Privacy Policy

Effective from April 17, 2025

I. The Data Controller (Service Provider)

Name of the Service Provider:	InterTicket Ltd.
Registered office and mailing address:	1139 Budapest, Váci út 99.
Registering authority:	Budapest Court as Court of Registration
Company registration number:	Cg. 01-09-736766
Tax number:	10384709-2-41
Email address:	interticket@interticket.hu
Website address:	www.jegy.hu
Customer service availability:	Through chat application from any page of Jegy.hu
Customer service email address:	interticket@interticket.hu For online events (live streaming, video): online@interticket.hu
Complaint handling location and contact details:	1139 Budapest, Váci út 99. Balance Building Through chat application from any page of Jegy.hu interticket@interticket.hu On working days between 10:00 - 16:00
Hosting service provider name:	T-Systems Datapark
Hosting service provider address:	1087 Budapest, Asztalos Sándor u. 13.
Data protection registration identifier:	NAIH-54216/2012.
Data Protection Officer email:	adatvedelmi.tisztviselo@interticket.hu

II. Data Protection Principles Applied by the Company

1. The Service Provider, as data controller, undertakes to ensure that all data processing related to its activities complies with the requirements set out in this policy and in the applicable national legislation, as well as in the legal acts of the European Union.

2. Information about the Service Provider's data processing is continuously available in the footer of the homepage of the Jegy.hu website operated by the Service Provider.

3. The Service Provider is entitled to unilaterally modify this Data Protection Policy. In case of modification of the Data Protection Policy, the Service Provider informs the user of the changes by publishing them on the Jegy.hu page. By using the service after the modification takes effect, the user accepts the modified Data Protection Policy.

4. The Service Provider is committed to protecting the personal data of its customers and partners, and considers respecting its customers' right to informational self-determination as highly important. The Service Provider treats personal data confidentially and takes all security, technical and organizational measures that guarantee the security of the data. The Service Provider's data processing practices are contained in this data protection policy.

5. The Service Provider's data protection principles are in accordance with the current legislation on data protection, particularly with the following:

-Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act);

-Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

-Act V of 2013 - on the Civil Code (Civil Code);

-Act C of 2000 - on Accounting (Accounting Act);

-Act LIII of 2017 - on the Prevention and Combating of Money Laundering and Terrorist Financing (AML Act);

-Act CVIII of 2001 - on certain issues of electronic commerce services and information society services (E-commerce Act);

-Act XLVIII of 2008 - on the basic requirements and certain restrictions of commercial advertising activities (Advertising Act).

6. The Service Provider uses personal data based on the legal basis in the GDPR and exclusively for specified purposes.

7. The Service Provider undertakes to make a clear, attention-grabbing and unambiguous statement before collecting, recording, or processing any Personal Data of its Users, informing them of the method, purpose and principles of data collection. In case of mandatory data provision, the legislation ordering the Data Processing must also be indicated. The data subject must be informed of the purpose of the Data Processing and who will process or handle the Personal Data.

8.In all cases where the Service Provider intends to use the provided Personal Data for a purpose other than the original purpose of data collection, it will inform the user of this and obtain their prior, express consent, or provide them with the opportunity to prohibit such use.

III. The legal basis, purpose and scope of data processing, the duration of data processing, and persons entitled to access personal data

1. The Service Provider's data processing is based on the following legal grounds (GDPR Article 6(1)):

a) The data subject has given consent to the processing of their personal data for one or more specific purposes (voluntary consent);

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (performance of contract);

c) Processing is necessary for compliance with a legal obligation to which the controller is subject (legal obligation);

d) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (legitimate interest).

2. In the case of data processing based on voluntary consent, data subjects may withdraw this consent at any stage of data processing.

3. Incapacitated and partially incapacitated minors may not use services through the Service Provider's system.

4. In certain cases, the processing, storage, and transfer of a certain set of provided data is required by law, of which users will be specifically notified.

5. We draw the attention of those providing data to the Service Provider that if they provide personal data other than their own, it is the responsibility of the data provider to obtain the consent of the data subject.

6. Personal data may only be processed for a specific purpose. Data processing must comply with the purpose of data processing at all stages, and the collection and processing of data must be fair and lawful. Only personal data that is essential for achieving the purpose of data processing, suitable for achieving the goal, can be processed. Personal data may only be processed to the extent and for the time necessary to achieve the purpose. The Service Provider does not use personal data for purposes other than those specified.

7. Online webshop service (purchase of tickets, vouchers, books, audio carriers, parking tickets, etc.) - purchase transaction, admission, notification (one-time purchase)

Purpose of data processing: The purpose of data processing is to provide the webshop service available on the website, to process the order, to serve it, to document the purchase and payment, and to fulfill accounting obligations. The purpose of data processing is also to identify the user as a ticket buyer, as well as to fulfill the ordered service, to send related notifications (technical notifications related to the performance, such as changes to the performance, cancellation, time changes, parking information, etc.), to enable payment processing with the help of the payment provider, to register users, to distinguish them from each other, to transfer admission data to the event organizer, and to fulfill the contract.

Legal basis of data processing: performance of the contract, GDPR Article 6(1)(b).

Scope of processed data: first and last name, phone number (data required by the payment provider, but in case of a change in program, venue, or time, it also allows our customer service or the event organizer to immediately notify the ticket buyer), email address, password provided during pre-registration, delivery address if home delivery is requested, transaction number, date and time, customer code, gift voucher number, culture voucher number.

The scope of processed data also includes - in case the ticket is personalized based on the decision of the event organizer - the name of the legitimate user of the ticket and any other personal data possibly required by the event organizer. Considering that the ticket buyer may differ from the legitimate user of the ticket, if the ticket buyer does not provide their own personal data, by providing the data they guarantee that they have authorization from the data subject to provide the data and make statements regarding data processing, and that the data subject has previously been familiarized with the data processing rules.

Deadline for data deletion: 210 days after the last performance featured in the transaction, in case the performance is held at a specified time. In case of an event without a date, the data will be deleted 18 months after the transaction date. If a transaction includes both performances with a date and without a date, we store the transaction-related data until the latest date calculated according to the above.

Possible consequences of failing to provide data: failure of the purchase transaction.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

7.A. If a legal dispute arises in connection with the purchase transaction during the data retention period indicated in point 7, the Service Provider retains the data within the limitation period (5 years); the legal basis for this is the Service Provider's legitimate interest, GDPR Article 6(1)(f). In all other respects, the rules set out in point 7 apply to this data processing as well.

