Zásady ochrany osobních údajů
1. Introduction
The purpose of this information is for the Data Controller, i.e. the users of the BLOCK micromobility parking service of AviBike Kft., i.e. the Using the BLOCK – Guards Your Ride application (hereinafter referred to as the App) available for download from the Google Play Store and the App Store, and to provide all relevant information to natural persons (hereinafter referred to as: Users) visiting the website https://www.blockcity.tech/ (hereinafter referred to as: Website) and to assist them in exercising their rights as set out in point 4.
The basis for the information obligation is Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR ), applicable from 25 May 2018, Section 16 of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv. ), and Section 4 of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society ( Elkertv. ).
The Information has been prepared taking into account the GDPR, the Information Act, and other relevant legislation for each data processing. The list of legislation is contained in Annex 1 of the Information, and the most important concepts are contained in Annex 2.
In developing and applying this notice, the Data Controller has acted in accordance with the findings of the National Authority for Data Protection and Freedom of Information’s recommendation on the data protection requirements for prior information, as well as Article 5 of the GDPR, in particular in the spirit of the principle of actor accountability set out in Article 5(2). The content of the guidelines on transparency of the European Commission’s Working Party 29 has also been implemented in data processing practice.
Obsah
2. Data controller information
3.1. Contact and stay in touch
3.2. Registration-related data processing
3.3. Data processing related to the use of the Application
3.4. Data processing related to complaint handling
3.5. Data processing related to promotional notifications
4.5. Right to restrict data processing
4.6. Right to data portability
5. Procedure for applications to practice law
5.2. Method and deadline for notification
5.4. Information and action costs
6. Data processor data related to the operation of the Application
6.2. Payment of additional services fees
6.3. In connection with invoice issuance
9.1. Data processing for different purposes
9.3. Data protection incidents
10.1. Annex No. 1; The relevant legislation
10.2. Annex No. 2; concepts related to the processing of personal data
2. Data controller information
Company name: AviBike Limited Liability Company
Abbreviated company name: AviBike Kft.
Registered office: 4484 Ibrány, Iskola Street
Company registration number: 15-09-086040
Tax number: 26651383-2-15
Represented by: Szabolcs Szilágyi, CEO
Email address: support@blockcity.tech
Phone number: +36-30/245-0301
3. Data processing processes
3.1 Contact and stay in touch
The User has the opportunity to contact the Data Controller both on the Website and through the App. In addition, the data of the Data Controller’s business partners (their natural person contact persons) is also recorded.
The personal data processed and the purpose of data processing:
|
Osobní údaje |
Purpose of data processing |
|---|---|
|
Název |
Identifying the contact person of a user or business partner. |
|
E-mailová adresa |
Contacting and maintaining contact with the User or business partner with their contact person. |
|
Telefonní číslo |
Contacting and maintaining contact with the User or business partner with their contact person. |
The legal basis for data processing is the User’s voluntary, explicit consent given upon contact (by making a phone call, sending an e-mail) to the processing of his/her personal data for the purposes set out in point 3.2.1 (GDPR Article 6 (1) (a)).
If the Data Controller uses the User’s data for a purpose other than the original data collection, it will inform the User about this and obtain their prior, express consent, or provide them with the opportunity to prohibit the use (see: Section 9.1).
The above personal data of the contact person of the business partners is the legitimate interest of the Data Controller and its business partners (Article 6 (1) of the GDPR)
f) are processed. It is the legitimate interest of both parties to ensure that business communication is effective during the use of the Website and in partnership negotiations and that information about any material circumstances affecting the contract concluded between them can be provided to each other’s designated representative. The right of informational self-determination of the business partners’ contact persons cannot be established, because they have a job-related or contractual obligation to facilitate communication between the parties and to provide their personal data for this purpose. The business partner’s contact person may object to this data processing.
Regarding the duration of data processing, the Data Controller processes the personal data provided until the consent is withdrawn. The User may withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.
