness of the data request, the Data Controller has limited opportunity and responsibility. The Data Controller excludes any liability for damages or loss eventually suffered by the Data Subject as a consequence of fulfilment of data provisioning obligations towards the authorities.

It will transmit personal data only if its legal basis is unequivocal and its purpose and the identity of the recipient of the data transfer is clearly defined. It will document the data transfer in each case in a way so that its course and lawfulness can be proven.

In addition to the above, the Data Controller transmits personal data to Recipients only if the Data Subject has given his/her consent to it in an unequivocal way. In case of data transfer subject to consent from the Data Subjects, the Data Subject will make his/her statement in knowledge of the identity of the recipient and of the purpose of the data transfer.

The Data Controller will log the data transfers in order that it can be established to whom, on the basis of what legal basis and for what purpose it transmits the personal data. The data captured in the electronic log can be made known and used only for the purpose of controlling the lawfulness of the data processing, enforcing the data security requirements and for conducting a criminal proceeding. The above prohibitions and limitations are governing for the case of termination of the customer relation as well. The Data Controller reserves the right to transfer its receivables to (a) third parti(es) by assignment, in accordance with the rules laid down in the Civil Code. Upon the assignment the identity of the obligee will change and the Data Controller will transfer the data related to the assigned claim to the party having the status of new obligee.

The Data Controller as a business association fulfilling a public service mission is subject to the scope of application of the regulations on protection of the documents of archives. Pursuant to Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives, data generated at the Data Controller qualify as public records, for the retention and storage of which the provisions of the Act referred to, the document management regulations issued on the basis of the Act and an archive plan are governing.

The Data Controller will keep records on the archives according to the relevant regulations even if the purpose of the processing of the personal data included in the document has ceased to exist. In this case the legal basis for the data processing is, in accordance with Article 89 (1) of the Regulation, processing for archiving purposes in the public interest according to the statutory provisions on archives and their documents.

The Data Controller will provide information to the Data Subjects, upon request, about the rules and regulations relevant to the retention and storing of documents of archives.

The following Table summarizes the recipients of regular data transfers by the Data Controller, along with the legal bases for data transfer relevant to them and the scope of the Data Subjects affected:

Data transfers performed by the Budapest Waterworks regularly

9.2. Data processing

The Data Controller reserves the right to use the services of data processors in fulfilling its activities, on the basis of a permanent or ad hoc mandate. The Data Controller is obliged at the same time, in outsourcing certain public service activities carried out by it (use of the services of a data processor) to inform or obtain a preliminary authorisation from the Hungarian Energy and Public Utility Regulatory Authority of and for the outsourcing, in accordance with Article 45 of the Vksztv. A mandate for permanent data processing may primarily be given for fulfilling administrative tasks related to customer relations and provision of services, as well as for maintenance of the IT system. Services of a data processor may only and exclusively be used on the basis of a written contract. The Data Controller determines the data processor’s rights and obligations in relation to processing of personal data within the frames and limits defined by the relevant statutes. The Data Controller is responsible and accountable for the lawfulness of instructions related to data processing operations.

The Data Controller ensures, by stipulating contractual provisions providing sufficient guarantee and by taking appropriate organisational and technical measures, that during the data processor’s activities the rights of the Data Subjects are not violated and that the data processor can get to know personal data of if it is indispensable for fulfilling its tasks.

If it is possible for the Data Controller, it will inform the Data Subjects about the fact that it uses Data processors (and their identity) and about the activities they are authorised to perform, already at the time of capturing the data. Upon request, the Data Controller will provide information, even beyond the scope of information included in the relevant information leaflet, to the Data Subjects about the identity of the data processor, the details of the data processing activity it carries out, thus especially about the operations performed and the instructions given to the data processor.

The scope of data processors the services of which the Data Controller uses is continuously changing.

The Data Processor uses the services of the following undertakings and persons as data processors under a long-term data processing commission:

List of undertakings performing data processing activities for Budapest Waterworks