If due to potential ticket refunds or for other reasons, the buyer's ticket or other product price needs to be refunded, and the buyer did not provide bank details during the purchase or did not pay by bank card, it may become necessary to request the buyer's bank account number or other data required by the financial institution performing the refund. In these cases, the legal basis for data processing is the data subject's voluntary consent (GDPR Article 6(1)(a)). In all other respects, the rules set out in point 7 apply to this data processing as well.

7.B. For certain events, the event organizer may request additional data during ticket or season ticket sales. This may be due to special security checks at the venue (e.g., closed military facilities, guarded state facilities), special admission requirements, legal requirements (e.g., data needed for accommodation booking), or other reasons established by the event organizer. The controller of these data is not INTERTICKET Ltd., but the event organizer. In these data processing operations - based on a data processing agreement concluded with the event organizer - INTERTICKET Ltd. acts as a data processor. The information regarding the processing of these data is prepared by the event organizer as the data controller, the link of which is published on the website used for the purchase.

8. Online season ticket, gift card, discount card, Culture card purchase/renewal

Purpose of data processing: providing the webshop service related to season ticket purchases, gift card/discount card/culture card purchases, processing orders, serving them, documenting purchases and payments, fulfilling accounting obligations. The purpose of data processing is also to identify the user, as well as to fulfill the ordered service, to send related notifications, to enable payment processing with the help of the payment provider, to register users, to distinguish them from each other, to keep records of the balance on the card, to keep records of purchases made with the card, to keep records of discounts and privileges associated with the card, to ensure rights associated with the season ticket (including renewal pre-rights if provided by the event organizer), to fulfill the contract. The purpose of data processing is also to provide information about the annual renewal opportunity of the season ticket (via email or postal mail), to send reminders about the next season ticket performance (via email or postal mail), in case of free season tickets, to send information twice a month about the performances and events at the venue (via email form) - to help the User make their choice.

Legal basis of data processing: performance of the contract, GDPR Article 6(1)(b).

The scope of processed data also includes - in case the season ticket (gift card, discount card or Culture card - hereinafter collectively referred to as season tickets) is personalized based on the decision of the event organizer - the name of the legitimate user of the season ticket and any other personal data possibly required by the event organizer. Considering that the season ticket buyer may differ from the legitimate user of the season ticket, if the season ticket buyer does not provide their own personal data, by providing the data they guarantee that they have authorization from the data subject to provide the data and make statements regarding data processing, and that the data subject has previously been familiarized with the data processing rules.

Deadline for data deletion: for season tickets, 36 months after the transaction date. For gift cards, discount cards, and Culture cards, if the card has an expiry date, 6 months from the expiry date; if the card does not have an expiry date, 18 months after the transaction. If the purchased card is associated with a tax benefit (e.g., Culture card), the data retention period is prescribed by the applicable legislation, the legal basis is GDPR Article 6(1)(c).

Possible consequences of failing to provide data: failure of the purchase transaction.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

8.A. If during the data retention period indicated in point 8, a legal dispute arises in connection with the purchase transaction, the Service Provider retains the data within the limitation period (5 years); the legal basis for this is the Service Provider's legitimate interest, GDPR Article 6(1)(f). In all other respects, the rules set out in point 8 apply to this data processing as well.

If due to potential season ticket/ticket refunds or for other reasons, the buyer's season ticket or other product price needs to be refunded, and the buyer did not provide bank details during the purchase or did not pay by bank card, it may become necessary to request the buyer's bank account number or other data required by the financial institution performing the refund. In these cases, the legal basis for data processing is the data subject's voluntary consent (GDPR Article 6(1)(a)). In all other respects, the rules set out in point 8 apply to this data processing as well.

8.B. For certain events, the event organizer may request additional data during ticket or season ticket sales. This may be due to special security checks at the venue (e.g., closed military facilities, guarded state facilities), special admission requirements, legal requirements (e.g., data needed for accommodation booking), or other reasons established by the event organizer. The controller of these data is not INTERTICKET Ltd., but the event organizer. In these data processing operations - based on a data processing agreement concluded with the event organizer - INTERTICKET Ltd. acts as a data processor. The information regarding the processing of these data is prepared by the event organizer as the data controller, the link of which is published on the website used for the purchase.

9. Registration

Purpose of data processing: Pre-registration with a password makes it possible for the User to provide their data only once and not during each purchase. Certain services on the website are only available to registered Users. Such services include writing blogs and comments, the ability to rate comments, and the follow function (requesting notifications about creators, venues, programs). As a convenience service, in the personal menu section of the website that opens as a personal account, the user can edit their personal data, view and download their tickets, invoices, track their comments, pages they have previously viewed, ratings they have given, modify their follow services and newsletter subscriptions, and if they are a member of a loyalty program, view their points balance. The processing of diverse personal data stored in the account necessarily also means profiling.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: email address, password, and all personal data provided by the User during purchase or in the account: address, billing address, phone contact. The processed data may include products purchased by the User during their orders, time of purchases, invoice, User's comments and their rating, comments rated by the User, ratings of performances, creators, venues, creators, venues, programs followed by the User, pages viewed by them, newsletter subscriptions, and loyalty points.

Deadline for data deletion: The Service Provider processes the provided data until the User - by unsubscribing - prohibits such use of the data. If the User does not perform any activity, thus does not use any service provided by the Service Provider, the Service Provider deletes the registration after 3 years from registration.

Possible consequences of failing to provide data: the user cannot use the website's convenience functions and services.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

10. Notification service

Purpose of data processing: The notification service allows the ticket buyer to use notification services beyond technical information related to the performance (technical notifications related to the performance, such as changes to the performance, cancellation, time changes, parking information, etc.), such as a reminder before the performance, post-performance evaluation, and automatic notifications (cart abandonment reminder, ticket becoming available for purchase again, etc.).

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: email, name, optionally phone number if the buyer wishes to receive notifications by SMS, Facebook Messenger ID if they wish to receive notifications through Messenger chatbot.

Possible consequences of failing to provide data: the user cannot use the website's convenience functions, does not receive notifications about changes.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

11. Invoicing

Purpose of data processing: issuing accounting documents related to purchase transactions and storing them within the time limits specified by law.

Legal basis of data processing: compliance with a legal obligation, GDPR Article 6(1)(c).

