on the processing of personal data related to the use of the MOL Bubi public bicycle-sharing system
Introduction
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR), BKK Centre for Budapest Transport (hereinafter referred to as “Data Controller” or “BKK”) provides the following information to data subjects in connection with the processing of personal data by BKK on the processing of personal data in connection with the use of the MOL Bubi public bicycle-sharing system.
Name of data controller | BKK Centre for Budapest Transport (short name: BKK) |
Company seat | 1075 Budapest, Rumbach Sebestyén utca 19–21. |
Data Protection Officer email address | [email protected] |
Phone number (customer service) | +36-1-3-255-255 |
Access to data protection documentation | Data management information (bkk.hu) |
For the purposes of this privacy notice (hereinafter referred to as the „Privacy Notice”), personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the „Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person).
The Data Subjects of the personal data processing under this Privacy Notice are the natural persons who create an account registered in the MOL Bubi system and use the public transport service.
The Data Controller operates a public bicycle-sharing system on the basis of Act XLI of 2012 on Passenger Trans- port Services, and in accordance with the Municipal Decree 20/2012 (III. 14.) of the General Assembly of the Municipality of the Budapest on the performance of Budapest’s transport management tasks. In order to promote and develop bicycle transport, a MOL Bubi bicycle-sharing public transport system has been deployed on the territory of the Budapest, which, as a sustainable form of public transport accessible to everyone, contributes to imp- roving the traffic situation in the capital city, reducing environmental damage, promoting urban cycling and improving transport culture.
The main legislation applicable to the processing under this Privacy Notice and their abbreviations used in this Privacy Notice:
Source of personal data: the Data Subject
Name and purpose of the processing | Legal basis for processing (in case of Article 6(1)(c) or (e) of the GDPR, indication of the exact piece of legislation) | Scope of personal data processed | Duration of processing |
1. Registration Registration for the conclusion of contracts related to the use of the service is possible via the website and the downloaded mobile application. | Article 6(1)(b) GDPR, which requires processing to take steps at the request of the data subject prior to the conclusion the contract. | Identifying data of the registrant: surname and given name, address, date and place of birth, mother’s name Contact details of the registrant: telephone number, email address The registrant’s password (a 6-digit PIN code, which the User can change after logging into the user account) Bankcard details | The Data Controller will store the personal data of the registrant for 30 days after the registration, if the User does not activate the registration, the Data Controller will permanently delete them after 30 days. During this 30-day period, the Data Controller will process the registrant’s personal data solely to facilitate the completion of the registration and may only contact the registrant during this period with a pop-up notification requesting the completion of the registration. If during this period the registrant requests the deletion of his/her data, he/she can do so by sending an email to [email protected]. In the case of completed registration, the Data Controller will manage the registration data until the registration is deleted, or 3 years if not, after which the data will be automatically deleted. |
2. Contact | Pursuant to Article 6(1)(b) GDPR, processing is necessary for the performance of the contract | User name, email address, phone number. | Until the user account is deleted. |
3. Electronic contracting | Pursuant to Article 6(1)(b) GDPR, processing is necessary for the performance of the contract | Identifying data of the registrant: surname and given name, address, date and place of birth, mother’s name Bankcard details | Until the user account is deleted. |
4. Using the MOL Bubi service | Pursuant to Article 6(1)(b) GDPR, processing is necessary for the performance of the contract | Data related to the use of the service: the User’s payment balance, password or unique internal identification number (USER ID) generated by the Bubi system, bank/credit card token data | Until the user account is deleted. |
5. Verification of amounts owed by customers (BKK claims) | Pursuant to Article 6(1)(b) GDPR, processing is necessary for the performance of the contract | Identifying data of the registrant: surname and given name, address, date and place of birth, mother’s name | Until the user account is deleted. |
6. Billing | Article 6(1)(c) GDPR, compliance with a legal obligation Fulfilment of the legal obligation to issue invoices under the provisions of Act C of 2000 on Accounting (Accounting Act) | Mandatory data under the Accounting Act, as well as billing email address, invoice serial number | In the case of a contract, 8 years after the year of approval of the annual accounts of the year of issue of the last accounting document related to the contract, pursuant to Article 169 (2) of the Accounting Act |
7. Mandatory data reporting | Article 6(1)(c) GDPR, compliance with a legal obligation | Billing name and address | Invoicing data: the Data Controller is obliged to keep electronic invoices issued in connection with the service in accordance with the provisions of Articles 165-169 of Act C of 2000 on Accounting and for a period of time and for 8 years after the last invoice is issued, in accordance with Articles 77-78 and 202 of Act CL of 2017 on the Rules of Taxation. |