10. Rights and legal remedies

Rights and legal remedies
	Rights	Explanations
1.	Information and access to personal data	The Data Subject has the right to get to know his/her personal data stored by the Data Controller, to get and control the information related to their processing, and is entitled to get access to the personal data (e.g. information about the purpose and legal basis of the processing, when will the data be erased, request a copy of the contract and get the voice recording).
2.	Right to rectification and to supplement the personal data	The Data Subject has the right to contact the Data Controller in order to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. (e.g. in case of a change in her/her name, for providing a new phone number).
3.	Right to restriction of processing	The Data Subject has the right to obtain from the Data Controller restriction of processing where one of the following applies: • the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data, • the data processing is unlawful and the Data Subject opposes the erasure of the data, s/he’d rather request the restriction of their use, • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims, • the Data Subject objects to the processing: in such a case the restriction will concern the period pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.
4.	Right to erasure (“right to be forgotten”)	The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: • the personal data are no longer necessary in relation to the purposes for which the Data Controller collected or otherwise processed them, • the Data Subject withdraws his/her consent on which the processing is based, and where there is no other legal ground for the processing, • the Data Subject objects to the processing on grounds relating to his or her particular situation, and there are no legitimate grounds for the processing, • the Data Subject objects to processing of personal data concerning him or her for direct marketing purposes, including profiling, if it is related to direct marketing, • the personal data are unlawfully processed by the Data Controller; • the personal data have been collected in relation to the offer of information society services intended directly for children. The Data Subject may not exercise his/her right to erasure/right to be forgotten to the extent that processing is necessary: • for exercising the right of freedom of expression and information; • for reasons of public interest in the area of public health; • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or • for the establishment, exercise or defence of legal claims.
5.	Right to data portability	The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to and stored in the Data Controller’s system and use them further on for his/her own purposes, where the processing is based on consent or a contract, and the processing is carried out by automated means. This entitlement is limited to the scope of data provided by the Data Subject in each case, there is no opportunity for data portability concerning other data (e.g. statistics).
6.	Right to object to the processing of personal data	The Data Subject has right to object at any time to processing of personal data concerning him or her which is based on the legal basis that processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (e.g.: profiling, direct marketing), or the legal basis that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In such a case our Company may no longer process the personal data unless our Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

The Data Controller will inform the Data Subject of the measures it has taken without undue delay, within 30 days from the date of receipt of any request. If the Data Subject has submitted the request in an electronic way, the Data Controller will provide the information also electronically, except if the Data Subject requests it otherwise.

Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either charge a reasonable fee for satisfying the request or refuse to act on the request. The Data Controller is to bear the burden of demonstrating the manifestly unfounded or excessive character of the request. If there arises a doubt on the Data Controller’s side as to the identity of the natural person submitting the request, it may ask the provision of further information for confirming the identity of the person submitting the request.

The Data Subject can resort directly to the Data Controller’s data protection officer with general questions concerning data protection: Károly Gróf; phone number: +36 (1) 465 2400; e-mail: adatvedelem@vizmuvek.hu; mailing address: Budapest Waterworks Co. Ltd. 1397 Budapest, Pf. 512.

In relation to the lawfulness of the processing of his/her personal data by the Data Controller, the Data Subject may initiate a procedure to be conducted by the Hungarian National Authority for Data Protection and Freedom of Information (abbreviated name: NAIH; registered office: 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf. 9., website: www.naih.hu, phone number: +36 (1) 391 1400, fax: +36 (1) 391 1410, central e-mail address: ugyfelszolgalat@naih.hu), or may turn to the regional court competent for his/her place of residence („right to an effective judicial remedy”).

Within five years following the Data Subject’s death, the rights vested on the deceased person in his/her life may be exercised by a person authorised by the Data Subject by an administrative instruction or by a statement made at the Data Controller in a public document or in a private document with full probative force. If the Data Subject did not make such a legal statement, a close relative as defined in the Civil Code is also entitled to enforce the rights vested on the deceased person in his/her life within five years following the Data Subject’s death, even failing such a legal statement. The person who exercises the Data Subject’s rights can prove the fact and date of the Data Subject’s death by presenting the death certificate or a court decision, and may prove his/her own identity – and his/her quality as close relative – by a public document.

11. Data Security

The Data Controller will take every required and necessary measure in order to ensure security of the data, provide for an appropriate level of protection and prevent any unauthorised access and change to them, and prevent them from transmission, disclosure, deletion or destruction, as well as accidental destruction or damage.

The Data Controller will choose and operate such IT assets for the processing of the personal data that guarantee that the processed data are accessible only to authorised persons (availability), the authenticity of the data is ensured (authenticity of data processing), it can be proven that they are unchanged (data integrity), and they are protected against unauthorised access (data confidentiality).

Each IT system and assets used in the management, processing and record keeping on personal data by the Data Controller are accessible only to employees entitled to perform data processing, thereby the integrity of the data is ensured.

In carrying out mass data processing tasks in its internal administration system, the Data Controller also uses such robotised, new, innovative data processing technologies, which are suitable for replacing live human resources and allow at least partially automatised data processing.

The Data Controller decided on the usability of robotised technologies and remote meter reading systems depending on the data protection impact assessment conducted prior to using and operating such robotised technologies and remote meter reading systems.

The Data Controller also introduces appropriate organisational measures in order to ensure data security.

If a personal data breach occurs, the Data Controller will inform the Data Subject – except if the data breach does not entail risks concerning the rights and freedoms of natural persons – and the supervisory authority of the data breach without undue delay, but not later than within 72 hours. In order to control the measures related to the data breach, inform the supervisory authority and inform the Data Subject, the Data Controller keeps records, which include the scope of personal data affected by the data breach, the scope and number of data subjects affected, as well as the date, circumstances and impacts of the data breach and the measures taken for eliminating it.

12. Miscellaneous provisions

The Data Controller reserves the right to amend this Privacy Policy Information unilaterally, by providing preliminary information to the Data Subjects via the Website.

This Privacy Policy Information is valid as of 01.05.2022

Budapest Waterworks

Tisztelt Felhasználó!