Privacy policy
EVENTIM.HU - DATA PROTECTION NOTICE
- I. INTRODUCTION:
1. What is this Notice about? (scope of this Notice)
With this data protection notice (hereinafter: “Notice”) we provide information on which personal data of those who visit, register or purchase on the website: http://www.eventim.hu we process, and about the purposes and methods of such data processing. Hereinafter, this website and all of its pages are collectively referred to as the "Websites" and any of them are referred to as the "Website".
The scope of the Notice does not apply to services and data processing activities of third parties (other than the Data Controller) advertising or appearing in any other way on the Websites with their promotions, games, services, campaigns or other published contents, including any link on any of the Website leading to such activities and contents. The data protection notices of the third party providing such services apply to such services, and the Data Controller does not undertake any liability for such data processing activities.
2. What data does qualify as personal data? (definition of personal data)
Personal data means any information relating to an identified or identifiable individual (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
3. What does personal data processing mean? (definition of data processing)
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
No automated decision-making is involved in the processing on behalf of Data Controller.
4. Who is the Data Controller? (contact details of the Data Controller)
The above Website is operated by CTS Eventim Hungary Kft (seat: 1139 Budapest, Váci út 91/A 3.em..; Company reg nr. 01-09-877903; represented by Mr. Gyula Kovácska managing director and Mr. Christoph Klinger managing director – both independently; contact information: dataprotection@eventim.hu); this company determines the purpose and means of the processing of personal data and therefore, this company is the Data Controller of the personal data (hereinafter: “Data Controller”).
5. Is there any other company that processes personal data on behalf of the Data Controller? (data processors)
Yes, these companies are called data processors. This Notice lists the data processors involved in the data processing.
6. Who is responsible for the accuracy and lawfulness of the personal data submitted to the Websites? (credibility of personal data)
The Data Controller does not check the personal data provided by the Data Subject, unless otherwise stated in this Notice; and the Data Subject is fully liable for the credibility of the personal data submitted by him or her. The Data Subject (visitor, buyer, user, complainant, etc.) warrants that he or she obtained the consent of the other Data Subject to the processing of all those personal data which such other Data Subject provided or gave access to him or her and which he or she submitted to the Website when visiting the Website or using the services provided by the Data Controller (for instance, when publishing content created by someone else or providing information on someone else, during issuing personalised tickets ). The Data Subject shall take full responsibility for the user content he or she uploads or shares on the Website or publishes in relation to the services provided by the Data Controller. When (e.g. in case of buying tickets, registration, making comments or complaints) the Data Subject provides data (e.g. user name, identification, password, etc.) he or she is liable that it is the Data Subject who uses the services by use of the e-mail address and any other data submitted by him. On the basis of this, the Data Subject who registered the e-mail address and provided other personal data on the Website shall be solely responsible for all actions related to the entries using that e-mail address and those personal data. The Data Controller excludes liability for any damage caused to the Data Subject due to the inaccuracy, lack or change of the personal data (i.e. name, e-mail address) provided by the Data Subject during the use of the services provided by the Data Controller or due to the disability of the Data Subject’s e-mail box to receive new messages.
The personal data of the Data Subject under the age of 16 may only be collected and processed with the consent of an adult person exercising parental supervision vis-à-vis such Data Subject. The Data Controller is unable to check whether the person giving the consent to the data processing (usually the legal representative) is solely authorized to give consents to the data processing, and the Data Controller cannot review the content of the parental consent either. The legal representative of Data Subject warrants that the consent to the data processing complies with applicable laws. In case of the use of services or webshop of the Data Controller by a Data Subject who is under the age of 16 the Data Controller assumes that the appropriate consent of the legal representative has been provided.
7. What is the legislation behind personal data protection? (legislative background)
The Data Controller especially took into consideration the following laws when creating this Notice: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act No. CXII. of 2011 on Information Self-Determination and Freedom of Information (“Info Act”), Act No. V. of 2013 on the Civil Code (the “Civil Code”), Act No. CVIII. of 2001 on E-commerce Services (“E-commerce Act”), Act No. XLVIII. of 2008 on Advertising Activity (“Advertising Act”).
- II. ABOUT THE DATA PROCESSING
II. 1. FOR TICKET PURCHASERS:
II.1.1. Description and purpose of data processing By purchasing a ticket or gift voucher, a contract for sale will be concluded between the Data Subject and the Data Controller.
For the purposes of performing the contract, in particular for issuing the ticket or the gift voucher and the invoice, possible delivery of the ticket and getting into contact for providing information when changes occur in relation to ticket or to the event, in line with our terms and conditions for ticket refund.
We may also inform you by e-mail about our parking spaces, directions, Organiser's requirements (e.g. bag size)
Legal basis of data processing Article 6(1)(b) of the GDPR – the processing of personal data related to sale of tickets is necessary for the performance of a contract.
Scope of the processed data and their source First and last name, address, invoice name and address (when different from home address), e-mail address, telephone number, shipping name and address (optional). In the course of ticket and gift voucher sale, the date of purchase, the event to be visited with the purchased ticket, the place and date of the event, number and price of purchased tickets and the location of the places will be also registered. In the course of ticket or gift voucher purchase we also control payment information such as name of the card holder, last four digits of the bank card number, bank card type, expiry date and also the notification on the successful / unsuccessful transaction. For certain events, we sell personalized tickets, therefore when purchasing personalized ticket, it is required to provide the place and date of birth, address and mother’s maiden name in addition to the data listed above.
Period of data processing Possible consequences of not providing the above data: failure to purchase a ticket.Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of the event, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. Technical operation of the framework system: CTS EVENTIM AG & Co. KgaA
Data processor and its processing activity: Delivery:GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: 2351 Alsónémedi, Európa u. 2.; contact information: info@gls-hungary.com; phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat), United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany), Online payment: KPS Interactive Media GmbH & Co. KG (seat: Contrescarpe 75A, 28195 Bremen, Germany; contact information: phone number: +49 421 36 66 05; Fax: +49 421 36 66 505; e-mail: heike.luedicke@kps.de), OTP SimplePay: OTP Mobil Kft. (Simple) (1138 Budapest, Váci út 135-139., Cg.: 01-09-174466, Privacy notice: https://simple.hu/adatkezelesi-tajekoztato / , PayPal payment system PayPal (Europe) S.à r.l. et Cie, S.C.A., (283, route d’Arlon, L-1150 Luxembourg) privacy notice: https://www.paypal.com/webapps/mpp/ua/privacy-full
Ii.1.2. Description and purpose of data processing Fulfilling tax and accounting obligations related to ticket and gift voucher sales.
Legal basis of data processing Article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation.The processing of invoicing-related data is in compliance with the legal obligation pursuant to Article 6(1)(c) of the GDPR. In case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply.
Scope of the processed data and their source from the data indicated in the previous point: address, billing name and address (if different from the address), name of the event, total amount of the purchase.
Data processing is mandatory.
Period of data processing If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years.
II.1.3. Description and purpose of data processing We collect and control the bank card data with the aim of verifying that the purchaser and the card holder are the same person and in case the purchaser and the card holder are not the same person, excluding the possibility of misuse of the credit card / credit card fraud.
