Privacy Policy - H-INS-CAR

Privacy Policy and Data Management

H-INS-CAR Hungária Kft.

Table of Contents

  1. Purpose of Data Processing
  2. Data Controller and Data Processor
  3. Scope of the Policy
  4. Definitions
  5. Principles of Data Processing
  6. Legal Basis for Data Processing
  7. Scope of Processed Data
  8. Data Transfer
  9. Duration of Data Processing
  10. Modification, Deletion, Restriction of Data, Objection to Data Processing
  11. Request for Information
  12. Request for Rectification, Deletion, Restriction, Blocking of Data
  13. Enforcement of Claims
  14. Legal Remedies
  15. Data Security
  16. Logging Data
  17. Cookies
  18. External Intermediary Service Providers
  19. External Web Analytics and Advertising Service Providers
  20. Declaration
  21. Filing Reports and Complaints

Privacy Policy

H-INS-CAR Hungária Kft.

For H-INS-CAR Hungária Kft. (hereinafter: Service Provider), it is of utmost importance, and the Service Provider is committed to ensuring, that personal data provided by users on the website https://www.insticketshop.com/ (hereinafter: Website), as well as verbally or in person, are protected and that visitors’ personal rights are not violated.

The Service Provider reserves the right to amend this Privacy Policy in order to comply with changing legislation and internal regulations.

This Policy governs data processing activities related to the services provided by the Service Provider through the Website, in person, by telephone, e-mail, telefax and/or any other means or forum.

The Service Provider strives to comply with the recommendations of the Hungarian National Authority for Data Protection and Freedom of Information, especially the recommendation of 29 October 2015 regarding prior information requirements for data protection.

By using the Service Provider’s website, using or initiating any of its services or applications, you as a User consent to the processing of your personal data in accordance with the provisions of this Privacy Policy.

The Service Provider shall provide information at the time of data collection regarding any additional data processing activities related to the operation of the Website and the Service Provider’s services that may not be specifically listed in this Policy.

I. Purpose of Data Processing

1. The primary purpose of this Policy is to define and comply with the fundamental principles and provisions governing the processing of personal data of natural persons (hereinafter: Users) who come into contact with the Service Provider, in order to ensure the protection of individuals’ privacy in accordance with applicable laws and official guidelines.

2. The purpose of this Policy is to ensure that the Service Provider fully complies with all applicable legal provisions relating to data protection, including but not limited to:

  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information;
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

3. The Service Provider considers it extremely important and is committed to protecting data provided by data subjects through the Website or otherwise, as defined by Act CXII of 2011, and to respecting the informational self-determination rights of data subjects. In this regard, the Service Provider fully complies with all applicable legislation and contributes to ensuring safe internet usage.

The purpose of processing Users’ personal data is to provide the Service Provider’s services, including in particular:

  • identifying Users and distinguishing them from other Users;
  • preventing unauthorized access to personal data;
  • forwarding Users’ data for quotation requests and service bookings;
  • identifying user entitlements;
  • customer service administration;
  • maintaining contact with Users;
  • sending system messages related to the Service;
  • providing hosting for User Content (e.g. service evaluations);
  • developing and improving Website services and user experience;
  • facilitating service search, booking, and quotation requests;
  • enabling the purchase of discount vouchers related to Partners’ service offers;
  • preventing abuse;
  • fulfilling accounting obligations;
  • fulfilling legal obligations toward service provider Partners.

Based on separate consent, the Intermediary may also use Users’ personal data for direct marketing and promotional purposes (e.g. newsletters, e-DM messages, etc.).

If the quotation request, booking or purchase was made on the Website by bank card, the following data (username, surname, first name, country, telephone number, e-mail address) may be transferred by Perfect Day Travel Hungária Kft. (registered office: 1165 Budapest, Kalitka u. 2., company registration number: 01-09-904150, tax number: 14444946-2-42), operator partner of the Website, to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.) as data controller.

The purpose of the data transfer is:

  • customer service assistance;
  • transaction confirmations;
  • fraud monitoring for user protection.

Data processing shall be lawful only if at least one of the following conditions applies:

  • the data subject has given prior and voluntary consent for one or more specific purposes;
  • processing is necessary for compliance with a legal obligation;
  • processing is necessary for the performance of a contract;
  • processing is necessary to protect vital interests of individuals;
  • processing is necessary for the performance of a task carried out in the public interest;
  • processing is necessary for the legitimate interests pursued by the controller or a third party, except where the data subject’s interests or fundamental rights and freedoms which require the protection of personal data, particularly if the data subject is a child, take precedence over those legitimate interests.
  • The previous paragraph does not apply to data processing carried out by public authorities in the course of their duties.

In summary, the purposes of data processing may be:

  • identifying service users in relation to requests, purchases, or orders made on the Website;
  • sending advertising content by e-mail;
  • sending newsletters and direct marketing communications.

II. Data Controller and Data Processor

Data Controller: H-INS-CAR Hungária Limited Liability Company
Registered Office: Kalitka street 2., Budapest, H-1165
Company Registration Number: 01-09-988386
Tax Number: 23057670-2-42
Customer Service: insticket@inscar.hu
Telephone: +36-1-4021367
Website: https://www.insticketshop.com

An employee of the Data Controller is any person for whose activities the Service Provider assumes full responsibility toward data subjects and third parties.

Partners providing services act as independent data controllers with regard to personal data made available during bookings, quotation requests and voucher purchases.

For direct marketing communications (e.g. newsletters, e-DM messages), the Service Provider independently manages Users’ data.

III. Scope of the Policy

1. Temporal Scope: This Policy shall enter into force on 1 April 2019 and shall remain in force until revoked or amended.

