DATA MANAGEMENT POLICY

1. Controller

Name: Kultúrpark Zrt.
Address: 1095 Budapest, Soroksári út 60.
Representative of the Controller: Kólya Dániel
Contact of the Controller for data protection matters: adatvedelem@budapestpark.hu

This policy constitutes the Controller’s unilaterally assumed obligation in compliance with Directive (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) and the relevant laws of the member states.

The Controller may unilaterally modify and/or withdraw this policy by simultaneously notifying the Data Subjects. Notification is given at the website and – depending on the nature of the change – by directly notifying the Data Subjects.

2. Purpose of data processing

2.1 Online ticket sales and communication about the technical implementation of the event.

The Controller processes the data of the guests during online sales in order to transfer tickets digitally. Sending a technical email to ticket buyers providing event information and the conditions for participation, time of arrival, objects permitted to be taken to the event site, and other technical information before the event.
Legal basis for data processing: Agreement
The scope of data being processed: Name, email, postal code, unique QR code, Facebook User ID, IP address.
Scheduled end of data processing: Until the end of the event.

2.2 Customer service for guests and visitors

Operating a customer service, receiving and answering enquiries via telephone, Facebook Messenger and email.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to manage the complaints and answer the questions of buyers and guests using the service.
The scope of data being processed: Name, email address, phone number
Scheduled end of data processing: 31 January of the year following data disclosure or until the data subject objects to data processing.

2.3 Checking age when buying alcoholic drinks

When an alcoholic drink is ordered, the service provider may ask the buyer for an ID card with a photo suitable for personal identification that certifies that the holder is at least 18 years old.
Legal basis for data processing: Legal obligation
The scope of data being processed: The data contained in the ID card suitable for personal identification
Scheduled end of data processing: The data is not stored, only viewed.

2.4 Verifying age upon ticket purchase and entry, management of parental consents

When purchasing tickets and upon entering the park, the controller may ask the guest to present an ID card and check the guest’s age. Under-aged persons arriving without their parent must present a pre-completed parental consent for entry.
Legal basis for data processing: Legitimate interest - It is in the controller's legitimate interest to make sure that under-aged and unauthorised guests do not attend the events.
The scope of data being processed: Data contained on the personal identification certificate, signature, witness data, parent’s identification data.
Scheduled end of data processing: The data is not stored, only viewed.

2.5 Entry of persons who have a registered ticket

Issuing registered vouchers in the accreditation system to holders of complimentary tickets, the performers' guests and winners of prize draws. The Controller may ask for the presentation of an ID card for identification upon entry.
Legal basis for data processing: Legitimate interest - It is in the controller's legitimate interest to make sure that unauthorized persons do not enter the event or a specific area.
The scope of data being processed: The data contained in the ID card suitable for personal identification
Scheduled end of data processing: Until the last working day of January of the year following the event or until the data subject objects to data processing.

2.6 Organising private events

Registration of the list of invitees to private events. Sending invitations. Communication with the invitees. Registration of a guest list for entry in a rented site in case of events organized by a third party (e.g. corporate events).
Legal basis for data processing: Legitimate interest – It is in the Controller's legitimate interest to keep contact with and record the data of event participants.
The scope of data being processed: Name, email address, phone number
Scheduled end of data processing: Until the last working day of January of the year following the event or until the data subject objects to data processing.

2.7 Management of declarations signed for taking food from an external resource to the event site

Storing a declaration of liability for the health safety compliance of food taken by guests from an external resource.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to provide security concerning food originating from external resources.
The scope of data being processed: Name, address, signature
Scheduled end of data processing: Until the last working day of January of the year following the event or until the data subject objects to data processing.

2.8 Identification of the owners of lost items or lost safe deposit tickets and storage of the related records.

Keeping record of lost safe deposit tickets or lost and found items so that the returning of lost items can be traced.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to prevent any abuse of personal belongings in case a safe deposit ticket is lost.
The scope of data processed: Data contained on the personal identification certificate, signature
Scheduled end of data processing: Until the last working day of January of the 4th year following the event or until the data subject objects to data processing.