8. Refunds management | Article 6(1)(c) GDPR, compliance with a legal obligation Fulfilment of the legal obligation to issue invoices under the provisions of Act C of 2000 on Accounting (Act on Accounting) | If the customer pays by card, the refund will be automatically credited to the same bankcard. If the Data Controller has the card token data, the refund will be made automatically. For identification purposes, it is necessary to provide the transaction details. The following data may be used to identify the transaction: name, amount and date of purchase, telephone number, first and last 4 digits of the bankcard. | In case of transactions: the Data Controller keeps the bank statement of incoming amounts and the returned compensation, in case of bank cards the OTP POS list for the period prescribed by the Act on Accounting, i.e. in case of accounting documents (and related documentation) for 8 years after the adoption of the annual report of the year of issue of the accounting document. |
9. Pop-up technical messages, emails related to the operation of the application, the performance of the service, which contain information related to the operation of the bicycle- sharing system, the use of the application or the extension of its functions | Article 6(1)(b) GDPR, performance of the contract | User ID, email address, name | Until the user account is deleted. |
10. Keeping a deny list A user placed on the deny list will not be allowed to enter into a new contract. | Article 6(1)(f) GDPR, based on the legitimate interest of the Data Controller. | USER ID (internal user ID number), number of rentals, date | The duration of the placement on the Deny List depends on the unilateral decision of BKK. |
11. Allow access to user location After downloading and logging in to the App, a pop-up window will ask the User to allow the App to use the „Location” feature. The navigation function of the App can be used if the User allows the App to use the „Location” function. In all cases, the User has the possibility to disable the feature on his/her device. | Article 6(1)(a) GDPR, consent of the Data Subject | location data (GPS coordinates of the mobile device) | Until consent is withdrawn or location data is blocked. |
12. Bicycle location data The GPS system installed in bicycles only records smart lock activity (opening/closing location) | Article 6(1)(f) GDPR, based on the legitimate interest of the Data Controller. | Smart Lock activity location data (open/close) Bicycle serial number | Until the user account is deleted |
13. Data retention after account deletion for the purpose of enforcing BKK’s legal claims (e.g. for claims management) | Article 6(1)(f) GDPR, based on the legitimate interest of the Data Controller r. | All the information contained in this notice; except: password, billing address, credit/debit card details | The data will be processed for a period of 5 years after the deletion of the User account at the request of the data subject, i.e. for the period of limitation according to the Civil Code, after which the data will be deleted. |
14. Keeping written customer complaints for the purpose of pursuing legal claims. The Privacy Notice for Customer Service communications is available at the link below: bkk.hu/jogi-tudnivalok/adatvedelem bkk.hu/en/legal-information/data-management-information | Article 6(1)(f) GDPR, based on the legitimate interest of the Data Controller. | The identity and contact details of the complainant (name, address, email address); | In the context of the enforcement of a possible claim, 5 years is the maximum period under Section 6:21-6:25 of the Civil Code (statute of limitations). The date of deletion of data is 31 March of the month following the year in question. |
15. Recording of oral customer complaints received over the telephone by the Call Centre | Article 6(1)(c) GDPR, compliance with a legal obligation, | - Pursuant to Article 17/A (5) of the Consumer Protection Act, the content of the record of the oral complaint, the data related to the complaint, such as the date of the complaint, the method of notification, the type of notification and the interest of the notifying party (bicycle user, authorised representative, legal representative, etc.), the service concerned, the reason for the complaint, a description of the complaint, the claim of the complainant, the name of the person in charge, the action taken; - the response to the complaint and the date of the response to the complaint; - in addition, BKK also makes a voice recording of telephone calls. - Phone number of the person concerned | 3 years from the date of the complaint. Under Article 17/A(7) of Act CLV of 1997 on Consumer Protection, the business must keep the record of the complaint and a copy of the reply for 3 years and present it to the supervisory authorities upon request. The audio recording shall be kept for 5 years pursuant to Section 17/B of the Consumer Protection Act. |
16. Send pop-up direct marketing messages If the User has expressly and voluntarily consented - by clicking on the „Would you like to subscribe to our newsletter?” button on the website or in the Application thus subscribing to Data Controller’s newsletter - the Controller may send the User direct marketing and other marketing content about information, news, promotions and discounts related to MOL Bubi. updates and campaigns | Article 6(1)(a) GDPR, consent of the data subject | User ID, email address, name | Until consent is withdrawn or registration is cancelled. The User can withdraw his/her consent (unsubscribe from the newsletter) in the same simple way as he/she subscribed. In this case, the checkbox „Would you like to subscribe to our newsletter” must be unchecked. From this point onwards, the customer will not receive any form of marketing content. |
