Privacy policy regarding the processing of personal data in connection with the preparation, organisation and conduct of programmes organised by BKK Centre for Budapest Transport as part of the Transport Research Arena (TRA2026) transport conference

Pursuant to Articles 12–14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), BKK Centre for Budapest Transport (hereinafter: Data Controller or BKK) provides the following information to data subjects regarding the processing of personal data in connection with the preparation, organisation and conduct of programmes organised by BKK within the framework of the TRA2026 transport conference.

I. Details and contact information of the data controller, and definitions of personal data and data subject

Name of the data controller: BKK Budapesti Közlekedési Központ Zártkörűen Működő Részvénytársaság (BKK Centre for Budapest Transport)

Registered office: 1075 Budapest, Rumbach Sebestyén utca 19–21.

Data Protection Officer’s contact details: [email protected]

Telephone number (customer service): +36-1-3-255-255

For the purposes of this privacy policy (hereinafter: Privacy policy), personal data means any information relating to an identified or identifiable natural person (hereinafter: Data Subject). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

The data subjects of the personal data processing operations described in this Privacy policy are those natural persons who register for and participate in the programmes organised by BKK within the framework of the TRA2026 transport conference.

II. Description of the data processing procedure, legal basis for data processing

The TRA (Transport Research Arena) is the European Commission’s biennial transport conference, which will be held in Budapest in 2026. The conference was established by the European Commission on the model of the United States TRB (Transportation Research Board), with the aim of making it Europe’s largest transport event of its kind.

This year, BKK is coordinating the preparation, organisation and running of site visits, and is also involved in developing and conducting the professional programme for the sections dealing with urban transport.

BKK is directly organising the site visit to the HungaroControl site. The names and ID card numbers of all data subjects required for the visit must be submitted to HungaroControl. To collect this information, BKK will set up a registration page where data subjects can provide the necessary details and give their explicit, unambiguous and voluntary consent to the collection and transfer of their data.

The main legislation governing data processing in accordance with this Privacy policy and the abbreviations used in this Privacy policy:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)

Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act)

III. Description of the purposes of data processing, the legal basis for data processing, the scope of data processed, and the duration of data processing

Source of personal data: for data processing purpose No. 1, the main organiser; for other data processing purposes, the Data Subject

Description and purpose of the data processing	Legal basis for data processing (In the case of Article 6(1)(c) or (e) of the GDPR, the exact legal provision is specified)	Scope of personal data processed	Duration of data processing
The processing of the list of those registered for technical visits within the framework of the TRA2026 conference for the purposes of organising and coordinating the events, establishing and maintaining contact, and for-warding the list to the programme hosts.	Legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR.	Name Email address Organisation Title	For 1 year following the end of the project (30 September 2026), i.e. until 30 September 2027
Organising and conducting visits to HungaroControl and M4 metro control center by creating a dedicated registration form and forwarding the collected data to HungaroControl and BKV Zrt..	Article 6(1)(a) of the GDPR, the data subject’s consent Consent may be withdrawn at any time, which does not affect the lawfulness of data processing carried out based on consent prior to withdrawal.	Name ID card number	Within 30 days of the visit.
Recording of attendance sheets for participants at the venue of events/programmes, for the purposes of verifying and accounting for the implementation of the event.	Legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR.	Name Organisation Title Signature	For 1 year following the end of the project (30 September 2026), i.e. until 30 September 2027.
Taking photographs, videos and audio recordings of the events. BKK may publish the recordings on its own website and social media platforms for media coverage purposes.	Legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR.	Photographs and video recordings of data subjects.	For 1 year following the end of the project (30 September 2026), i.e. until 30 September 2027.

For the data processing purposes set out in Points 1, 3 and 4 of the table, the legal basis for data processing is Article 6(1)(f) of the GDPR (data processing necessary for the purposes of the legitimate interests pursued by the data controller or by a third party).

According to the results of the balancing of interests carried out by the Data Controller in this regard:

The Data Controller assesses that, in the case of the data processing purposes set out in points 1, 3 and 4 of the table, the legal basis for data processing corresponds to the legitimate interest set out in Article 6(1)(f) of the GDPR, given that

the Data Controller’s legitimate interest in the case of Point 1: to conduct technical visits safely, in an organised and efficient manner, to ensure the prior registration of participants and the conditions for admission, and to comply with the organisational and accounting requirements relating to events organised under the Horizon Europe programme
the Data Controller’s legitimate interest in the case of Point 3: to credibly verify the actual realisation of the events and the attendance of participants, which is an essential condition for the lawful accounting and verifiability of projects implemented under EU funding
the Data Controller’s legitimate interest in the case of point 3: to document the events, provide professional and public information about them, fulfil the communication and visibility requirements of projects implemented with EU funding, and strengthen the organisation’s professional reputation.