2.9 Photo and video documentation of events, and media communications for promotional purposes.

The Controller makes photo and video recordings as well as promotional videos and live Facebook broadcasts of the events it organizes which may be published on the Controller's website and social media site or used in its advertisements and stored in its organizational databases. For those concerned, the controller designates a "No Photo Zone" within the Park area where no promotional photos or videos are made.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to promote the Organization in an efficient and personalized manner.
The scope of data being processed: Face and body image
Scheduled end of data processing: Until the Data Subject objects.

2.10 Issuing invoices and mandatory documentation related to the service, storing data in order to ensure compliance with the provisions of the Accounting Act.

Issuing invoices relating to the hospitality and event organization activities of the Controller and preparing the mandatory documentation related to the service.
Legal basis for data processing: Legal obligation
The scope of data being processed: Invoicing name and address, email address, phone number, tax number, bank account number
Scheduled end of data processing: 8 years

2.11 Management of bank cards and SZÉP card payment receipts

Management of receipts of payments using bank cards and SZÉP cards at the Controller.
Legal basis for data processing: Legitimate interest - Legitimate interest – account settlement with the bank card provider
The scope of data being processed: Signature
Scheduled end of data processing: By the last working day of January of the year following the event

2.12 Providing VIP services for guests

Submitting a certificate with a photo to the security service necessary for collecting a non-registered entry card (pass)
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to manage deposited documents suitable for personal identification for the delivery of the high-value entry tickets.
The scope of data being processed: The data contained in the ID card suitable for personal identification
Scheduled end of data processing: Until the the entry card (pass) is returned

2.13 Providing infrastructure and services for the event of the partner company

Providing infrastructure and services for an event organized and licensed by an event management partner.
Legal basis for data processing: Legitimate interest - The Controller has a legitimate interest in providing services and providing a venue for a partner company event
The scope of data being processed: Name, email address, postal code
Scheduled end of data processing: Until the last working day of January of the year following the event or until the data subject objects to data processing.

2.14 Registration of VIP guests

The Controller keeps a list of VIP guests and their contact details on the “Hoppá" list for which it provides a card that entitles its holder to discount tickets.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to manage the contact details of VIP guests and to provide services
The scope of data being processed: Name, date of birth, email address, phone number, ID number
Scheduled end of data processing: Until the Data Subject objects.

2.15 Registration for prize draws and related media communication, promotion of the prize draw, drawing the prize, contacting winners

Processing the data of natural persons registered for prize draws managed or implemented by the controller and publication of the same on the controller’s website and social media pages.
Legal basis for data processing: Consent
The scope of data being processed: Name, email address, postal code, photograph, video recording
Scheduled end of data processing: No later than until the last working day of January of the year following the prize draw or the withdrawal of the data subject’s consent.

2.16 Advertising service(s) and measuring satisfaction relating to service(s), conducting research to develop services

Recommendation of events, programs, enquiries for satisfaction measurement, notifying VIP members of promotion campaigns.
Legal basis for data processing: Consent
The scope of data being processed: Name, e-mail address
Scheduled end of data processing: Until the Data Subject withdraws his or her consent.

2.17 Complaint Management

Complaint management. Processing of the data recorded in the Complaint Book stored at the point of sale operating on the Controller’s sites
Legal basis for data processing: Legal obligation
The scope of data being processed: Name, address, phone number, email address, signature
Scheduled end of data processing: 5 years

2.18 Live or recorded television broadcast

Budapest Park enables the press and the media, as separate controllers, to make on-site recordings and broadcasts. For those concerned, the controller designates a "No Photo Zone" within the Park area where no promotional photos or videos are made.
Legal basis for data processing: The independent data processing rights of the press and the media.
The scope of data being processed: Budapest Park does not process data.
Scheduled end of data processing: Budapest Park does not process data.