The personal data of business partners’ contact persons will be processed for as long as necessary for communication and as long as the relevant legal provisions allow (5 years from the performance or termination of the contract under Act V of 2013, 8 years from the issuance of the invoice under Act C of 2000).
The data processing method is in electronic form.
Taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the data controller shall implement appropriate technical and organizational measures – such as pseudonymization – both when determining the method of data processing and during data processing, the purpose of which is, on the one hand, to effectively implement data protection principles, such as data economy, and, on the other hand, to incorporate the necessary guarantees into the data processing process to meet the requirements of the GDPR and to protect the rights of data subjects.
3.2 Registration-related data processing
The prerequisite for using the App is to register on the dedicated interface after downloading it from the Google Play store or the App Store, during which a user account will be created. Registration is also possible with a Google account and Apple ID.
The personal data processed and the purpose of data processing:
|
Osobní údaje |
Purpose of data processing |
|---|---|
|
Full name |
User identification. |
|
Date of birth |
Determining age and eligibility to use the application. |
|
E-mailová adresa |
Contacting and maintaining contact with the User or business partner with their contact person. |
|
Not |
Statistics management. |
|
Security question |
User identification, for example, facilitating identification according to security protocol in the event of a phone being dead. |
|
Telefonní číslo |
For registration, sending an authentication SMS and performing technical operations. |
|
Password |
Performing technical operations. |
The legal basis for data processing is the performance of the contract concluded between the Data Controller and the User upon registration in the App (Article 6 (1) b) of the GDPR).
The duration of data management is continuous until deletion at the User’s request. If the User does not use the App, branch -subject to Section 6:22. (1) of Act V of 2013 on the Civil Code ( Ptk. ) the last activity will be deleted after 5 years.
The data processing method is electronic. Given that the App cannot be used without knowledge of the personal data included in this section, providing personal data is a prerequisite for concluding a contract.
3.3 Data processing related to the use of the Application
The following is a detailed description of the data processing related to the use of certain functions of the App, as set out in the General Terms and Conditions (hereinafter referred to as: GTC).
Depending on the registration method, in addition to the information specified in Section 3.2, the following personal data of Users will be processed:
|
Osobní údaje |
Purpose of data processing |
|---|---|
|
Location data of the User’s mobile device (GPS coordinates and time of determination of GPS coordinates) |
Informing users about nearby BLOCK stations, for the sake of making the service more convenient. |
|
Information regarding check-in time. |
Avoiding abuse. |
The legal basis for data processing is the performance of the contract concluded between the Data Controller and the User upon registration in the App, given that the above functions are part of the service provided by the Data Controller (Article 6 (1) b) of the GDPR).
The duration of data management is continuous until deletion at the User’s request. If the User does not use the App, account – with regard to Section 6:22. (1) of Act V of 2013 on the Civil Code (Ptk. ) – the last activity will be deleted after 5 years.
The data processing method is in electronic form.
3.4 Data processing related to complaint handling
Users may contact the Data Controller by e-mail or telephone to answer their questions or investigate any complaints. The personal data processed and the purpose of data processing:
|
Osobní údaje |
Purpose of data processing |
|---|---|
|
Název |
Identification of the User. |
|
E-mailová adresa |
To communicate with the User and provide information. |
|
Telefonní číslo |
To communicate with the User and provide information. |
The legal basis for data processing is Data processing based on the Law; GDPR Article 6 (1) c) and (2) of the Info Act. Section 5 (1) b) and Act CLV of 1997 on Consumer Protection. (Fgytv.)
The duration of data management is 5 years from the receipt of the complaint, in accordance with Section 17/A. (7) of the Fgytv. The method of data management is electronic.
3.5 Data processing related to promotional notifications
In order to provide Users with up-to-date information – if they consent to it – promotional notifications
received when using the services within the App. The following information applies to the data processing in this regard:
The personal data processed and the purpose of data processing:
|
Osobní údaje |
Purpose of data processing |
|---|---|
|
Not |
User identification, sending relevant promotional requests. |
|
Date of birth |
User identification, sending relevant promotional requests. |
|
Vehicle type |
User identification, sending relevant promotional requests. |
|
GPS coordinates and the time when the GPS coordinates were determined |
Determining the user’s location and sending relevant promotional requests (nearby) based on that. |
The legal basis for data processing is the User’s consent, which can be given by clicking on the “I accept” button after reading the separate information text related to this (GDPR Article 6 (1) a)).