2. Personal Scope:

  • the Data Controller;
  • employees and Partners;
  • persons whose data are included in data processing activities covered by this Policy;
  • persons whose rights or legitimate interests are affected by data processing.

3. The Service Provider primarily processes the data of natural and legal persons who:

  • contact the Service Provider by telephone, e-mail, website, or Facebook page;
  • apply for positions or contact the Service Provider for other purposes;
  • use the Service Provider’s services in person;
  • maintain employee or partner relationships with the Service Provider.

4. Material Scope: This Policy applies to all personal data processing activities carried out in all organizational units of the Service Provider, regardless of whether processing takes place electronically or on paper.

IV. Definitions

The terms used in this Privacy Notice shall be interpreted in accordance with:

  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information;
  • the definitions set forth in the Definitions section and in the Terms of Use.

Key definitions in accordance with the Info Act (Act CXII of 2011):

Personal Data: data relating to the data subject, in particular the name, identification number, and one or more characteristics specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, as well as any conclusion concerning the data subject that may be drawn from the data.

Data Subject: any natural person identified, directly or indirectly, on the basis of personal data.

Consent: the voluntary and explicit indication of the data subject’s wishes based on appropriate information.

Data Processing: any operation performed on personal data, including collection, recording, storage, use, capturing, organizing, modifying, querying, forwarding, publishing, aligning or linking, blocking, deleting and destroying data, and preventing future use of data, as well as taking photographs or images, recording sounds, and recording physical characteristics suitable for identifying the person (e.g. finger or palm print, DNA sample, iris image), and performing technical tasks related to data management operations, regardless of the method and device used to perform the operations and of the location of the application, if the technical task is carried out on the data.

Data Controller: the natural or legal person determining the purposes and means of processing personal data.

Data Transfer: making data accessible to a specific third party.

Disclosure: making data accessible to anyone.

Data Deletion: rendering data irretrievable.

Data Marking: providing the data with an identification code in order to distinguish it from other data.

Data Blocking: marking data in order to restrict its further processing temporarily or permanently.

Data Processor: a person or organization processing data on behalf of the controller.

V. Principles of Data Processing

The Service Provider processes personal data in accordance with:

  • GDPR;
  • Hungarian data protection legislation;
  • international conventions;
  • EU legal acts;
  • other applicable legal regulations.

The provisions of these rules and the Service Provider’s practices must not violate the principles of data protection.

Personal data may only be processed for specified purposes and only to the extent necessary. At every stage of data processing, the processing must be consistent with the purpose of the processing, and the collection and processing of data must be fair and lawful. The principle of purpose limitation must be upheld.

Only personal data that is essential for achieving the purpose of data processing and suitable for that purpose may be processed. Personal data may be processed only to the extent and for the duration necessary to achieve that purpose. Accordingly, the Service Provider processes only and exclusively data that is absolutely necessary. The principles of proportionality and necessity must be upheld.

Personal data shall be treated as personal data during data processing for as long as a link to the data subject can be reestablished. A link to the data subject can be reestablished if the Service Provider has the technical capabilities necessary for such reestablishment.

During data processing, the accuracy and completeness of the data and, if necessary for the purpose of data processing, their up-to-date nature must be ensured; it must also be ensured that the data subject can be identified only for as long as is necessary for the purpose of data processing.

By applying appropriate security measures to protect personal data stored in automated data files, the Service Provider shall ensure the prevention of accidental or unlawful destruction, accidental loss, and unauthorized access, alteration, or disclosure.

Provision of personal data by the User is voluntary. The Service Provider processes personal data with the data subject’s consent. Voluntary consent shall also include user behavior whereby the user, by using the website, accepts that all regulations applicable to the use of the website automatically apply to him or her.

The Service Provider transfers personal data to third parties only with the User’s explicit consent or where required by law and the conditions for data processing are met for each individual piece of personal data. The Service Provider will only transfer the database it manages to another Service Provider if the data subject has submitted a request for a quote, placed an order, or made a reservation for a service provided by the other Service Provider. This constitutes the data subject’s explicit consent to such transfer, as the service in question cannot be ordered without the transfer of data.

In accordance with the Service Provider’s services and the purpose of data processing, the data subject expressly agrees that the Service Provider may transfer their personal data to the Partner(s) if the Service Provider has identified the Partner(s) in advance and the Partner(s)’ activities contribute to the Service Provider’s performance of its obligations toward the data subject. The Service Provider disclaims any liability for the lawfulness of data processing by a contractual Partner with whom the Service Provider has a legal relationship.

No personal data shall be transferred to service providers or processors located in third countries.

VI. Legal Basis for Data Processing

1. Personal data are processed based on the voluntary consent of the data subject after prior information has been provided.

2. Valid consent must meet the following requirements:

  • voluntariness;
  • specificity and clarity;
  • informed nature.

3. Users provide consent by using or initiating the Service Provider’s services.

4. The Data Controller processes personal data with the data subject’s consent, provided that the data subject has voluntarily provided the data. Voluntary consent also includes conduct whereby the User accepts the Website’s regulations and Privacy Policy by using the Website.

5. A clear consequence of consent is that the data subject accepts the fact that their data is being processed. If data processing is based on the data subject’s voluntary consent, the Data Controller is obligated, in cases of doubt, to prove that the data subject has given their consent to the data processing activities.

6. Users may consent to direct marketing communications, which may be withdrawn at any time without justification. The User may also provide consent by checking a specific checkbox when using certain services (e.g., making a reservation or requesting a quote).

7. If the data subject provides consent in a written statement that also concerns other matters, the request for consent must be presented in a way that clearly distinguishes it from those other matters. It is important that the consent form be understandable, easily accessible, unambiguous, and written in plain language.

