Oszkar.com Information Note on Data Management and Privacy Policy


Reference number: OSZATASz/2020-1

This Information Note on Data Management and Privacy Policy was prepared to provide you with information about your data managed during the use of the “Oszkár” carpool system (hereinafter referred to as: the Service) and to make you aware of your related rights.

In the Information Note on Data Management, we inform you about the personal data management relevant to you in an Oszkár-specific way. In it we address you on a first-name basis, firstly because this is customary within the Oszkár community, and secondly to make the information easier to understand. We hope that you will not take it as disrespect! The Privacy Policy provides a much more general and detailed insight into the legal framework governing personal data.

This Information Note and Privacy Policy (INPP), as well as the Cookie Policy referred to in it, constitute part of the General Terms and Conditions of Use of Oszkár (GTCU); the concepts used in these documents (written with capital letters) are explained in the GTCU, should they be unclear to you. The GTCU can be accessed at: https://www.oszkar.com/misc/policy.php. The Cookie Policy is available at: https://www.oszkar.com/login/cookie_policy.php.

It is important that a prerequisite for using the Service is that you read, understand and accept the provisions included in this Information Note on Data Management and Privacy Policy.

If we amend the content of this Information Note on Data Management and Privacy Policy, we will notify you before the change becomes relevant to you.

I. Information Note on Data Management

Who handles your personal information?
In the “Oszkár” System, which comprises the Website and the Android and iOS mobile applications, your data are handled by Oszkar.com Telekocsi Kft. (hereinafter referred to as: the Service Provider), i.e. we are the Data Controller, and you are the Data Subject whose data are handled.

You can contact us at the following contact details:

The address of our headquarters is as follows: 1133 Budapest, Hegedűs Gy. u. 67. 5/4.
E-mail address: info@oszkar.com
Telephone (during working hours): (+36) 1 / 6 333 696
Website: https://www.oszkar.com

In connection with data protection, Attila Prácser (co-founder) is the competent person at our company.


What personal information do we handle about you and on what legal basis?
We ask for data from you depending on the extent to which you are using the functions of the Service.

When you visit the site (the first contact), we inform you that the Website uses so-called “cookies”. Some of these are necessary for the functional operation of the site; others serve purposes other than providing the service, and their use therefore depends on your consent. You can find detailed information about the cookies in the Cookie Policy.

During your visit, in addition to the data stored in cookies, the IP address from which your visit was initiated is also stored temporarily on the server.

Each entry below lists the purpose of data management, its type (optional or non-optional), the legal basis, the personal data managed, the duration of data management, and to whom the data are transmitted.

Purpose of data management: Potential use in technical troubleshooting
Type: Non-optional
Legal basis: Enforcement of the legitimate interest of the Data Controller (Article 6 Paragraph (1) f) of the GDPR): ensuring the operational safety of the system
Personal data managed: IP address
Duration: 14 days after the visit
Data transmission: Linode LLC (server service provider)

Management of the data that you must or may provide in order to access or use the functions bound to registration:

Purpose of data management: Enabling registration
Type: Non-optional (registration is a prerequisite)
Legal basis: Preparation of contract conclusion – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: First name, last name, e-mail address, username, password (not stored in a decryptable form)
Duration: Until registration is completed, i.e. until the conclusion of the Contract. If registration fails, the data are deleted after 3 days.
Data transmission: Server service providers

Purpose of data management: User identification during the login process
Type: Non-optional (registration is a prerequisite)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Username, e-mail address, password (not stored in a decryptable form)
Duration: Withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR). Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers, Google LLC (only the username)

Purpose of data management: Communication with the Users: delivery of the notifications necessary for the operation of the system; requests for help in troubleshooting
Type: Non-optional (registration is a prerequisite)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: First name, last name, e-mail address, telephone number, Facebook ID, smartphone device ID
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers, Facebook Ireland Ltd. (e-mail address)

Purpose of data management: Provision of the exchange of car driver and passenger contact details
Type: Non-optional (registration is a prerequisite)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Username, first name and last name, gender and telephone number. In case of use as a car driver, the licence plate number, brand, type, year of manufacture and colour of the motor vehicle.
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers. Recipient: for the data of the passenger, the car driver with whom he or she has booked a place; for the data of the car driver, the passenger who has booked a place through the Car ad.

Purpose of data management: Provision of SMS notification on set events and verification of the authenticity of the telephone number
Type: Non-optional (registration is a prerequisite)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Telephone number, username, location and time information of the reservation
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers, Infobip Ltd., Link Mobility Hungary Kft.

Purpose of data management: Creation of trust in the potential travel mate during the travel mate search
Type: Optional
Legal basis: The voluntary consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR)
Personal data managed: Date of birth, date of registration, occupation, personal introduction, profile picture
Duration: Withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR). Thus, if you delete these data or cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers

Purpose of data management: In case of use as a car driver, enabling the basic functionality of the Service, i.e. informing potential travel mates about the availability of free places
Type: Optional (a prerequisite for using the Service as a car driver)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Details of the trips advertised: location and time information of departure, arrival and the intermediate stops; vehicle data related to the ad; comment
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers

Purpose of data management: In case of use as a passenger, enabling the basic functionality of the Service, i.e. reserving a place through a car driver’s ad
Type: Optional (a prerequisite for using the Service as a passenger)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Details of the place reservation: the number of places reserved, location and time information of the ad involved in the reservation
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers

Purpose of data management: Data required to issue an invoice in compliance with statutory obligations
Type: Non-optional (after the use of a paid service)
Legal basis: Fulfilment of a legal obligation (the currently effective tax and accounting acts)
Personal data managed: Billing name, billing address, data supporting the realisation of the economic activity: the day of travel, its destination and the number of passengers
Duration: The time interval specified in the relevant regulations
Data transmission: Server service providers, Vision-Software Kft., and, if the ride is paid online, the company providing the transportation service

Purpose of data management: Data necessary for the issuance of an invoice, retained to simplify invoicing (so that the data need not be entered again and again)
Type: Optional
Legal basis: The voluntary consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR)
Personal data managed: Billing name, billing address
Duration: Withdrawal of the consent of the Data Subject (within 30 days)
Data transmission: Server service providers, Vision-Software Kft.

Purpose of data management: Provision of the possibility of online electronic payment
Type: Optional
Legal basis: The voluntary consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR)
Personal data managed: First name, last name, billing name and address, telephone number and e-mail address
Duration: Withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR). Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers, OTP Mobil Kft.

Purpose of data management: Enabling the acceptance of online electronic payment
Type: Optional
Legal basis: The voluntary consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR)
Personal data managed: Billing name, address, bank account number, bank where the account is kept
Duration: Withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR). If you ask for the cancellation of online payment acceptance and the deletion of the related data, or if you cancel your registration, we will delete the data provided within 30 days.
Data transmission: Server service providers, OTP Mobil Kft.

Purpose of data management: Provision of GPS-based, real-time travel mate search; enabling the function “Where can I find my driver?”
Type: Optional
Legal basis: The voluntary and express consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR). Method: enabling “Position sharing” in the mobile application for the given trip.
Personal data managed: GPS coordinates of the mobile device
Duration: 7 days from the start of the trip, or earlier upon withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR)
Data transmission: Server service providers

Purpose of data management: Ensuring the effective operation of the rating system
Type: Optional
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: The text of the rating posted in connection with the trip
Duration: Until the deadline determined in the rating system (see also the GTCU), or withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR), i.e. you can cancel the evaluation submitted. Thereafter, the data remain available until the registration of the evaluated person is deleted.
Data transmission: Server service providers

Purpose of data management: Prevention of abuse or re-registration in the case of users who have received a rating other than positive during the use of the System, who have received a warning due to an abuse under any article of the GTCU, whose account has been suspended, or who have been reclassified into the inquiry-based mediation fee system
Type: Non-optional
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR, and enforcement of a legitimate interest – Article 6 Paragraph (1) f) of the GDPR
Personal data managed: E-mail address, telephone number, IP address, device ID, first name and last name, car data, travel data
Duration: 3 years after the date and time of the last non-positive evaluation, suspension, warning or reclassification (if several exist, the latest of them)
Data transmission: Server service providers

Purpose of data management: Sending notifications that encourage use of the service at a relevant time and in a relevant manner
Type: Optional
Legal basis: The voluntary and express consent of the Data Subject (Article 6 Paragraph (1) a) of the GDPR)
Personal data managed: Travel data (the role undertaken in the travel, the date and time, and the destination of the travel), e-mail address
Duration: Withdrawal of the consent of the Data Subject (Article 17 Paragraph (1) b) of the GDPR)
Data transmission: Server service providers

Purpose of data management: Investigation and retrieval of customer service complaints
Type: Non-optional (for customer service inquiries)
Legal basis: Fulfilment of a legal obligation – Section 17/A Paragraph (5) and Section 17/B Paragraph (3) of Act CLV of 1997 on Consumer Protection
Personal data managed: The consumer complaint or comment submitted via an electronic channel or by phone, and the related contact details (e-mail address, telephone number or Facebook ID)
Duration: As prescribed by Section 17/A Paragraph (5) and Section 17/B Paragraph (3) of Act CLV of 1997 on Consumer Protection
Data transmission: Freshworks Inc. (electronic inquiries), Fonio Kft. or Opennet Kft. (telephone inquiries), Google LLC

Purpose of data management: Delivery of the stickers ordered and tracking of the order status
Type: Optional
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Name and mailing/delivery address
Duration: 60 days after the posting of the sticker ordered
Data transmission: Server service providers

Purpose of data management: Authorisation of businesses providing professional transportation services
Type: Non-optional (if Article 7.6 of the GTCU applies)
Legal basis: Performance of the contract – Article 6 Paragraph (1) b) of the GDPR
Personal data managed: Name of the driver, date and place of birth, mother’s name, address
Duration: Termination of the contract. Thus, if you cancel your registration, we will either delete these data or transform them in an undecryptable way within 30 days.
Data transmission: Server service providers
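The last entries above commit to two things that a practitioner will want to see together: the identifiers of abusive accounts (e-mail address, telephone number, IP address, device ID) are kept for 3 years after the latest event to block re-registration, and data are transformed "in an undecryptable way" rather than kept in the clear. The following Python is an added example written for this page, not Oszkár's implementation; the secret key, the identifier kinds and the register class are its own assumptions. It canonicalises each identifier, stores a keyed hash (HMAC-SHA256) instead of the value so that a leaked register can neither be reversed nor enumerated (a telephone number has far too few possible values for an unkeyed hash to protect it), extends retention to 3 years after the latest event, purges expired entries, and checks a new registration against the live entries.

```python
"""Re-registration check over pseudonymised abuse identifiers.

Added example, not Oszkár's code. Identifier kinds, the secret key and the
retention period are assumptions made for this illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# "3 years after the latest event" (the policy's retention period).
RETENTION = timedelta(days=3 * 365)

# Server-side secret used to key the hash. Constructed placeholder: in a real
# deployment it comes from a secrets store, never from source code.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def normalise(kind, value):
    """Canonicalise an identifier so that trivially different spellings collide."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        if digits.startswith("0036"):      # 0036 30 ... -> 36 30 ...
            digits = digits[2:]
        elif digits.startswith("06"):      # 06 30 ...   -> 36 30 ...
            digits = "36" + digits[2:]
        return "+" + digits
    return value.strip()                   # ip, device id: as given


def pseudonymise(kind, value, key=SECRET_KEY):
    """Keyed hash of the canonical identifier. Without the key the stored value
    cannot be reversed, and it cannot be brute-forced by enumerating every
    possible phone number either, which a bare SHA-256 would allow."""
    msg = f"{kind}:{normalise(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AbuseRegister:
    """Pseudonym -> time at which the entry must be purged."""

    def __init__(self):
        self._expiry = {}

    def record(self, identifiers, event_time):
        """Record the identifiers of a warned/suspended/reclassified account.
        identifiers is {kind: value}; retention restarts from the latest event."""
        until = event_time + RETENTION
        for kind, value in identifiers.items():
            p = pseudonymise(kind, value)
            if p not in self._expiry or self._expiry[p] < until:
                self._expiry[p] = until

    def purge(self, now):
        """Drop entries whose retention period has passed; returns the count."""
        expired = [p for p, t in self._expiry.items() if t <= now]
        for p in expired:
            del self._expiry[p]
        return len(expired)

    def matches(self, identifiers, now):
        """Kinds of identifiers in a new registration that match a live entry."""
        self.purge(now)
        return sorted(kind for kind, value in identifiers.items()
                      if pseudonymise(kind, value) in self._expiry)


if __name__ == "__main__":
    # Constructed sample data, not real users.
    register = AbuseRegister()
    suspended_at = datetime(2020, 5, 1, tzinfo=timezone.utc)
    register.record({"email": "Bad.Actor@Example.com",
                     "phone": "06 30 123 4567",
                     "ip": "203.0.113.7"}, suspended_at)
    attempt = {"email": "bad.actor@example.com", "phone": "+36-30-123-4567"}
    print(register.matches(attempt, suspended_at + timedelta(days=30)))
    print(register.matches(attempt, suspended_at + RETENTION + timedelta(days=1)))
```

Only the hashed identifiers and their expiry times need to survive account deletion, which is what lets the register satisfy both the 3-year anti-abuse retention and the "delete or transform in an undecryptable way" promise at the same time.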

To whom do we transfer personal information?
We may forward your data to the organisations listed below (also referred to in the entries above), which act as data processors:

Server service providers:

Data Processor name: Linode LLC
Headquarters: 329 E. Jimmie Leeds Road, Suite A Galloway, NJ 08205, United States of America
The scope of data transmitted: Complete
The location of data management: Unit 1, Volt Avenue, NW10 6PW London, United Kingdom (Telecity Powergate Data Center)
The purpose of data transmission: The servers leased by the Service Provider (Oszkár) are located in the server park of Linode LLC at the data management location given above, and the management and storage of all data takes place there.
Data management policy: https://www.linode.com/privacy

Data Processor name: Vision-Software Kft.
Headquarters: 1149 Budapest, Pósa Lajos utca 51.
The scope of data transmitted: first name, last name, billing name, billing address (in connection with the enterprise management system) and all the data managed (in connection with the server service)
The purpose of data transmission: Operation of the enterprise management system and provision of server services for reporting purposes
Data management policy: Safe data management regulated by a separate contract.


Other data processors:

Data Processor name: OTP Mobil Szolgáltató Kft.
The scope of data transmitted: name, address, telephone number, e-mail address, bank account number
The purpose of data transmission: Provision of customer service help to users during online payments, confirmation of transactions and fraud monitoring for the protection of users; payment management and transaction-security (fraud) checks for online payment acceptance.
Data management policy: http://simplepay.hu/vasarlo-aff

Data Processor name: Facebook Ireland Ltd.
Headquarters: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
The scope of data transmitted: e-mail address, telephone number
The purpose of data transmission: Display of relevant ads
Data management policy: https://www.facebook.com/about/privacy/update/printable

Data Processor name: Google LLC.
Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043 United States of America
The scope of data transmitted: Data stored in a corporate cloud store: username (in statements), data of winners of prize competitions
The purpose of data transmission: Preparation of internal reports of the Service Provider (Oszkár), keeping records by using the “Google Drive” service
Data management policy: https://policies.google.com/privacy?hl=hu

Data Processor name: Fonio-Voip Kft.
Headquarters: H-6900 Makó, Bajcsy-Zsilinszky lakótelep A/4 lépcsőház B épület 4. emelet 13.
The scope of data transmitted: The recorded audio material of customer service calls, telephone number
The purpose of data transmission: Provision of customer service by phone
Data management policy: http://fonio.hu/documents/tac

Data Processor name: Freshworks, Inc.
Headquarters: 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, United States of America
The scope of data transmitted: Customer service inquiries, e-mail address, username, Facebook ID
The purpose of data transmission: Provision of electronic customer service
Data management policy: https://www.freshworks.com/privacy/

Data Processor name: Infobip Ltd.
Headquarters: 86 Jermyn Street, 5. floor, SW1Y 6AW London, United Kingdom
The scope of data transmitted: Telephone number, username
The purpose of data transmission: Ensuring the sending of SMS notifications, verification of the authenticity of the telephone number with SMS confirmation
Data management policy: Safe data management regulated by a separate contract.

Data Processor name: Link Mobility Hungary Kft.
Headquarters: 1064 Budapest, Andrássy út 68. fszt. B02
The scope of data transmitted: Telephone number, username
The purpose of data transmission: Ensuring the sending of SMS notifications, verification of the authenticity of the telephone number with SMS confirmation
Data management policy: https://seeme.hu/szerzodesi-feltetelek

The above partners act only as Data Processors, i.e. we, as the Data Controller, determine their rights and obligations related to the use of your personal data. This means that the Data Processors cannot take any decision regarding data management, may not process any personal data for their own purposes, and are obliged to store and retain the data according to our instructions.

For authorities
If an authorised authority (e.g. the police, the prosecutor’s office, a court, the National Tax and Customs Office or the NAIH) requests personal data managed by the Data Controller in the manner provided for by the relevant regulations, the Data Controller transmits the requested personal data in order to comply with its statutory obligation.


Automatic and manual moderation
In order to ensure compliance with the terms and conditions set out in the GTCU (in particular the prohibition on disclosing contact details), we moderate certain data automatically or, where necessary, by human intervention. The data concerned:

  • The text of internal messages. The exclusive purpose of moderation is to ensure that no contact details can be transmitted before a place reservation or parcel delivery offer has been accepted. This protects you, so that we can help you if the reservation fails and a problem arises, and it protects our own interest in preventing circumvention of the system. Accordingly, messages sent after the reservation has been accepted are not moderated.

  • Introductory text

  • All data entered for a travel, including also the content of the comment section
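The rule for internal messages described above can be expressed as a small filter. The following Python is an added example written for this page, not Oszkár’s own moderation code; the reservation state names (PENDING, ACCEPTED) and the redaction marker are its own assumptions. It flags e-mail addresses and Hungarian-style telephone numbers, including an “@” or “.” spelled out as “kukac” or “pont” and digit runs broken up with spaces, dots, slashes or dashes; it masks dates and times first so that a departure time such as “2020.05.12 14:30” is not mistaken for a phone number; and it redacts only while the reservation is still pending. The sample messages are constructed.

```python
"""Contact-detail moderation for pre-reservation internal messages.

Added example, not Oszkár's code. Reservation state names and the redaction
marker are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field

# Reservation states of a hypothetical data model (assumed names).
PENDING = "pending"
ACCEPTED = "accepted"

# E-mail addresses, including '@' and '.' spelled out the way a Hungarian
# speaker dictates an address aloud ("kukac" for @, "pont" for dot).
EMAIL_RE = re.compile(
    r"[a-z0-9._%+-]+\s*(?:@|\(at\)|\[at\]|kukac)\s*"
    r"[a-z0-9-]+(?:\s*(?:\.|\(dot\)|\[dot\]|pont)\s*[a-z0-9-]+)+",
    re.IGNORECASE,
)

# Digits separated by spaces, dots, slashes or dashes. First alternative: a
# Hungarian number with a +36 / 0036 / 06 prefix followed by 9 digits;
# fallback: any run of 8 or more digits.
_SEP = r"[ \t./-]*"
PHONE_RE = re.compile(
    rf"(?<!\d)(?:(?:\+36|0036|06){_SEP}\d(?:{_SEP}\d){{8}}|\d(?:{_SEP}\d){{7,}})(?!\d)"
)

# Dates and times are legitimate in ride messages and must not be reported as
# phone numbers, so they are masked before the phone scan.
DATE_RE = re.compile(r"\b\d{4}[./-]\d{1,2}[./-]\d{1,2}\b")
TIME_RE = re.compile(r"\b\d{1,2}:\d{2}\b")

REDACTED = "[contact details removed]"


@dataclass
class ModerationResult:
    allowed: bool                                  # True: deliver unchanged
    text: str                                      # text to deliver
    findings: list = field(default_factory=list)   # (kind, original fragment)


def _mask(text, spans):
    """Overwrite (start, end) spans with 'x' so later regexes skip them while
    character offsets stay aligned with the original text."""
    chars = list(text)
    for start, end in spans:
        for i in range(start, end):
            chars[i] = "x"
    return "".join(chars)


def find_contact_details(text):
    """Sorted (start, end, kind) spans of e-mail addresses and phone numbers."""
    spans = [(m.start(), m.end(), "email") for m in EMAIL_RE.finditer(text)]
    masked = _mask(text, [(s, e) for s, e, _ in spans])   # digits inside e-mails
    masked = _mask(masked, [m.span() for m in DATE_RE.finditer(masked)])
    masked = _mask(masked, [m.span() for m in TIME_RE.finditer(masked)])
    spans += [(m.start(), m.end(), "phone") for m in PHONE_RE.finditer(masked)]
    return sorted(spans)


def moderate_message(text, reservation_state):
    """Apply the pre-reservation contact-detail rule to one internal message."""
    if reservation_state == ACCEPTED:
        # Contact details were exchanged by the system on acceptance; no moderation.
        return ModerationResult(True, text)
    spans = find_contact_details(text)
    if not spans:
        return ModerationResult(True, text)
    redacted = text
    for start, end, _ in reversed(spans):          # right-to-left keeps offsets valid
        redacted = redacted[:start] + REDACTED + redacted[end:]
    findings = [(kind, text[s:e]) for s, e, kind in spans]
    return ModerationResult(False, redacted, findings)


if __name__ == "__main__":
    # Constructed sample messages, not real user data.
    samples = [
        "Szia! Indulás 2020.05.12 14:30, a Nyugatinál találkozunk.",
        "Hívj fel: +36 20 123 4567, vagy írj: kovacs.anna kukac gmail pont com",
        "A rendszám: ABC-123, 06-30/987-65-43 a számom",
    ]
    for s in samples:
        r = moderate_message(s, PENDING)
        print(r.allowed, r.text, r.findings)
```

Regex moderation of this kind is a first line only: digits written out as words, or a number split across several messages, get past it, which is why the policy also keeps human moderation in reserve. A licence plate such as "ABC-123" is not flagged because it carries too few digits.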


Profiling
Within the System, we apply automated profiling in several places and use it to analyse and predict reliability and movement-related features. Before you use any feature that would bring you within the scope of our profiling, we inform you as the data subject and ask for your express consent.

Profiling relevant to persons posting car driver’s ads (car drivers):

  • On the basis of the data of the ads posted, we send personalised communication to encourage the posting of ads. For example, if you frequently travel before major holidays, we will use this information to remind you in a personalised way to post an ad before another major holiday, if you have not yet posted an ad for it.
  • We may reclassify you to another accounting system on the basis of the realisation rate of the place reservations related to the ads you posted. If the reservations made with a car driver are fulfilled to an outstandingly poor extent, we reclassify him or her to the Inquiry-based mediation fee system (see also Article 9.2 of the GTCU), to motivate the car driver to advertise in a way that ensures that persons who reserve a place with him or her can actually travel. In case of permanently and outstandingly poor statistics, we exercise our right to suspend.
  • On the basis of the character of the ads, we may oblige you to purchase a business package (see also Article 7 of the GTCU).
Profiling affecting persons booking a place through car driver ads (passengers):

  • On the basis of the data of the ads relevant to your place reservations, we send personalised communication with the aim of encouraging further successful booking of places.
  • In case of a permanently and outstandingly poor place reservation cancellation ratio, we exercise our right to suspend.

It is important that if you feel that automated decision-making has or had an adverse effect on you, you can express your point of view, object to the decision or request human intervention via our contact details.

Exclusion of special-category personal data management
Although we manage photos in the System, this is not considered the management of special-category data, as we do not process them by any specific technical means that would allow the unique identification or authentication of natural persons. So we cannot determine who is depicted in an uploaded photo, and we do not try to do so.

Related websites
The Website contains links and references that guide visitors to other websites. These websites are not owned by us; we only provide links to them, and we assume no obligation or liability for these websites or the information placed on them.

Access through other channels
We reserve the possibility of providing access to the System for our external partners through our existing REST API. For example, the communication between the Oszkár mobile applications and the server also takes place through this API. Through the API, only those of your data can be accessed to which the API user would also be authorised to have access through the website, so the only difference is the access channel.

II. Privacy Policy


1. Commitment and obligations of the Service Provider
The Service Provider, as the Data Controller takes the obligation to

◦ always perform the data management activities related to its Services in accordance with the relevant legal requirements (in particular the data management provisions of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services; Act CXII of 2011 on Informational Self-Determination and Freedom of Information; and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“General Data Protection Regulation”)) and with the current security requirements;

◦ ensure the security of data, take all the necessary technical and organisational measures and establish the procedural rules that ensure that the recorded, stored or managed data are protected, and prevent their destruction, unauthorised use and unauthorised alteration;

◦ call on any third party to whom it may transmit or hand over data to comply with the above provisions and the related obligations.

Service Provider shall be obliged to

• make the Information Note on Data Management and Privacy Policy accessible at the www.oszkar.com website continuously and in a visible place.

• keep records on the data management activities performed by it and on the transmission of personal data, with the content according to Article 30 of the GDPR,

• handle personal data confidentially in order to protect the personal data of users and data subjects, and take all security, technical and organisational measures that guarantee the security of the data managed.

• ensure that the automatically recorded data cannot be linked to the personal data of the user – unless allowed by the law.

• ensure that all of its Partners agree to be bound by the content of this Policy.

• take into account the current state of science and technology when determining and applying the measures serving the security of data,

• protect the information during data management so that only those authorised can access it, and ensure that the information keeps its accuracy and completeness during recording and processing.

• establish the Website and its user interfaces so that authorised Users can access them when needed.

• protect its system, in the manner that can be expected, against risks of varying probability to the rights and freedoms of data subjects, and against computer-aided fraud, sabotage, vandalism, espionage, fire and flood, computer viruses, computer break-ins, etc.

• If a regulation or a final official decision obliges the Service Provider to transmit personal data available to it, the Service Provider shall comply. The Service Provider excludes all liability for the consequences of a data transfer made on the basis of a regulation or a final official decision.

• As is generally known, and thus also known by the User, the use of the Internet is not 100 percent secure. Even with the utmost care, it cannot be ruled out that attacks may succeed and cause damage to the User or to the Service Provider itself. The Service Provider is exempt from liability if it can prove that the damage resulted from an unavoidable cause outside the scope of data management. Damages need not be reimbursed to the extent that they originated from the intentional or grossly negligent behaviour of the injured party.

2. Definitions
Explanation of the most commonly used terms:

Data subject
Any natural person who is identified, or identifiable directly or indirectly, on the basis of personal data.

Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Consent
The consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Controller
It means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Policy, the Service Provider qualifies as a data controller, as the Service Provider independently determines the purposes and means of handling personal data, and takes and implements decisions on data management or has them performed by a data processor.

Data management
It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data processor
It means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Recipient
It means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Privacy incident
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise managed.


Profiling
Any form of automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning the data subject or similarly significantly affects him or her.


3. Data security
3.1. Precautions

Taking into account the current state of science and technology, furthermore, the costs of implementation, the character, scope, circumstances and objectives of data management, furthermore, the risk on the rights and freedoms of natural persons of varying probability and severity, the Data Controller and the data processors shall implement the following appropriate technical and organisational measures to guarantee data security of a level adequate to the degree of risks:

a) ensuring the continuous confidentiality, integrity, availability and resilience of the systems and services used to manage personal data;

Service Provider shall operate the IT tools used to manage the data so that the personal data managed can only be accessed by those authorized to it (confidentiality of data), but the availability should be continuous (availability) for them.

The Service Provider shall operate the IT equipment used to manage the data and the system has been designed so that the authenticity and authentication of personal data managed can be ensured (authenticity of data management), which is ensured by a wide-ranging logging system that adequately supports and verifies the controlled modifiability and integrity of personal data (data integrity);

b) in the event of a physical or technical incident, the ability to restore access to and availability of personal data within 3 working days at the latest;

c) regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures taken to ensure the security of data management, at least every six months.


Based on the generally available state of the art, our IT system and network are protected against computer-aided fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, intrusions and denial-of-service attacks. Security is ensured by server-level and application-level security procedures.

Risks taken into account when determining the appropriate level of security are:

• the risk of accidental or unlawful destruction, loss or alteration of personal data,
• the risk arising out of any unauthorized disclosure of personal data or unauthorized access to personal data.

3.2. Managing incidents

Reporting the privacy incident to the supervisory authority

The Data Controller shall report the privacy incident to the supervisory authority competent under Article 55 of the GDPR without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the privacy incident is unlikely to result in a risk to the rights and freedoms of natural persons.

Informing the data subject about the privacy incident

Where the privacy incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the privacy incident without undue delay.

4. The rights of Users and data subjects
1. Right of access
The data subject shall have the right to obtain access to the personal data and the following information:
a) a copy of the personal data (additional copies at extra cost);
b) the purposes of the processing;
c) the categories of personal data concerned;
d) data related to automated decision-making and profiling;
e) information on the source of the data, where they were not collected from the data subject;
f) the recipients to whom the personal data have been or will be disclosed;
g) information and guarantees related to data transmission to a third country;
h) the duration of the storage and its aspects;
i) the rights of the data subject;
j) the right to lodge a complaint with the competent authority.

2. Right to rectification
The data subject shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right of erasure (right to be forgotten)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
c) the data subject objects to the processing (see also point 6, the right to object) and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
f) the personal data have been collected in relation to the offer of information society services to a child, as referred to in the conditions applicable to a child's consent to the processing of personal data.
The data subject cannot exercise the right to erasure if the data management is required:
a) for compliance with a legal obligation;
b) for the enforcement of legal claims.

4. The right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
a) with the data subject’s consent, or
b) for the establishment, exercise or defence of legal claims, or
c) for the protection of the rights of another natural or legal person, or
d) for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the data controller before the restriction of processing is lifted.

5. The right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent or is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; and
b) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible.

6. The right to object
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The Service Provider shall examine the objection as soon as possible, but within 15 days of the submission of the request at the latest, decide whether it is well founded, and notify the applicant of the result.

7. Rights related to automated individual decision-making, including profiling
Within the framework of the profiling activity, the Service Provider analyzes the system usage habits of the Data Subjects. For more details please see the Profiling Part of the Information Note on Data Management.

The data subject shall have the right to obtain human intervention, to express his or her point of view and to contest the decision.

8. These rights may be exercised at the central e-mail address of the Service Provider, in a message within the System or by postal mail. In case of a question, objection or comment related to the data management of the User, you can contact the staff of the Service Provider at the following e-mail address: info@oszkar.com or contact the Service Provider in writing by a registered letter or by a registered letter with an acknowledgement of receipt.

9. Information is provided to the User free of charge if the person requesting it has not yet submitted a request to the Service Provider concerning the same set of data. In other cases, a reimbursement of costs may be charged. Any cost reimbursement already paid shall be refunded if the data were processed unlawfully or if the request for information led to a rectification.

10. The Service Provider may refuse to inform the data subject only for legitimate reasons. If information is refused, the Service Provider shall inform the data subject in writing of the provision of Act CXII of 2011 on Informational Self-Determination and Freedom of Information on which the refusal is based. It shall also inform the data subject of the possibility of judicial remedy and of lodging a complaint with the Hungarian National Authority for Data Protection and Freedom of Information. The Service Provider shall notify the Hungarian National Authority for Data Protection and Freedom of Information of the rejected requests by 31 January of the year following the year concerned.

11. In order to monitor the measures related to a privacy incident and to inform the data subject, the Service Provider keeps records of the scope of the personal data concerned, the categories and number of data subjects affected by the possible privacy incident, the date, time, circumstances and effects of the privacy incident, the measures taken to remedy it, and the other data specified in the law governing the data management.

5. Judicial and other right enforcement possibilities
1. In the event of a violation of his or her rights, and in the cases specified in Section 21 of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, the User may bring an action against the Data Controller before the court. The court shall hear the case as a matter of priority.

2. The Service Provider shall bear the burden of proving that the data management complies with the law. In the cases under Section 21 Paragraphs (5) and (6) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, the data importer shall bear the burden of proving the lawfulness of the data transfer to it.

3. The case falls within the competence of the regional court (tribunal). At the data subject's option, the action may also be brought before the regional court of the data subject's place of residence or stay. A person who otherwise lacks capacity to be a party to proceedings may nevertheless be a party to the action. The Hungarian National Authority for Data Protection and Freedom of Information may intervene in the proceedings in support of the data subject.

4. If the court upholds the claim, it shall order the Service Provider to provide the information, to rectify, block or erase the data, to annul the decision taken by automated data processing, to respect the data subject's right to object, and to release the data requested by the data importer specified in Section 21 of Act CXII of 2011 on Informational Self-Determination and Freedom of Information.

5. If the court dismisses the data importer's claim in the cases set out in Section 21 of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, the Service Provider shall erase the personal data of the data subject within 3 days of service of the judgment. The Service Provider shall erase the data also where the data importer does not bring an action before the court within the deadline specified in Section 21 Paragraphs (5) and (6) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information.

6. The court may order the disclosure of its judgement - to be published with the identification data of the data controller - if it is required by the interests of data protection and the rights of a greater number of data subjects protected by this law.

7. In any issue related to personal data, one can also request the help of the Hungarian National Authority for Data Protection and Freedom of Information.

Name: Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu

6. Compensation and grievance fees
1. If the Service Provider causes damage to another person by violating the requirements of data security or by unlawfully managing the User's data, it shall be obliged to compensate for that damage.

2. If the Service Provider violates the personality right of the data subject by violating the requirements for data security or by unlawfully handling the data of the data subject, the data subject may claim a grievance fee from the data controller.

3. The Service Provider shall be liable for any damage caused by the data processor to the data subject, and shall also pay the grievance fee due to the data subject for any violation of the data subject's personality rights caused by the data processor. The Service Provider shall be exempt from liability for the damage and from the obligation to pay a grievance fee if it proves that the damage or the violation of the data subject's personality rights resulted from an unavoidable cause outside the scope of data management.

4. The damage need not be compensated and the grievance fee cannot be claimed if the violation of personality rights was caused by the deliberate or grossly negligent conduct of the data subject, or if the damage was caused by the deliberate or grossly negligent conduct of the injured party.


7. Final provisions
1. Service Provider reserves the right to amend this Policy at any time, unilaterally. Service Provider shall inform the User about the amendment of this Policy by publishing a notification at the Website www.oszkar.com.

2. The consolidated Policy shall be made available on the Website at least fifteen (15) days before the amendment enters into force.

3. After the amendment enters into force, the Service Provider shall, at the time of the User's first use following the amendment, again obtain the User's express declaration (made by active conduct) accepting the amended Data Management Policy.



Budapest, 13 February 2020 (Effective: from 14 February 2020)