Privacy policy on the penalty fare procedure of the BKK Zrt.

Pursuant to Articles 12 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter GDPR), BKK Centre for Budapest Transport (hereinafter Data Controller or BKK) provides the following information to data subjects on the processing of personal data in connection with the penalty fares.

I. Data controller information and contact details; the concepts applied in that privacy policy

Name of data controller: BKK Budapesti Közlekedési Központ Zrt.

Company seat: 1075 Budapest, Rumbach Sebestyén utca 19–21.

Data Protection Officer email address: [email protected]

Phone number (customer service): +36-1-3-255-255

For the purposes of this document, personal data is any information relating to an identified or identifiable natural person (‘data subject’), such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, based on which the natural person (data subject) can be identified.

Biometric data are personal data relating to the physical, physiological or behavioural characteristics of the data subject obtained by means of specific technical procedures which allow or confirm the unique identification of the natural person.

The Data Subjects of the personal data processing under this Notice are the natural person customers who conclude a contract with BKK or who use the passenger transport services provided by the Service Providers.

Service providers are transport service companies with which BKK, as a transport operator, has concluded a service contract for the provision of passenger transport services.

II. Description of the process of data processing, introduction of the purposes of and the legislation forming the legal basis of data processing

In order to facilitate the smooth transport of passengers, the Data Controller will operate a system based on a digital solution from 2022 onwards, which will be available on the mobile devices of ticket inspectors. In penalty fare process, BKK ticket inspectors will be able to enter the passenger's data immediately into the ticket inspection application instead of the paper penalty fare statement, either by scanning the ePersonal ID or ePassport chip offline or by manually entering the data into the application. This procedure significantly shortens the administration process.

The data of surcharged passengers are recorded by ticket inspectors in a closed system. The personal data recorded for the subsequent surcharge settlement will be automatically transferred to the Data Controller's digital surcharge registration system and will not be accessible from the ticket inspectors' mobile devices once the process is completed, from where they will be irreversibly deleted. Once the digital recording has been completed, surcharged passengers will continue to receive a paper postal cheque for the basic surcharge, together with information on the surcharge payment methods and deadlines, thus, the paper-based penalty fare process will remain in force, in addition to the digital system, with the possibility to record, on a pilot basis, an animated digital signature recorded in the mobile device application of the ticket inspector, instead of and/or in addition to the manual, manually recorded signature of the customer on the penalty fare statement.

Ticket and pass control / Penalty fare process

Ticket inspectors, HÉV ticket inspectors and persons conducting ticket inspection who are also authorised to engage in the penalty fare process may impose a penalty fare on those who do not comply with the conditions of travel. Persons refusing to pay the on-the-spot penalty fare and refusing to provide official proof of their identity shall be excluded from the journey if it is not possible to establish their identity by official means. Ticket inspectors, HÉV ticket inspectors and persons conducting ticket inspection who are also authorised for the penalty fare process are entitled to exclude the passenger from the network provision contract between the passenger and BKK, but this does not exempt the passenger from the obligation to pay the surcharge.

The penalty fare shall be payable by

cannot provide sufficient proof of entitlement to travel during the check,
infringes the conditions of carriage.

If the passenger violates the provisions of the BKK General Terms and Conditions of Business in force at the time of travel, one of the following measures must be taken:

On-site penalty fare process,
issuing a surcharge statement,
exclusion from the journey.

The ticket inspector shall inform the passenger subject to the penalty fare process of the amount of the basic surcharge laid down in the applicable Tariff and, in the event of immediate payment on the spot, of the reduced amount of the basic surcharge, also laid down in the Tariff, as well as of the other possibilities for reducing the basic surcharge and the conditions for applying them. If the passenger does not wish or is unable to pay the reduced penalty fare amount on the spot, he/she may request BKK to grant an extension for the later payment of the penalty fare. In order to do so, he/she must present his/her personal data to BKK by presenting his/her identity card, from which the data will be taken. BKK may not make copies of the photo ID. Passengers subject to the penalty fare process - regardless of the reason for the penalty fare process - must always be informed about the pass presentation procedure and the possibility of paying the amount equivalent to the penalty fare at BKK Zrt. and their conditions, thus giving the passenger the opportunity to choose the most favourable penalty fare process among all penalty fare processes.