In the Data Controller’s view, the interests or fundamental rights and freedoms of the Data Subjects are not infringed during data processing in such a way as to override the Data Controller’s legitimate interest (the Data Subject’s specific interests or fundamental rights and freedoms do not take precedence over this interest).

The legitimate interest exists	The legitimate interest is sufficiently defined, genuine and current, as the data processing is necessary for communicating the Data Controller’s activities to the public, as well as for the organised and efficient conduct of events, for providing credible evidence of the actual realisation of the event, and for the lawful accounting and verifiability of the project.
Data processing is necessary	Data processing is necessary to fulfil the legitimate interests set out above, as failure to do so would prevent the Data Controller from achieving its objective.
The data processing constitutes a proportionate restriction on the data subject	The interests, fundamental rights and freedoms of the Data Subjects are not infringed upon during data processing. The interests of the Data Subject do not enjoy a higher level of protection than those of the Data Controller. Given that the data subject receives appropriate information about the data processing concerning them at the time of data collection, and that the effects of the data processing are fully predictable due to the manner in which it is carried out, the balance of proportionality in this regard tilts towards the permissibility of the data processing. The proportionality of the restriction is also enhanced by the fact that the data controller provides the data subject with comprehensive, clear and easily understandable information at the time of data collection regarding the scope of the personal data being processed, the basis, method and duration of the data processing, and the data subject’s rights in relation to the data processing.

In accordance with Article 21 of the GDPR, the Data Controller, clearly and separately from any other information, expressly draws the attention of natural persons who are Data Subjects to the fact that every Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data for the data processing purposes specified in this policy, based on Article 6(1)(f) of the GDPR.

In such a case, the Data Controller may no longer process the personal data, unless the Data Controller demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject, or which relate to the establishment, exercise or defence of legal claims.

IV. The fact of automated decision-making, including profiling, and, at least in these cases, comprehensible information regarding the logic applied and the significance of such data processing and the likely consequences for the data subject

No automated decision-making or profiling takes place during the processing of personal data as detailed in this Privacy policy.

V. Data security measures

The Data Controller undertakes to ensure the security of the personal data it processes. Taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Data Controller undertakes to take such technical and organisational measures and establish such procedural rules as to ensure that the data collected, stored and processed are protected, and to prevent their destruction, unauthorised use and unauthorised alteration.

The Data Controller also undertakes to require any third party to whom data is transferred or disclosed on any legal basis to comply with data security requirements.

The Data Controller guarantees a level of data security commensurate with the degree of risk, including, where applicable:

the pseudonymisation and encryption of personal data,
ensuring the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data (operational and development security, protection against and detection of intrusions, prevention of unauthorised access),
in the event of a physical or technical incident, the ability to restore access to personal data and the availability of the data in a timely manner (prevention of data breaches; vulnerability and incident management),
a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of data processing (maintaining business continuity, protection against malicious code, secure storage, transmission and processing of data, security training for our employees).

When determining the appropriate level of security, particular attention must be paid to the risks arising from data processing, specifically those resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data that is transmitted, stored or otherwise processed.

The Data Subject’s data is stored on the Data Controller’s secure internal servers, the protection of which complies with the highest standards of IT security. Remote access is only possible for a limited group of authorised persons, exclusively via a virtual private network and following authentication. All operations carried out by the User and the Service Provider relating to data processing involving any modification are logged. The data is not copied to any other physical data storage medium.

The Data Controller operates the IT tools used for the processing of recorded personal data as follows:

Ensuring the protection of physical devices containing data relating to BKK.
Ensuring that only approved and authorised Users have access to the data used by the Data Controller.
Ensuring that only persons authorised to use the systems have access to the Data Controller’s data.
Ensuring that unauthorised persons cannot transmit, read, modify or delete the Data Controller’s data during data transmission or storage. The processed data may only be accessed by the Data Controller, its employees and the data processor(s) engaged by it, in accordance with their respective access levels; the Data Controller shall not disclose such data to third parties who are not authorised to access it. The Data Controller’s and the Data Processor’s employees may access personal data in a manner specified for the roles defined by the Data Controller and the Data Processor, in accordance with their respective access levels.
To ensure that the Data Controller’s data is protected against accidental destruction or loss, and that, in the event of incidents causing such consequences, the Data Controller’s data can be accessed and restored in a timely manner.
To ensure that the Data Controller’s data is processed separately from that of other clients. The Data Controller and the Data Processor shall classify and treat personal data as confidential. In order to protect data files processed electronically in various records, the Data Controller shall ensure that the data stored in the records – subject to exceptions specified by law – cannot be directly linked to or attributed to the Data Subject.
Ensuring that the Data Processor regularly tests, examines and evaluates the effectiveness of the technical and organisational measures outlined above.
To ensure the security of its IT systems, the Data Controller protects them with a firewall and uses antivirus and anti-malware software to prevent external and internal data loss. The Data Controller has also ensured that all incoming and outgoing communications, in any form, are properly monitored to prevent misuse.

