Effective from March 1, 2021

I. Data Controller (Service Provider)

Service Provider’s Name:	Interticket, Inc.
Company Registration:	Massachusetts, US
Company Registration number:	3222273
E-mail contact address:	privacy@corporate.interticket.comm
Website:	www.interticket.com
Customer Service e-mail address:	support@corporate.interticket.comm
Contact for Complaints:	complaints@corporate.interticket.comm

II. Privacy policy employed by the Company

2. Information regarding management of data by Service Provider is continuously available in the footer of the starting page of the interticket.com website operated by the Service Provider.
3. Service Provider reserves the right to modify the Prospectus on Data Management unilaterally. In the event of modification, Service Provider shall notify the User by publishing the changes on the interticket.com website. User accepts the revised Prospectus on Data Management by using the service after the modification takes effect.
4. In order to protect the personal information of its customers and partners, Service Provider considers it important to respect its clients` right to information self-determination. Service Provider shall treat the personal data in a confidential manner and shall apply all security, technical and organizational measures that guarantee the security of data. Service Provider’s data management practices are contained in this Prospectus on Data Management.
5. Service Provider’s principles on privacy are in line with the current data protection legislation, thus especially with the following:

– Act CXII of 2011 on the Right of Informational Self‑Determination and on Freedom of Information (hereinafter referred to as Privacy Act);

 – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); 

– Act V of 2013 on the Civil Code (Civil Code); 

– Act C of 2000 on Accounting (Accounting Act); 

– Act CXXXVI of 2000 on the Prevention and Combating of Money Laundering and Terrorist Financing (PCMLTF);

– Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services (E‑Commerce Act);

– Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Business Advertising Act).

6. Service Provider shall only use personal information based on the legal basis included in the GDPR and solely for the specified purpose.
7. Service Provider is committed that before collecting, recording or handling any personal data of its customers it will publish clear, soliciting Customers’ attention and unambiguous statements which inform Customers of the ways their data is recorded, their purpose and principles. If providing personal data is compulsory by law, the relevant rules and regulations must also be indicated. Those involved must also be informed of the purposes of data processing and by whom the personal data will be handled and processed.
8. If the Company intends to use the personal data provided for purposes other than it was originally provided for, the Company must inform the customer and obtain their express, prior consent and make it possible for the customer to prohibit such use.

III. The legal basis and purpose of data processing, the scope of the processed data, length of data processing, entities entitled to learn personal data

1. Service Provider`s data processing is based on the following legal rights (Paragraph 1 of Section 6 of the GDPR): 

1/a) the individual has given their consent to the processing of their personal data for one or more specific purpose (voluntary consent); 

1/b) data processing is necessary for the fulfilment of such a contract where the affected person is one of the parties or if it necessary to carry out steps required by the affected person before the contract is entered into (fulfilment of the contract);

1/c) data processing is necessary to fulfil the legal obligation for the data controller (legal obligation); 

1/d) data processing is necessary to validate legitimate interest of data controller or a third party (legitimate interest).

2. In case of data processing based on voluntary consent the affected person may withdraw their consent at any time during data processing.
3. Individuals with particular disabilities and children with limited ability may not use services via Service Provider`s system.
4. In some cases processing, storage and forwarding are made mandatory by law of which we will notify users separately.
5. Please note that if the data provider is not providing their own personal data, it is their responsibility to obtain the consent of the person concerned.
6. Personal data may only be handled for a specific purpose. The purpose of data management must be met, data entry and management must be fair and legitimate at all stages of data processing. Only personal data that is essential for achieving the purpose of data processing can be handled to achieve this goal. Personal data can only be handled to the extent and for the duration required to achieve the goal. Service Provider will not use personal data for purposes other than those indicated.

7. Online web shop services (purchase of tickets, vouchers, books, audio recording, parking tickets, etc.) – purchase transaction, entry, notification (one-off purchase)

Purpose of data processing: to ensure the provision of a web shop service on the web site, the order, to fulfil the order, to document the purchase and payment and to fulfil the accounting obligation. Further purpose of data processing is to identify the user as a ticket buyer, as well as to deliver the ordered service and to send notifications (technical notifications related to the performance, such as changes to the performance, cancellation, change of times, parking information etc.), to carry out payment through payment service provider, to register users, differentiate between users, to transfer access data to the event organizer, and to fulfil the contract

Grounds for data processing: fulfilment of a contract, subsection b) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: surname and first name, phone number (optional if customer provides for receiving notifications, email address, password given at pre-registration, delivery address provided for home delivery, the number, date and time of the transaction, customer code, number of the gift card or culture voucher.