Scope of processed data: first and last name, billing address provided for invoice issuance, transaction number, date and time, content of the document, tax number (if provided by the buyer), and email address for sending and possibly resending the invoice.

Deadline for data deletion, duration of data processing: 8 years, or the period specified in the current tax and accounting legislation.

Possible consequences of failing to provide data: failure of the purchase.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service and marketing department staff.

Data processor: The technical conditions for invoicing are provided by: Számlázz.hu, KBOSS.hu Ltd. (tax number: 13421739-2-13, company registration number: 13-09-101824, headquarters: 2000 Szentendre, Táltos u. 22/b).

12. Personalized offers, profiling

Purpose of data processing: Profiling helps ensure that the User encounters relevant, personalized offers in the website's and newsletters' recommendations. Profiling helps the data processor to compile the most suitable offer for its customers.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: email, name, address, information related to website use (time of visit, duration, viewed pages, clicks on pages, search usage), cart usage (order ID, products, their product categories, values), purchases (transaction time, value, product, its category, discount used, payment method), technical information (IP address, cookie ID, browser type, device type, Google, Facebook, Hotjar, Findgore, Prefixbox IDs, source page), newsletter and notification message usage data (email opening time, device, clicked links, purchase data), data related to the blog system usage (comments, ratings, clicked links).

No automated decision-making takes place in connection with profiling.

Logic of profiling: based on the processed data, the recommendation system offers a list of programs deemed most suitable for the buyer to be displayed on the website and in messages sent by the Service Provider.

Possible consequences of failing to provide data: non-relevant offers appear for the User on the website and in newsletters, the User cannot use convenience services tied to registration.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service and marketing department staff.

13. Electronic newsletter

Purpose of data processing: Sending email newsletters containing advertisements to interested parties. If the user subscribes to the newsletter, the Service Provider may send them a newsletter with a frequency at its own discretion. The Service Provider strives, where possible, to offer events in the newsletter that are relevant and of interest to the reader based on residence, previous purchases, and other data collected in the context of profiling.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: name, email address, postal code, phone number, and data collected in the context of profiling.

Deadline for data deletion: The Service Provider processes the provided data until the User - by unsubscribing - prohibits such use of the data. The newsletter can be unsubscribed from by clicking on the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days from the receipt of the request for deletion. If the User does not perform any activity, thus does not use any service provided by the Service Provider, the Service Provider deletes the newsletter subscription after 3 years from subscription.

Possible consequences of failing to provide data: the User does not receive notifications about programs.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service and marketing department staff.

14. Participation in the Service Provider's loyalty program

Purpose of data processing: to ensure participation in the loyalty program announced by the Service Provider for regular buyers of the Jegy.hu website.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: name, email address, postal code, phone number, and data collected in the context of profiling.

Possible consequences of failing to provide data: the User cannot participate in the loyalty program announced by the Service Provider.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

15. Cookie Management

A cookie is an alphanumeric information package with variable content sent by the webserver, which is stored on the User's computer and is stored for a predetermined validity period. The use of cookies allows for querying certain user data and tracking internet usage. Cookies help track the data subject User's interests, internet usage habits, and website visit history to optimize the User's shopping experience. Since cookies function as a kind of label that allows the website to recognize returning visitors, their use can also store valid usernames and passwords on the given page. If the browser returns a previously saved cookie, the cookie manager service provider has the opportunity to connect the user's current visit with previous ones, but only in terms of its own content.

With the help of information sent by cookies, web browsers are more easily recognizable, making it possible for Users to receive relevant and "personalized" content. Cookies make browsing more convenient, including online data security needs and relevant advertisements. With the help of cookies, the Service Provider can also create anonymous statistics about the habits of site visitors, enabling us to better personalize the site's appearance and content.

The Service Provider's website uses two types of cookies:

-Temporary cookies - session cookies essential for using the site. Their use is essential for navigating the website, for the functionality of the website. Without accepting these, the website or parts of it may not appear, browsing becomes hindered, and adding tickets to the cart and bank payment cannot be properly implemented.

-Permanent cookies, which, depending on the web browser's settings, remain on the device for a longer period or until the User deletes them. Among these, we can talk about internal or external cookies. If the Service Provider's web server installs the cookie and the data is forwarded to its own database, we talk about an internal cookie. If the cookie is installed by the Service Provider's web server, but data is transferred to an external service provider, we talk about an external cookie. Such external cookies are also third-party cookies, which are placed in the User's browser by a third party. These are placed in the browser if the visited website uses the services provided by a third party. The purpose of permanent cookies is to ensure the highest possible functioning of the given page in order to increase the user experience.

During the visit to the website, the User can give their consent for permanent cookies to be stored on the User's computer and for the Service Provider to access them by clicking on the cookie warning button on the login page.

The User can set and prevent cookie-related activities using the browser program. Cookie management is usually available in the browsers' Tools/Settings menu under Privacy/History/Custom Settings, labeled as cookie, cookie, or tracking. However, we would like to point out again that without the use of cookies, the User may not be able to use all the services of the website, especially payment services. For more information about cookies, click on the link in the cookie warning bar that appears on the Jegy.hu page.

Purpose of data processing: conducting payment transactions with the payment provider, identifying users, distinguishing them from each other, identifying users' current sessions, storing data provided during those sessions, preventing data loss, identifying users, tracking them, and web analytics measurements.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: identification number, date, time, and the previously visited page.

Duration of data processing: temporary cookies are stored until the user closes all browsers of that type. Permanent cookies are stored for 1 year on the user's computer or until the User deletes them.

Possible consequences of failing to provide data: inability to fully use the website's services, failure of payment transactions, inaccuracy of analytical measurements.

Source of personal data: data automatically generated by the IT system.

Recipients of personal data, categories of recipients: none.

This website uses Microsoft Clarity, a web analytics tool provided by Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). Clarity allows for analyzing website traffic and user interactions. The information obtained helps us improve our website's usability and user experience. The data collection process is carried out through cookies.

The system records and processes the following data: IP address, geolocation data, session identifier, user interactions, clicks, scrolls, mouse movements, unique user identifier, visit date and time.

Collected data is automatically deleted after 13 months. Fields containing sensitive information (such as forms, search fields) are blurred during data collection, and their content is not recorded.

In certain cases, data may also be transferred to the United States, which is a third country outside the European Union and the European Economic Area. Microsoft Corporation has the appropriate data protection certificates, so the data transfer complies with GDPR requirements.