Legal basis of data processing Article 6(1)(f) GDPR – legitimate interest. Legitimate interest is the prevention of misuse of the credit card /credit card fraud.
Scope of the processed data and their source Scope of the data indicated in the previous point. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of the event, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
II.1.4. Description and purpose of data processing In case of wheelchair users, personal data related to the reduced mobility and health condition will also be collected for the purpose of assessing and managing the specific needs of wheelchair users.
Wheelchair users can enquire and purchase wheelchair and accompanying tickets directly from customer service at info@eventim.hu, where the personal data will be manually entered into the system.
Legal basis of data processing Article 6 (1) a) and Art. 9 (2) (a) of the GDPR – consent.
Scope of the processed data and their source Without the medical data, ticket sales are unfortunately not possible. Therefore, unless the wheelchair user explicitly consents to the processing of this personal data, we will not be able to sell tickets. For wheelchair visitors, in addition to the personal data required for ticket sales, personal data on reduced mobility and health conditions will also be recorded.
Period of data processing Sensitive data are processed only during the time of purchase, otherwise the retention period for ticket sales applies.
II.1.5. Description and purpose of data processing Ticket return insurance
For certain events, the Data Controller may allow the Data Subject to take out a Ticket return Insurance. In this case, the data is processed by Eventim for the purpose of concluding the insurance contract and transmitted to the Insurer for this purpose.
Legal basis of data processing Article 6 (1)(b) of the GDPR- it is necessary for the preparation and performance of a contract to which the data subject is a party
Scope of the processed data and their source Data required for the concluding of the insurance contract: The following data provided by the ticket purchaser as the insurance user: name and e-mail address, date of purchase.Possible consequences of not providing the data: cancellation of the insurance contract.
Period of data processing Data processed for the purpose of concluding the insurance contract will be retained for a general limitation period of 5 years from the date of the taking out the insurance, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. For accounting purposes in accordance with the provisions of the Accounting Act 2000, C. of 2000, § 169. the retention period is 8 years.
Data processor and its processing activity Data will be transferred to the Insurance Company acting as Data Controller which concludes and performs the insurance contract and which processes the personal data in accordance with its Privacy Policy provided below : AWP P&C S.A., Hungarian Branch, Könyves Kálmán körút 48-52, 1087 Budapest, Hungary, Phone: +36 30 649 4040 E-mail: ugyfelszolgalat@mondial-assistance.at
II.1.6. Description and purpose of data processing Data processing related to ticket refund due to cancellation of the event
In certain cases (primarily in case of event cancellation), it is possible to return the tickets purchased, subject to the conditions of the event organiser, after prior verification of the data related to the purchased ticket. The purpose of the processing is to refund the ticket price to the purchaser or ticket holder
Legal basis of data processing Article 6 (1) (b) of the GDPR – the processing of personal data related to sale of tickets is necessary for the performance of a contract (or for refund of the tickets in the event of cancellation)Data processed for identification purposes for refund: first and last name of the ticket purchaser, e-mail address. Date of ticket purchase, order number or other unique identifier of the ticket purchased and the number of tickets,
Scope of the processed data and their source Bank card details required for refund of the ticket price: name of the cardholder, bank account number to be used for crediting, expiry date of the bank card, name of the bank holding the account, IBAN and Swift code if necessary.
Period of data processing Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the (planned) date of the event, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years.
Data processor and its processing activity Microsoft forms is the platform for filling the form for ticket refund (https://support.microsoft.com/en-gb/office/security-and-privacy-in-microsoft-forms-7e57f9ba-4aeb-4b1b-9e21-b75318532cd9), Payment service providers to be used to refund the ticket price: OTP Simple application OTP Mobil Szolgáltató Kft. (Simple) (registered office: 1143 Budapest, Hungária körút 17-19., Cg.: 01-09-174466, web: https://simple.hu/, KPS Wallet (VUNKERS IT EXPERTS, S.L.U.,, https://www.vunkers.com/politica-de-privacidad/), Raiffeisen Bank Zrt. registered office 1133 Budapest, Váci út 116-118.) or Unicredit Bank Hungary Zrt. registered office: 1054 Budapest, Szabadság tér 5-6) - if the data required to execute the bank card credit are not available
II.1.7. Description and purpose of data processing Customer surveys
In order to continuously improve its products and services and to adapt them to the needs of ticket buyers, the Data Controller may ask its customers to participate in customer surveys and to provide feedback on the products and services sold and provided by the Data Controller and its partners. In doing so, the Data Controller uses the information provided by the Data Subject during the purchase process to contact. Survey data will be anonymised.
Legal basis of data processing Article 6(1) (f) of the GDPR -the processing of data is based on the legitimate interest of the Data Controller or third party in developing products and services.
Scope of the processed data and their source Data provided by the Data Subject as ticket purchaser when purchasing a ticket (name, address, e-mail).
Period of data processing 6 months from the date of ticket purchase
II. 2. FOR WEBSITE ACCOUNT HOLDERS:
II.2.1. Description and purpose of data processing The purpose of data processing is the registration on the Website and the creation of a user account.
Legal basis of data processing Article 6 (1)(a) of the GDPR - Processing of personal data related to the registration is based on the consent. Possible consequences of failure to provide data: registration is not possible.
Scope of the processed data and their source During the registration, for the purpose of creating a user account, the user shall provide his or her e-mail address and a password. During the registration, the date of the registration and the IP address at the time of registration will also be collected. If the registration is created with Facebook profile, data processing pursuant to point II.6 of this Notice is also carried out. After registration, you can optionally enter the following data: first name, last name, address, billing address.
Period of data processing Personal data related to registration will be processed until the termination of registration, but at latest within the the general limitation period of five (5) years after the last order for the enforcement of claims and rights. In case of enforcing the rights and legitimate claims after the termination of the registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be kept until the final conclusion of these proceedings.
Data processor and its processing activity System operator: CTS EVENTIM AG & Co. KgaA, Hosting provider: Perftech d.o.o., Location:Baragova ulica 7E, 1000 Ljubljana, Slovenia
II.2.2. Description and purpose of data processing The purpose of profiling is to carry out market research, including customer analysis, customer segmentation and running statistics. Furthermore, Data Controller can use this information for the purpose to identify the preferences and interests of the Data Subject to tailor the experience of the Website for the Data Subject and optimize the service.
Legal basis of data processing Article 6 (1)(f) of the GDPR – legitimate interest.The Data Controller has legitimate business, economic interest to know the opinion of the users about the Website, the users’ purchases and habits via the Website, their preferences and other personal characteristics related to the services in order to develop the system in such a way which meets the users’ expectations and answers real market needs.
Scope of the processed data and their source If the Data Subject creates a user account or identifies him/herself for the Data Controller in another way (for instance purchasing a ticket on the Website) it is possible that the Data Controller connects all data collected in relation to the Data Subject, like the data collected when the Data Subject browsed the Website, newsletter tracking data, names, e-mail address, phone number, postal address, Facebook profile data, Google account information, demographic data related to the Data Subject, information on the interests and preferences of the Data Subject, online and offline transaction information, and any contact made with customer service.
