General Airport Parking Ltd (headquartered at: 11 Kodály Zoltán Street, 2220 Vecsés, company registration number: 13-09-202600, tax number: 27112874-2-13, represented by managing director Sándor Gagyi, hereinafter referred to as the Data Controller or Company) pays special attention to the protection of personal data, compliance with mandatory legal provisions, and secure and fair data processing during its activities.
The Data Controller: a service provider who rents vehicles to Contracting Partners/end users. The Data Controller builds a database containing personal data in certain specific activities based on cooperation agreements concluded with Contracting Partners, and simultaneously manages this personal data concerning third parties involved.
Data of the Data Controller:
Company name: General Airport Parking Limited Liability Company
Company registration number: 13-09-202600
Headquarters: 11 Kodály Zoltán Street, 2220 Vecsés
Tax number: 27112874-2-13
Contact email: info@bestparking.hu
The Data Controller processes the personal data provided to it in accordance with applicable Hungarian and European legislation and ethical requirements, and always takes the technical and organizational measures necessary for proper secure data processing.
This regulation was prepared taking into account the following applicable legal acts:
• Act CXIX of 1995 on the processing of personal data for research and direct marketing purposes
• Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
• Act XLVIII of 2008 on the basic conditions and certain restrictions on economic advertising
• Act CXII of 2011 (Infotv.) on the protection of personal data and access to public interest information; Act LXIII of 1992 on the protection of personal data and access to public interest information; Act C of 2003 on electronic communications and provisions of Chapter XVII; Government Decree no. 16/2003 (IHMR) on special conditions for the processing of data by electronic communications service providers, data security within electronic communications services, and rules on caller identification and call forwarding;
• Government Ordinance no. 226/2003 on reference offers, interconnection agreements, and associated procedural rules, and Government Ordinance no. 277/2003 on detailed procedural rules related to reference offers, interconnection agreements, and rules;
• Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
The Data Controller undertakes to unilaterally comply with this regulation and requests Partners to accept its provisions through a notification available on its website. The Data Controller reserves the right to modify its data protection policy. In case of modifications to the regulation, the updated text will be publicly published.
The personal scope of the Regulation: The Regulation applies to the Company, individuals whose data is included in the data processing subject to the Regulation, and individuals whose rights or legitimate interests are affected by the data processing.
INTERPRETIVE PROVISIONS
In our regulation, the data protection technical terms have the following meanings:
- data file: the totality of data managed in a register;
- data processor: any natural or legal person, or organization without legal personality, who or which, by contract – including contracts concluded pursuant to legal provisions – processes data;
- data controller: the public service provider that produced the electronically mandatory published data of public interest, or whose operation resulted in the creation of such data;
- data processing: any operation or set of operations performed on data, irrespective of the method applied, including collecting, recording, organizing, storing, altering, using, querying, transmitting, disclosing, aligning or combining, restricting, deleting, or destroying data, and preventing further use of data, taking a photograph, sound or image recording, and recording physical characteristics suitable for identifying a person (e.g., fingerprint, DNA sample, iris image);
- data controller: any natural or legal person, or organization without legal personality, who or which determines the purpose of data processing alone or together with others, makes decisions concerning data processing (including the means used), and executes them, or executes them jointly with the data processor;
- data provider: the public service provider who, if the data controller does not publish the data themselves, publishes the data provided by the data controller on a website;
- data marking: marking data with an identifier for the purpose of distinguishing it;
- data transmission: making data accessible to a specific third party;
- data erasure: rendering data unrecognizable in a manner that its restoration is no longer possible;
- data breach: unlawful processing or handling of personal data, including unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction and damage;
- data blocking: marking data with an identifier for the permanent or specified period to restrict further processing;
- criminal personal data: personal data relating to the criminal proceedings or related to the criminal proceedings or prior to them, generated at the authorities authorized to conduct criminal proceedings, and at the organization for criminal enforcement, which can be associated with the individual, as well as personal data relating to the criminal record;
- EEA State: a member state of the European Union and another state that is a party to the agreement on the European Economic Area, as well as a state party to an international agreement between the European Economic Area and a non-party state to the agreement on the European Economic Area, whose citizens enjoy the same legal status as citizens of the European Union and its member states under the international agreement on the European Economic Area;