Data processing is based on the user's consent, in accordance with GDPR Article 6(1)(a). The user is entitled to withdraw their consent at any time. Withdrawal of consent does not affect the legality of data processing operations performed prior to the withdrawal.

16. Geolocation

If the User accesses the service from a mobile device (e.g., smartphone), when downloading the application, the program may request permission to use location data for functions requiring geolocation (e.g., use of the "nearby" function).

Purpose of data processing: With the user's permission, the application can offer personalized searches that take into account where the user is located at that moment. Location data, as information, is not stored in the Data Controller's system, it only enables the use of certain functions available in the given transaction (more precise search, "nearby" function, etc.).

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: the user's geographical location at a given time, IP address.

Duration of data processing: 3 days.

Possible consequences of failing to provide data: inability to fully use the mobile device's services.

Source of personal data: data automatically generated by the IT system.

Recipients of personal data, categories of recipients: none.

17. Statistical data

The data controller may use the data for statistical purposes. The use of data in statistically aggregated form shall not contain the name of the data subject user or any other data suitable for their identification in any form.

18. Data Technically Recorded During the Operation of the System

The technically recorded data includes the data of the User's login computer that is generated during the use of the service and is logged by the data controller's system as an automatic result of technical processes (e.g., IP address, session ID). Due to the operation of the internet, these automatically recorded data are automatically logged by the system without a separate statement or action by the User - by using the internet. These data cannot be linked to other User personal data - except in cases where such connection is made mandatory by law. Only the Data Controller has access to the data. Log files that are automatically technically recorded during the operation of the system are stored in the system for a period justified from the point of view of ensuring the system's operation.

19. Recording of Phone Conversations

The Service Provider records incoming and outgoing phone calls to customer service.

Purpose of data processing: enforcement of the rights of customers and the data controller, providing evidence for potential legal disputes, providing evidence for subsequent verification and supporting the irrecoverability of a claim, as well as subsequent proof of agreements, quality assurance, and fulfillment of legal obligations.

Legal basis of data processing: the data subject's voluntary consent.

Scope of processed data: identification number, phone number, called number, date and time of the call, recording of the phone conversation, and other personal data provided during the conversation.

Deadline for data deletion: five years.

Possible consequences of failing to provide data: lack of telephone assistance.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

20. The Service Provider's Customer Correspondence (Email) and Chat Communication

Chat communication is not available on all pages; the relevant data processing rules are applied only if chat communication is used on the given page.

Purpose of data processing: to provide customer service assistance and complaint handling for buyers and users.

Legal basis of data processing: the data subject's voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: The Service Provider processes the email and chat communication received by it together with the data subject's email address, any additional personal data possibly provided by the data subject, as well as date and time data, according to the rules set out in this notice. During chat communication, providing an email address is mandatory because this allows the Service Provider to coordinate parallel complaint handling. Providing additional personal data (name, phone number, etc.) may become necessary during complaint handling for the substantive handling of the request.

Deadline for data deletion: The Service Provider processes the provided data until the User - with an individual request to the Service Provider's customer service - requests its deletion. If the data subject does not state otherwise, the Service Provider deletes the data three years after the complaint is closed. If legislation prescribes a mandatory retention period for documents created during complaint handling, the Service Provider shall keep the relevant documents until the end of the document retention period prescribed by the current legislation.

Possible consequences of failing to provide data: the data subject cannot use the Service Provider's customer service services.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

The Service Provider does not forward personal data to third parties.

21. Web Analytics Measurements

Google Analytics, as an external service provider, helps with the independent measurement of website traffic and other web analytics data. For information about the handling of measurement data, please visit: http://www.google.com/analytics. The Service Provider uses Google Analytics data exclusively for statistical purposes, to optimize the operation of the site.

Source of personal data: data automatically generated by the IT system.

Recipients of personal data, categories of recipients: none.

22. Other Data Processing

We provide information about data processing not listed in this notice at the time the data is collected. We inform our customers that courts, prosecutors, investigative authorities, regulatory authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, and other bodies authorized by law may contact the Service Provider to provide information, communicate data, transfer data, or make documents available. The Service Provider provides personal data to authorities - if the authority has specified the exact purpose and scope of data - only to the extent and to the degree that is essential for the realization of the purpose of the request.

23. The Data Controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the provided data. When providing an email address, any user also assumes responsibility that they are the only one using the service from the provided email address. Due to this responsibility, all liability related to logins from a given email address is exclusively borne by the user who registered that email address. If the user provides personal data other than their own, it is their responsibility to obtain the consent of the data subject.

24. Those entitled to access personal data are the Service Provider's employees or individuals in a contractual relationship with the Service Provider, employees of the courier service involved in product delivery (if the buyer requested delivery), and Data Processors.

III/A. Special data processing related to major sporting events

(specific information regarding major sporting events is presented in italic text for easier readability)

1. According to the agreement between Interticket Ltd. and MLSZ (Hungarian Football Federation), Interticket Ltd. is authorized to sell tickets for Hungarian national team matches based on MLSZ's mandate. The ticket sales process and the essential elements of data processing were jointly determined by MLSZ and Interticket, the ticket sales process is implemented with the cooperation of MLSZ, as MLSZ is the organizer of the matches, so MLSZ and Interticket Ltd. act as joint data controllers during ticket sales.

2. Presentation of specific data processing cases related to certain major sporting events and the scope of processed data

The ticket sales is implemented according to the following data processing process:

a) Ticket purchase online or at the box office with a club card or by providing personal data

b) Verification in the Sports Administration Registry (hereinafter: SRNY) in case of personalized ticket sales

c) Verification of Fan Club membership, validation of discounts

d) Issuance of ticket

e) Ticket exchange

f) Forwarding the ticket barcode to the Puskás Arena entry system

g) Transferring report data to MLSZ

3. Ticket purchase [data processing according to points a)-d)]

Data processing process, purpose and identity of the data controller

The buyer can purchase tickets for Hungarian national team matches held at Puskás Arena both at the box office and online.

Tickets can be purchased in person at InterTicket's nationwide ticket office network. The contact details of the ticket offices can be found on the Jegy.hu website.

Box office ticket purchase

If the buyer wants to buy a ticket at the box office and the sales are personalized, they must provide three mandatory data (name, date and place of birth), which must be entered into Interticket Ltd.'s ticket sales system, and mother's name as optional data.

The purchase can also be made for another person, in which case the data processing does not differ from when someone purchases a ticket in their own name.