Period of data processing Personal data related to registration shall be processed until the termination of the registration, but at latest within a general limitation period of five (5) years from the last order for the purpose of enforcing the claim and right. In case of enforcing the rights and legitimate claims after the termination of the registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be kept until the final conclusion of these proceedings. The Data Subject is entitled to object to the profiling at any time. In such case, the Data Controller may not control the personal data for such purpose.
Data processor and its processing activity Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland
II. 3. FOR THE WEBSITE VISITORS: Cookies keep unique identifier of computers or device and profile information. Cookies are not capable of identifying the visitors of the Websites; however, they are capable of identifying and recognizing the device used by the visitor when visiting the Websites. These cookies may be placed on the computer or device used for visiting the Website by the visitors of the Website during visiting the Websites. 1. What kind of cookies are used on the Website? On the Websites permanent, tracking and cookies related to one work session are used. The permanent cookies enable that the Websites remember the visitor visiting the Website more times, his or her settings and preferences. Cookies related to one work session help the Website recognize the visitor of the Website at the time of the visit even if the visitor of the Websites moves from page to page; but these cookies expire when the visitor leaves the Website. There are several types of cookies used on the Websites; we differentiate them based on their functions, as follows: - Technical cookies: Use of technical cookies enables proper display and operation of the Websites, among others the login to the Websites or managing the purchase of tickets, and they are necessary for the proper display of the Websites. - Functional cookies: Functional cookies enable tracking the browsing of the Websites and the preferences used during browsing; with the help of these, the Websites can remember among others to the registration data, the events checked by the visitor, the language preferences, etc. - Analytical cookies: Analytical cookies enable tracking the behaviour of visitors of the Websites and as a result, based on the use and exploitage of the Website by the visitors, making it possible to develop the Website and to provide an even better user experience and to display more useful content. The Website uses Google Analytics and Google Signals to analyse and optimise the use of the Website.
If the visitor of the Website does not want his or her data concerning the use of the Websites (including the IP address) to be collected and processed by cookies, and he or she wishes to disable them, he or she may download and install the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu.
For this analysis, we use Google Analytics 360, a web analysis service of Google Ireland Ltd. ("Google"), on our website. Google Analytics 360 uses cookies that enable an analysis of the use of our websites. The information generated by the cookie about the use of our websites is in general transferred via a server operated by us in Europe to Google Analytics 360 in the US and stored there. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. You can find out more here: https://business.safety.google/adsprocessorterms/sccs/p2p-intra-group/ (https://business.safety.google/adsprocessorterms/sccs/p2p-intra-group/)
We shorten your IP address on the server we operate before it is transferred to a Google Analytics 360 server. An exception to this are websites that we operate under joint responsibility with our partners, there your information will be transferred to Google Analytics 360 after using IP anonymization on our websites. If you are in the European Union, this function shortens your IP address within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. On behalf of EVENTIM, Google Analytics 360 will use this information to evaluate the use of the websites, to compile reports on the website activities and to provide EVENTIM with further services associated with the use of the website and the Internet. For more information on the terms of use and data protection of Google Analytics 360, please visit:
https://support.google.com/analytics/answer/6004245 (https://support.google.com/analytics//answer/6004245)
Google Signals is session data from websites and apps that Google associates with users who are signed in to their Google Account and who have turned on Ads personalisation. The association of this data with these logged-in users is used to enable cross-device remarketing and the export of key cross-device events to Google Ads. Google Signals is a feature of Google Analytics that allows you to view demographic data and aggregated data on user interest and behaviour. Where you have given your consent to the use of cookies, Google will use other information you have provided to Google for other purposes to pass this information on to us anonymously. This may include, but is not limited to, associating such information with the site and/or app-type visit data collected by Google Analytics. The personal data is collected during the ticketing process and is also processed when you visit the website without registration. For more information about Google Signals, please visit https://support.google.com/analytics/answer/9445345?hl=en#zippy=%2Cin-this-article
Google Optimize is used on our website to enhance the attractiveness, content and functionality of our website. By making new functions and content available to a percentage of our users and statistically evaluating changes in usage, we can regularly improve our offering. Cookies are used for these activities, which are linked to a pseudonymous ID. Google will use this information to evaluate your use of our website and to create reports on the optimization test and the associated website activities. The data protection regulations of Google Analytics 360 defined above apply.
You can prevent the collection of information by Google Optimize by preventing the storage of cookies through an appropriate setting in your browser software or by deactivating tracking in the Cookie Settings. Please note, however, that in this case you may not be able to use all the functions of this website to their full extent.
- Google Ads tracking cookies: On the Websites, information is obtained with the help of Google tracking cookies about the fact that the Website visitor reached the Website after seeing any of our advertisements displayed in the Google system or after clicking on it. Based on the information obtained through tracking cookies, statistics can be made about Website visitors who view or click on our advertisements. Based on content viewed on the Websites, Google is able to display targeted advertisements on the websites of other partners of Google.
If you have finished a ticket purchase from us, a cookie is set by Google Ads, Google Analytics 360. If you enter corresponding search terms in Internet search engines after your purchase, individual recommendations for EVENTIM products and services can be displayed to you on the basis of your purchase with the help of this cookie (search engine marketing).
Your personal data is processed in the process We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you would like to object to the data processing by Google Ads, Google Analytics 360, please click on the following link: Cookie Settings In connection with the use of Google Ads, Google Analytics 360, your personal data is transferred to the US. This data transfer is based on EU standard contractual clauses. This ensures an adequate protection of your personal data.
For further details on data processing by Google Ads, please refer to the corresponding information on data protection: Google: https://policies.google.com/privacy?hl=de (https://policies.google.com/privacy?hl=de) Google Ads: https://policies.google.com/technologies/ads (https://policies.google.com/technologies/ads) Explanation of Google's use of third party data: https://policies.google.com/technologies
/partner-sites (https://policies.google.com/technologies/partner-sites)
- Facebook remarketing cookies: On the Websites we try to get in touch again with previous visitors of the Websites with the help of Facebook remarketing cookies, by showing them advertisement concerning our services. With the help of remarketing cookies, we try to reach those visitors with social media campaign, who have already visited the Websites at least once. More information on facebook cookies is available at: https://www.facebook.com/policies/cookies
- Third party cookies: In connection with some functions on the Websites, third party services also appear (e.g. a link to the Facebook page of an artist), in particular regarding social media sites (e.g. Facebook, Google+ or Twitter), which may contain third party cookies. The regulation of the use of such third party cookies is not covered by the regulations of the Data Controller; in this regard please see the regulations of third parties. Point II.6. of this Notice explains the use of cookies on the Facebook page of the Data Controller.