8. Data subjects may withdraw consent at any time. The Data Controller hereby informs the data subjects about this.

9. The withdrawal of consent shall not affect the lawfulness of data processing carried out on the basis of consent prior to its withdrawal; therefore, the withdrawal shall have no retroactive effect and shall apply exclusively to future data processing activities.

10. If the data subject is unable to provide consent due to incapacity or any other unavoidable reason, Act CXII of 2011 provides that, to the extent necessary and for the duration of the impediment to consent, the personal data of the data subject may be processed for the protection of the vital interests of the data subject or another person, as well as for the prevention or elimination of direct threats to the life, physical integrity, or property of persons.

11. In the case of a minor under the age of 14 and any other legally incapacitated User, consent may be provided by the legal representative. A minor who has reached the age of 14 but is under the age of 16, as well as a User with limited legal capacity, may provide consent to data processing with the consent or subsequent approval of their legal representative. A minor User who has reached the age of 16 may provide consent independently, and the validity of their declaration shall not require the consent or subsequent approval of their legal representative. The Service Provider is not in a position to verify the authority of the person providing consent or to examine the content of the legal representative’s declaration; therefore, the User and/or their legal representative warrants that the consent complies with applicable laws. The Service Provider shall consider the appropriate consent of the legal representative to have been duly provided.

12. The User warrants that they have lawfully obtained the consent of the data subject for the processing of any personal data relating to third-party natural persons that are provided or made accessible during the use of the service.

13. Unless otherwise provided by law, the Service Provider may process the collected personal data without obtaining additional separate consent, and even after the withdrawal of the User’s consent, for the purpose of fulfilling legal obligations applicable to the Service Provider (including, in particular, accounting obligations and contractual obligations towards Partners), or for the enforcement of the legitimate interests of the Service Provider or a third party, provided that the enforcement of such interests is proportionate to the restriction of the right to the protection of personal data.

VII. Scope of Processed Data

The User bears sole responsibility for the authenticity and accuracy of personal data provided.

The scope of processed personal data is influenced and partly determined by the nature of the Services and by applicable electronic commerce, accounting, and advertising regulations, particularly:

  • Section 13/A of Act CVIII of 2001 on Electronic Commerce Services;
  • Section 6 of Act XLVIII of 2008 on Commercial Advertising Activities.

Requests for Quotations, Vehicle Rental, Orders, Community Pages

The data subjects include all natural persons who wish to contact the Data Controller for quotation requests, vehicle rental, orders, or the sale/purchase of services and products, or who wish to receive regular information about the Data Controller’s news, promotions, and discounts by subscribing to direct marketing or newsletters.

Data processed during booking or quotation requests may include:

  • name;
  • e-mail address;
  • telephone number;
  • address (country, postal code, city, street, house number);
  • driver’s license number;
  • residence card;
  • identity card or passport;
  • tax card;
  • tax number where applicable.

The User may also share additional personal data in the comments section with the Service Provider.

Quotation Request

The process related to quotation requests is as follows:

  1. The data subject may contact the Data Controller by completing forms on the Website or through other means.
  2. Data submitted through the Website are forwarded to the Data Controller via e-mail.
  3. Employees respond to inquiries and send replies through the same communication channel unless otherwise requested.

Processed data:

  • name;
  • e-mail address.

Duration of processing: until the purpose is fulfilled.

Vehicle Rental, Orders, and Other Sales Activities

The activity and process involved in the data processing are as follows:

  1. The data subject may submit their data and vehicle rental or order request to the Data Controller through any available method or platform.
  2. The Data Controller shall contact the data subject using the contact details provided by the data subject, coordinate the vehicle rental or order request, and provide free information regarding the services of the Data Controller.
  3. Any additional data obtained by the Data Controller during the course of contact, such as operational or other information relating to the data subject’s business, shall be linked with the data provided by the data subject and treated as business secrets by the Data Controller.
  4. Following clarification of the order request, the Data Controller shall either provide an offer to the data subject or send the relevant contract.
  5. Upon signing of the contract, the Data Controller shall commence performance of the services for the data subject.
  6. Following contractual completion of the services, the Data Controller and the data subject shall prepare a certificate of completion or an official record.
  7. The Data Controller shall archive the contracts and certificates of completion in accordance with its own Archiving Policy.
  8. The data subject voluntarily consents that, if they provide their e-mail address and/or telephone number during submission of the order request, the Data Controller may contact them through such channels in order to clarify the order or to confirm the data subject’s order.

The Data Controller communicates with data subjects exclusively where the data subject contacts the Data Controller through a social media platform, and accordingly the purpose of the data becomes relevant in such cases.

Processed data:

  • name;
  • e-mail address;
  • address (country, postal code, city, street, house number);
  • driver’s license number;
  • residence card;
  • identity card or passport;
  • tax card;
  • tax number where applicable.

Duration of processing: until the purpose is fulfilled.

Social Media Platforms

  1. Presence on social media platforms, especially Facebook, serves the purpose of sharing, publishing, and marketing Website content. Through the social media page, users can also stay informed about the latest promotions.
  2. By following or liking content, users voluntarily consent to the processing of their data according to the platform’s rules.
  3. The data subject may provide textual and numerical evaluations of the Data Controller, where the relevant social media platform allows such functionality.
  4. The Data Controller may publish photographs and video recordings on its social media pages, particularly on its Facebook page, relating to various events, the Data Controller’s services, and other activities. The Data Controller may connect its Facebook page with other social media platforms in accordance with the rules of the facebook.com social networking platform; therefore, publication on the Facebook page shall also include publication on such connected social media platforms.
  5. Where the recording does not qualify as a mass event recording or a recording of a public appearance (Section 2:48 of the Hungarian Civil Code), the Data Controller shall always obtain the written consent of the data subject prior to publishing the images.
  6. The data subject may obtain information regarding data processing on the relevant social media platform directly on that platform; accordingly, information regarding data processing related to the Facebook page may be obtained at the relevant Facebook information page.