Deadline to erase data: 210 days after the last performance in the transaction, supposed that the performance has a specific date. In case of performance without a specific date, the deadline to erase data is 18 months after the date of transaction. If in the same transaction there are tickets purchased for performances with and without specific date, the later date would be taken into consideration.If a dispute arises in connection with the purchase transaction, Service Provide shall maintain the data for the duration of the dispute; the legal basis of which is legitimate interest of Service Provider, subsection f) of Paragraph 1 of Section 6 of the GDPR.

Possible consequences of failure to provide data: Failure of purchase transaction.

8. Online purchase/renewal of season tickets, gift cards, discount cards, Culture Cards

Purpose of data processing: to ensure the provision of a web shop service on the web site, the order, to fulfil the order, to document the purchase and payment and to fulfil the accounting obligation. Further purpose of data processing is to identify the user as a ticket buyer, as well as to deliver the ordered service and to send notifications (technical notifications related to the performance, such as changes to the performance, cancellation, change of times, parking information etc.), to carry out payment through payment service provider, to register users, differentiate between users, to register the balance on the card, to register purchases made with the card, to register discounts and privileges connected to the card, to provide the rights in connection with the season ticket (including rights for renewal if provided by event organizer), to fulfil the contract. Further purpose of data processing is to provide information on the annual renewal of the season ticket (via email or post), reminder regarding the next performance for the season ticket (via email or post), in case of free season tickets twice monthly notification regarding the events of the venue (via email) to facilitate the choice of User.

Grounds for data processing: fulfilment of a contract, subsection b) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: surname and first name, phone number (optional if customer provides for receiving notifications, email address, password given at pre-registration, delivery address provided for home delivery, the number, date and time of the transaction, customer code, number and balance of the gift card, number and balance of culture card.

Deadline to erase data: 24 months following the date of the transaction for season tickets. In case of gift cards, discount cards, Culture Cards, the deadline to erase data is 6 months following the expiration date, or – if the given card has no expiration date – 18 months following the date of transaction. If a dispute arises in connection with the purchase transaction, Service Provide shall maintain the data for the duration of the dispute; the legal basis of which is legitimate interest of Service Provider, subsection f) of Paragraph 1 of Section 6 of the GDPR. If tax benefits are connected to the purchased card (for instance Culture Card) the data retention period shall be specified in the effective regulations; grounds: subsection c) Paragraph 1 of Section 6 of the GDPR.

Possible consequences of failure to provide data: Failure of purchase transaction.

9. Registration

Purpose of data processing: By choosing a password during the pre-registration process it will be possible for the user to provide their details only once and not at each purchase. Some services are only available to registered users on the web site. Such services include blogging and comment writing, comment rating, and the following functionality (to be notified about artists, venues and events). As a convenience functionality, in a personal menu, users may edit their personal information, view and download their tickets and invoices, follow their comments, already visited pages, reviews, modify following and newsletter subscriptions and if they are part of the membership system, view the balance of their points. Managing multiple personal data stored in the account obviously means profiling as well.

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: email address, password and those personal data that User has provided during purchase or in their account: address, billing address, phone number. Processed data may furthermore be products purchased by User during their orders, date and invoice of the purchases, Comments made by User and their rating, comments, performances, artists, venues rated by the User, artists, venues and performances marked by User to be followed, pages viewed by User, newsletter subscriptions and balance of membership points collected.

Deadline to erase data: Data provided will be handled by Service Provider until such time as User prohibits use for this purpose by unsubscribing.

Possible consequences of failure to provide data: User cannot use the convenience functions and services of the website.

10. Notification service

The Notification Service allows the ticket buyer, in addition to technical information about the event (technical alerts related to the performance, such as changes to the performance, cancellation, change of times, parking information etc.), to use notification services such as pre-performance reminder, rating following the performance, as well as automated announcements (alerts for leaving the basket, ticket available to buy again, etc.).

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: email address, name, optional phone number if user would like to receive the notifications via text message, Facebook Messenger ID if user would like to receive the notifications via Messenger chatbot.

Deadline to erase data: Data provided will be handled by Service Provider until such time as User prohibits use for this purpose by unsubscribing.

Possible consequences of failure to provide data: User cannot use the convenience functions of the website, not notified of changes.

11. Billing

Purpose of data processing: to issue invoice related to the purchase transaction and to retain such for the duration specified in the relevant laws.

