1. Aim of the Policy
This Policy aims to provide the stakeholders with adequate information on the data managed during the maintenance of the website https://oriaskerek.com, maintained by the Company, as well as the source of the data, the aim of the data management, its legal base, duration, the names, addresses and activity of the occasionally involved data- processing third parties, and – in case of transferring personal data of the stakeholder – the legal base of data transfer, its recipient, and information on whether data transfer is being conducted to a third country. This Policy also informs about the rights of the stakeholder.
Anyone can visit the website without having to provide any kind of personal data beyond technically automatic data management. There are, however, such functions that can only be used by simultaneously providing certain types of personal data (name, e-mail address).
2. Expressions used in the Policy:
Personal data: data that can be associated with the stakeholder – especially name, taxpayer identification number, and knowledge on physical, physiological, mental, economic, cultural or social identity -, and any conclusion drawn from the data, in regard to the stakeholder. Furthermore, any information regarding the identified or identifiable natural person („stakeholder”) is classified as personal data: identifiable is such natural person, who can be – directly or indirectly – identified, on the basis of any identifiers (i.e. name, address, number, location data, online identifier, or one or multiple factors regarding their physical, physiological, genetical, mental, economic, cultural or social identity). Stakeholder: any natural persons identified and/or directly or indirectly identifiable on the basis of any defined personal data. User: such natural person that visits the Company’s website, creates an account and provides their personal data in the process. Special data: any data in regard to racial or ethnic heritage, belonging to a national or ethnic minority, political opinion, religious or other ideologies, memberships of any interest representation unions, health status, any addictions or sexual life, respectively criminal personal data, and genetic and biometric data aiming for the individual identification of natural persons. Controller: such natural person or legal entity, or companies without legal personality, that defines (independently or together with others) the aims and measures of personal data management, makes decisions regarding data management (including the measure used) and implements them, or has an assigned Processor implement them. Data management: regardless of the method used, any action or the sum of actions carried out with the data, especially the collection, recording, sorting, storing, proportioning, altering, usage, query, transfer, publication, fine-tuning, combination, introspection of data, its disclosure via transfer, distribution or any other kind of publication, its distraint, deletion and destruction or other forms of preventing further use of data. Photography, making voice or visual recordings.
Data processing: carrying out technical duties in regard to data management, regardless of the method and tools used and the location, supposing the technical duties are carried out on the data. Processor: such natural person or legal entity, as well as public power entities, agencies or any other body, corporations without legal entity, which processes personal data on behalf of the Controller. Data transfer: making data accessible for a defined third party. Access rights of stakeholders: stakeholders are entitled to receive feedback from the Controller whether the management of their personal data is in process, and if so, they are entitled to receive certain information (i.e. aim of data management, categories of affected personal data, the duration of storage of personal data). Objection: stakeholder’s declaration, which objects the management of their personal data, and requests the suspension of data management and the deletion of data that has been processed. Constraint of data management: tagging stored personal data in order to constrain their future management. Data deletion: making data unidentifiable in such way that its future restoration would not be possible anymore. Data tagging: tagging data with an identifier in order to help its differentiation. Data distraint: tagging data with an identifier in order to permanently or temporarily constrain their future management. Destruction of data: complete physical destruction of the data carrier. Third country: any, non-EEA member country.
3. Data of the Company, as Controller
Name: Ferris Wheel Kft. (hereunder: „Company” or „Controller”) Headquarters: 1123 Budapest, Alkotás utca 55-61. Registry court and company registration number: Company Registry Court of Budapest, 01-09-337618 Online contact regarding data management: firstname.lastname@example.org Representative: Banka Edina managing director Contact information of associate responsible for data management: e-mail: email@example.com; telephone: 06 70 636 0629
Only such persons working at the Controller have access to data whose duties explicitly require that (i.e. associates responsible for communication and billing).
The Controller transfers personal data to the below persons/entities (Processors) in order to provide:
• online storage space (operation of e-mail system): name: Google Inc. (1600 Amphiteatre Parkway, Mountain View, California 94043, USA) https://policies.google.com/privacy?hl=hu; as well as TZTeam Kft. headquarters: 1161 Budapest, Rákóczi út 48.