Processed data:

  • name;
  • e-mail address.

Duration of processing: until deletion requested by the data subject.

Reviews

After successful bookings, the Service Provider may request reviews from Users. Reviews may be published publicly, either with the User’s name and city or anonymously with city indication.

Marketing Communications

Data processed for marketing purposes may include:

  • first and last name;
  • e-mail address;
  • travel habits;
  • user behavior (orders, bookings, quotation requests, etc.).

Newsletter subscriptions are voluntary.

Processed data:

  • name;
  • e-mail address.

The purpose of newsletter processing is to provide general or personalized information regarding promotions, events, news, and service changes.

Newsletters are sent only with prior consent.

The newsletter database is reviewed every three years, and renewed consent is requested. If no renewed consent is received within 15 days after the confirmation request, the User’s data are deleted.

The Data Controller may compile statistics regarding newsletter readership and clicks.

On social media sites, particularly on the news feed of a Facebook page, users can subscribe by clicking the “Like” link on the site, and can unsubscribe by clicking the “Dislike” link found there, or can use the news feed settings to remove unwanted news feed items. Information on social media news feeds, subscriptions and unsubscriptions, and the data processing practices of the respective social media site can be found on the social media site itself.

Duration of processing: until deletion requested by the data subject.

Prize Games

Participation in prize games is voluntary.

Scope of data subjects: All natural persons who wish to participate in a prize game organized by the Data Controller by providing their personal data.

Scope and purpose of processed data:

  • first name – identification, basis for the drawing;
  • telephone number – contact purposes;
  • e-mail address – contact purposes.

The purpose of data processing is the identification of the data subjects during the drawing process and maintaining contact with them.

The activities and process involved in the data processing are as follows:

  1. The data subject may register for the prize game by providing their personal data in accordance with the rules of the prize game.
  2. The Data Controller shall record the data electronically and/or on paper and conduct the drawing in accordance with the rules of the game.
  3. The Data Controller shall notify the winners using the contact details provided by them.
  4. In accordance with the applicable game rules, the Data Controller may publish the names of the winners on the Website and make them accessible to other data subjects and third parties; therefore, the Data Controller asks participants to consider participation in the prize game with this fact in mind.
  5. In accordance with the purpose of the data processing, the data subject voluntarily consents to being contacted by the Data Controller through the contact details provided, in order to inform them of any possible cancellation or impediment to the prize game, clarify the collection of the prize, respond to any complaints, or take other actions related to such complaints.

Duration of data processing: until the purpose of the processing has been fulfilled.

A separate data file shall be created for each data processing activity; therefore, each individual data processing activity shall be subject to notification requirements.

VIII. Data Transfer

Quotation Requests and Bookings

In the case of quotation requests or bookings, the Service Provider may transfer the User’s personal data to the intermediary Partner for the purpose of preparing quotations.

Transferred data may include:

  • name;
  • e-mail address;
  • telephone number;
  • address;
  • driver’s license number;
  • pet ownership information;
  • comments;
  • selected payment method.

IX. Duration of Data Processing

Data Related to Service Usage

The Service Provider shall continue to process personal data related to quotation requests and orders initiated by the User as booking data in the event that the offer or order is accepted; in the event of rejection of the offer, such personal data shall be processed for a period of 6 months. The Service Provider shall process personal data for a period of 8 years pursuant to Section 169 of Act C of 2000 for the purpose of fulfilling accounting obligations and obligations owed to Partners, and for the limitation period specified in Act XCII of 2003 on the Rules of Taxation.

Data for Marketing Purposes

Marketing-related data are processed until the User withdraws consent.

Termination of a Website service or deletion of a Facebook application does not automatically withdraw marketing consent.

Customer Service

Complaints, questions, and requests sent to customer service are stored for 6 months after submission, except ongoing cases.

X. Modification, Deletion, Restriction of Data, Objection to Processing

1. Users may request modification of booking-related data through the Partner or Service Provider. If the User notifies the Service Provider of their intention to modify their data via the customer service e-mail address, the Service Provider will forward the request to the Partner, if necessary.

2. Consent for direct marketing may be withdrawn:

  • via the unsubscribe link in electronic messages;
  • by e-mail to insticket@inscar.hu;
  • by postal mail.

3. In cases other than those specified above – with the exception of mandatory data processing required by law – the User may request the deletion of their personal data from the Service Provider by sending a request to the e-mail address insticket@inscar.hu. The Service Provider shall also delete the User’s personal data without the data subject’s request if the processing is unlawful; the purpose of the data processing has ceased to exist; the statutory retention period for the data has expired; deletion has been ordered by a court or by the Hungarian National Authority for Data Protection and Freedom of Information; or if the data processing is incomplete or inaccurate and such condition cannot lawfully be remedied, provided that deletion is not excluded by law. Instead of deletion, the Service Provider shall restrict (block) the personal data if requested by the User, or if, based on the available information, it may be presumed that deletion would harm the legitimate interests of the User. The Service Provider shall process such restricted personal data only for as long as the purpose of the data processing that excludes the deletion of the personal data exists. Following the withdrawal of the User’s consent, the Service Provider may continue to process the personal data relating to the data subject in accordance with Section IX.