Grounds for data processing: to meet legal obligation, subsection c) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: first and family name, billing address provided for billing, number, date and time of the transaction, contents of invoice, tax number in case of VAT receipt (if provided by customer).

Deadline to erase data, period of data processing: 8 years or as specified in the currently effective legislation on taxation and accounting. 

Possible consequences of failure to provide data: Failure of purchase transaction.

12. Personalized offers, profiling

Purpose of data processing: Profiling helps users to see relevant and personalized offers on the website and in the newsletters` recommendations. Profiling helps data processors to create the most appropriate offers for the customers.

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: email address, name, address, information relating to the use of the website (time of the visit, duration, pages viewed, clicks on the page, search engine usage), basket usage (order identifier, products, product categories, values), purchases (transaction date, value, product, its category, discounts used, method of payment), technical information (IP address, cookie ID, browser type, device type, Google, Facebook, Hotjar, Findgore, Prefixbox identifiers, source page), newsletter and notification message usage information (time of opening the email, its tool, click-through links, purchase data), blog-related data (comments, ratings, click-through links).

The logic of profiling: the offer system offers a list of events to be displayed on the website and in the messages sent by Service Provider that are likely to be the most relevant to the customer.

Deadline to erase data: Data provided will be handled by Service Provider until such time as User prohibits use for this purpose by unsubscribing.

Possible consequences of failure to provide data: offers not relevant to the user are displayed on the website and the newsletters, User cannot use the convenience functions of the website.

13. Electronic newsletter

Purpose of data processing: Sending email newsletters containing advertisements to interested users. If a user subscribes to the newsletter, Service Provider can send newsletters at a frequency at its own discretion. Service Provider shall endeavour to offer events relevant to the reader of the newsletter based on the user`s place of residence, previous purchases and other data collected through profiling.

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: name, email address, post code, phone number and data collected through profiling.

Deadline to erase data: Data provided will be handled by Service Provider until such time as User prohibits use for this purpose by unsubscribing. To unsubscribe from the newsletter, click the Unsubscribe link at the bottom of the newsletter. The personal data will be deleted within 10 working days of receiving this request.

Possible consequences of failure to provide data: User is not notified of the events.

14. Participation in Service Provider`s loyalty program

Purpose of data processing: to provide participation in the loyalty program offered by Service Provider available to regular users of the interticket.com website.  

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: name, email address, post code, phone number and data collected through profiling.

Deadline to erase data: Data provided will be handled by Service Provider until such time as User prohibits use for this purpose by unsubscribing. 

Possible consequences of failure to provide data: User cannot take part in the loyalty program offered by Service Provider.

15. Cookie management

Cookies are variable content alphanumeric information packets sent by the web server that are stored on the user’s computer and stored for a predetermined validity period. The use of cookies allows to query some data of the website’s visitor and track their internet usage. Cookies help to keep track of user’s interests, internet usage patterns and the website visit history in order to ensure that the user’s shopping experience is optimal. Since cookies are used as a kind of tag that allows a web page to recognize a visitor returning to the page, by using them valid username and password for that site can also be stored. If the browser sends back a previously stored cookie, the service provider processing the cookie has the ability to link the current visit of the user to previous ones but only to relating to their own content.

The information sent by the cookies makes it easier to recognize web browsers therefore users can receive relevant and “personalized” content. Cookies make browsing more convenient, including online data security needs and relevant advertising. With the help of cookies, Service Provider can also create anonymous statistics on page viewers’ habits, so can better customize the look and content of the page.

Service Provider’s website uses two types of cookies:

– Temporary Cookies – session use (session–id) cookies necessary for the use of the website. Their use is essential for navigating on and for the functioning of the website. Without them, the site or parts of it will not be displayed, browsing becomes obstructed, placing tickets in the basket or bank payment cannot be properly implemented.

– Permanent cookies that will remain on the device, depending on the settings of the web browser, for a long time or until they are deleted by the user. Within these there are internal and external cookies. Internal cookies are created if the Service Provider’s server installs the cookie and the data is forwarded to its own database. If the cookie is installed by the Service Provider’s server, but the data is forwarded to an external service provider, an external cookie is used. Third party cookies placed by a third party in the user’s browser (Google Analytics, Facebook Pixel) are external cookies. These are put in the browser if the visited website uses services provided by a third party. The purpose of permanent cookies is to ensure that the site operates at the highest level in order to increase user experience.