- Google tag manager:
The Website uses Google Tag Manager, a tag management application/service provided by Google Inc., which allows you to create, update and manage tags. Tags are small code elements on websites that are used, among other things, to measure traffic and visitor behavior, as well as to determine the impact of online advertising. With the help of Google Tag Manager, you can set the conditions under which the individual code elements are activated. This allows user interactions to be tracked and cookies can also be set and read. Google Tag Manager does not manage data, but ensures the activation of tags that collect data, e.g. the users’ IP address is managed. You can find more information about Google Tag Manager at the following link: https://support.google.com/tagmanager/answer/6102821?hl=hu
- Stay 22
Eventim works with the Stay22 (Stay22 Technologies Inc., 917 Mont-Royal Ave E. Montreal QC H2J 1X3, Canada) third party service provider partner network and we use their hotel map plug-in on our website. The hotel card provided by Stay22 is embedded in our webshop. If you follow the included affiliate links and then take advantage of the offers, you may receive affiliate rewards from Stay22. In order to track whether you have taken advantage of the offers, the third party provider needs to know that you have followed the affiliate link used on our website. For the purposes of attribution of the affiliate links mentioned above, affiliate links may be accompanied by certain values that are part of the link or may be stored in some other way, such as a cookie.
The scope of the data processed: These cookies can be turned off by disabling the setting of targeted cookies in the cookie settings.
Legal basis for processing: your explicit consent in accordance with Article 6. para (1) (a) of the GDPR.
For more information, please visit https://www.stay22.com/privacy and for information about Stadia Maps Ltd. services, please visit https://stadiamaps.com/privacy/
II.3.1. Description and purpose of data processing With respect to functional, analytical, Google Ads, Facebook remarketing and third party cookies:
The Data Controller uses cookies collectively for identifying the Website visitors or users, administrating the “shopping cart”, tracking the way of browsing of the Websites by the visitors and their preferences, and to enhance Website user experience, as well as to provide content related services on the Websites and the services offered to be provided by the Data Controller on the Websites, as well as to contact the Data Subject with advertisement.
Legal basis of data processing Article 6(1)(a) of the GDPR – consent.Personal data is processed based on the consent of the Website visitor, which can be given by clicking on the “Accept”-button of the pop-up window on the Website; by clicking on “Change Settings” the Website visitor is able to choose among the options on the Cookie settings/policies site.Data Subject agrees that we may contact him or her with our advertisement within the framework of Google Ads or Facebook remarketing campaign. In case of data processing based on consent, the Data Subject is entitled to withdraw his/her consent at any time.
Scope of the processed data and their source The cookies carry the unique identification number of the computer or device used for visiting the Website (IP address), the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.
Possible consequences of not providing data: website content is not fully displayed.
Period of data processing Personal data is processed until the end of visiting the Website or until the consent is withdrawn. Cookies placed on the computer or device of the Website visitor will stay there until the user of the computer or device deletes them. The data sent by us and linked to cookies will be automatically deleted by Google after 14 months. The maximum lifetime of Google Analytics cookies is 2 years. In case of Facebook remarketing cookies the period is 180 days.
Data processor and its processing activity Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5 Ireland), Facebook (Meta Ireland Platforms Limited, (székhely: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2) Írország, elérhetőség adatvédelmi kérdésekben: https://www.facebook.com/policy.php
II.3.2. Description and purpose of data processing technical cookies: To ensure and provide the content related services on the Website and the services offered to be provided by the Data Controller on the Website (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website).
Legal basis of data processing Article 6(1)(f) of the GDPR – legitimate interest. The legitimate interest: to ensure the provision of the service and to enable the Data Controller to filter the unlawful use or unlawful content from the Website.
Scope of the processed data and their source The cookies carry the unique identification number of the computer or device used for visiting the Website, the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.
Period of data processing Personal data is processed until the end of visiting the Website or until the objection.
2. How can you disable placing cookies on your computer or device?
Website visitors can disable placing cookies on their computer or device by adequate browser settings. Further, the visitors of the Website can choose on the “Cookie settings/policies” site of the Website whether the functional, analytical, tracking or third party cookies may be enabled in the course of browsing the Website. The changes can be amended anytime on the ”Cookie settings/policies” site. However, it should be noted that disabling cookies on the computer or device may result that the user experience will be compromised; in such case, the visitor of the Website may not reach certain elements of the Website in the form as if the placing of cookies had been enabled. When disabling functional cookies, the Website visitor does not allow among others that we send him or her reminders about the products placed in the shopping cart, or that the Websites remember his or her language preferences etc. When disabling analytical cookies, the Website visitor does not allow among others that we analyse his or her activity on the Websites in order to display tailored content on the Website, or contact him or her with personalised offers at the contact points provided by him or her (if he or she provided such data, e.g. in the course of registration). When disabling Google Ads tracking cookies, the Website visitor does not allow cookies to be placed on his computer in connection with advertisements, especially when clicking on advertisements. When disabling third party cookies, the Website visitor does not allow that third parties, in particular social media sites (e.g. Facebook, Google+ or Twitter) place cookies on his or her computer or device used for visiting the Website.
Consent management
In order to obtain data protection-compliant consent for using cookies and services requiring consent on our website, we use the tool of the consent manager provider consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden, website: www.consentmanager.de.
The consent tool records, logs, and saves the website visitor's settings. To ensure that the selected settings can be clearly assigned to the respective website visitor, certain user information (including the IP address) is collected, transmitted, and stored by the consent tool.
For further information, please refer to the privacy policy of consentmanager AB: https://www.consentmanager.de/datenschutz/
Legal basis: Article 6 para. 1 point f of the GDPR (legitimate interest of the Data controller)
II. 4. PROCESSING OF DATA RELATED TO SENDING NEWSLETTERS AND DIRECT MARKETING :
II.4.1. Description and purpose of data processing General newsletters
The Data Controller may send electronic message containing general advertisement to the Data Subject’s email address, at a specified frequency or regularity, providing information about current news, events, discounts, promotions, new functions, games, etc.
When subscribing to the newsletter, it may be chosen by clicking on the “Subscribe to our Weekly guide!” button or on the https://www.eventim.hu/hu/user-subscription/subscription.html?newsletter_email= page in connection with which topics newsletters and in relation to which artist concert notification are wished to be received from the Data Controller.
Legal basis of data processing Article 6(1)(a) of the GDPR – consent. Processing of personal data related to newsletter and direct marketing is based on the explicit consent of the Data Subjects which can be expressed by ticking the relevant checkbox.
Scope of the processed data and their source The Data Controller hereby notifies the Data Subjects that the newsletters sent to them carry tracking pixels which allow the Data Controller to prepare statistics regarding the successfulness or unsuccessfulness of marketing campaigns. The tracking pixel carried within the newsletter enable the Data Controller to track whether and when the addressee opened the newsletter, and which references of the email were opened by the Data Subject (newsletter tracking data). Collecting newsletter tracking data is used by the Data Controller to conduct research with the aim of general marketing and optimize the use of newsletters. For those who have not previously purchased a ticket: When subscribing to receiving newsletter, the Data Subject shall provide his or her first and last name and e-mail address. When subscribing for the newsletter, the time and date of subscribing and the IP address at the time of subscribing will also be registered, furthermore, the Data Controller also collects newsletter tracking data.For previous ticket purchasers who have consented to this data processing, in addition to the above, the scope of the data processed the name and email address provided by the ticket purchaser at the time of purchase.Possible consequences of not providing the data: it is not possible to subscribe to the newsletter.
Period of data processing Data processing lasts until the consent is withdrawn, i.e. until unsubscribing.