VI. Data processors, data transfer

Name and registered office of the data processor	Activities carried out by the data processor	Personal data processed by the data processor
-	-	-

BKK, as the organiser, forwards the list of those registered for each technical visit to the programme hosts.

For the HungaroControl tour, BKK collects the list of participants and their ID card numbers, which it forwards to HungaroControl as a prerequisite for entry.

VII. Your (the data subject’s) rights and the procedure for exercising them

The Data Controller shall, without undue delay but within one month of receiving the request, inform the data subject via the contact details provided by them of the measures taken in response to the request as set out below. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of any extension of the time limit within one month of receipt of the request, stating the reasons for the delay.

As a data subject, you may exercise the rights listed below using the contact details provided:

In person:

At any BKK Customer Service Centre.

In writing:

By post: to the customer service address, 1075 Budapest, Rumbach Sebestyén u. 19-21.
By email: to the customer service email address bkkbkk.hu

Your right to information

The Data Controller is obliged – provided that the personal data originates from the Data Subject at the time of obtaining the personal data – to make the following information regarding data processing available to Data Subjects:

the Data Controller’s name, contact details and representative
the contact details of the data protection officer (DPO)
the purposes of the intended processing of personal data and the legal basis for the processing
in the case of data processing based on legitimate interests, the legitimate interests of the Data Controller or a third party
the recipients of the personal data
the duration of the storage of personal data
whether the Data Controller intends to transfer the personal data to a third country or to an international organisation
information on the rights of the Data Subject
in the case of data processing based on consent, the right to withdraw consent
the right to lodge a complaint with the supervisory authority
whether the provision of personal data is based on a legal obligation or a contractual obligation, or is a prerequisite for entering into a contract
the fact of automated decision-making, including profiling

The above information obligation need not be fulfilled if the Data Subject already possesses the information set out in these points.

If the personal data have not been obtained from the Data Subject, the Data Controller shall provide the Data Subject with the above information, as well as the following additional information:

the categories of the Data Subject’s personal data
the source of the personal data and, where applicable, whether the data originates from publicly available sources

If the personal data has not been obtained from the Data Subject, the obligation to provide information need not be fulfilled if:

the Data Subject already possesses the information
providing the information proves impossible or would require a disproportionate effort
the collection or disclosure of the data is expressly required by EU law or relevant Hungarian law applicable to the Data Controller, or
personal data must remain confidential in accordance with the professional confidentiality obligations laid down in EU law or applicable Hungarian law.

Your right of access

You have the right to receive confirmation from the Data Controller as to whether your personal data is being processed, and if such processing is taking place, you have the right to access your personal data and the following information:

the purposes of the processing
the categories of personal data concerning you
the recipients or categories of recipients to whom the Data Controller has disclosed or will disclose the personal data, including, in particular, recipients in third countries or international organisations
where applicable, the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period
your right to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning you, and to object to the processing of such personal data
the right to lodge a complaint with a supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information);
where the data controller has not collected the data from you, any available information regarding its source
the fact of automated decision-making, including profiling, and, at least in these cases, the logic applied and comprehensible information regarding the significance of such data processing and the likely consequences for you

The Data Controller shall provide you with a copy of the personal data subject to processing. The Data Controller may charge a reasonable fee based on administrative costs for any further copies you request. If you have submitted your request electronically, the information must be provided in a commonly used electronic format, unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

Your right to rectification and completion

Upon your request, the Data Controller is obliged to rectify inaccurate personal data concerning you without undue delay. Taking into account the purpose of the data processing, you are entitled to request that incomplete personal data be completed, including by means of a supplementary statement.

Your right to erasure

You have the right to request that the Data Controller erases personal data concerning you. The Data Controller is obliged to erase personal data concerning you without undue delay in the following cases:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
you withdraw your consent on which the processing is based, and there is no other legal basis for the processing
you object to the processing of your personal data on grounds of public interest, the exercise of official authority, or the legitimate interests of the data controller (or a third party), and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes
the personal data has been unlawfully processed
the personal data must be erased to comply with a legal obligation under Union or Member State law (Hungarian law) applicable to the data controller
the personal data was collected in connection with the offering of information society services

The request for erasure cannot be complied with if the processing is necessary:

for the purpose of exercising the right to freedom of expression and the right to information
to comply with a legal obligation under Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
on grounds of public interest in the area of public health
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the right to erasure would render impossible or seriously jeopardise such processing
for the establishment, exercise or defence of legal claims

Your right to restriction of processing

You have the right to request that the Data Controller restrict data processing if any of the following applies:

You contest the accuracy of the personal data; in this case, the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data
the processing is unlawful, and you oppose the erasure of the data, requesting instead that its use be restricted
the Data Controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims; or
the Data Subject has objected to the processing; in this case, the restriction applies for the period until it is determined whether the Data Controller’s legitimate grounds override those of the Data Subject

If data processing is restricted on the basis of the above, such personal data may, with the exception of storage, only be processed with your consent, or for the purpose of establishing, exercising or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of substantial public interest of the European Union or of a Member State. The Data Controller shall inform you in advance – if data processing has been restricted at your request – of the lifting of the restriction on data processing. The data will remain blocked for as long as the reason you have specified necessitates the storage of the data. You may request the blocking of data, for example, if you believe that the Data Controller has processed your data unlawfully, but it is necessary for the purposes of administrative or judicial proceedings initiated by you that the Data Controller does not erase them.

In this case, the Data Controller will continue to store the personal data until contacted by the relevant authority or court, after which the data will be deleted.

Your right to object

You may object to the processing of your personal data if the legal basis for the processing is:

the performance of a task carried out in the public interest, or the exercise of official authority vested in the Data Controller, as referred to in Article 6(1)(e) of the GDPR
the legitimate interests of the Data Controller or a third party pursuant to Article 6(1)(f) of the GDPR

Where the right to object is exercised, the Data Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which are related to the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling to the extent that it is related to such direct marketing. If the Data Subject objects to the processing of personal data for the purposes of direct marketing, the personal data may no longer be processed for that purpose.

Your right to data portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to whom you have provided the personal data, where:

the legal basis for the processing is your consent or the performance of a contract to which you are a party, and
the processing is carried out by automated means

In exercising your right to data portability, you are entitled to request, where technically feasible, the direct transfer of your personal data between data controllers.

Exercising the right to data portability shall not prejudice the right to erasure. The right to data portability does not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.

Your right to withdraw consent

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.

Your right to seek redress

Contacting the Data Controller

We recommend that, before initiating court or administrative proceedings, you send your enquiry or complaint regarding the processing of your personal data to the Data Controller so that we may investigate and resolve the matter to your satisfaction, or so that we may fulfil any request or claim you have made in accordance with the preceding section, provided it is well-founded.

The Data Controller shall, in the event of the Data Subject exercising any of their rights relating to data processing as set out in the previous section, request for information regarding data processing, or in the event of an objection or complaint regarding data processing, the Data Controller shall investigate the matter without undue delay, within the timeframe prescribed by the applicable legislation, take action in response to the request and provide information on the matter to the Data Subject. Where necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended in accordance with the law.

If the Data Subject submitted the request electronically, the Data Controller shall provide the information electronically where possible, unless the Data Subject requests otherwise. If the Data Controller does not take action in response to the Data Subject’s request without delay, but at the latest within the time limit specified by law, it shall inform the Data Subject of the reasons for the failure to act or for refusing to comply with the request, and that the Data Subject may initiate court or administrative proceedings in the case as set out below.

In order to exercise your rights relating to data processing, or if you have any questions or concerns regarding the data processed by the Data Controller, or if you wish to request information regarding your data, lodge a complaint, or exercise any of your rights as set out in the previous section, you may do so via the contact details of the Data Controller listed in Section 1.

Initiating legal proceedings

The Data Subject may bring legal proceedings against the Data Controller or – in connection with data processing operations falling within the scope of the data processor’s activities – against the data processor, if, in their opinion, the Data Controller or the data processor acting on its behalf or under its instructions processes their personal data in breach of the provisions laid down in legislation or in a binding legal act of the European Union concerning the processing of personal data.

The adjudication of the action falls within the jurisdiction of the court. The action may also be brought before the competent court at the Data Subject’s place of residence or habitual residence, at the Data Subject’s discretion. You may also bring a civil action against BKK. The court has jurisdiction to hear the case. The case may generally be brought before the Municipal Court of Budapest, which has jurisdiction over the BKK’s registered office, or – at your discretion – before the court in the jurisdiction of your place of residence.

Submitting a complaint to the supervisory authority

If you believe that the Data Controller is processing your data unlawfully – without prejudice to other administrative or judicial remedies – you are entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1055 Budapest, Falk Miksa utca 9-11, postal address: 1363 Budapest, PO Box 9, email:ugyfelszolgalatnaih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, website: www.naih.hu) – in particular in the Member State of your habitual residence, place of work or the place where the alleged infringement occurred – if you consider that the Data Controller is restricting the exercise of your rights or has rejected your request to exercise those rights (initiation of an investigation), and if, in their opinion, the processing of their personal data by the Data Controller or by a data processor commissioned by or acting on the instructions of the Data Controller infringes the provisions on the processing of personal data laid down in legislation or in a binding legal act of the European Union (request for the conduct of an administrative procedure).