• technical background (fulfilling system administrator and system supervisory duties, and operating Controller’s servers on both physical and operating system levels): name: TZTeam Kft. headquarters: 1161 Budapest, Rákóczi út 48.
• technical background in regard to the website, fulfilling duties in regard to development: name: Life-Changer Ltd, headquarters: 18 Old Lane, Great Manchester M11 1BE, Manchester, UK.
Only such persons working at the Processors have access to data whose duties explicitly require that (i.e. storage space administrators, system administrators, system supporting staff, web developer).
The Processor providing storage space services does not transfer personal data outside of the EEA.
5. Personal data under management and its protection
5.1 If User visits the Company’s website, the Controller’s system automatically stores the User’s IP address, country, the browser used, the type and version number of the device and operating system, the language settings, the date of visit and data regarding the visit of the website. PHPSESSID and Google Analytics cookies: This data is automatically used by the system to generate statistical data, which the Company only uses for website-related analysis, gathering of statistical information and the technical development of the IT system. This data may be used to draw conclusions about website usage and given devices, however, no personal data is used. The data is only used anonymously. Storage of above data in respect to persons does not take place.
5.2 On the basis of the User’s decision, the Controller – in regard to the use of its services – may manage data, especially: name, address, phone number, e-mail address.
5.3 If User sends an e-mail to the Company, the Controller stores the User’s name and e-mail address and manages it to the extent and for the duration required in order to be able to provide its services. In case of e-mails sent by User, the Controller deletes the e-mail address on the 90th day following the conclusion of User’s e-mail request, except, if – in individual cases – the fulfillment of the contract or the Controller’s lawful right requires the further management of personal data, until such lawful interest exists. In such cases, the Controller individually informs the User.
5.4 The storage of personal data takes place in a password protected, regularly supervised system. Access to such data is constrained, the communication takes place via a secured channel.
5.5 References to external, non-Company operated websites (links i.e. to Instagram, Facebook), which may manage personal data, can be found at https://oriaskerek.com. The User may gather information about the data management taking place on such third-party websites via their respective Policies, or at the operator of their website.
6. Further types of data managed by the Company
settings. However, upon disabling the cookies, the User acknowledges that given site would not be able to operate to the fullest.
You may get more information on cookie preference settings within the browser via below links: • Internet Explorer: https://support.microsoft.com/en-au/help/17442/windows-
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies- website-preferences
• Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDeskt op&hl=en
6.4 While operating the systems, the following types of data are technically stored: such data of the login computer of User, that is generated while using the service and which get stored as the automatic result of technical processes by the Controller’s system. The automatically stored data is automatically logged by the system at each login and logout, without the need for any specific declaration or action from the User’s end.
6.5 Upon entering the website, The Company stores the User’s IP address in connection to providing the service and thus for the reasons of lawful fulfilment of contract and lawful use of the website (i.e. in order to filter unlawful use as well as unlawful content), without the need for any specific consent from the User’s end.
6.6 The Company does not monitor the personal data it receives. For the adequacy of such personal data, the person providing the data is solely responsible. User guarantees that – while using the services provided – they have lawfully obtained the consent of other natural persons in case User provides their personal data (i.e. in case of publishing content generated by the User).
Personal data of persons under the age of 16 can only be managed if their guardians give their consent to it. The Company is not able to check the entitlement of the person giving the statement of consent, its contents, so the User and their guardians guarantee that the method of giving consent corresponds to the relevant law. In the absence of a statement of consent, the Controller does not collect personal data from stakeholders under the age of 16 – with the exception of the IP address used to visit the website, which is stored automatically given the nature of internet services.
6.7 By providing their e-mail address, User takes responsibility for the fact that User solely controls given address. Therefore, all responsibility regarding logins and/or data used to log in to given address lies with the User registering the e-mail address and providing the data.
6.8 Controller’s system may collect data on the activity of Users, which cannot be linked to other data provided by Users during registration, nor to data being generated while using other websites or services.