4. The User may object to the processing of their personal data by sending a request to the customer service e-mail address insticket@inscar.hu:

  • if the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation applicable to the Service Provider or for the enforcement of the legitimate interests of the Service Provider, the data recipient, or a third party, except in cases of mandatory data processing;
  • if the use or transfer of personal data is carried out for direct marketing, public opinion polling, or scientific research purposes; and
  • in any other cases specified by law.

5. If the Service Provider determines that the User’s objection is justified, it shall terminate the data processing – including further data collection and any data transfers – restrict (block) the data, and notify all persons to whom the personal data affected by the objection had previously been transferred, as well as inform them of the objection and the measures taken on the basis thereof, provided that such recipients are required to take steps in order to enforce the right of objection.

6. If the data processing was prescribed by law (for example, accounting-related processing), the Service Provider may not delete the User’s data; however, it shall not transfer the personal data to the data recipient if it agrees with the objection or if a court has established the legitimacy of the objection.

XI. Request for Information

  • The User shall be entitled at any time to request information regarding their personal data processed by the Service Provider in connection with the services of the Website by contacting the Service Provider at the e-mail address insticket@inscar.hu or by telephone at +36 1/4021367. Upon the User’s request, the Service Provider shall provide information regarding the data relating to the User processed by the Service Provider or by a data processor engaged by the Service Provider in connection with the relevant service, including the source of the data, the purpose, legal basis, and duration of the data processing, the name and address of the data processor, the legal basis and recipient of any data transfers, as well as activities related to the data processing. The Service Provider shall provide the requested information within a maximum period of 30 days from the submission of the request.
  • Pursuant to Act CXII of 2011 and Article 15 of Regulation (EU) 2016/679, the data subject has the right to information, also referred to as the “right of access.” In exercising this right, the Data Controller shall provide information regarding:
  1. processed data;
  2. categories of data;
  3. purposes and legal basis;
  4. duration of processing;
  5. where applicable, the duration of data storage, or, if this is not possible, the criteria used to determine that period,
  6. where applicable, if the data were not collected from the data subject, any available information regarding their source,
  7. where applicable, automated decision-making, including profiling, as well as understandable information regarding the logic involved and the significance of such processing and its expected consequences for the data subject,
  8. the details of the data processor, if a data processor has been engaged,
  9. the circumstances and effects of a data breach and the measures taken to address it, and
  10. in the event of the transfer of the data subject’s personal data, the legal basis, purpose, and recipient of the transfer.

 

  • The provision of information shall be free of charge if the data subject has not submitted a request for information to the Data Controller concerning the same scope of data during the same calendar year. In other cases, the person requesting the information may be charged a fee. If the data were processed unlawfully or the request for information resulted in rectification, the fee already paid shall be reimbursed.
  • Courts, public prosecutors, investigative authorities, misdemeanor authorities, administrative authorities, the Hungarian National Authority for Data Protection and Freedom of Information, as well as other authorities authorized by law, may contact the Service Provider for the purpose of requesting information, disclosure or transfer of data, or making documents available. The Service Provider shall provide the personal data that are strictly necessary for achieving the purpose of the authority’s request, provided that the requesting authority has specified the exact purpose and scope of the requested data.
  • Pursuant to Act CXII of 2011, the provision of information must be refused in certain cases. The Data Controller hereby draws the attention of data subjects to this fact. According to the law, information must be refused:
  1. if, pursuant to a law, international treaty, or binding legal act of the European Union, the Data Controller receives personal data in such a manner that the transferring data controller simultaneously indicates restrictions on the rights of the data subject guaranteed under the relevant law, or other restrictions concerning the processing of the data;
  2. for the protection of the external and internal security of the state, including national defense, national security, the prevention or prosecution of criminal offences, the security of the penitentiary system, as well as for state or municipal economic or financial interests, significant economic or financial interests of the European Union, and for the prevention and detection of disciplinary and ethical violations related to professional activities, breaches of employment or occupational safety obligations – including all cases involving supervision and control – and furthermore for the protection of the rights of the data subject or others.
  • The Data Controller shall annually notify the Hungarian National Authority for Data Protection and Freedom of Information of all rejected information requests by 31 January of the year following the relevant reporting year.