- data subject: any identified or identifiable natural person based on personal data;
- third country: any state that is not an EEA State;
- third party: any natural or legal person, or organization without legal personality, who or which is not the data subject, data controller, or data processor;
- consent: the voluntary and specific expression of the data subject’s will, based on appropriate information, by which the data subject gives their unambiguous consent to the processing of their personal data – in full or in part – concerning them;
- mandatory organizational regulation: an internal data protection regulation adopted by a group of data controllers or data controllers operating in several countries, including at least one EEA State, approved by the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), which ensures the protection of personal data of the data controller or group of data controllers by the unilateral commitment of the data controller or group of data controllers when transferring personal data to a third country;
- publicly available data of public interest: any information or knowledge recorded in any form or manner, regardless of the method of handling, its independent or collective nature, including the assessment of authority, competence, organizational structure, professional activities, including its effectiveness, the types of data held, and the regulations governing operation and management, and data related to management, contracts concluded, other than those falling within the concept of publicly available data of public interest, as required by law to be disclosed, made known, or made accessible for the performance of state or local government tasks or other tasks defined in legislation, in the possession of or related to an organization or person performing state or local government tasks or other tasks defined in legislation;
- special data: personal data relating to racial or ethnic origin, political opinion or party affiliation, religious or other beliefs, membership of interest representation organizations, sexual life, physical or mental health, pathological addiction, as well as criminal personal data;
- disclosure: making data accessible to anyone;
- personal data: any data relating to an identified or identifiable natural person – in particular, the name of the individual, identifier, as well as one or more physical, physiological, mental, economic, cultural, or social characteristics characteristic of the individual – and any inference drawn from the data relating to the individual;
- objection: a statement by the data subject objecting to the processing of their personal data, and requesting the termination of processing or deletion of the processed data;
- data processing: performing technical tasks related to data processing, regardless of the method and means of executing the tasks, and the location of the application, provided that the technical task is performed on the data;
- data destruction: complete physical destruction of the data carrier containing the data;
- physical or mental health, pathological addiction, as well as criminal personal data;
- physical or mental health, pathological addiction, as well as criminal personal data;
- publicly available data of public interest: making data accessible to anyone, regardless of the data carrier or the mode of data transmission;
- personal data: making data accessible to anyone, regardless of the data carrier or the mode of data transmission.
DATA PROCESSING PRINCIPLES
Personal data may only be processed for specified purposes, in exercising rights, and fulfilling obligations. Data processing must comply with the purpose of processing at all stages, and data collection and processing must be fair and lawful. Only personal data that is essential for the realization of the purpose of processing and suitable for achieving the purpose may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
Personal data must retain its quality throughout the processing until the data subject’s connection can be restored. The connection with the data subject can be restored if the data controller has the technical conditions necessary for restoration. During data processing, the accuracy, completeness, and – if necessary for the purpose of data processing – up-to-dateness of the data must be ensured, and the data subject may only be identified for the duration necessary for the purpose of data processing. The processing of personal data must be considered fair and lawful if a person who wishes to learn the data subject’s opinion for the sake of ensuring freedom of expression visits the data subject’s place of residence or habitual residence, provided that the data subject’s personal data is handled in accordance with the provisions of this law and the personal inquiry is not for business purposes. Personal inquiries may not take place on a public holiday as defined by the Labor Code. Personal data may only be processed with the consent of the data subject or if a law or – based on a law, within the scope defined therein – a municipal decree orders it for reasons of public interest (mandatory data processing).
Personal data may only be processed for specified purposes, in exercising rights, and fulfilling obligations. Data processing must comply with this purpose at all stages. Only personal data that is essential for the realization of the purpose of processing, suitable for achieving the purpose, may be processed, and only to the extent and for the duration necessary to achieve the purpose. Personal data may only be transmitted and different data processing operations may only be linked if the data subject has consented to it or the law permits it, and if the conditions of data processing are met for each personal data.