When visiting the website, users can give their consent to storing permanent cookies stored on their computer that can be accessed by the Service Provider by clicking on the cookie alert button on the sign in page.

Users can configure and prevent cookie related activities by using the browser program. To manage cookies, users can usually use the Cookies or Cookie tracing option in Privacy/History/Custom Settings menu under Tools/Settings menu of their browser. Please note however that without the use of cookies it is possible that User will not be able to use every service provided by the website, thus especially the payment options. For further information on cookies please click on the link provided on the cookie alert banner on interticket.com website. 

Purpose of data processing: carrying out payment transactions with the payment service provider, identifying and distinguishing users, identifying user’s current session, storing data created during the session, preventing data loss, identifying and tracking users, web analytics.

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: identification number, date, time and the previously visited webpage.

Period of data processing: temporary cookies are stored until all websites of the same type are closed. Permanent cookies are stored on the user’s computer for a year or until the user deletes them.

Possible consequences of failure to provide data: unavailability of certain services of the website, unsuccessful payment transactions, inaccuracies in analytics.

16. Location 

If a user uses the service from a mobile device (e.g. smartphone), when the application is downloaded the program may ask for permission to use the location as data (egg. when using the “near” feature) for features that require location.

Purpose of data processing: If consent is given by the user, the application can provide such personalized searches that takes into account where the user is currently located. The location as data is not stored in the data processor`s system it is only facilitating the use of certain functions during a given transaction (more exact search, the “near” feature).

Grounds for data processing: voluntary consent of the affected person, subsection a) Paragraph 1 of Section 6 of the GDPR.

Scope of processed data: the geographical location of the user at a certain time, IP address.

Scope of data processing: 3 days 

Possible consequences of failure to provide data: inability to use all services of the mobile device

17. Statistics

Data controller can use the data for statistical purposes. The use of data in a statistically aggregated form cannot contain the name or any other identifiable information of the user in any form.

18. Data technically recorded during the operation of the system

Technically recorded data are data from the user’s computer that has logged in that are generated when the service is being used and which are logged by the data management system of the data controller as automatic results of technical processes (egg. IP address, session ID). Due to the way the Internet works, the automatically recorded data will automatically be logged by the system, using the Internet, without a separate declaration or action from the User. The Internet does not work without this automatic server-client communication. Such data cannot be linked to other personal data of the User – with the exception of personal data for compliance with a legal obligation. This data can only be accessed by the data controller. Logs technically, automatically recorded during the operation of the system will be stored in the system for a reasonable period of time necessary for the operation of the system.

19. Recording phone calls

Service provider records incoming and outgoing phone calls of its customer services.

Purpose of data processing: to enforce the rights of customers and data controller, to provide evidence for possible disputes, to provide evidence to support subsequent verification and the possible un-collectability of a claim, and subsequent proof for agreements, quality assurance, compliance with legal obligations.

Grounds for data processing: voluntary consent of the person concerned.

Scope of processed data: identification number, caller’s phone number, called number, data and time of the call, audio recording of the call as well as other personal information provided during the call.

Deadline to erase data: 5 years. 

Possible consequences of failure to provide data: inability to access help via phone. 

20. Service Provider`s correspondence with customers (email) 

If you would like to contact our company you can get in contact with the Service Provider on the contact details provided in this information leaflet or via the contacts specified on the website. Service Provider deletes all received emails, together with sender’s name, email address, date, time and other personal data provided in the email no later than 5 years after the disclosure. 

21. Web analytics

Google Analytics as an external service provider helps to independently measure website visits and other web analytics data. For detailed information on how measured data is handled please visit the following link: http://www.google.com/analytics. Google Analytics data is used by the Service Provider for statistical purposes only to optimize the functionality of the site.

22. Other data management

We provide information on data management not specified in this document at the time of the registration of such data. Please note that the court, prosecutor, investigating authority, offense authority and administrative authority, National Authority for Data Protection and Freedom of Information, Hungarian National Bank as well as other bodies under the authorization of the legislation may request Service Provider to provide information, provide and hand over data or provide documents. Service Provider shall only disclose personal information to the authorities – if the authority has specified the exact purpose and the scope of data – to the extent necessary for the purposes of the request.

23. Data controller shall not check the provided personal information. The person providing the information will be solely responsible for the compliance of the provided information. When Users provide their email address, they assume responsibility that only they will use the Service from this email address. In this respect the person who registers the email address will be responsible for every login used with the given email address. If User is not providing their own personal data, they have the duty to obtain consent from the affected person.
24. People in the employment of or in contractual relationships with Service Provider, employees of the courier company arranging the delivery of the products as well as the data processors will be entitled to get to know the personal data.