The personal data provided will be processed until the consent is withdrawn. The User may withdraw his/her consent at any time in the Settings -> My Profile menu item. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.
The data processing method is in electronic form.
4. User rights
It is important for the Data Controller that data processing meets the requirements of fairness, lawfulness and transparency. In light of this, the individual data subject rights are briefly presented in this section, and they are then explained in more detail in Annex 3 of the information.
The User may request free information about the details of the processing of his/her personal data, and in cases specified by law, may request their correction, deletion, blocking or restriction of processing, and may object to the processing of such personal data. The User may address the request for information and the requests included in this point to the contact details included in point 2.
4.1 Access jogging
The user can receive feedback on the processing of his/her personal data and access this personal data and the details of its processing.
4.2 Jogging for correction
At the request of the user, inaccurate personal data concerning him/her will be corrected without undue delay, or has the right to request incomplete personal data – including through an additional declaration – its addition.
4.3 Right to erasure
At the user’s request, personal data concerning him or her will be deleted if their processing is no longer necessary, or if he or she withdraws his or her consent, or objects to the processing, or if their processing is unlawful.
4.4 Jogging to oblivion
User’s request for deletion – if you require – The Data Controller shall endeavour to notify any additional data controllers who The user has become aware of, or could become aware of, any data that may have been made public.
4.5 Right to restrict data processing
At the request of the User, data processing will be restricted if the accuracy of the personal data is disputed, or the data processing is unlawful, or the User objects to the data processing, or if the personal data provided is no longer needed.
4.6 Right to data portability
The user may receive the personal data concerning him or her provided in a structured, widely used, machine-readable format, or may transmit these to another data controller.
4.7 Right to object
The User has the right to object at any time, for reasons relating to his or her own situation, to the processing of his or her personal data based on legitimate interest (see point 3.1.2). In this case, the processing of the personal data will cease, unless it is proven that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User or which are related to the establishment, exercise or defence of legal claims. In the event of an objection, the personal data will generally no longer be processed for this purpose.
4.8 Responding to requests
Applications must be processed as soon as possible after their submission, but no later than 30 days – 15 days in case ofobjection are examined, and a decision is made on the merits of each request, of which the requester is informed in writing. If the User’s request is not fulfilled, the decision will state the factual and legal reasons for rejecting the request.
4.9 Legal remedies
The Data Controller considers the protection of personal data important and respects the User’s right to informational self-determination, therefore it tries to respond to all requests in a correct manner and within a deadline. In view of this, before resorting to any official or judicial claim, the Data Controller asks the User to please contact – for the purpose of making a complaint or question – in order to resolve any objections as soon as possible.
If the request is unsuccessful, User
• You can enforce your rights before a court based on Act V of 2013 on the Civil Code (the lawsuit can also be initiated before the court competent for the User’s place of residence or stay; the list of courts and their contact details can be viewed via the following link:http://birosag.hu/torvenyszekek), and
If the request is unsuccessful, User
• According to the provisions of the Infotv., you can contact the National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11.; telephone: +36-1-391-1400; fax: +36-1-391-1400; fax: +36-1-391-1400; fax: +36-1-391-1400: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; website: https://. www.naih.hu/panaszuegyintezes-rendje.html; online filing: https://www.naih.hu/online-uegyinditas.html; hereinafter: NAIH) and file a complaint.
5. Procedure for applications to practice law
5.1 Notify recipients
In all cases, the recipients to whom the User’s personal data have been disclosed will be notified of any correction, deletion or restriction of data processing, unless this proves impossible or would require a disproportionate effort. Upon the User’s request, the Data Controller will provide information about these recipients.