2.19 Providing venues for video and photo shooting to external partners

Budapest Park provides an opportunity for its partners, performers, sponsors and lessees of the event site to make photo or video recordings or a live broadcast of the public event. For those concerned, the controller designates a "No Photo Zone" within the Park area where no promotional photos or videos are made.
Legal basis for data processing: Based on the partner’s privacy notice
The scope of data being processed: Budapest Park does not process data.
Scheduled end of data processing: Budapest Park does not process data.

2.20 Website monitoring using the Hotjar service

Hotjar enables its user to measure and evaluate the use of the website e.g. mouse clicks, mouse movements and keystrokes (except for personal identification data), page scrolling and other activities on the pages and websites visited
Legal basis for data processing: legitimate interest - it is in the Controller's legitimate interest to optimize and monitor its services.
The scope of data being processed: Email address, IP address
Scheduled end of data processing: Until the last working day of January of the year after the processing of data or until the data subject objects to data processing.

2.21 Management of cookies

The controller places cookies and web beacons on the website to identify a person who has already visited the website; to explore the visitor's interests; to improve the visitor's user experience and to display personalized ads to the visitor as well as to improve the security of its website.
Legal basis for data processing: Legitimate interest - it is in the Controller's legitimate interest to optimize and monitor its services.
The scope of data being processed: Unique ID number, dates, times.
Scheduled end of data processing: Until the end of the workflow

2.22 Google Analytics

It measures the traffic data of the website in a way that the data transmitted are not suitable for identifying the data subjects
Legal basis for data processing: Legitimate interest - it is in the Controller's legitimate interest to optimize and monitor its services.
The scope of data being processed: The data transmitted are not suitable for identifying the data subject
Scheduled end of data processing: The last working day of January of the 4th year after the end of data processing.

2.23 Google Adwords

A remarketing function that allows the website to display relevant ads to users who have previously visited the site
Legal basis for data processing: Legitimate interest - It is in the legitimate interests of the organisation to conduct direct marketing
The scope of data being processed: Unique ID number, dates, times.
Scheduled end of data processing: The last working day of January of the 4th year after the end of data processing.

2.24 IT data backups

Operation of IT systems and infrastructure, including the operation of workstation servers and network elements as well as archiving, saving and restoring data in case of damage.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to regularly save and archive the data of its information systems to ensure business continuity.
The scope of data being processed: All categories of digital data collected or processed by the Organization
Scheduled end of data processing: The organization stores the backup of the IT system for 30 days. Archived data is stored for 5 years.

2.25 Operating an electronic video surveillance system

Protecting the Controller's site and assets, protecting the physical integrity and assets of the Controller's employees and guests, investigating the circumstances of eventual accidents or crimes
Legal basis for data processing: Legitimate interest - It is in the controller's legitimate interest to preserve its assets and protect the physical integrity of its guests and operate an electronic video surveillance system to be able to investigate the circumstances of any criminal acts.
The scope of data being processed: The image and video recording of the natural person (hereinafter jointly referred to as footage)
Scheduled end of data processing: 15 days.

2.26 Data processing related to the GDPR

Data processing related to the GDPR
Legal basis for data processing: Legal obligation
The scope of data being processed: Name, Data Protection ID, request by Data Subject, date, type, content and result of request, date, documentation and result of incident
Scheduled end of data processing: Not for disposal

2.27 Processing customer data for the purpose of enforcing legal and other claims

The controller retains the personal data of the guests, persons interested and partners who are in contact with it for the purpose of enforcing claims during the general retention period after the data is disclosed
Legal basis for data processing: Legitimate interest - It is in the controller's legitimate interest to record the personal data of data subjects who are in contact with it during the general retention period.
The scope of data being processed: Name, address, phone number, email address, IP address
Scheduled end of data processing: The last working day of January of the 4th year after the end of data processing.

3. Advertisement of services

Recommendation of events and programs
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to carry out direct marketing.
The scope of data being processed: Name, e-mail address
The data subject disclosed the following data to the controller while using a service. The Controller hereby informs the data subject that the purpose of data processing relating to the data processed during the activities set forth in Section 2 has been reclassified on the grounds of legitimate interest and such data will be used for direct marketing purposes. The Controller has lawfully processed the data of the data subjects for other data processing purposes.
Source of data: The data source is the Controller's own database of ticket buyers.
Scheduled end of data processing: Until the Data Subject objects.