If the passenger refuses to cooperate both in the on-the-spot penalty fare process and in the collection of the penalty fare statement, an attempt shall be made to exclude him/her from the journey. In this case, if an official - a police officer or a public order officer - is available on the vehicle or at the stop (where the passenger is disembarked), the ticket inspector shall request the assistance of the official in order to establish the identity of the passenger and shall initiate the penalty fare process against the passenger identified by the official.

Animated digital signature

Following the digital recording in the surcharge application, surcharged passengers will continue to receive a paper postal cheque for the basic surcharge, accompanied by information on the surcharge payment methods and deadlines, so that the paper surcharge process will remain in force with the digital system, instead of and/or in addition to the manual, manually recorded signature of the customer on the penalty fare process statement, an animated digital signature (recording the speed of the signature at the same time) recorded in the mobile application of the ticket inspector's mobile device may be recorded, on a pilot basis.

An animated digital signature is considered as biometric data in terms of the scope of the signature itself and the data captured using the appropriate technology associated with it. Pursuant to Article 9(2)(f) of the GDPR, where the processing is necessary for the establishment or exercise of legal claims, the special categories of personal data may be processed. The legal basis for the processing of the animated digital signature is therefore the legitimate interest of the controller within the meaning of Article 6(1)(f) of the GDPR.

In the case of an animated digital signature on a data recorder, the general characteristics that may be examined are the hand pressure and line quality, the hand emphasis and line characteristics, the writing speed and the writing movement. In the absence of an animated digital signature, i.e. in the absence of biometric data capture, the legal position of the data controller in civil litigation would be irreparably weakened and the possibility of enforcing claims would be reduced; given that the digital signature is so different from the paper signature, given the different writing instrument and surface, and the fact that it is probably captured on a moving vehicle, that in the event of a dispute with a traditional documentary evidence, the identity of the signatory cannot be established from the digital signature alone, and the biometric data listed above are necessary.

Surcharge assistance service

BKK's ticket and pass control staff offer customers the possibility to voluntarily provide their e-mail contact details, based on their prior informed consent, during the penalty fare process. The purpose of the data collection is to enable BKK to send regular information and reminders during the voluntary payment period (30 days) in order to facilitate the early settlement of the debt. The service, called Surcharge Assistant, sends information on the amount of the penalty fare to be paid, the payment deadlines, the method of settling the debt, and important information on data processing and penalty fare process to the e-mail contact details provided by the passenger. The information sent to the Customer by e-mail can also be easily unsubscribed from by clicking on the "unsubscribe" link at the bottom of the letter sent, which can be considered as a withdrawal of consent.

The Surcharge Assistant also allows the online payment of the imposed penalty fare by credit card with the support of the OTP - SimplePay system.

The Surcharge Assistant sends three simultaneous messages to the customer, taking into account the deadlines for payment of the surcharge

We inform our Customers that the data subject has the possibility to unsubscribe directly from the Toll Assistant service, which also means withdrawing the consent, after which the Data Controller will delete the e-mail address of the data subject, but this does not mean exemption from the payment of the penalty fare.

Receipt/acceptance of valuables or counterfeit or other documents entitling the holder to travel

Persons authorised by BKK to carry out checks are entitled to withdraw a season ticket certificate and/or a voucher or ticket against a receipt if

it is a forgery or has been falsified by copying or other means,
the serial number of the identity card, the student card or the student card serial number on the season ticket voucher, or, in the case of a bicycle pass, the serial number of the identity card or the number of a free travel pass has been corrected, or is not the same,
the facial image on the pass has been replaced or altered,
there is no doubt as to the identity of the holder,
the pass has been damaged to such an extent that its validity and the lawfulness of its use cannot be validity of the lease cannot be established,
if it is not used by the owner,
unauthorised use or other misuse is suspected.