17. Send direct marketing messages by email: If the User has given his/her explicit and voluntary consent - by ticking the „Would you like to subscribe to our newsletter” button on the website or in the Application thus subscribing to the Controller’s newsletter - the Controller may send the User direct marketing and other marketing content about information, news, promotions and discounts related to MOL Bubi updates and campaigns. | Article 6(1)(a) GDPR, consent of the data subject | Email, name | Until consent is withdrawn or registration is cancelled. The User can withdraw his/her consent (unsubscribe from the newsletter) in the same simple way as he/she subscribed. In this case, the checkbox „Would you like to subscribe to our newsletter” must be unchecked. From this point onwards, the customer will not receive any form of marketing content. |
18. Camera surveillance At public bicycle stations. At the monitored stations, the Data Controller shall place a notice on the use of the electronic security system. | Legal basis for processing necessary for the performance of a task carried out in the public interest pursuant to Article 6(1)(e) of the GDPR BKK may record images/ photographs and audio recordings for the purposes set out in Article 8 (2) - (3) of the Passenger Transport Act under the conditions set out in Article 8 (4) of the Act and at the locations specified in Article 8 (5) (e) of the Act. | image and voice of the persons concerned | Pursuant to Paragraph (9) of Section 8 of the Passenger Transport Act., BKK deletes the recording on the 16th day after the recording. |
19. Partnership enquiries via the BKK website https://molbubi.hu/hu/partneri-megkereses/ | Article 6(1)(a) GDPR, consent of the data subject | name, email address, telephone number of the natural person concerned | Until the withdrawal of consent, but no later than 1 year after the partner’s request. |
The Data Controller informs the User that the bankcard acceptance service is provided by OTP Bank Nyrt., so the data controller of the provided bankcard data is OTP Bank Nyrt, which processes these data according to its own data management information.
The Data Controller does not process bank card/credit card data, it only processes token data.
The Data Controller operates the MOL Bubi public bicycle-sharing system, which requires the processing of personal data for its use. The legal basis for the processing of personal data relating to each of the processing purposes in the table is Article 6(1)(f) of the General Data Protection Regulation (processing necessary for the purposes of the legitimate interests pursued by the controller or a third party, see rows 10, 12, 13, 14 of the table).
As a result of the balancing of interests carried out by the Data Controller in this context:
The Data Controller assesses that the legal basis for the processing of data for the purposes indicated in rows 10, 12-14 of the above table is in accordance with the legitimate interest under Article 6(1)(f) of the GDPR, given that the Data Controller has a legitimate interest in the MOL Bubi public bicycle system, which as a sustainable form of public transport is accessible to everyone and has been developed in the territory of Budapest, to contribute to improving the transport situation in the capital city, reducing environmental damage, promoting urban cycling and improving transport culture. The processing of the data shall not adversely affect the interests or fundamental rights and freedoms of the Data Subjects in such a way as to override the legitimate interests of the Data Controllers (the specific interests or fundamental rights and freedoms of the Data Subject shall not prevail over the interest).
The legitimate interest exists | The legitimate interest is sufficiently determined, genuine and actual, since the processing is actually necessary for the effective performance of the Data Controller’s tasks. |
The processing is necessary | The processing is necessary for the purposes of the legitimate interest, since without it the business objective of the Data Controller - to provide its services as efficiently as possible and with the highest level of satisfaction - could not be achieved. |
The processing constitutes a proportionate restriction on the data subject | The interests, fundamental rights and freedoms of the Data Subjects are not violated during the data processing. The interests of the Data Subject are not protected to a higher degree than the interests of the Data Controller. Given that the Data Subject is duly informed of the processing concerning him or her at the time of data collection and that the effects of the processing are fully foreseeable due to the way in which the processing is carried out, the proportionality standard in this respect is shifted towards permissibility. The proportionality of the restriction is also enhanced by the fact that the Data Controller provides the Data Subject with full, clear and comprehensible information at the time of data collection on the scope of the personal data processed, the basis, the method and the time of processing, and the Data Subject’s rights in relation to the processing. |
Subject to Article 21 of the GDPR, the Data Controller expressly draws the attention of the Data Subjects, clearly and separately from any other information, to the fact that each Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data for the pur- poses of the processing specified in this Notice, based on Article 6(1)(f) of the GDPR.