Data processor and its processing activity For the purpose of sending newsletter and promotion e-mails: Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780), Google Ireland Limited, (Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland), Facebook (Meta Ireland Platforms Limited, seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, contact or data protection issues: https://www.facebook.com/policy.php
II.4.2. Description and purpose of data processing data processing for direct marketing purposes (individual offers)
Once the data subject has purchased a ticket, the controller may send occasionally individual emails or special offers for a specific group to the data subject about similar events, services and services, promotions (in some cases by post) and birthday emails. These emails are sent to the address provided at the time of ticket purchase.
Legal basis of data processing Article 6(1)(f) of the GDPR -the processing of data is based on the legitimate interest of the Data Controller or third party. The legitimate interest of the Data Controller is to inform Data Subjects about changes in products and services, to advertise the products and services and to carry out marketing activities.
Scope of the processed data and their source Data provided by the Data Subject when purchasing a ticket (name, e-mail, address).
Period of data processing From the date of purchase of the ticket until 5 years after the event, but no later than the date of the objection of the Data subjects concerned.
II.4.3. Description and purpose of data processing Subscribe to notification
The purpose of the Processing is to notify the Data Controller of upcoming events, special offers, cancellations, changes to purchased events, the status of tickets added to the shopping cart and not yet purchased, and other important information when you subscribe to the notification.
The data subject can give his/her consent to receive notifications of special offers under the tab "Subscribe to notifications" or at https://www.eventim.hu/hu/notifications.html. Notifications are short messages that appear in the notification centre of the computer or on the lock screen of the phone.
Legal basis of data processing Article 6(1)(a) of the GDPR – consent. The data processing is based on the explicitconsent of the data subject.
Scope of the processed data and their source e-mail address, IP address, type of browser, interests. Possible consequences of not providing the data: it is not possible to subscribe to notifications
Period of data processing The data processing lasts until the consent is withdrawn, i.e. until you unsubscribe.The data subject has the right to unsubscribe at any time by turning off the notifications in the browser settings.
Data processor and its processing activity Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact: +49 30 7680 780), Google (Google Ireland Limited, (Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland), Facebook (Meta Ireland Platforms Limited, seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland; for data protection issues contact: https://www.facebook.com/policy.php
II.4.4. Description and purpose of data processing Targeted online marketing ads via Facebook and Google
Identification of individual advertising audiences based on a customer list[1] and identification of "Other advertising audiences[2]"
Legal basis of data processing Based on the explicit consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
Scope of the processed data and their source E-mail address of previous customers or registrants. Possible consequences of not providing data: ads cannot be displayed
Period of data processing The processing lasts until consent is withdrawn or at latest until the data/registration is deleted. The data subject has the right to object to the processing at any time.
Data processor and its processing activity Facebook (Meta Ireland Platforms Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland), Privacy policy concerning to data processing: www.facebook.com/legal/terms/dataprocessing, Google (Google Ireland Limited, Gordon House Barrow Street Dublin 4, D04E5W5 Ireland Privacy policy concerning to data processing: https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20200816.html
II.4.5. Description and purpose of data processing Fan report
The Data Controller provides the opportunity for data subjects to share their opinions on the Website about the events they have participated in.
Legal basis of data processing Article 6 (1) (a) of the GDPR – consent. The data processing is based on the explicit consent of the data subject.
Scope of the processed data and their source e-mail address, name, text of the opinion. ossible consequences of non-providing data: the opinion cannot be published
Period of data processing If the Data Controller publishes the opinion as a report, the data processing period shall be 2 years from the date of publication of the opinion. If the opinion is not published, the Data Controller shall delete the data without delay.
II.4.6. Description and purpose of data processing In the case of subscriptions to newsletters and notifications, and the sending of individual offers the purpose of profiling data processing is to allow the Data Controller to assess the individual interests of the data subject in order to develop and address personalised offers to the data subject.
From a comparison of the listed personal data, we draw conclusions regarding the consumption habits of the persons concerned, as well as their expected shopping preferences and interests. We use these conclusions in order to be able to develop offers tailored to the individual concerned, and to be able to send the offers to the appropriate target group.
Legal basis of data processing In the case of subscribing to the newsletter and alerts Article 6 (1) (a) of the GDPR – consent. The data processing is based on the explicit consent of the data subject.In the case of individual offers, profiling is based on Article 6 (1) (f) of the GDPR, - on the legitimate interest of the Data controller or a third party
Scope of the processed data and their source In the case of subscribing to the newsletter and alerts the data provided when subscribing to the newsletter and notifications
In the case of individual offers, the data provided when purchasing the ticket (name, address, e-mail address and, from the data of the purchases, the event to be visited with the purchased ticket) will be used for the individual offer. Possible consequences of not providing data: it is not possible to personalize offers.
Period of data processing In the case of subscribing to the newsletter and alerts The data processing lasts until the consent is withdrawn, i.e. until unsubscription. in the case of a legitimate interest, until the Data subject objects.The data subject has the right to object to profiling at any time. In case of an objection, the Data Controller may no longer process the personal data for this purpose.
II. 5. FOR INQUIRERS, COMPLAINANTS:
II.5.1. Description and purpose of data processing Personal data are processed by the Data Controller with the aim to handle related to complaints, questions, comments and problems arising in connection with ordered products or services. Legal basis of data processing Article 6(1) ( c ) – to comply with a legal obligation to which the Data Controller is subject, for feedback, opinions, questions: Article 6(1)(a) GDPR consent. The Data Controller allows the Data Subjects to make a complaint via email (info@eventim.hu) or by post at the address of 1139 Budapest, Váci út 91/A 3.em. The processing of personal data for the investigation, settlement and handling of complaints is the legitimate interest of the Data Controller and the data subjects, as the processing of such data is necessary for the enforcement of consumer protection and civil law rights and interests in connection with the purchase and use of services on the Website. In the course of complaint handling, the complainant shall provide personal data related to his or her previous purchase, his or her first and last name, address or invoice address, phone number, delivery name and address, if different from the above, e-mail address and order number (if applicable).
Scope of the processed data and their source In the case of a complaint via phonecall, the following personal data are added to the scope of the processed data: caller ID, date and time of the call, audio recording of the telephone conversation and other personal data provided during the conversation. The Data Controller informs the Data subjects that, in the event that the complaint is made by telephone, the Data Controller will record the audio of the call after having informed the data subject about that. Possible consequences of not providing the above information: failure to respond to telephone calls and opinions
Period of data processing The complaints and responses will be retained for three (3) years from the time of the complaint, for enforcing the rights and legitimate interests of the Data Controller and of the Data Subject (or if the limitation period for enforcing rights is longer, then until the end of that period). If the complaint is made via email and the complainant is not registered on the Website, the e-mail address of the complainant will be erased on the ninetieth (90th) day from the resolution of the issue, with the exception of unique cases when the legitimate interest of the Data Controller justifies the longer retention of the personal data, in which case erasure will be made when this legitimate interest ceases to exist. The Data Controller shall keep the audio recording of the complaint made via phonecall for a period of three (3) months from the date of the recording.
II. 6. FOR SIGNING IN WITH SOCIAL MEDIA ACCOUNT AND PRIZE GAMES:
II.6.1. Description and purpose of data processing The Data Controller processes personal data in the course of its activities on social networking sites, for the purpose of sharing or "liking" certain content, products, promotions or the website itself.