XII. Request for Rectification, Deletion, Restriction, Blocking of Data

  • Right to Rectification: The data subject is entitled to request the rectification of inaccurate personal data relating to them, and the Data Controller shall comply with such request without undue delay. Depending on the purpose of the data processing, the data subject shall also have the right to request the completion of incomplete personal data by means of a supplementary statement. Furthermore, the Data Controller shall rectify personal data without a request from the data subject if the personal data do not correspond to reality and the correct personal data are available to the Data Controller.
  • Pursuant to Act CXII of 2011 and Regulation (EU) 2016/679 of the European Parliament and of the Council, the Data Controller shall be obliged to erase personal data (in addition to the cases specified above) if the processing of the data is unlawful:
  1. if the data are incomplete or inaccurate and such condition cannot lawfully be remedied, provided that deletion is not excluded by law;
  2. if the purpose of the data processing has ceased to exist or the statutory retention period for the data has expired;
  3. if deletion has been ordered by a court or authority;
  4. if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  5. if the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  6. if the personal data must be erased in order to comply with a legal obligation applicable to the Data Controller;
  7. if the personal data were collected in relation to the offering of information society services directly to children as referred to in Article 8(1) of Regulation (EU) 2016/679.
  • If the Data Controller has made personal data public for any reason and is obliged to erase such data in accordance with the above provisions, it shall take all reasonable steps, including technical measures while taking into account available technology and implementation costs, to inform other data controllers processing the data that the data subject has requested the deletion of any links to, or copies or replications of, such personal data.
  • The data controller informs data subjects of the limitations of the EU regulation on the right to erasure or the “right to be forgotten”:
  1. exercising the right of freedom of expression and information;
  2. compliance with a legal obligation requiring processing under Union or Member State law applicable to the Data Controller, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  3. reasons of public interest in the area of public health;
  4. archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679, as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. the establishment, exercise, or defense of legal claims.
  • Right to Restriction of Processing (Blocking): The data subject may request the restriction of data processing by the Data Controller.
  • If deletion would infringe the legitimate interests of the data subject, the data shall be restricted (blocked), provided this may reasonably be presumed based on the available information. Such restricted personal data may only be processed for as long as the purpose of the data processing exists that excludes deletion of the personal data. Personal data shall also be clearly restricted where the data subject contests the accuracy or correctness of the personal data and the inaccuracy or incorrectness of the data cannot be determined. In such case, the restriction shall remain in effect for the period necessary for the Data Controller to verify the accuracy of the personal data.
  • Pursuant to the EU Regulation, personal data shall be restricted if:
  1. the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
  2. the Data Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
  3. the data subject has objected to the processing; in such case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.
  • Restricted data (with the exception of storage) may only be processed if the data subject has given consent, or where processing is necessary for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for important public interests of the Union or of a Member State.
  • The law may restrict the rights of the data subject to rectification, erasure, and restriction for the protection of the external and internal security of the state, including:
  1. national defense;
  2. national security;
  3. the prevention or prosecution of criminal offences;
  4. the penitentiary system;
  5. state or municipal economic or financial interests;
  6. significant economic or financial interests of the European Union;
  7. disciplinary and ethical violations related to professional activities;
  8. the prevention and detection of breaches of employment or occupational safety obligations, including supervision and monitoring in all cases;
  9. the protection of the rights of the data subject or others.
  • The Data Controller shall be obliged, within a maximum period of 15 days from receipt of the request, to inform the data subject of its decision regarding the request – unless the delay is duly justified – and/or rectify, erase, or restrict the data, or take other measures in accordance with the request, provided that there is no legal obstacle preventing such action.
  • The Data Controller shall notify the data subject in writing of the rectification, erasure, or restriction of processing of their personal data, as well as all recipients to whom the data had previously been transferred or disclosed for the purposes of processing. Upon the data subject’s request, the Data Controller shall inform the data subject of such recipients. Notification may be omitted if, in view of the purpose of the data processing, it does not infringe the legitimate interests of the data subject, or if notification proves impossible or would involve disproportionate effort. The Data Controller shall also inform the data subject in writing if the exercise of the data subject’s rights cannot be fulfilled for any reason, and shall precisely indicate the factual and legal grounds for such refusal, as well as the legal remedies available to the data subject, including the right to initiate proceedings before the Hungarian National Authority for Data Protection and Freedom of Information and before the court.

XIII. Enforcement of Claims

  • The Service Provider shall regard requests received from the e-mail address previously provided to the Service Provider as requests originating from the User. In the case of requests submitted from another e-mail address or in writing, the User may only submit such request if they have properly verified their status as a User in the manner specified by the Service Provider or by law.
  • If the data processing carried out by the Service Provider is not based on the consent of the data subject, but rather was abusively initiated by a third party, the data subject may request the deletion of personal data relating to them that were published by another User, as well as request information regarding the data processing, provided that they appropriately verify their identity and their connection to the personal data concerned.
  • In the event of the User’s death, any close relative of the User, or any person designated as a beneficiary in the User’s will, may request the deletion of data relating to the User by presenting the death certificate or sending a copy thereof to the customer service address insticket@inscar.hu, provided that they also verify their relationship to the User.

XIV. Legal Enforcement Options

  • Right to Object: The data subject may object to the processing of their personal data and to profiling where:
  1. the processing (or transfer) of personal data is necessary solely for the enforcement of the rights or legitimate interests of the Data Controller or the data recipient, except in cases of mandatory data processing;
  2. the use or transfer of personal data is carried out for direct marketing, public opinion polling, or scientific research purposes;
  3. the exercise of the right to object is otherwise permitted by law.
  • The Data Controller shall examine the objection and inform the applicant in writing of the outcome within the shortest possible time following submission of the request, but no later than within 15 days. Such examination shall result in the simultaneous suspension of the data processing. If the objection is well-founded, the Data Controller shall terminate the data processing, including any further data collection and data transfers, shall restrict (block) the data, and shall notify all partners to whom the personal data concerned by the objection had previously been transferred of the objection and of the measures and decisions taken on the basis thereof. The notified parties shall also be obliged to take the necessary measures to enforce the right to object.
  • If the data subject disagrees with the decision of the Data Controller, or if the Data Controller fails to comply with the prescribed deadline, the data subject shall be entitled to initiate court proceedings within 30 days from communication of the decision.
  • Judicial Enforcement: The data subject may initiate legal proceedings before a court in the event of a violation of their rights. The court shall act with priority in such matters. The Data Controller shall prove that the data processing complies with applicable laws.
  • Statutory Rules Regarding Compensation and Damages for Infringement: If the Data Controller violates the personality rights of the data subject through unlawful processing of personal data or by breaching data security requirements, the data subject shall be entitled to claim compensation for non-material damages from the Data Controller.
  • In the event of an alleged violation related to the processing of personal data, the data subject may apply to the competent regional court, or in Budapest to the Budapest-Capital Regional Court, or may initiate an investigation with the Hungarian National Authority for Data Protection and Freedom of Information (President: Dr. Attila Péterfalvi, 1024 Budapest, Szilágyi Erzsébet fasor 22/C., ugyfelszolgalat@naih.hu, +36-1-3911400, naih.hu).