In such a case, the Data Controller may no longer process the personal data, unless the Controller proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject or are related to the establishment, exercise or defence of legal claims.
The processing of personal data detailed in this Privacy Notice does not involve automated decision-making or profiling.
Data Controller undertakes to ensure the security of the personal data it processes. Taking into account the state of science and technology and the costs of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, the Data Controller shall take technical and organisational measures and establish procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration.
The Data Controller also undertakes to require all third parties to whom it transfers or discloses the data on whatever legal basis to comply with the requirement of data security.
The Data Controller shall ensure a level of data security appropriate to the level of risk, including, where applicable:
In determining the appropriate level of security, explicit account should be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
The Data Subject’s data is stored on the Data Controller’s secure internal servers, which are protected to the highest IT security standards. Remote access is only possible for a limited number of authorised persons, only via a virtual private network, after authentication. All modifications to the data processing carried out by t he User and the Service Provider are logged. Data will not be copied to any other physical medium.
Data Controller operates the IT tools used to process the personal data recorded, as follows:
1. Name of the data processor: | Csepel Kerékpárgyártó és Forgalmazó Zrt. |
Address of the data processor: | 1211 Budapest, Duna Lejáró 7. |
Email address: | [email protected] |
Name of the sub-processor: | Nextbike GmbH Market-leading European company specialised in public bicycle-sharing, responsible for MOL Bubi IT implementation and service operation |
Address of the sub-processor: | Thomasiusstrasse 16, 04109 Leipzig |
Email address: | [email protected] |
Data management related activities: | Carrying out technical tasks related to data processing operations (servers, background software, application development, operation), which facilitate the contractual provision of the service, the monitoring of its operation and the prevention of abuse, as well as the provision of information to Users. |
Scope of data processed: | - personal data of the natural person using the rented bicycle:
|
Name of sub-processor: | Meta-INF Kft. The official partner of Atlassian Software Systems Pty Ltd. in Hungary, vendor of the JIRA licence, developer and operator. Meta-INF Ltd. creates an interface between Nextbike and JIRA |
Name of sub-processor: | 1192 Budapest, Taksony utca 6. fszt. 1. |
Name of sub-processor: | [email protected] |
Data management related activities: | Carrying out technical tasks related to data processing operations that facilitate the contractual provision of the service (monitoring, error management system), and checking its operation. Implementation and operation of monitoring and fault reporting systems. |
Scope of the data processed: |
|
2. Name of the data processor: | Neosoft Informatikai Szolgáltató Kft. |
Address of the data processor: | 8000 Székesfehérvár, Távirda utca 2/A 2. floor. 1. |
Data management related activities: | To provide a platform necessary to perform mass mailings of newsletters to BKK’s registered customers contained in the MOL Bubi database |
In the event of a request from a public authority, the requested data will be transmitted to the public authority.
Data Controller shall inform the Data Subject, without undue delay, but within one month of receipt of the request, of the action taken in response to the request, at the contact details provided by the Data Subject. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay.
You, as the Data Subject, can exercise your rights below by contacting:
In person:
At any BKK customer service centre or ticket office.
In writing:
Your right to be informed
Data Controller is obliged, if the personal data originate from the Data Subject at the time of obtaining the personal data, to provide the following information on the processing to the Data Subjects:
The obligation to provide the information described above need not be fulfilled if the Data Subject already has the information referred to in these points.
If the personal data have not been obtained from the Data Subject, the Data Controller shall provide the Data Subject with the above information and, in addition, the following information:
If the personal data have not been obtained from the Data Subject, the obligation to provide information does not apply if:
Your right of access
You have the right to receive feedback from the Data Controller as to whether or not your personal data are being processed and, if such processing is taking place, you have the right to access your personal data and the following information:
The Data Controller will provide you with a copy of the personal data processed. The Controller may charge a reasonable fee based on administrative costs for any additional copies you request. If you have made a request by electronic means, the information shall be provided in a commonly used electronic format unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.
Your right to rectification and completion
Upon your request, the Controller shall correct inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
Your right to erasure
You have the right to ask the Data Controller to delete personal data concerning you. The Controller is obliged to delete personal data concerning you without undue delay in the following cases:
A request for erasure cannot be granted if the processing is necessary:
Your right to restriction of processing
You have the right to have the Controller restrict processing at your request if one of the following conditions is met:
Where processing has been restricted based on the above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You as a data subject who has obtained restriction of processing shall be informed by BKK before the restriction of processing is lifted. The restriction shall apply until the reason indicated by you renders data storage necessary. You may request restriction of processing in case, for instance, you believe that Data Controller has unlawfully processed your data, however it is necessary for authority or judicial proceedings initiated by Data Controller that those data are not deleted by Data Controller. In this case, the Data Controller will continue to store the personal data until requested by the authority or the court, after which the data will be deleted.