5.2 Method and deadline for notification
Actions taken in response to requests under point 4 shall be reported no later than one month after receipt of the request. inside – unless the User requests otherwise – the Data Controller provides information in electronic form. This deadline is necessary in case of – given the complexity of the application and the number of applications –
may be extended by a further two months. The deadline The User will be informed about the extension, indicating the reasons for it, within one month of receiving the request.
At the User’s request, verbal information may also be provided, provided that the User proves their identity in another way. If no action is taken following the request, the User will be informed of the reasons for this within one month of its receipt at the latest, and that he or she may file a complaint with the NAIH and exercise his or her right to judicial remedy (section 4.9).
5.3 Control
In exceptional cases, if there are reasonable doubts about the identity of the natural person submitting the request, the Data Controller may request the provision of additional information necessary to confirm the identity. This measure is necessary to promote the confidentiality of data processing, i.e. to prevent unauthorized access to personal data, as defined in Article 5(1)(f) of the GDPR.
5.4 Information and action costs
The Data Controller provides information on requests related to point 4 and the measures taken based on them free of charge.
If the User’s request is clearly unfounded or – especially due to its repetitive nature – excessive, – in view of the requested administrative costs associated with providing information or notification or taking the requested action – may be charged, or the Data Controller may refuse to take action based on the request.
6. Data processor data related to the operation of the Application
6.1 Informatics reasonable fee
The data processor is responsible for operating, developing and maintaining the IT system of the BLOCK service, as well as storing and maintaining the related databases, and conducting professional consultations related to this. The data processor performs the archiving and regular reorganization of the database, system recovery testing, troubleshooting and other maintenance tasks.
Name: AviBike Ltd.
Contact: https://blockcity.tech/
6.2 Payment of additional services fees
The fee for in-app payments can be paid through the banking service provider as a data processor.
The data processor’s details are as follows:
Name: OTP Mobile Ltd.
Contact details: https://simple.hu/fooldal/
6.3 In connection with invoice issuance
In connection with invoicing, the data processor used by the Data Controller will learn about the personal data provided by the Users for this purpose.
The data processor’s details are as follows:
Name: KBOSS.hu Ltd.
Contact details: https://www.szamlazz.hu/szamla/main
7. Data security
The employees of the Data Controller and the data processors are entitled to access the User’s personal data to the extent necessary to perform the tasks within their scope of work. The Data Controller takes all security, technical and organizational measures that guarantee the security of the data.
7.1 Organizational measures
The Data Controller enables access to IT systems with a person-specific authorization. The principle of “necessary and sufficient rights” applies when assigning access, i.e. each employee may use IT systems and services only to the extent necessary to perform their duties, with the appropriate authorizations and for the necessary period of time. Access to IT systems and services may only be granted to a person who is not subject to restrictions for security or other (e.g. conflict of interest) reasons and who has the professional, business and information security knowledge necessary for its safe use.
The data controller and the data processors undertake strict confidentiality rules in a written declaration and are obliged to act in accordance with these confidentiality rules during their activities.
7.2 Technical measures
The data – except for data stored by data processors – The data controller stores it on its own devices in a data center. IT devices storing data are stored in a separate, closed server room, protected by a multi-stage access control system subject to authorization checks.
Passwords provided by Users are doubly protected.
The internal network is equipped with multi-level firewall protection. At all entry points of the public networks used In all cases, a hardware firewall (border protection device) is installed. The data is redundantly – that is, in several places – are being for storage so that they are protected from destruction, loss, damage, and unlawful destruction resulting from the failure of the IT device.
In order to protect internal networks from external attacks, multi-level, active, complex protection against malicious codes (e.g. virus protection) is applied. Essential external access to IT systems and databases is achieved via encrypted data connection (VPN).
The Data Controller does everything possible to ensure that its IT tools and software continuously comply with technological solutions generally accepted in market operations.
During development, the data controller creates systems in which, through logging, the operations performed can be controlled and monitored, and incidents that have occurred, such as unauthorized access, can be detected.
The data controller’s server is located on the hosting provider’s separate dedicated server, protected and closed.