Legal basis of data processing Article 6(1)(a) of the GDPR – consent. The data subject has given his or her voluntary consent to the processing of his or her personal data on social networking sites.
Scope of the processed data and their source The name and public profile photo of such users who registered on Facebook/Google+/Twitter/Pinterest/YouTube/Instagram etc. social media, and “liked” the Website of the Data Controller, for the purposes of sharing and liking some content, product and discounts of the Websites or the Websites itself. Facebook shares the above data with the Data Controller as anonym statistical data to enable the Data Collector as the administrator of the Facebook fan page to publish more targeted, relevant information for the page’s visitors. Facebook applies pop-up windows to notify the visitors of the page on the use of cookies and to the collection of the above personal data. Data Controller as the administrator of the Facebook fan page recommends to become familiar with the Facebook’s “Cookies & Other Storage Technologies” policy (available here: https://www.facebook.com/policies/cookies/) and the Facebook Data Policy (available here: https://www.facebook.com/about/privacy) prior to using on the Facebook fan page.
Period of data processing The data processing lasts as long as the data subject "likes" and/or follows the Data Controller and/or the Website on the relevant social media site.
II.6.1. Description and purpose of data processing From time to time the Data Controller publishes prize games on the interfaces defined by it, on its Website, or on its Facebook fan page and on http://blog.eventim.hu/. Data processing takes place on the interface announcing by each prize game, For the purpose of managing these prize games, and for the purposes of paying taxes and contributions.
The current rules are available at the Website, or at following link: https://blog.eventim.hu/jatekszabalyzat/.
Legal basis of data processing Article 6 (1)(a) of the GDPR – consent. The consent of the players participating in the prize game. The legal basis for the delivery of the prize and the identification of the winner is the performance of a contract based on Article 6(1)(b) of the GDPR. In the case of the fulfilment of a tax or contribution obligation in connection with the prize, the legal basis is the fulfilment of a legal obligation pursuant to Article 6(1)(c) GDPR.
Scope of the processed data and their source The Data Controller collects and controls surname, first name and e-mail address of participants of the game.Possible consequences of not providing the data: it is not possible to participate in the prize draw. In the case of a prize game announced on Facebook, the name of the winners will be published on the Facebook page. The Data Controller may process the tax identification number, address, mother's name, place and date of birth of the data subject in connection with the fulfilment of tax and accounting obligations in relation to the prize.
Period of data processing Facebook's data management is governed by: Meta Platforms Ireland Ltd. ("Meta") - more information about the data retention periods applied by Meta at the following link: https://www.facebook.com/legal/terms/businesstools. The Controller will delete the personal data of the participants in the game after the game has ended and the prizes have been delivered, or until the consent is withdrawn, if earlier. If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. (Article 78(3) and 202(1) of Act CL of 2017 on the Rules of Taxation. In the case of accounting documents: 8 years (Article 168-169 of the Act C of 2000 on Accounting). In practice, this is the case if the data form part of the documents supporting the accounts.
Data processor and its processing activity If using Facebook: Facebook (Meta Ireland Platforms Limited (head office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2) Ireland, contact for data protection issues: https://www.facebook.com/policy.php, Delivery (in the case of prizes in phisical form): GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: 2351 Alsónémedi, Európa u. 2.; contact information: info@gls-hungary.com; phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat),United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany)
II.6.2. Description and purpose of data processing The Data Controller operates a fan page within website under https://www.facebook.com which can be found on https://www.facebook.com/Eventim.HU/ (the “Facebook fan page”). Facebook collects the personal data of the visitors of this Facebook fan page by using cookies and it generates anonym statistical data from them.
Legal basis of data processing Article 6(1)(a) of the GDPR – consent. Processing of personal data related to social media sites is based on the voluntary consent of the Data Subject. Facebook shares the above data with the Data Controller as anonym statistical data to enable the Data Collector as the administrator of the Facebook fan page to publish more targeted, relevant information for the page’s visitors. Facebook applies pop-up windows to notify the visitors of the page on the use of cookies and to the collection of the above personal data. Data Controller as the administrator of the Facebook fan page recommends to become familiar with the Facebook’s “Cookies & Other Storage Technologies” policy (available here: https://www.facebook.com/policies/cookies/) and the Facebook Data Policy (available here: https://www.facebook.com/about/privacy) prior to using on the Facebook fan page.
Scope of the processed data and their source Personal data collected on the Facebook fan page are as follows: demographic data (age, sex, marital status, profession); data concerning the interests of the visitors (buying habits, product and service preferences), geographical data. Possible consequences of failure to provide data: comments and visitor comments are not possible.
Data processor and its processing activity Meta Platforms Ireland Ltd. ("Meta") - For more information about Meta's data retention periods, please visit: https://www.facebook.com/legal/terms/businesstools. The Data Controller and Meta, the operator of the Facebook social networking site, are joint controllers within the meaning of Article 26 of the GDPR when using the Page Plugin, as the administrators acting on behalf of the Data Controller and Meta jointly determine the purposes and means of the processing. The parties' obligations regarding the joint processing of data are set out in the Joint Controller Agreement ("Controller Addendum"), available here: https://www.facebook.com/legal/controller_addendum and https://www.facebook.com//legal/terms/businesstools_jointprocessing.
II. 7. FOR THOSE WHO SEND E-MAIL TO THE CORPORATE E-MAIL ADDRESS
II.7.1. Description and purpose of data processing Review and reply to unexpected messages sent to the corporate email address info@eventim.hu.
Legal basis of data processing Article 6(1)(a) of the GDPR - voluntary consent of the data subject. The
Scope of the processed data and their source Data Controller may receive e-mails, like spam messages, unexpected e-mails, or job applications at the corporate inbox; in which case the Data Controller controls personal data such as the sender’s e-mail address, name, other voluntarily provided personal data based on the voluntary consent of the person sending the e-mail. Possible consequences of not providing the data: it is not possible to contact with Data subject.
Period of data processing Depending on the content of the unsolicited e-mail, the data processing may last until the consent is withdrawn, or it will be erased without further delay (if the e-mail carries unlawful content or if it was sent in error).
II. 8. PROCESSING OF CONTACT DATA
Description and purpose of data processing The purpose of the data processing is to enable the Data Controller to contact and maintain direct contact with its partners, their employees, contact persons - i.e. the data Subject - in the course of its business activities.
Legal basis of data processing Pursuant to Article 6 (1) (f) of the GDPR, the legal basis for processing is the legitimate interest of the Data Controller or third party.
Scope of the processed data and their source The Data Controller processes the data of the Data Subjects for the purposes of maintaining contact with the contracting partner. Scope of Data Subjects: name, position, e-mail address, telephone number. Source of the Data: the Data Subject or the Company's business partner, the contracting party. The Company presumes that its Clients and Business Partners have appropriate authorisation or consent from the Data Subject in relation to the provided data originating from the natural person or have given them information about the provision of their personal data.