If, in the case of a paper-based ticket or pass, the person authorised for ticket inspection is suspected of forgery and takes the pass issued by BKK, the Budapest 72-hour ticket, from the passenger against a receipt, regardless of the type and discount, and the result of the authenticity check carried out establishes the fact of forgery, then no pass presentation and no penalty fare can be imposed.

This procedure does not trigger a penalty fare process, and BKK will only enforce its surcharge claim if the subsequent authenticity test of the received Token confirms the forgery or misuse.

Handling of surcharge claims

BKK's Receivables Management department is responsible for the registration and management of surcharge receivables and the accounting of payments.

When enforcing the claims, it obtains the address data of the surcharge payer from the Central Register (hereinafter referred to as the Register).

In order to enforce debts not settled within the voluntary period (30 days from the date of the surcharge), the Data Controller sends reminder letters by post to the debtors of the surcharge claims or, in the case of a minor surcharger, to his/her legal representative.

The Data Controller shall enforce surcharge debts not settled within the time limit set out in the payment notices by legal means, by issuing a payment order or, after the order has become final, by initiating enforcement proceedings in order to enforce its claims.

The Data Controller may assign its outstanding claims arising from the penalty fare process to an assignee, in which case the Data Controller shall transfer the debtor's personal data to the assignee.

Key pieces of legislation concerning data processing according to this present Privacy Policy and their abbreviations used therein:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
Act XLI of 2012 on Passenger Transport Services (Szsztv.)
Act C of 2000 on Accounting (Sztv.)
Act L of 2009 on the Order for Payment Procedure (Fmh.)
Act CXXX of 2016 on the Code of Civil Procedure (Pp.)
Act CLV of 1997 on Consumer Protection (Fgytv.)
Act V of 2013 on the Civil Code (Ptk.)
Act LIII of 1994 on Judicial Enforcement (Vht.)
Act LXVI of 1992 on the Registration of Personal Data and Addresses of Citizens (Nytv.)

III. Processing of certain personal data arising in connection with the handling of penalty fares and penalty fare claims, legal basis for data processing