Ticket purchase is not generally subject to identity verification. However, MLSZ, as the organizer, may decide to require the buyer to present their Club Card, Football Card (hereinafter collectively: fan card) or ID card during the ticket purchase.

Club Cards issued by club teams can also be used for ticket purchases at matches organized by MLSZ.

The data provided in connection with the ticket purchase is processed by Interticket Ltd., who performs commission sales on behalf of MLSZ. MLSZ's role in data processing is limited to being able to prescribe personalized ticket sales, and processing the provided data for entry and compliance with security regulations, as separately detailed below.

Interticket Ltd. issues an invoice for the purchase to the buyer, for which it processes the buyer's name and address.

The purpose of data processing related to personalized ticket and season ticket sales is to implement ticket sales in accordance with stadium security requirements according to Sports Act 72/B. §.

Based on the referenced legislation, the data may be used for criminal or misdemeanor proceedings initiated due to a crime or misdemeanor committed at the sports event venue or during approach to or departure from the sports event venue, as well as for exclusion from participation in the sports event.

Data processing related to ticket sales in case of the application of an entry system is mandatory based on Sports Act 72. § (3) and (4), but the use of a fan card is only mandatory if MLSZ makes it mandatory for the given match.

Prior to ticket purchase, Interticket Ltd. verifies the existence of discounts due to Fan Club membership and applies discounts in case of personalized ticket sales.

In case of mandatory identity verification:

-for the purchase, the buyer must present their fan card or ID card (in case of purchase on behalf of another person, the fan card or ID card of the person in whose name the ticket will be issued is required),

-with the fan card number (barcode), the name, place and date of birth data (and mother's name data if provided when obtaining the card) required for ticket purchase can be loaded using the fan card register,

-in the absence of this, the data required for ticket purchase is recorded in the system by the cashier based on the provided ID card or fan card data.

If the fan card is not a prerequisite and must be presented for ticket purchase, the data required for ticket purchase is recorded by the cashier based on information provided by the buyer and issues the ticket based on this, but may request presentation of the club card or ID card to verify the data.

However, in case of personalized ticket sales, it must be taken into account that identity verification is also carried out during entry, and if the data on the ticket and the data on the ID card do not match, the buyer cannot be admitted to the match.

The IT system behind the ticket purchase examines, based on the provided buyer data, whether the given person is banned, prohibited or excluded (i.e., it queries the Sports Administration Registry - SRNY).

If there is a match based on the previously provided personal data, the buyer may provide their mother's name even if they did not provide it initially. The system then performs another check. This option is not available to the buyer if they purchase with a Club Card or Football Card.

A person who is in the SRNY for the given match and/or venue cannot purchase a ticket for the match, and a ticket cannot be purchased for such a person.

In case of a positive response (banned/prohibited or excluded status), the personal data of the buyer or the ticket claimant is not stored in the ticket system, but the data of the data subject is available in the SRNY log, which can be traced back to the fact that even the purchase attempt is considered a misdemeanor.

If the buyer or ticket claimant is not in the SRNY, then the personal data required for the buyer's ticket purchase (name, place and date of birth, optionally mother's name) is stored in the database of the central ticket sales IT system.

During personalized ticket sales, the name and date of birth data are also placed on the ticket.

Online ticket purchase

Data required for ticket purchase:

-in case of personalized ticket sales: name, place and date of birth, one optional data: buyer's mother's name, and

-in case of ticket sales tied to a fan card, the card number and PIN code.

During online purchase, ticket purchase takes place in a web system operated by Interticket Ltd. The scope of processed personal data and the ticket purchase process are the same as the process that takes place at the box office.

If ticket sales for a given match are not personalized and purchased online, Interticket Ltd. only processes the data provided by the ticket buyer during registration.

If they provide the data with a club card, they must enter the card number and the associated secret PIN code into the system, and the IT system loads the personal data required for the purchase based on the provided data.

If payment was made by bank card, the buyer themselves provides the data requested by the relevant bank on the payment service provider's own interface; in this regard, Interticket Ltd. does not access the card data, does not perform data processing operations.

Duration of data processing

Interticket Ltd. processes the data provided during registration in the online ticket sales system until the registration is deleted or the consent is withdrawn.

The data processed for ticket sales is deleted from the ticket sales system 60 days after the match - unless the authority authorized to do so calls on MLSZ, as the organizer, to retain the data for a further maximum of 30 days - the personal data is deleted in accordance with legal requirements.

Interticket Ltd. keeps the invoices for 8 years as accounting documents.

Legal basis of data processing

The legal basis for data processing is the legal obligation according to GDPR Article 6(1)(c), as based on Sports Act 72. § (1), the organizer may use a security entry and control system suitable for unique identification of participants (hereinafter: entry system), and in the case of sporting events of high security risk and increased security risk in the sport of football - if the National Police Headquarters ordered the obligation to use an entry system, or if the organizer decides independently - an entry system is used.

Based on paragraph (2) of the same section, in case of using an entry system, the organizer, or the person selling tickets on behalf of the organizer, may only sell personalized tickets or season tickets.

Based on paragraph (4) of the same section, the organizer or the person selling tickets on behalf of the organizer is entitled to establish the spectator's identity based on an ID card suitable for proving identity when selling the ticket, season ticket, and during entry.

Based on paragraph (5) of the same section, in case of using an entry system, the organizer or the person selling tickets on behalf of the organizer may compare the spectator's identity with the data of the SRNY when selling the ticket or season ticket.

In the case of registration performed on the online interface, the legal basis for data processing is the buyer's voluntarily provided consent according to GDPR Article 6(1)(a).

Issuing and keeping an invoice is a legal obligation according to GDPR Article 6(1)(c), issuing an invoice is required by Section 159(1) of Act CXXVI of 2007 on Value Added Tax, and keeping it is required by Section 169(2) of Act C of 2000 on Accounting.

The legal basis according to GDPR Article 6(1)(b) related to the performance of a contract also generally appears behind the data processing related to ticket purchase, as without processing the data provided for ticket purchase, Interticket Ltd. cannot sell a ticket to the buyer.

4. Ticket exchange

Data processing process, purpose and identity of the data controller

If the buyer has purchased a personalized ticket and would like to transfer it to another person, this is possible through ticket exchange. The ticket exchange is carried out by Interticket Ltd. at the buyer's request.