Period of data processing the period necessary for the purposes of processing, which may in some cases correspond to the term of a contractual relationship, but not longer than the period until the withdrawal of consent or the period for the exercise of any right of recourse (5 years from the performance of the contract (limitation period)
II. 9. DATA PROCESSING IN RELATION TO THE EXERCISE OF DATA SUBJECT’S RIGHTS
Description and purpose of data processing The Data Controller keeps a record of the exercise of the data subject's rights in order to ensure the principle of accountability under the regulations of the GDPR, to keep a record of the exercise of the data subject's rights in relation to the processing of his or her personal data and to keep documents relating to the exercise of those rights, and to keep a record of the number of times the Data Subject has exercised his or her data subject rights.
Legal basis of data processing Pursuant to the Article 6(1)(f) of the GDPR the Legitimate interest of the Controller. The Data Controller has a legitimate interest in being able to justify when and what action it has taken in relation to the Data Subject's requests and thereby complied with the provisions of the GDPR. The Data Controller can demonstrate compliance by keeping separate records in view of the potentially large number of Data Subject’s requests.
Scope of the processed data and their source The applicant's personal identification data, the content of the request, and the content of the data subject's exercise of rights record (name of the data subject as the person asserting the right, method and date of receipt of the application, subject of the application, time and method of taking measures restricting or denying the exercise of the data subject's right, as well as its legal and factual reasons, the fact that the data subject's right has been ensured, the date of fulfillment of the Data Subject's request).
Period of data processing 5 years
II.10. DATA MANAGEMENT RELATED TO THE WHISTLEBLOWING REPORTING SYSTEM
Description and purpose of data processing We have created an online portal for reporting violation. The whistleblowing system allows you to contact us and report compliance and legal violations without fear of reprisals. Provided that this is legally permissible, violations can be reported without providing personal data. We process personal data to the extent that it is communicated to us to verify a report made through the reporting center and to investigate suspected compliance and violations. We may have additional questions. For this purpose, we communicate through this whistleblowing system. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. However, as part of the whistleblowing reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.
During anonymous communication with us, your IP address and current location are never stored. After submitting the report, the reporter will receive access data to the mailbox of the online portal so that he can continue to communicate with us in a protected manner. In order to achieve the stated purpose, it may also be necessary to transfer personal data to external bodies, such as law firms, criminal or competition authorities within or outside the European Union.
Legal basis of data processing point c) of Article 6 (1) of the GDPR
Scope of the processed data and their source: We process the data that the notifier provides us in connection with the notification.
In addition, we also process the data of the persons named by the person reporting the abuse during the reporting of violations (e.g. the name or position of the person who caused the violation, the name or position of the persons also affected by the violation, a description of the behavior or actions of the person concerned in relation to the reported violation of duty, which may contribute to the for their identification).
Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting abuse, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process whistleblower reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated.
The data controller of the whistleblowing system The whistleblowing online portal is operated by CTS EVENTIM AG &Co. We use it together with KGaA, Contrescarpe 75a, 28195 Bremen, Germany. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us and compliance@eventim.de . at address.
Data processor: Deloitte
II.11. DATA PROCESSING RELATED TO THE COMPLIANCE SYSTEM
Description and purpose of data processing EVENTIM Compliance operates an independent, impartial and confidential Compliance reporting system. Employees and third parties, including customers and suppliers, have the opportunity to report potential violations through confidential reporting channels and thus contribute to their clarification.
Legal basis of data processing point c) of Article 6 (1) of the GDPR
Scope of the processed data and their source: the data provided by the Notifier. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. However, as part of the abuse reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.
Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting Compliance case, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process Compliance reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated.
The data controller of the online Compliance reporting portal We use the Compliance system together with the company is CTS Eventim Austria GmbH Compliance Mariahilferstraße 41-43, A-1060 Wien, Österreich. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us or at the following e-mail address compliance@eventim.at
- III. DATA PROCESSORS
The Data Controller may share (besides its own competent staff) the personal data with the below companies as data processors for the below purposes:
-Operation of software and IT framework related to ticketing
CTS EVENTIM AG & Co. KgaA
- Delivery: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: H-2351 Alsónémedi, Európa u. 2., Hungary; contact information: info@gls-hungary.com, phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany) - Online payment: KPS Payment GmbH & Co. KG (seat: Contrescarpe 75A, 28195 Bremen, Germany)
- OTP SimplePay: OTP Mobil Kft. (Simple) (1138 Budapest, Váci út 135-139., Cg.: 01-09-174466, Privacy notice: https://simple.hu/adatkezelesi-tajekoztato /
- PayPal payment system PayPal (Europe) S.à r.l. et Cie, S.C.A., (283, route d’Arlon, L-1150 Luxembourg) privacy notice: https://www.paypal.com/webapps/mpp/ua/privacy-full
- Hosting provider: Perftech d.o.o. : Baragova ulica 7E, 1000 Ljubljana, Slovenia
- Partners of the Data Controller (ticket sellers): Ticket seller partners of the Data Controller are listed on the http://www.eventim.hu/hu/outletek/ website. - For the purpose of sending newsletter and promotion e-mails: Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780)
- Social media platforms and marketing cookies:
Facebook (Meta Ireland Platforms Limited (seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, data protection: https://www.facebook.com/policy.php)
Google Ireland Limited, (Gordon House, Barrow Street, Dublin 4, Ireland) - Event organizers: The personal data of the Data Subjects may be transferred to event organizers in case of some events mainly for the purpose of purchasing tickets for the event or for admission to the event.. In such cases EVENTIM may be considered a data processor in respect of such data, and the exact data of the recipient event organizers will be given in a separate notice to the Data Subjects and these data processing operations will be further governed by the Event organisers' own privacy policy as data controllers. - Other data transfers:
In individual cases, the Data Subject has the possibility to subscribe on the website to newsletters and mailings (in some cases sent by post) from certain event organisers (promoters), their service providers or other third parties by giving the appropriate consent and to consent to the transfer or forward of data to these promoters on a case-by-case basis for similar purposes. In the event of a data transfer, the Data controller shall log and record the data subject's consent and shall the Data Controller transfers the Data Subject's personal data indicated in the data subject's consent to the relevant promoters and they will process it as independent data controllers in their sole discretion and at the own risk of the Data Subject in accordance with the terms of their own privacy policy and subject under data protection legislation. The transfer of personal data is based on Article 6 (1) (a) of the GDPR as and it is based on the explicit consent of the Data Subject. The scope of the personal data processed for the purpose of the transfer: according to the consent. The Data Controller shall delete the data no later than 30 days after the event.
In case of an exceptional authority request or request of other organizations, if authorized by the law, the Data Controller is obliged to provide information, communicate, transfer data or provide documentation, in particular, the Data Controller may make the personal data of the Data Subject accessible in case of an official request made by the court, the police; infringement of IP rights, property rights or other infringement of law or in case of reasonable suspicion of the above or in case of endangering or violating the Data Controller’s interests or the provision of its Services. In such cases the Data Controller transfers personal data to the requester – in the event it determined the exact purpose and scope of data – only to the extent necessary to achieve the purpose of the request. - Data transfer to third countries It may occur that the Data Controller transfers personal data to a service provider seating outside of the European Union, a so called “third country”. In case the personal data is transferred to a third country, the Data Controller guarantees that data transfer is only carried out to a country which is qualified as secure country by the European Commission. The Data Controller requires from all recipients of personal data to take appropriate security measures to protect personal data when transmitted to third countries, by applying the general data protection clause of Article 46 (2) of the GDPR. - Web Analytics Measurements Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), as an independent, external provider supports the independent measure of the frequency of visits and other web analytical data of the Websites. Detailed information on the data processing can be found at the following link: http://www.google.com/analytics. The Data Controller uses the data provided by Google Analytics solely for statistical purposes and to optimize the operation of the website.