7. Features of data management types
7.1 Customer data
Aim of data management: purchase made via www.oriaskerek.com, billing, customer registry and differentiation, order fulfilment, documentation of purchases and payments, fulfilment of accounting duties, customer contact.
Legal base of data management: voluntary consent of the stakeholder, as well as section (2) of § 169 of the Hungarian Accounting Act.
Types of managed personal data: identification number, date, time, name, e-mail, name, quantity and price of ordered tickets.
Duration of data management:
• ordering of tickets: name of customer and e-mail address until the sale and purchase of products, while duration is 8 years in respect to further data, corresponding to section (2) of § 169 of the Hungarian Accounting Act.
In case of card payments, data of the card and payment transaction is managed by PayPal Inc. (2211 North First Street, San Jose, California 95131).
• in case of card payments, the payer’s identification number, amount, date and time of the transaction towards PayPal Inc. (2211 North First Street, San Jose, California 95131).
Legal base of data transfer: point b) of section (1) of article 6 on GDPR, as well as the voluntary consent of the stakeholder.
Possible consequences of data service default: the customer cannot use the services of www.oriaskerek.com (cannot make a purchase).
7.2 Reporting of quality objections
Aim of data management:
Addressing quality objections arising in respect to the services provided by the Company.
Legal base of data management: voluntary consent of the stakeholder, as well as section (7) of § 17/A. of the Hungarian Consumer Protection Law.
Types of managed personal data: identification number, name and e-mail address of the customer (consumer), name and price of the product, date of the purchase and error reporting, description of the error, claim of the customer (consumer) and the method of settlement.
Duration of data management:
• 5 years on the basis of section (7) of § 17/A of the Hungarian Consumer Protection Law, in respect to complaint reports and copies of the replies to written complaints.
Possible consequences of data service default: failing to address the quality objection of the customer.
7.3 Logging of server www.oriaskerek.com
At the time of visit to www.oriaskerek.com, the web server automatically logs user activity.
Aim of data management: during a visit to the website, the operator stores visitor data in order to monitor the operation of its services, provide customized attendance and prevent misuse.
Legal base of data management: point f) of section (1) of article 6 on GDPR (the Company’s rightful interest in the safe operation of its website).
Types of managed personal data: identification number, date, time, address of the site visited.
Duration of data management:
• 2 weeks
Processors: Google Inc. (1600 Amphiteatre Parkway, Mountain View, California 94043, USA) https://policies.google.com/privacy?hl=hu; as well as TZTeam Kft.
Processor duties: providing online storage space
The Company does not link the data generated from analyzing logging stocks to other types of information, it does not endeavor to identify the User.
Address of the sites visited, or date and time data cannot be used to identify the stakeholder in their own right, however, when combined with other types of data, they can accommodate conclusions to be drawn in regard to the User.
Data management of external service providers in regard to logging: The html code of www.oriaskerek.com is independent of the Company, and contains links coming from and pointing to external servers. The server of the external service provider is in direct relationship with the User’s computer. It is important to note that the providers of such links are able to collect user data (i.e. IP address, data of the browser and operating system, movement of the cursor, address of the site visited and date of visit), given the direct connection with their server and the direct communication with the user’s browser. In such cases, they may not inform the Controller. Such activity does not classify as data management carried out by the Controller, and Controller does everything in its power to prevent and filter such types of data management.
IP address is such number sequence that can unequivocally identify user computers and mobile devices connected to the internet. With the help of IP addresses, a user computer may even be geographically localized. Address of the visited sites, or date and time data cannot be used to identify the stakeholder in their own right, however, when combined with other types of data (i.e. data provided during registration), they can accommodate conclusions to be drawn in regard to the user. The possibly customized contents are provided to the user by the server of the external service provider.
By using the internet and visiting websites, the user accepts both data management carried out by storing website visitor data through a web server, and data management with the aim of web auditing, given the fact that these are data management types widespread on the internet. More information is provided on data management carried out by the servers of external service providers below.
Below service providers’ code has been embedded in the website’s code with the aim of monitoring users and providing customized recommendations: google.com, doubleclick.net, cloudfront.net, googletagmanager.com, google-analytics.com, googleadservices.com, facebook.net.