IV. Data forwarding, specifying the Data Processors

1. By using the Service, User agrees that Service Provider may forward data to the following partners. Grounds for data forwarding: fulfilment of a contract, subsection b) Paragraph 1 of Section 6 of the GDPR.

– to the organizer of the given event in order to make it possible for the organizer of the event to inform customer directly and without delay if the event is cancelled, its time is changed or of any other detail that might be of interest, furthermore, if the event is cancelled, to refund or exchange tickets directly, and to allow entry to the event and fulfil the contract (appropriate management of the event). With the data transfer the organizer of the given event will become an independent data processor in relation to the transferred data. Data transfer may also take place in such a way that the Service Provider gives the organizer of the event suitable access to the IT system used for ticketing (Tickets system).

– Tasks related to sending emails to the Users and if the person concerned has given permission for profiling, any tasks related to such are carried out by Wanadis Kereskedelmi és Szolgáltató Kft. (1118 Budapest, Rétköz u. 7.), or Emarsys eMarketing Systems AG (Marzstrasse 1, 1150 Vienna, Austria) as data processors, based on their contracts with data controller. 

– to OJT Kft.- which provides customer services (Only relevant to those customers who use Service Provider`s contact information to seek help, information or voice a complaint.

– Service Provider will hand over those data to financial institutions that take part in the purchase process by carrying out the payment which are required by the financial institution for executing the payment. The range of required data may vary by financial institutions. Service Provider will not obtain any of the personal data provided at the financial institution`s own data request page.

2. Service Provider as Data Controller is entitled and obliged to transmit to the competent authorities any personal data that is available and is legally stored which is subject to statutory or legally binding obligation by a public authority. Data Controller cannot be held responsible for such data transmission or consequences resulting from such.
3. Service Provider performs the above-mentioned data transfer only in the case of prior and informed consent of the User.

V. The method of storing personal data, security of processing

1. Service Provider`s IT systems and other data retention systems are located at its own seat and at its data processors`. 
2. Service provider selects and manages the IT tools used to manage personal data in the provision of the service so that the data:

2/a) is available for those entitled (availability); 

2/b) authenticity and validation is provided (data authenticity); 

2/c) integrity can be verified (data integrity); 

2/d) is protected against unauthorized access (data confidentiality). 

3. Service Provider will protect the data with appropriate measures, especially against unauthorized access, alteration, transmission, disclosure, deletion or loss, as well as accidental destruction, harm, as well as unavailability due to any change to the technology used.
4. In order to provide security to the data stored electronically in its various registers, Service Provider shall ensure, by using suitable technology, that the stored data could not be directly linked and linked to the data subject, unless permitted by law.
5. Service Provider will employ such technical, structural and organizational measures to defend the security of data management that provides appropriate levels of security to the risks arising in connection with data management.
6. During data processing Service Provider shall maintain: 
7. a) confidentiality: to protect information so that only persons authorized are able to access it;
8. b) integrity: to protect accuracy and totality of information and method of processing; 
9. c) availability: to ensure that if an eligible user needs it, they can actually access the required information and have the tools available for such.
10. Service Provider’s IT System and network, as well as its partners`, are protected against computer‑assisted fraud, espionage, sabotage, vandalism, fire, flood, furthermore against computer viruses, cyber intrusions and attacks leading to refusal of Services. Service Provider uses server‑level and application‑level protection features to ensure security.
11. In the automated processing of personal data, Service Provider provides additional measures

8/a) to prevent unauthorized data entry;

8/b) to prevent the use of automatic data processing systems by unauthorized persons by means of data transmission devices;

8/c) verifiability and determination of which bodies personal data has been or may be transmitted to by means of data transmitting equipment;

8/d) verifiability and determination of when and who entered which personal data into the automatic data-processing systems;

8/e) the recoverability of installed systems in case of malfunction and

8/f) reports are prepared on errors occurring during automated processing.

9. Service Provider shall take into account the prevailing development of technology when determining and applying measures for data security. If there are several possible solutions for data processing, the one that ensures the highest possible protection of personal data must be chosen unless this would be disproportionate.
10. Service Provider shall ensure the protection of data procession security by such means of technical, organizational and institutional measures that provide a level of protection appropriate to the risks associated with data processing.
11. Electronic messages transmitted via the Internet are vulnerable to network threats irrespective of protocol (email, web, ftp, etc.) which may result in fraudulent activity or disclosure or modification of information. Service Provider shall take all reasonable precautions to protect from such threats. Service Provider shall monitor the Systems in order to record any security deviation and to provide proof in case of all security related events. However, the Internet is commonly – therefore, also to the User – known to be not one hundred percent secure. Service Provider shall not be responsible for damages caused by inevitable attacks despite its best efforts.