XV. Data Security

  • The Service Provider shall take the necessary technical and organizational measures and establish the necessary procedural rules in order to ensure the security of personal data provided or made accessible by the User throughout the entire data processing operation.
  • The Service Provider stores Users’ personal data at its guarded and alarm-protected registered office located in Hungary, at H-1165 Budapest, Kalitka street 2.
  • As Data Controller, the Service Provider guarantees – particularly with regard to expertise, reliability, and resources – that it shall implement the technical and organizational measures necessary to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the national regulations and international data protection conventions, including measures ensuring the security of processing.
  • The Service Provider shall ensure that persons authorized to access personal data undertake confidentiality obligations with respect to all personal data they become aware of, unless they are otherwise already subject to an appropriate statutory duty of confidentiality.
  • The Service Provider possesses appropriate hardware and software tools and undertakes to implement technical and organizational measures suitable for ensuring the lawfulness of data processing and the protection of the rights of data subjects.
  • Tasks related to IT security require particular care on the part of the Data Controller, especially with regard to:
  • measures ensuring protection against unauthorized access, including the protection of software and hardware devices and physical protection (access control, network protection);
  • measures ensuring the recoverability of data files, including regular backups and the separate and secure handling of copies (mirroring, backup procedures);
  • protection of data files against viruses (virus protection);
  • physical protection of data files and the devices carrying them, including protection against fire, water damage, lightning strikes, and other natural hazards, as well as ensuring the recoverability of damage resulting from such events (archiving, fire protection).

XVI. Logging Data

  • During use of the Website, visits to the Website and certain conversion events (e.g. registration, booking, quotation requests, package bookings) are recorded. Such data are continuously logged by the system for the purpose of preventing misuse, preparing statistics, and monitoring the operation and performance of the Website’s services, and are retained together with the personal data relating to the relevant event.

XVII. Cookies

  • In order to provide personalized services and convenience features, browser cookies store the last six viewed services for 30 days, the date and time of the most recent page visit, the language used by the browser, the selected currency, and the closing of the newsletter pop-up window. The use of browser cookies may be refused by selecting the appropriate settings in the browser(s); however, in such case the User will not be able to use these convenience features.
  • The Service Provider created its website using the unas.hu portal, and the Website operates using the engine of this platform. The www.unas.hu portal and the websites created through it may use the cookies specified below; however, the Service Provider itself does not use such cookies in any manner. The cookies used may communicate between the User’s device and the www.unas.hu portal, but they do not transfer or disclose any data to the Service Provider. Therefore, with regard to such cookies, the privacy policy of the www.unas.hu portal shall apply.

The cookies that may be used by the www.unas.hu portal and the websites created through it, and their purposes, are as follows:

  1. Strictly Necessary Cookies
  • Such cookies are indispensable for the proper functioning of the Website. Without accepting these cookies, the Service Provider cannot guarantee that the Website will function as expected or that the User will be able to access all requested information.
  • These cookies do not collect personal data from the data subject or any data that may be used for marketing purposes.
  • Strictly necessary cookies include, for example, performance cookies, which collect information on whether the Website functions properly and whether any operational errors occur. By indicating potential errors, these cookies assist the Service Provider in improving the Website and also indicate which parts of the Website are the most popular.
  2. Functional Cookies
  • These cookies ensure a consistent appearance of the Website tailored to the needs of the data subject and remember settings selected by the data subject (for example: color, font size, layout).
  3. Targeting Cookies
  • Targeting cookies ensure that advertisements displayed on the Website correspond to the interests of the data subject. The Website primarily contains advertisements related to the services and products offered by the Service Provider and aims to facilitate access to more favorable offers for the data subject.
  4. Third-Party Cookies
  • The Website may display cookies provided by third parties – such as social media platforms – which enable the sharing or liking of specific content and may transmit information to the third party, which may later use such information to display advertisements to the data subject on other websites.
  5. Cookies also help improve the ergonomic design of the Website, support the creation of a user-friendly Website, and enhance the online experience of visitors.

XVIII. External Intermediary Service Providers

  • With regard to content made available within the Services and shared on various social media platforms, the operator of the external service enabling the sharing of such content (e.g. iWiW, Twitter, Facebook) shall qualify as the data controller of the personal data, and its own terms of use and privacy policy shall govern its activities. In the case of services embedded within the Services but maintained by an external service provider (e.g. the “Ask Us, We Answer” feature provided by Facebook), the operator of the given service shall likewise act as the data controller.
  • When installing applications available on the Service Provider’s website, the User voluntarily provides to the Service Provider the personal data specified in the information made available by Facebook Inc. during the installation process, in compliance with Facebook Inc.’s privacy policy. If a Facebook application refers to this notice, the Privacy Policy shall govern the Service Provider’s data processing; otherwise, Facebook’s privacy policies shall govern data processing within the Facebook service (e.g., deleting an application, posting comments, etc.). Apps can be deleted in Facebook’s user settings (https://www.facebook.com/settings?tab=applications) (under the “Apps” menu item).
  • The Service Provider’s website may also contain links directing users to websites not operated by the Service Provider and intended solely for the information of visitors. The Service Provider has no influence over the content or security of websites operated by partner companies and therefore assumes no responsibility for them.
  • In view of Section 155(4) of Act C of 2003, according to which “data may only be stored on or accessed from the electronic communications terminal equipment of a subscriber or user on the basis of the clear and comprehensive information provided to the user or subscriber concerned, including information relating to the purpose of the data processing, and their consent,” the provisions described in Section XVI provide information regarding the analytical tools used by the Service Provider, namely cookies.