Regarding the ticket exchange, the data processing described for the ticket purchase process must also be carried out for the new ticket owner, with the difference that Interticket Ltd. does not issue an invoice to the new ticket owner.

Duration of data processing

For storing the data of the new ticket buyer, the rules described for ticket purchase apply.

Legal basis of data processing

The legal basis for data processing regarding ticket exchange is GDPR Article 6(1)(b) towards the previous ticket owner for the performance of the contract with them, which includes the possibility of ticket exchange. For the new ticket owner, the legal basis for data processing is the same as described for ticket purchase.

5. Forwarding the ticket barcode to the Puskás Arena entry system

Data processing process, purpose and identity of the data controller

Interticket Ltd. is obligated to forward the barcode of the ticket given during ticket purchase to the Puskás Arena entry system. The barcode itself does not contain personal data, but along with other data, Interticket Ltd. and MLSZ can identify who the purchaser of the ticket is (in case of personalized ticket sales).

Forwarding the barcode is essential, as without it, the entry system would not recognize valid tickets.

Duration of data processing

The barcode loses its personal data quality when Interticket Ltd. and MLSZ delete the personal data associated with it that they have accessed. The rules described for ticket purchase apply to deletion.

Legal basis of data processing

The legal basis for data processing is GDPR Article 6(1)(b) for the performance of the contract between Interticket Ltd. and the buyer, as without the data transfer, entry to the match cannot be ensured in case of using an entry system.

6. Transferring report data to MLSZ

As part of this data processing, Interticket Ltd. transfers personal data to MLSZ, as the organizer of Hungarian national team matches, in accordance with applicable legislation. In this case, MLSZ acts as the data controller. As part of the data processing, MLSZ receives the data provided for ticket purchase in the ticket sales system provided by Interticket Ltd., supplemented with precise seating data. The purpose of data processing is for MLSZ, as the match organizer, to fulfill its tasks related to entry and safe organization as prescribed by the Sports Act. Additionally, MLSZ's processing of the data is also required by UEFA Safety and Security Regulations points 16.01, 16.02, and 16.03, which require MLSZ to have the personal data of ticket owners. Based on personal data linked to seats, MLSZ can identify the ticket owner, provide information about their person to healthcare personnel arriving in case of a medical emergency, and processing the data is also necessary for making reports or taking measures in case of misdemeanors, crimes, or violations of ground rules.

7. Special rules for wheelchair ticket buyers and their companions

Data processing process, purpose

In some stadiums, for certain matches or events, there is an opportunity to watch matches from places specially designed for wheelchair users or people with mobility impairments, and occasionally, there is a limited opportunity to reserve parking spaces designed for people with mobility impairments. These places can only be used with proof of eligibility, and eligibility verification takes place during the online ticket purchase process and during entry. Ticket and parking space requests must be submitted to Interticket Ltd. via a dedicated online form. By submitting the online form, the wheelchair ticket buyer expressly consents to the processing of their data as detailed below, including that the data controller processes data related to their health condition in order to provide special wheelchair spaces and parking spaces. The following data must be provided on the online form: email address to which the tickets are to be delivered, name, place and date of birth, mother's name data, both for the wheelchair user or mobility-impaired buyer and for their companion (if suitable space is provided for the companion at the given event), and additionally, the wheelchair buyer's mobility impairment card number.

The identity of the data controller and the duration of data processing are the same as described for online ticket purchase.

The legal basis for data processing is the data subject's explicit consent, which is given as described above by filling out and submitting the online form to the data controller (GDPR Article 6(1)(a)).

For major sporting events, if the User requests a wheelchair ticket or accompanying escort ticket, or if they have an observation requiring investigation regarding data matching, they need to fill out a Google Form. The data received through the Form is deleted by the Service Provider on the sixtieth day following the Match. For Google's Privacy Policy and Terms of Service, click here .

III/B. Special rules for online events

1. Personal buyer account

Online events can be live or recorded theatrical or other performances, events, etc., for which the Buyer acquires the right to view - at the time or period specified during ticket purchase - by purchasing a ticket.

Purpose of data processing: A personal buyer account is required to view online events. To set up a personal buyer account, an available, valid email address, as well as a name and password are required. After providing the data, the Service Provider's system sends a message to the specified email address, requesting confirmation. The rights to view individual content are linked to the personal buyer account. The creation of a personal buyer account is not the same as the registration detailed in Section III/9 of this Data Protection Policy, which is optionally offered, not mandatory, for non-online events. For technical reasons, accordingly, users registered according to Section III/9 also need to set up a personal buyer account if they wish to view an online event. Registration and the personal buyer account are therefore not related, their use is independent of each other.

Legal basis of data processing: performance of contract, GDPR Article 6(1)(b).

Scope of processed data: email address, name, password.

Deadline for data deletion: The Service Provider processes the provided data until the User requests the deletion of the personal buyer account. If the User does not perform any activity, thus does not use the service provided by the Service Provider, the Service Provider deletes the account 3 years after the last user activity.

Possible consequences of failing to provide data: the User cannot view online events.

Source of personal data: the data subject.

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

2. IP address

Purpose of data processing: The Service Provider provides its service for online events - if no other information is found in the description of the given performance - free from territorial restrictions. However, for some performances, territorial restrictions may be possible due to limitations of copyright, performance rights, or other reasons. In these cases, the Service Provider draws the attention of Buyers to these restrictions in the description of the event before purchase. In case of territorial restriction, the Service Provider is entitled to check the Buyer's IP address to verify compliance with the territorial restriction, and to deny access if the viewing location would violate the territorial restriction.

Legal basis of data processing: performance of contract, GDPR Article 6(1)(b).

Scope of processed data: IP address.

Deadline for data deletion: Until the end of the viewability of the online event.

Possible consequences of failing to provide data: the User cannot view online events whose viewability is geographically restricted.

Source of personal data: the data subject (via machine communication).

Recipients of personal data, categories of recipients: the personal data is accessed by the Service Provider's customer service staff.

IV. Data Transfer, Designation of Data Processors

1. By using the service, the User agrees that the Service Provider may transfer the data to the following partners. The legal basis for data transfer: performance of the contract, GDPR Article 6(1)(b).

1.1. In the case of data processing indicated in III. 7.-8, to the organizer of the given event so that the event organizer can directly and immediately provide information about the cancellation of the event, changes in time, or any important circumstances affecting the viewer, and in case of cancellation, can directly handle the refund or exchange of tickets, admit the buyer to the event, and fulfill the contract (proper execution of the performance). With the data transfer, the organizer of the given event becomes an independent data controller with respect to the transferred data. Data transfer may also take place in such a way that the Service Provider allows appropriate access to its ticket management IT system ("Tickets system") to the event organizer. Scope of processed data: data provided in III. 7-8.