Personal data may be transmitted from the country to a third country – regardless of the data carrier or the mode of data transmission – to a data controller or data processor in a third country only if the data subject has expressly consented to it, or if the law permits it, and if personal data protection is ensured during the processing or handling of transferred data in the third country. In the case of mandatory data processing, the purpose and conditions of data processing, the scope and accessibility of the data to be processed, the duration of data processing, and the person of the data controller are determined by the law or municipal decree ordering data processing.
The disclosure of personal data may be ordered from public interest – with the explicit designation of the data – by law. In all other cases, the consent of the data subject is required for disclosure, and written consent is required for special data. In case of doubt, it must be presumed that the data subject has not given their consent. The consent of the data subject must be considered given for the data communicated or handed over by the data subject for the purpose of disclosure during the data subject’s public appearance.
In proceedings initiated at the request of the data subject, the consent of the data subject to the processing of their necessary data must be presumed. The data subject must be made aware of this fact. The data subject may also give their consent to the data controller in writing within the framework of a contract concluded with the data controller. In this case, the contract must contain all the information that the data subject must know for the processing of personal data, including in particular the definition of the data to be processed, the duration of data processing, the purpose of use, data transmission, the use of data processors. The contract must unmistakably state that the data subject, by signing, consents to the processing of their data as defined in the contract. The right to the protection of personal data and the personality rights of the data subject – unless otherwise provided by law – must not be violated by other interests of data processing, including the disclosure of publicly available data, which also includes data of public interest.
PRINCIPLES OF DATA PROCESSING
The Data Controller bases the processing of personal data in all its activities on either law or voluntary consent. In some cases, data processing is based on other legal grounds or Article 6 of Law No. CXII of 2011 in the absence of consent.
The Data Controller utilizes the services and collaboration of the following Data Processors in its activities:
Data Processor details:
Company Name: Veritas-BalanCz Limited Liability Company
Headquarters: 8354 Karmacs, Kisfaludy Street 26
Purpose of data transmission: accounting, management of the early debt collection process with data content defined by law.
Company Name: Dr. Molnár Miklós Viktor Law Firm
Headquarters: 1065 Budapest, Nagymező Street 45, I/2.
Purpose of data transmission: resolution of potential legal issues (enforcement, assertion of claims) with the necessary data.
The Data Controller generally delivers online newsletters and electronic direct marketing messages containing news, updates, and business offers to subscribers to its website newsletters (also known as VIP members) monthly but no more than twice a week.
To subscribe to the newsletter, providing the name and email address is mandatory, which is essential for message delivery. The data is processed until the data subject requests deletion. Each newsletter includes a direct unsubscribe link. The user is responsible for the accuracy of the provided personal data.
Data processing duration, deadline for data deletion: In the case of accounting documents, in accordance with Article 169 (2) of Law No. C of 2000 on accounting, these data must be retained for 8 years. The accounting documents directly and indirectly supporting accounting (including main accounts, as well as analytical or detailed records), must be kept in a readable form for at least 8 years, so that they can be retrieved based on accounting references. Persons authorized to access data: Personal data may be processed by the Data Controller’s employees, within the above principles.
DATA PROCESSING SECURITY
The Data Controller protects data especially against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction and damage. Together with its server operators, the Data Controller implements technical, organizational, and organizational measures to ensure data security, providing an adequate level of protection in relation to the risks associated with data processing.
RIGHTS OF THE DATA SUBJECTS
The data subject may request information about the processing of their personal data at the contact details specified in this Regulation, and may request the correction of their personal data, or, except for data processing required by law, their blocking or deletion.
At the request of the data subject, the Data Controller provides information about the data processed by it, or by a data processor appointed by it or according to its instructions, as well as about their source, purpose, legal basis, duration, the name and address of the data processor, and their data processing activities, the circumstances and consequences of the data protection incident, and the measures taken to remedy it, and, in the case of data transfers, about the legal basis and recipient of the data transfer.