Your right to object
You may object to the processing of your personal data if the legal basis for the processing is:
In the event of the exercise of the right to object, the Controller may no longer process the personal data, unless it proves that the processing is justified by compelling legitimate grounds which override the interests or rights of the Data Subject or are related to the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
Your right to data portability
You have the right to receive personal data relating to you which you have provided to a Controller in a structured, commonly used, machine-readable format, and the right to transmit such data to another Controller without hindrance from the Controller to whom you have provided the personal data, if:
In exercising the right to data portability, you have the right to request, where technically feasible, the direct transfer of personal data between controllers.
The exercise of the right to data portability must be without prejudice to the right to erasure. The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.
Right to withdraw your consent
You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
Your right to legal remedy
Contacting the Data Controller
We recommend that you send the Data Controller your request or complaint regarding the processing of your personal data before initiating legal or administrative proceedings, so that we can investigate and remedy it in a satisfactory manner, or, if justified, comply with any of your requests or claims under the previous point.
The Data Controller shall, without undue delay, investigate the matter, take action on the request and provide information to the Data Subject in the event of the Data Subject’s assertion of a right to data processing, request for information on data processing or objection and complaint regarding data processing, in accordance with the previous point, within the time prescribed by the applicable legislation. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended as provided for by law.
If the Data Subject has submitted the request by electronic means, the information shall be provided by the Data Controller by electronic means where possible, unless the Data Subject requests otherwise. If the Data Controller does not act on the Data Subject’s request without delay, but at the latest within the time limit laid down by law, it shall inform the Data Subject of the reasons for the failure to act or the refusal to act and of the possibility for the Data Subject to take legal or administrative action in accordance with the following.
In order to exercise your rights in relation to data processing or if you have any questions or doubts about the data processed by the Controller, or if you wish to obtain information about your data, lodge a complaint or exercise any of your rights under the previous section of this Privacy Notice, you may do so at the contact details of the Controller listed in Section I of this Privacy Notice.
Initiation of legal proceedings
The Data Subject may take legal action against the Data Controller or, in the context of processing operations within the scope of the Data Processor’s activities, against the Data Processor, if the Data Subject considers that the Data Controller or a Data Processor acting on his behalf or at his instructions is processing his personal data in breach of the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union. The court has jurisdiction to hear the case. The lawsuit may also be brought, at the choice of the Data Subject, before the competent court of the place of residence or domicile of the Data Subject. You may also bring a civil action against BKK. The General Court has jurisdiction to decide on the action. The lawsuit can be brought in principle before the Metropolitan Court of Budapest, which is competent for the seat of BKK, or, at your option, before the court of your place of residence.
Submitting a complaint to the supervisory authority
If you believe that your data is unlawfully processed by the Data Controller, without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., email: [email protected], phone: +36 (1) 391-1400, fax: +36 (1) 391-1410, website: www.naih.hu), in particular in the Member State where you have your habitual residence, place of work or place of the alleged infringement, if you consider that the Controller restricts the exercise of your rights or refuses to exercise them (request for an investigation), and if you consider that the processing of your personal data by the Controller or by a processor appointed or regulated by the Controller infringes the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union (request for a public authority procedure).
Name and address of Data Controller
Everybody has the right to the protection of personal data concerning them, thus accordingly, natural persons have the right to know who, where, when and for what purpose uses their personal data. This is required by the General Data Protection Regulation of the European Union (GDPR), and from among Hungarian legislation, by Act CXII of 2011 on the right to informational self-determination and on the freedom of information ("Privacy Act"). The data controller - in this case BKK - must prepare a data protection information and to inform its Customers in an appropriate and understandable way.
Name of data controller | BKK Budapesti Közlekedési Központ Zártkörűen Működő Részvénytársaság (BKK Zrt.) |
Company seat | 1075 Budapest, Rumbach Sebestyén utca 19–21. |
Customer Service email address | |
Adatvédelmi tisztviselő elérhetősége | |
Phone number (customer service) | +36-1-3-255-255 |
Access to data protection documentation | Data management information (bkk.hu) and https://molbubi.hu/ |
Previous documents