1.2. In the case of III. 11, to the service provider providing the technical conditions for invoicing, as Data Processor, which is: Számlázz.hu, KBOSS.hu Ltd. (tax number: 13421739-2-13, company registration number: 13-09-101824, headquarters: 2000 Szentendre, Táltos u. 22/b). Scope of processed data: data provided in III. 11.

1.3. The sending of emails to Users, and if the data subject has given permission for profiling, tasks related to this, are performed as data processor by Wanadis Commercial and Service Provider Ltd. (1118 Budapest, Rétköz u. 7.), or Emarsys eMarketing Systems AG (Marzstrasse 1, 1150 Vienna, Austria) based on a contract with the data controller.

1.4. For all transactions where the product/service fee can be paid via online banking service, the Service Provider transfers the data to the financial institutions involved in the purchase process, which handle the payment. The transfer of the listed data is required by the financial institution for processing the payment; the scope of requested data varies by financial institution. The Service Provider does not access personal data provided on the financial institution's own data request pages. The following financial institutions may appear as payment providers on the website; the table also includes the data that the given financial institution requires to be transferred. (Not all payment financial institutions appear on the website at a given time.) The data required by financial institutions may change, especially with regard to the introduction of so-called strong customer authentication - with different deadlines by bank.

Payment Provider Name	Transferred Data (scope of processed data)
OTP	transaction amount, name, address, IP number
OTP Mobil Ltd. / SIMPLE	email address, phone number
CIB	transaction amount
K&H	transaction amount, currency
Barion	name, email address

-OTP Mobil Ltd. / SIMPLE / SimplePay Privacy Policy can be viewed at the following link: https://simplepay.hu/adatkezelesi-tajekoztatok/

-Barion Payment Zrt. is an institution supervised by the National Bank of Hungary, its license number: H-EN-I-1064/2013.

1.5. If the User purchases with a specific discount-providing tool, the Data Controller forwards the buyer data required by the company or financial institution providing the discount. For information about the related data processing rules, the User can directly request information from the company providing it. The Data Controller processes the identifiers and other data of such tools automatically only to the extent that the provider company requires it - for executing the purchase and providing the discounts. The following companies and financial institutions may appear on the website; the table also includes the data that the given company or financial institution requires to be transferred. (Not all payment providers or companies appear on the website at a given time.)

Payment Provider Name	Transferred Data (scope of processed data)
OTP SZÉP card	transaction amount, name, address, email address, IP number
Sponsorem	transaction amount, card number, currency
Supershop	transaction amount, card number, name, date of birth, email address
MKB SZÉP card	transaction amount
Cafe T-rend	transaction amount, card number

1.6. In the case of III/A, if personalized tickets/season tickets are issued for the given match(es), and the ticket/season ticket owner may request printing of the ticket/season ticket on a plastic card, InterTicket Ltd. forwards the data of the ticket/season ticket, as well as the data of the ticket/season ticket owner (name, place and date of birth, delivery address, and other delivery data provided by the ticket buyer) to the contractor performing the printing and delivery:

Company name: Szűcs Network Hungary Ltd Headquarters address: 4400 Nyíregyháza, Rákóczi u. 98. Company registration number: 15-09-073764 Tax number: 14617623-2-15

2. The Service Provider, as Data Controller, is entitled and obliged to transfer all personal data in its possession that it has properly stored to the competent authorities if it is obliged to do so by law or by a final authority order. The Data Controller cannot be held responsible for such data transfer and the consequences arising from it.

3. The Service Provider performs data transfers not indicated above only with the prior and informed consent of the User.

V. Method of Storing Personal Data, Security of Data Processing

1. The Service Provider's computer systems and other data storage locations are located at its headquarters and at its data processors.

2. In choosing and operating the IT tools used for processing personal data during service provision, the Service Provider ensures that the processed data:

a) is accessible to those authorized (availability);

b) its authenticity and authentication are ensured (authenticity of data processing);

c) its integrity can be verified (data integrity);

d) is protected against unauthorized access (confidentiality of data).

3. The Service Provider protects the data with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility due to changes in the technology used.

4. To protect electronically managed data sets in its various records, the Service Provider ensures through appropriate technical solutions that the stored data - except where permitted by law - cannot be directly linked and associated with the data subject.

5. Taking into account the state of the art, the Service Provider takes technical, organizational, and structural measures to protect the security of data processing that provide a level of protection appropriate to the risks associated with data processing.

6. During data processing, the Service Provider maintains:

a) confidentiality: it protects the information so that only those who are authorized can access it;

b) integrity: it protects the accuracy and completeness of the information and the method of processing;

c) availability: it ensures that when the authorized user needs it, they can actually access the desired information, and the related tools are available.

7. The IT system and network of the Service Provider and its partners are equally protected against computer-aided fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer break-ins, and other attacks. The operator ensures security through server-level and application-level protection procedures.

8. During the automated processing of personal data, the Service Provider takes additional measures to ensure:

a) prevention of unauthorized data entry;

b) prevention of the use of automated data processing systems by unauthorized persons using data transmission equipment;

c) the ability to check and establish to which bodies personal data has been or may be transmitted using data transmission equipment;

d) the ability to check and establish which personal data has been entered into automated data processing systems and when and by whom;

e) the recoverability of installed systems in case of malfunction; and

f) that a report is generated on errors occurring during automated processing.

9. In determining and applying measures to ensure data security, the Service Provider takes into account the state of technological development. Among several possible data processing solutions, it must choose the one that provides a higher level of protection for personal data, unless it would represent a disproportionate difficulty.

10. The Service Provider takes technical, organizational, and structural measures to protect the security of data processing that provide a level of protection appropriate to the risks associated with data processing.

11. Electronic messages transmitted over the internet, regardless of protocol (email, web, ftp, etc.), are vulnerable to network threats that can lead to unfair activity or disclosure, modification of information. To protect against such threats, the Service Provider takes all reasonably expected precautions. It monitors the systems to record any security deviations and provide evidence for any security event. System monitoring also allows for checking the effectiveness of the precautions applied. However, the Internet is, as is known to Users, not 100% secure. The Service Provider is not liable for any potential damages caused by unavoidable attacks despite the greatest expected care.