4. Measuring customer satisfaction and conducting research to develop services

The controller performs satisfaction measurement among ticket buyers and conducts research to improve the services.
Legal basis for data processing: Legitimate interest - It is in the Controller's legitimate interest to process data for the purpose of developing its services.
The scope of data being processed: Name, e-mail address
The data subject disclosed the following data to the controller while using a service. The Controller hereby informs the data subject that the purpose of data processing relating to the data processed during the activities set forth in Section 2 has been reclassified on the grounds of legitimate interest and such data will be used for measuring customer satisfaction and conducting research to develop its services. The Controller has lawfully processed the data of the data subjects for other data processing purposes.
Source of data: The data source is the Controller's own database of ticket buyers.
Scheduled end of data processing: Until the Data Subject objects.

5. The consequence of failure to provide data

The possible consequence of failure to provide data: The objective of data management may fail.

6. The scope of Data Subjects

Persons who registered on www.budapestpark.hu, the contact persons they have provided, guests who have purchased tickets or were invited to events at Budapest Park, and the guardians of guests who are below the age of 18.

7. Data to be supplied obligatorily

On the data supply platforms, the Controller does not indicate separately the obligation of data supply if all data are to be supplied. On the platforms where not all data must be supplied, the Controller marks with an asterisk (*) the fields where data must be supplied.

8. Children

Our products and services are not for people aged under 16, therefore people aged under 16 should not give their personal data to the Controller. Should we learn that we collected personal data from people aged under 16, we will take the actions required for deleting the data at the earliest date possible.

9. Engagement of a data processor

During the processing of data, the controller transfers data to data processor(s) it has engaged for the performance of the contract.
Categories of data processors: IT operators, web hosting providers, web content developer, security service provider, internet payment service provider, ticket portals, contracted call centre, hostess provider, web provider, social media sites, billing service provider, partner event organizer, marketing agencies, legal advisor, GDPR consultant, photo-video provider, event organizer, Google G-Suit,

Categories of recipients: Courier services, forwarding agents, the Hungarian Post, Authorities

10. Entities authorized to access the data

The Controller may not transfer the accessed data to third parties, except for the data processor(s) specified in paragraph 9. The recorded data may only be accessed by the Controller’s employees and the designated employees of the data processor(s).
The Controller may not deliver the recordings to third parties except for the security service provider specified in paragraph 9. The recordings may only be accessed by the Controller and the designated employees of the data processor(s).
The recordings earlier made by the electronic surveillance system can be accessed by the Data Protection Manager, the Security Manager, the IT Operator and the Managing Director/CEO. The Data Subject may access the recordings exclusively made about him/her – upon request – in the presence of one of the a.m. persons. Access shall at all times be requested from the Data Protection Manager in writing.
The Controller shall in all cases draw up minutes about the fact of access, and the minutes shall be stored by the company for 1 year.

10.1 Persons entitled to limit the images of the electronic surveillance system

The images recorded by the electronic surveillance system may only be limited in cases where the Controller perceived an event that presumably endangers the purpose intended to be achieved by the electronic surveillance system.
Exclusively the processing of those recordings may be limited upon request by the Data Subject that were made about him/her. The Data Subject shall request blocking from the Data Protection Manager in writing, indicating its purpose and the expected period.
The Controller shall draw up minutes about each step of the process, and the minutes shall be stored by the Controller for 1 year.

11. Processing data received from third parties

Should the User/Partner not supply their own data to the Controller but those of another natural person, it is the exclusive responsibility of the User/Partner to ensure that the data were supplied with the knowledge, consent and appropriate notification of such a natural person. The Controller is not obliged to check the existence of these conditions. The Controller draws the attention of the User/Partner to the fact that if they fail to fulfill this obligation and for that reason the Data Subject enforces a claim against the Controller, the Controller may transfer the enforced claim and the amount of the related damage to the User/Partner

12. Rights of the Data Subjects

The Data Subject may request the following from the Controller at the contacts set forth in paragraph 1:

The Data Subject may make use of the above rights at any time.
Furthermore, the Data Subject may forward the request to the Controller at one of the contacts set forth in paragraph 1.