XIX. External Web Analytics and Advertising Service Providers

  • The Service Provider uses external web analytics and advertising service providers for the operation of the Website, which carry out their activities independently from the Service Provider.
  • The Service Provider may also use the Google Analytics and Google Ads services of Google Inc. Google Inc. uses cookies and web beacons for the purpose of collecting information and assisting in the analysis of Website usage. Information stored by cookies (including the User’s IP address) is stored on servers operated by Google Inc. in the United States. Google Inc. may transfer the collected information to third parties where required by law or where such third parties process the information on behalf of Google Inc. As part of Google Ads remarketing services, Google Inc. places tracking cookies on Users’ devices that monitor visitors’ online behavior and, based on such behavior and interests, make advertisements available to Users on other websites. Tracking cookies also enable Google Inc. to identify the User on other websites. The Google Privacy Policy contains further information regarding Google Inc.’s data processing practices. Additional useful information concerning Google’s data-related activities, the disabling of cookies, and advertisement personalization is available at: http://www.google.com/policies/privacy/

XX. Declaration

The User declares that:

  1. During data processing, the Service Provider considers itself bound by the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
  2. During data processing, personal data that come to the knowledge of the Service Provider may only be accessed by those Employees and external Partners who have duties related to the given data processing activity.
  3. In accordance with the principle of transparency, the Service Provider ensures that the currently effective Privacy Policy is continuously accessible to data subjects, thereby ensuring that the Website processes visitors’ personal data confidentially and in compliance with applicable legal requirements, guarantees their security, implements technical and organizational measures, and establishes procedural rules in order to fully comply with data protection principles.
  4. The Service Provider shall take all IT and other measures necessary to facilitate secure data processing related to data storage, processing, and transfer, and shall ensure the preservation of the data it processes.
  5. To the extent possible, the Service Provider shall take all measures necessary to protect the personal data it processes against unauthorized access, alteration, disclosure, deletion, damage, or destruction, and shall guarantee the technical conditions required for such protection.
  6. The Service Provider does not verify the personal data provided to it and excludes liability for the accuracy thereof.
  7. The Service Provider shall transfer personal data to third parties only exceptionally and only where the data subject has expressly consented thereto, or where permitted by law, and only if the conditions for lawful processing are fulfilled with regard to each individual personal data item, or where such transfer is indispensable for the performance of the service. The Service Provider shall connect its database with another service provider’s database only under the same conditions.
  8. The Service Provider carries out its activities exclusively in Hungary and is not part of a multinational corporate group; therefore, it is not required to implement or maintain binding corporate rules.
  9. The Service Provider shall not transfer or disclose personal data to a data controller or data processor located in a third country.
  10. The Service Provider shall maintain records of data transfers made to domestic data controllers, including the date of the transfer, the legal basis and recipient of the transfer, the scope of the personal data transferred, and any other data required by applicable legislation governing data processing.
  11. For the purpose of monitoring measures related to data protection incidents and informing data subjects, the Service Provider shall maintain records containing the scope of the personal data affected, the categories and number of data subjects concerned by the incident, the date, circumstances, effects, and remedial measures related to the incident, as well as any other data required by applicable legislation governing data processing.
  12. By applying appropriate security measures, the Service Provider shall ensure the protection of personal data stored in automated databases against accidental or unlawful destruction, accidental loss, unauthorized access, alteration, or dissemination.

XXI. Filing Reports and Complaints

  1. The Data Controller shall ensure that the data subject may communicate complaints regarding the ordered service and/or the conduct, activities, or omissions of the Data Controller either verbally (in person or by telephone) or in writing (in person, through a document delivered by another person, by post, or by electronic mail).
  2. Scope of data subjects: All natural persons who wish to communicate complaints regarding the ordered service and/or the conduct, activities, or omissions of the Data Controller, either verbally or in writing.
  3. The purpose of processing the collected data is the identification of the complaint and compliance with statutory obligations, including the recording of mandatory data.

The scope of processed data in the case of a complaint includes:

  • complaint identification number;
  • name*;
  • date of receipt of the complaint*;
  • telephone number;
  • date and time of the call*;
  • personal data provided during the conversation;
  • billing/postal address;
  • service subject to the complaint;
  • attached documents;
  • reason for the complaint*;
  • the complaint itself*.
  1. The purpose of data processing is to enable the submission of complaints and maintain contact with the data subject.
  2. The activities and process involved in the data processing are as follows:
  • The data subject communicates their complaint to the Data Controller verbally (in person or by telephone) or in writing (in person, through a document delivered by another person, by post, or by electronic mail).
  • If the data subject submits the complaint verbally, the Data Controller shall prepare a complaint report form or minutes containing equivalent information.
  • If the data subject wishes to submit the complaint in writing, they shall have the opportunity to do so.
  • The Data Controller shall process the complaint and respond within the shortest possible time.
  • The Data Controller shall resolve any complaints that may arise as soon as possible and in accordance with the common interests of the parties.
  3. Duration of data processing: Pursuant to Section 17/A (7) of Act CLV of 1997, the Data Controller shall mandatorily retain the minutes recorded regarding the complaint and a copy of the response for a period of 5 years from the date of recording.

In the event of a violation of the right to informational self-determination, reports and complaints may be submitted to:

National Authority for Data Protection and Freedom of Information
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410

You may file a report or complaint regarding content that is harmful to minors, incites hatred, or is discriminatory; corrections; or violations of the rights of deceased persons or defamation:

National Media and Communications Authority
H-1015 Budapest, Ostrom street 23-25.
Postal Address: H-1525 Budapest, P.O. Box 75
Telephone: +36 (1) 457-7100
Fax: +36 (1) 356-5520

 

In the event of any legal dispute, the Hungarian version of the Privacy Policy and Data Management shall prevail.

Budapest, 1 April 2017.