VI. Rights of Data Subjects

1. The data subject may request information about the processing of their personal data, and may also request the rectification of their personal data, or - except for mandatory data processing - its deletion, withdrawal, may exercise their right to data portability and objection in the manner indicated when the data was collected, or at the Service Provider's contact details given in Section I of this Data Protection Policy.

Changes in personal data or requests for the deletion of personal data may be communicated via the registered email address or by postal mail through a private document with full probative force containing a written statement. In addition, some personal data may be modified by changes made on the page containing the personal profile.

2. Right to information

The Service Provider takes appropriate measures to provide the data subjects with information regarding data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The right to information may be exercised in writing through the contact details given in Section I of this Data Protection Policy. Upon request, after verifying their identity, the data subject may also be given information orally.

3. Right of access

The data subject has the right to obtain from the Service Provider, through the contact details provided in Section I, confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to learn:

- what personal data; - on what legal basis; - for what purpose of data processing; - for how long is being processed; furthermore,

- when, on what legal basis, to which of their personal data was access provided or to whom was their personal data transferred;

- from what source their personal data originates;

- whether automated decision-making is used, including profiling, as well as its logic.

The Service Provider shall provide a copy of the personal data undergoing processing to the data subject upon their request, free of charge for the first time, after which an administrative cost-based, reasonable fee may be charged. In order to ensure the fulfillment of data security requirements and protect the rights of the data subject, the Service Provider must verify the identity of the data subject and the person exercising the right of access, for this purpose, providing information, viewing of data, or issuing copies thereof is also tied to the identification of the data subject's person.

The Data Controller considers a request for information sent by email to be authentic only if it is sent from the User's registered email address - unless the data subject identifies themselves in another credible way. Requests for information should be sent by email to interticket@interticket.hu.

4. In the case of transfers of personal data to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

5. At the request of the data subject, the Service Provider shall provide the information electronically. The data controller shall provide the information within a maximum of one month from the submission of the request.

6. Right to rectification

The data subject has the right to request, through the contact details provided in Section I, that the Service Provider modify some of their personal data. If the data subject can credibly prove the accuracy of the corrected data, the Service Provider shall fulfill the request within a maximum of one month, and shall notify the data subject at the contact provided by them.

7. Right to erasure

The data subject - if the data processing is based on their consent - has the right to request that the Service Provider erase personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data concerning the data subject without undue delay, if there is no other legal basis for the processing of the data.

After fulfilling a request for the deletion or modification of personal data, the previous (deleted) data can no longer be restored.

8. Erasure of data cannot be initiated if the processing is necessary for one of the following reasons: for compliance with a legal obligation under Union or Member State law to which the controller is subject, or for the establishment, exercise, or defense of legal claims of the Service Provider.

9. Right to restriction of processing (data locking)

The data subject has the right to request, through the contact details provided in Section I, that the Service Provider restrict the processing of their personal data (by clearly marking the restricted nature of the processing and ensuring separate processing from other data) if:

-they contest the accuracy of the personal data (in this case, the Authority restricts the processing for a period enabling the verification of the accuracy of the personal data);

-the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

-the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or

-the data subject has objected to processing (in this case, the restriction applies for the period during which it is verified whether the legitimate grounds of the controller override those of the data subject).

10. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. The Service Provider shall inform the data subject before the restriction of processing is lifted.

11. Right to data portability

The data subject has the right, through the contact details provided in Section I, to receive the personal data concerning them, which they have provided to the Service Provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Authority in relation to automated data processing operations.

12. Right to object

The data subject has the right to object, through the contact details provided in Section I, to the processing of data if, in their opinion, the Service Provider would not appropriately process their personal data for the purpose specified in the relevant data processing notice. In this case, the Service Provider must demonstrate that the processing of personal data is justified by compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or that are related to the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the data shall no longer be processed for such purposes.

13. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the processing:

-is necessary for entering into, or performance of, a contract between the data subject and the data controller;

-is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

-is based on the data subject's explicit consent.

14. Right to withdraw consent

The data subject shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

15. Procedural rules

The Service Provider shall, without undue delay, but in any event within one month of receipt of the request, inform the data subject of the action taken on a request under Articles 15 to 22 of the GDPR. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Service Provider shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means unless otherwise requested by the data subject.

16. If the Service Provider does not take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

17. The Service Provider shall provide the requested information and communication free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Service Provider may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

18. The Service Provider shall communicate any rectification, erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Service Provider shall inform the data subject about those recipients if the data subject requests it.

19. The Service Provider shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the Service Provider may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in electronic form, unless otherwise requested by the data subject.

20. Compensation and damages

Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage. The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

VII. Legal Remedies:

1. For your questions or comments, please contact the Data Protection Officer at the contact details detailed in Section I of this Data Protection Policy.

2. Right to judicial remedy: In case of infringement of their rights, the data subject may take legal action against the data controller. The court shall handle the case as a priority.

3.Data protection authority proceedings: Complaints can be filed with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Headquarters: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf.: 9.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

APPENDIX

Definitions used in this Data Protection Policy

1. personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future;

4. profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

5. controller: the legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;

6. processor: a legal person which processes personal data on behalf of the controller;

7. recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

8. third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

9. consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;

10. data processing: the performance of technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical tasks are performed on the data;

11. data erasure: making the data unrecognizable in a way that their restoration is no longer possible;

12. EEA State: a Member State of the European Union and a State party to the Agreement on the European Economic Area, as well as a State whose citizens enjoy the same status as citizens of States party to the Agreement on the European Economic Area based on an international agreement between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;

13. data subject: any natural person identified or identifiable - directly or indirectly - on the basis of specific personal data;

14. user: a natural person who registers on the Service Provider's website or makes purchases without registration;

15. third country: any State that is not an EEA State;

16. disclosure: making personal data available to anyone;

0 item in the basket

jegy.hu

Privacy Policy

I. The Data Controller (Service Provider)

II. Data Protection Principles Applied by the Company

III. The legal basis, purpose and scope of data processing, the duration of data processing, and persons entitled to access personal data

III/A. Special data processing related to major sporting events

III/B. Special rules for online events

IV. Data Transfer, Designation of Data Processors

V. Method of Storing Personal Data, Security of Data Processing

VI. Rights of Data Subjects

VII. Legal Remedies:

APPENDIX

Warning! The basket time limit is about to expire!