For the verification of the lawfulness of data transfers and for informing the data subject, the Data Controller maintains a register of data transfers, which includes the date of the transfer of personal data it manages, the legal basis and recipient of the transfer, the description of the personal data transferred, and other data determined in the legislation regulating data processing.
The period of retention of the data in the records of data protection and their transfers may be limited by the legislation regulating data processing. Within this limitation, shorter periods of five years for personal data and twenty years for special data cannot be established.
The Data Controller is obliged to provide information as soon as possible from the submission of the request, but no later than 25 days, in a comprehensible form, at the request of the data subject. This information is free of charge if the requester has not requested information about the same data in the current calendar year. In other cases, a fee may be charged. The amount of the fee can also be determined within the contract concluded between the parties. The fee already paid must be refunded if the data was processed unlawfully, or if the request for information led to the correction of the information. The Data Controller is obliged to correct inaccurate personal data.
Personal data must be deleted by the Data Controller if its processing is unlawful, if requested by the data subject, if it is incomplete or inaccurate – and this condition cannot be legally corrected – provided that deletion is not excluded by law, if the purpose of data processing has ceased, the statutory storage period has expired, or if it has been ordered by a court or by the Data Protection Commissioner. The data subject and all those to whom the data subject’s personal data has been transferred for data processing purposes must be informed of the correction or deletion. Notification may be omitted if it would affect the legitimate interests of the data subject regarding the purpose of data processing. The data subject may object to the processing of personal data, if the processing of personal data (transfer) is necessary solely for the exercise of the rights or legitimate interests of the data controller or the recipient of the data, except if the processing of personal data is required by law, the use or transfer of personal data is for direct business acquisition, opinion polls, or scientific research purposes, and the exercise of the right to object is otherwise permitted by law.
The Data Controller is obliged to examine the objection as soon as possible from the submission of the request, but no later than 15 days, and to inform the applicant in writing of the result. If the objection is justified, the Data Controller is obliged to terminate the data processing – including the collection and subsequent transfer of data – and to block the data, as well as to inform all those to whom the personal data affected by the objection has been previously transferred and who are obliged to take action to respect the right of objection. Notification to the data subject may only be refused in exceptional cases, as provided for in section 9, paragraph (1), and in section 19 of Law No. 112/2011. In this case, the Data Controller informs the data subject in writing under which provision of the law the information is denied. In case of refusal to provide information, the Data Controller informs the data subject about the right to appeal to the court and to the Authority.
With regard to rejected requests, the Data Controller informs the Authority by 31 January of the following year. In case of violation of their rights, the data subject may appeal to the court or to the data protection authority, and this is brought to the attention of the complainant.
In case of violation of their rights, the data subject may appeal to the court and may exercise their rights under Law No. 112/2011 on the right to information and freedom of information and the Civil Code.
Information about appeal and complaint rights can be obtained at the following coordinates: Name: National Authority for Data Protection and Freedom of Information Address: 9-11 Falk Miksa Street, 1055 Budapest. Postal address of the Authority: Pf. 9., 1363 Budapest. Telephone: 06-1-391-1400 Fax: 06-1-391-1410 E-mail: ugyfelszolgalat@naih.hu, Website: www.naih.hu
For damage caused by illegal data processing, the Data Controller is responsible in accordance with the relevant laws.
The Data Controller is obliged to compensate for damage caused by illegal data processing of the data subject’s data or by the violation of data security requirements. The Data Controller is liable to the data subject for damage caused by a data processor as well. The Data Controller is exempt from liability if it can prove that the damage was caused by an exonerating reason beyond the scope of data processing. Damage does not need to be reimbursed to the extent that it stems from intentional or grossly negligent behavior of the injured party. The general civil liability of the Data Controller is regulated by the Civil Code.
At the request of the data subject, the Data Controller provides detailed information on the possibilities for exercising their rights.
This Regulation enters into force on April 1, 2024.
Vecsés, April 1, 2024
General Airport Parking Limited Liability Company