The Controller manages or rejects (by giving reasons) the report at the latest within 1 month after submitting the request, or in an exceptional case by a longer deadline permitted by law. The Data Subject shall be notified about the result of the inspection in writing.

12.1 The cost of notification

The Company provides information and takes actions for the first time free of charge.
Should the Data Subject request the same data – which did not change during that period - twice within a month, the Controller shall charge an administrative fee.

12.2 Refusing to provide information

The Organization as a Controller rejects the request for notification if the Data Subject’s request is clearly unfounded and s/he is not entitled to the notification, or if it can prove that the Data Subject possesses the requested information.

If the Data Subject’s request is exaggerated due to its especially repeating nature, the Organization may refuse to take actions based on the request if

12.3 Right to object

The Data Subject may at any time object to processing his/her personal data based on legitimate interest or official authority.
In this case the Organization shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
If the compelling legitimate grounds of the objection are established, data processing shall be terminated within the shortest time possible – also including data transfer and further data collection. Notification shall be sent about the objection to everyone to whom the Data Subject’s data were forwarded.
The request is managed free of charge, except for unfounded or extreme requests, where the Controller may charge an appropriate, reasonable fee to cover its administrative costs. The Data Subject may turn to court if s/he does not agree with the decision made by the Controller

13. Publication of data

The Controller shall not publish the recordings of the electronic surveillance system.

14. Data transfer to a third country or an international organization

The Controller does NOT forward the personal data and recordings of Data Subjects to a third country or an international organization outside the European Economic Area.

15. Information about data security actions

The controller processes data in a closed system, based on its Information Security Policy.
The Controller provides for default and integrated data protection. To that end, the Controller applies appropriate technical and organizational actions in order to:

The Controller applies reasonable physical, technical and organizational security actions to protect the Data Subjects’ data, especially against their accidental, unlawful and illegitimate annihilation, loss, change, transfer, use, access or processing. The Controller shall immediately notify the Data Subject in the case of using and unlawfully accessing personal data, which is known and involves a high risk for the Data Subject.
If it is necessary to transfer the Data Subject’s data, the Controller shall provide for the appropriate protection of the transferred data, e.g. by encrypting the data file. The Controller shall be held fully responsible for the processing of the Data Subject’s data by third parties.
The Controller shall also carry out appropriate and regular backup saves in order to protect the Data Subject’s data against annihilation or loss

16. Analytic Services

The Controller uses the Google Analytics service to track page statistics and user demographic data, interests and website behaviour. Furthermore, the Organization uses the Google Search Console for website search optimization and customer satisfaction measuring. Google provides the opportunity to limit the use of analytical services. Visit Google’s page to unsubscribe from the use of data by Google Analytics.
https://tools.google.com/dlpage/gaoptout

17. Legal remedies

If any data subject finds that

  1. the Controller restricts the enforcement of its rights or rejects its request to this effect may initiate, by notifying the Hungarian National Authority for Data Protection and Freedom of Information, an investigation aiming at reviewing the legality of the Controller's action;
  2. the Controller is in breach of legal requirements for the processing of personal data during processing the data subject's personal data
    • may request the Hungarian National Authority for Data Protection and Freedom of Information to carry out the data protection authority procedure; or
    • may start an action against the Controller before the court competent according to the data subject’s home address or permanent residence, at the data subject’s discretion.

Contact information of the Hungarian National Authority for Data Protection and Freedom of Information:

President: Dr Attila Péterfalvi,
Address: 1024 Budapest, Szilágyi Erzsébet fasor 22/C,
Phone: +36-1-3911400
E-mail: ugyfelszolgalat@naih.hu
www.naih.hu

Budapest, 15.07.2019.