Taking into account the recommendationof the NAIH on the data protection requirements for data processing on party websites,the Data Controller uses the https protocol on the website.
8. Cookies
In order for the website to function properly, the Data Controller in certain cases places small data files on the User’s computer device, similar to most modern websites.
A cookie is a small text file that a website places on the User’s computer device (including mobile phones). This allows the website to “remember” the User’s settings (e.g. language used, font size, display, etc.), so that they do not have to be set again each time the User visits the website.
List of cookies used on the Website:
|
Cookie name |
Cookie function |
Cookie expiration |
|---|---|---|
|
ss_cid |
Identification of the User. |
2 years |
|
ss_CookieAllowed |
To communicate with the User and provide information. |
30 days |
|
ss_cpvisit |
To communicate with the User and provide information. |
2 years |
|
ss_cvisit |
Identifying and tracking visitors on the site. |
30 minutes |
|
ss_cvr |
Identifying and tracking visitors on the site. |
2 years |
|
ss_cvt |
Identifying and tracking visitors on the site. |
30 minutes |
These cookies can be deleted or blocked, but in this case the website may not function properly. Cookies are not used by the Data Controller to personally identify the User. These cookies serve only the purposes described in the table above.
8.1 Managing cookies
Cookies can be deleted (for more information, see www.AllAboutCookies.org) or blocked with most modern browsers. However, in this case, certain settings will need to be re-entered each time you use the website and certain services may not work.
9. Other provisions
9.1 Data processing for different purposes
If the Data Controller intends to use the provided data for a purpose other than the original purpose of data collection, it will inform the Users about this and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.
9.2 Registration obligation
The Data Controller shall keep records of the data processing activities carried out under its responsibility (data processing activity records) in accordance with Article 30 of the GDPR.
9.3 Data protection incidents
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed. In the event of a data breach, the Controller shall act in accordance with Articles 33 and 34 of the GDPR. It shall keep records of data breaches, indicating the facts relating to the data breach, its effects, and the measures taken to remedy it.
9.4 Amendment
The Data Controller has the right to unilaterally modify this Notice at any time, so it is recommended that Users regularly review and read the Notice!
Effective: 2024.07.01.
AviBike Ltd.Data Controller Szabolcs Szilágyi Managing Director
10. Attachments
10.1. Annex No. 1; The relevant legislation
When developing the Information, the Data Controller took into account the relevant applicable laws and important international recommendations, with particular regard to the following:
• Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
• Act CXII of 2011 on the right to informational self-determination and freedom of information Act CXII of 2011 (Infotv.);
• Act V of 2013 on the Civil Code (Civil Code);
• Act CXXX of 2016 on the Code of Civil Procedure (Pp);
• Act C of 2000 on Accounting (Accounting Act);
• Act CLV of 1997 on Consumer Protection (Fgytv.);
• Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Elkertv.)
10.2. Annex No. 2; concepts related to the processing of personal data
• Data controller: the legal entity that determines the purposes and means of processing personal data;
• Data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• Data transfer: making data available to a specific third party;
• Data erasure: making data unrecognizable in such a way that their recovery is no longer possible;
restriction of data processing: marking of stored personal data with the aim of restricting their future processing;
• Data destruction: the complete physical destruction of the data medium containing the data;
• Data processor: the legal entity that processes personal data on behalf of the data controller;
• Recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not;
• Cookie: a small data package (text file) sent by the web server and placed on the user’s computer for a specific period of time, which, depending on its characteristics, the server may also supplement on subsequent visits, i.e. if the browser sends back a previously saved cookie, the service provider managing the cookie has the opportunity to connect the user’s current visit with previous ones, but only with regard to its own content;
• Data subject/user: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data;
• Consent of the data subject: any freely given, specific, adequately informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;
• IP address: In all networks where communication is based on the TCP/IP protocol, server machines have an IP address, i.e. an identification number, which allows the identification of the machines over the network. It is known that every computer connected to a network has an IP address through which it can be identified.
• Personal data: any information relating to the data subject;
• Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the termination of the processing or the deletion of the processed data.