7.4 Cookie management of www.oriaskerek.com
With the aim of providing customized service, the Company places a small data package (cookie) on the User’s computer, which will be analyzed during the next visit. When the browser sends back a previously saved cookie, the service provider operating the cookies has the opportunity to link the previous visits of the user to the actual one, but only in respect to its own content.
Aim of data management: identification and differentiation of users, identification of the user’s actual session, storage of the data provided in the course, prevention of data loss, web analytical measurements.
Legal base of data management: consent of the stakeholder.
Types of managed personal data: identification number, date, time, address of the site visited previously.
Duration of data management:
• 1 year
Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) https://policies.google.com/privacy?hl=hu; as well as TZTeam Kft.
Processor duties: providing online storage space.
Cookies valid until end of session will be removed from the computer upon closing the browser. Cookies with a certain validity (permanent cookies) will be stored on the computer until their deletion, or until their validity expires.
7.5 Photography and other forms of telerecording, as well as making and using voice recordings
Aim of data management: the use and publication of personal data with the aim of promoting the services of the Company and boosting its public image via printed, digital or other informative, promotional resources; use and publication on the website of the Company, coverage on the given event; documentation of the happening of given event (in the intercompany processes).
In case of voice recording: oral complaint, remark, information and administration regarding ticket purchase or other issues.
Legal base of data management: consent of stakeholder (point a) section (1) of § 5 of the Act on Informational Self-determination and Freedom of Information; point a) section (1) article 6 on GDPR); in case of underage stakeholders, the consent of guardian(s).
In case of recordings of crowd scenes and public appearance, where illustration is not individual, the consent of the stakeholders is not necessary for the making and use of the recording.
Types of managed personal data: face and portrait of the stakeholder, as well as any data linked to the stakeholder or any conclusion drawn; voice of the stakeholder.
Duration of data management: until the fulfilment of given data management goal, as well as the revocation of the stakeholder’s consent or the fulfilment of deletion claims, but at most, 3 years following the making of the recording. For storage beyond this time, the Company individually asks the consent of the stakeholder.
Associates responsible for marketing at the Controller have access to personal data in order to be able to fulfil their duties.
– online storage space (operation of e-mail system): name: Google Inc. (1600 Amphiteatre Parkway, Mountain View, California 94043, USA) https://policies.google.com/privacy?hl=hu; as well as TZTeam Kft.
– providing technical background (fulfilling system administrator and system supervisory duties): name: TZTeam Kft. headquarters: 1161 Budapest, Rákóczi út 48.
– providing technical background in regard to the website, fulfilling duties in regard to development: name: Life-Changer Ltd, headquarters: 18 Old Lane, Great Manchester M11 1BE, Manchester, UK.
8. Stakeholder rights and enforcement possibilities
8.1 Stakeholder may request from the Controller:
• information on personal data under management (Controller informs on the factual data),
• access rights to their personal data,
• amendment of their managed personal data,
• deletion, distraint of their managed personal data – with the exception of compulsory data management -, by marking the factual sections of data,
• constraint of data management,
• objection (in case of data management based on lawful interest),
• data portability rights as stakeholders are entitled to them (only in relation to data managed on a contractual basis, in the case of automatic data management),
• judicial remedy.
8.2 In connection with the above, User may reach out to the Company via the contact information provided in section 3. If the stakeholder experiences the unlawful management of their personal data, resulting in injury, then Controller must provide reimbursement to the stakeholder (Stakeholder may put forward a petition on reimbursement in court).
In case of violation of stakeholder’s personal rights, stakeholder may demand compensation from the Controller.
If stakeholder experiences the unlawful management of their personal data, they may raise a complaint at the Hungarian National Authority for Data Protection and Freedom of Information (headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; postal address: 1530 Budapest, Pf. 5.; telephone: 06 -1- 391-1400; telefax: 06-1-391-1410; e- mail: firstname.lastname@example.org).
Stakeholder may also take the matter of unlawful personal data management to court. The suit may be filed at the court assigned to Controller’s headquarters, or as per the choice of the stakeholder, at the court assigned to stakeholder’s residency.