VI. Data subjects` rights 

1. Data subject may request information on the use of their personal data, furthermore may request correction and, with the exception of compulsory data processing, erasure or revocation of such, may exercise their right to recording and to object as indicated at the time of data recording a well as via the contacts of Service Provider specified in Section 1 of the present document.

Requests for changes in personal details or for deleting personal details can be sent from the registered email address or by post, via a written, fully conclusive private document expressing such request. Certain personal data can also be modified using the website’s personal profile page.

2. Right to be informed: Service Provider shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing via the contacts specified in section I of the present Information on Data Processing document. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. 
3. Right of access by the data subject: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

–	purposes of the processing;
–	the categories of personal data concerned;
–	the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
–	the envisaged period for which the personal data will be stored

–   the right to request rectification or erasure or restriction of processing of personal data; 

–   the right to lodge a complaint with a supervisory authority; –   any available information as to the source of data;

–    the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Data Controller shall only see credible any information request sent by email – unless the person concerned otherwise identifies the credibility – if the request is sent from the User`s registered email address. Requests for information must be sent via email to the contact address mentioned in the header.

4. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
5. The Service Provider shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. Service Provider shall provide information to data subject by electronic means. Information shall be provided within a maximum of one month from the request.
6. Right to rectification: Affected people may request from Service Provider to rectify or complete the processed personal data. 

If personal data is not accurate and accurate data is available to the data controller, the data controller shall rectify the personal data.

7. Right to erasure: The data subject shall have the right to obtain from the Service Provider the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: 

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;; 

– the data subject withdrew consent on which the processing is based and where there is no other legal ground for the processing;

– the data subject objects to the processing and there are no overriding legitimate grounds for the processing; 

– the personal data have been unlawfully processed;

– the personal data have to be erased for compliance with a legal obligation in Union or Member State law; 

– the personal data have been collected in relation to the offer of information society services.

The previous (erased) data can no longer be recovered after the request for erasure or modification has been completed.

8. Erasure of the data cannot be requested if the processing is necessary for either of the following reasons: for compliance with a legal obligation which requires processing by Union or Member State law or if the data are needed for the establishment, exercise or defence of legal claims of Service Provider.
9. Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; 

– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; 

– the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or 

– the data subject has objected to processing; in this case restriction shall apply for a period enabling the verification whether the legitimate grounds of the controller override those of the data subject.

10. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. The data subject shall be informed by the Service Provider before the restriction of processing is lifted.
11. Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. 
12. Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
13. Automated individual decision-making, including profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply of the data processing

– is necessary for entering into, or performance of, a contract between the data subject and a data controller;

– is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

– is based on the data subject’s explicit consent.

14. Right to withdrawal: The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
15. Procedural rules: Service Provider shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Service Provider shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
16. If the Service Provider does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
17. Service Provider shall provide the requested information and any communication free of cha Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Service Provider may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.
18. The Service Provider shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
19. The Service Provider shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Service Provider may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
20. Compensation and grievance money: Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the data protection regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

 ANNEX

Definitions used in the present Information on Data Processing document

1. personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. restriction of processing: means the marking of stored personal data with the aim of limiting their processing in the future;
4. profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. controller: means the legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
6. processor: means a legal person which processes personal data on behalf of the controller;
7. recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
8. third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data; 
9. consent: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 
10. data processing: carrying out technical tasks connected to data processing operations, irrespective of the method and tool used to carry out this operations as well as the place of application, provided that the technical task is carried out on the data;
11. data erasure: making the data unrecognizable in such a way that they may not be restored;
12. EEA country: a member state of the European Union and another state party to the Agreement on the European Economic Area, as well as a state the national of which enjoy the same legal state as a citizen of the state party to the Agreement on the European Economic Area on the basis of the agreement between the European Union and its member states and a state not party to the Agreement on the European Economic Area;
13. data subject: any specified natural person identified or – directly or indirectly – identifiable by personal data;
14. customer: any natural person who registers on the website of Service Provider or carries out a purchase without registration:
15. third country: any stat the is not a member of the EEA;
16. disclosure: making personal data available for anyone.