· IV. WHAT ARE YOUR RIGHTS RELATED TO THE DATA PROCESSING?
The detailed rights and remedies of the individuals – which include Employees and the people listed in Section 1 – are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Employer provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.
In the course of Data processing, the Data Subject is entitled especially to the rights set out in this point.
o Right to information and access
o Right to rectification
o Right to deletion
o Right to restriction of data processing
o Right to data portability
o Right to object
o Right to withdraw consent
Right to information and access The Data Subject is entitled to receive information about the facts related to the data processing prior the start of the data processing. The Data Subject is entitled to request information on his or her personal data and on the processing thereof. The Data Controller provides the opportunity to the Data Subject to receive information on the personal data processed and to receive copy or extract of the documents containing the personal data. The Data Subject is entitled to receive information as to whom, for which purpose and in what scope his or her personal data processed by the Data Controller have been forwarded. The Data Controller is obliged to provide information regarding the personal data and the processing thereof. The Data Controller is obliged to provide information in writing and in plain language without undue delay, but within one (1) month from the submission of the request at the latest. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month on the reasons of lack of taking measures, and inform the Data Subject on the possibility of the legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information.
Right to rectification The Data Subject is entitled to request the rectification and correction of his or her personal data. Furthermore, having regard to the aim of the data processing, he or she is entitled to request the supplementation of the incomplete personal data. The Data Subjects are recommended to review their personal data from time to time in order for the optimal use of the services provided by the Data Controller and if necessary, to contact the Data Controller to clarify their data as described above. Within five years of the death of the Data Subject the rights of access, rectification, restriction and deletion shall be exercised by the person authorized by the Data Subject in a public document or a private document with full probative value placed at the Data Controller or failing that, close relatives of the Data Subject shall exercise these rights. Right to deletion The Data Subject is entitled to request the deletion of his or her personal data: a) for which the Data Controller does not have the consent or statutory authorization to control (right of objection), b) that are no longer necessary in relation to the purposes for which they were collected or otherwise processed, c) regarding which the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing, d) that have been unlawfully processed, e) that have to be erased for compliance with a legal obligation. Right to restriction of data processing Instead of deletion, the Data Controller restricts the processing of personal data in the following cases: a) upon the request of the Data Subject, when the Data Subject challenges the accuracy of the personal data; in such case the restriction lasts until the Data Controller verifies the accuracy of the personal data, or b) when the Data processing is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction on the use of the personal data instead, or c) when the Data Controller no longer needs the personal data for the purpose of data processing, but the Data Subject requires that for its legal interests, or d) when the Data Subject has objected to data processing, but it is necessary to determine, whether the legal interests of the Data Controller override those of the Data Subject.
The Data Controller will communicate any rectification or deletion of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller informs the individual about those recipients if he/she so requests.
Right to data portability The Data Subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and is entitled to transmit those data to another Data Controller. Right to object The Data Subject is entitled to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is necessary for reasons of public interest or for carrying out a task falling within the scope the Data Controller’s public powers or for enforcing the legal interests of the Data Controller or a third party. In case of objection, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to filing, enforcing or defence of legal claims. Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such reason, which includes profiling if it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The user may object to the data processing based on legitimate interests by sending an e-mail to the Data Controller at dataprotection@eventim.hu. Where the legal basis for the processing is the legitimate interest of the Controller, the Controller has carried out and may continue to carry out the balancing of interests test in accordance with the relevant provisions of the GDPR. The user has the right to view the legitimate interest assessment test prepared in relation to the processing based on legitimate interests, upon request, by sending an e-mail to the Data Controller at dataprotection@eventm.hu or by post.
Right to withdraw consent The Data Subject may withdraw his or her consent without reasoning given to the data processing at any time. Withdrawal of consent does not affect the legitimacy of the data processing based on consent given prior to withdrawal.
· V. HOW CAN YOU EXERCISE YOUR RIGHTS?
The Data Subject may submit his or her request for information, correction, deletion or locking to the following e-mail address: dataprotection@eventim.hu. In case the Data Subject contacts the Data Controller with respect to this Notice, asks questions, makes comments, this information will be retained and used by the Data Controller for the purpose of providing adequate answer. The Data Controller is obliged to provide information regarding the request for correction, locking or deletion in writing and in plain language without delay, but no later than within one (1) month from the submission of the request. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than one (1) month on the grounds of measures, and inform the Data Subject on the possibility of the legal remedy to turn to the court and the Hungarian National Authority for Data Protection and Freedom of Information. The Data Controller informs the Data Subject and those to whom personal data has been forwarded for the purposes of data processing on the correction, locking and deletion. The information may be omitted if it does not infringe the rightful interest of the Data Subject taking into consideration the purpose of the data processing.
· VI. HOW CAN YOU SEEK LEGAL REMEDY?
In case of any disagreement between the Data Subject and the Data Controller in connection with the data processing, it is advisable to contact the responsible personnel of the Data Controller before taking any legal actions. In order to remedy the violation of his or her rights, the Data Subject is entitled to turn to the courts or to the Hungarian National Authority for Data Protection and Freedom of Information. When the Data Subject turns to the court, he or she is entitled to initiate a litigation at the competent court within the geographical area in which the Data Subject resides or has his or her habitual residence, instead of the competent court based on the seat of the Data Controller. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information: Address: 1055 Budapest, Falk Miksa u. 9-11, Hungary Postal address: 1363 Budapest, Pf.: 9. Phone number: +36 (1) 391-1400 E-mail address: ugyfelszolgalat@naih.hu Webpage: www.naih.hu
· VII. HOW CAN WE UPDATE THIS NOTICE?
The Data Controller reserves the right to modify this Notice in the future at its discretion in particular in case of the change of law, or a change in the applicable data protection practice to ensure that the Notice provides relevant and adequate information about the collecting and processing of the personal data of the Data Subjects.
Dated: Budapest, 2024.11.21.
[1] Facebook Customer List Audience / Google Customer Match: a database of personal data of Users who have already registered or purchased on the Website is uploaded by the Data Controller to Facebook or Google, which is transformed and encrypted using various algorithms or "hash" codes, and the customer list containing the data replaced by these encrypted codes is then matched by Facebook or Google with their own user profiles and, in the event of a match, the Data Controller displays advertisements to Users who match both lists.
[2] Custom Audience / Google Similar Audience: the list of Users with similar interests to those registered or purchasing on the Website, created according to the criteria set out in the previous point, is matched by Facebook or Google with its own users, selected by the Data Controller according to demographic or geographical criteria, not included in this list, and the Data Controller displays advertisements to these users as a target audience.
In any case, the Data Controller shall not know the data of the users to whom Facebook or Google publishes its advertisements