Designation and purpose of data processing	Legal basis of data processing	Scope of processed data	Duration of data processing
Identification of passengers who do not pay the fare or otherwise breach the conditions of carriage in connection with the performance of a passenger transport contract	Performance of a public task pursuant to Article 6(1)(e) of the GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	the natural identity data of the data subject (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), his/her address, the type and number of his/her official identity card and, if he/she is over 14 years of age, his/her animated digital or manual signature, in the case of a travel discount, the title of the discount, the identification, type, validity and issuer of the document giving entitlement to the discount, in the case of a travel-line discount, the travel-line, and in the case of a discount with a validity linked to a specific date or period, the period or date of validity. If the passenger subject to penalty fare holds an ePassport or passport, the above identification data, except for the address data and signature, and in the case of a passport, except for the mother's name and surname at birth, are recorded by an employee of the Data Controller acting offline using the ePassport chip and	It may be processed for a period of 6 months after the closure of the claims for the purpose of ex-post verification and administrative tasks until the end of the claims management activity.
Imposition of a penalty fare on passengers who do not pay the fare or otherwise breach the conditions of carriage in connection with the performance of a passenger transport contract (BKK processes your personal data for the purpose of identifying passengers who do not pay the fare or otherwise violate the conditions of travel in connection with the performance of a passenger transport contract.	Performance of a public task pursuant to Article 6(1)(e) of the GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	data necessary for the collection of the penalty fare: the natural personal identification data of the person concerned (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth, sex), address, type and number of his/her official identity card and, if he/she is over 14 years of age, his/her animated digital or manual signature, in the case of travel benefits, the title of the benefit, the identity, type, validity and issuer of the document establishing the title, the tax identification number and social security number of the beneficiary, in the case of a travel-linked discount, the travel line, and in the case of a discount with a validity linked to a specific date or period, the period or date of validity.	They may be kept for a further 6 months for the purpose of ex-post verification and administrative tasks after the closure of the claims until the end of the claims management activity. In the case of payment of a penalty fare: the Data Controller shall process it for 8 years pursuant to Section 169 (2) of the Public Provisions Act.
Recording and storage of personal data for the purpose of identifying the payment of an on-the-spot penalty fare imposed on a passenger who fails to pay the fare or otherwise violates the conditions of travel.	The performance of a public task pursuant to Article 6(1)(e) of the GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	Name, amount and date of payment, first and last 4 digits of the credit card.	The bank statement of the incoming amounts, in the case of a bank card the OTP POS list, will be kept for 8 years in accordance with Section 169 of the Act.
In order to simplify and speed up the administration of the penalty fare and to facilitate the proof of the penalty fare, an animated digital signature is recorded and stored	Legitimate interest of the controller under Article 6(1)(f) GDPR	animated digital signature of the data subject	It may be processed for a further 6 months after the closure of the claims for the purpose of ex-post verification and administrative tasks until the end of the claims management activity.
Toll assistance system During the voluntary 30-day payment period, BKK Zrt. may send regular information and reminders to help settle the debt as soon as possible	Consent of the data subject pursuant to Article 6(1)(a) GDPR	email address of the data subject	the email address of the data subject until the withdrawal of his/her consent or until the end of the voluntary 30-day payment period in the case of transactions: the bank statement of incoming amounts, in the case of bank cards the OTP POS list, will be kept for the period provided for in the Sztv, i.e. in the case of accounting vouchers (and related documentation) for 8 years after the adoption of the annual report on the year of issue of the accounting voucher.
Receipt of suspected forgeries and other documents entitling the holder to travel, for the purpose of prosecution in the event of suspected criminal offences (e.g. suspected forgery of season tickets) by the competent body	Performing a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	Pursuant to Section 7 (4) of the Szsztv, BKK Zrt. is entitled to process the following data: the natural personal identification data of the data subject (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), address, type and number of his/her official identity card and, if the data subject is over 14 years of age, his/her signature, in the case of a travel discount, the title of the discount, the identification number, type, validity and issuer of the document establishing the title, in the case of a travel-line discount, the travel line, or, in the case of a discount with a validity linked to a specific date or period, the period or date of validity.	They may be kept for a further 6 months after the closure of the claims for the purpose of ex-post verification and administrative tasks until the end of the claims management activity.
Treatment of valuables, miscellaneous vouchers and receipts received for other reasons In the case of any other collection by a person authorised for ticket inspection, provided that it is not due to suspected forgery, the passenger has the possibility to settle the penalty fare by pass presentation or by paying the on-the-spot penalty fare in arrears.	The performance of a public task within the meaning of Article 6(1)(e) of the GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	the data subject's natural person identification data (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), address, type and number of his/her official identification card suitable for personal identification and, if he/she is over 14 years of age, his/her signature, or, in the case of a travel card issued electronically to the holder, its unique serial number and the holder's facial image, in the case of a travel discount, the entitlement to the discount, the identification, type, validity and issuer of the document giving entitlement to the discount, in the case of a travel-line discount, the travel line, or, in the case of a discount with a validity linked to a specific date or period, the period or date of validity.	They may be kept for a further 6 months after the closure of the claims for the purpose of ex-post verification and administrative tasks until the end of the claims management activity. In the case of payment of a penalty fare, the Data Controller shall process it for 8 years pursuant to Section 169 (2) of the Public Provisions Act.
Collection and storage of personal data for the purposes of processing requests for payment by instalments, modification of payment deadlines, requests for fairness, other requests from the debtor and sending a reply.	Performance of a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	Name, place and date of birth, name of mother, permanent address, postal address, e-mail address	It may be kept for a further 6 months for the purpose of post-clearance verification and administrative tasks until the end of the debt management activity, after the closure of the debt. - In the case of payment of a penalty fare, it is processed for 8 years pursuant to Article 169 (2) of the Public Provisions Act.
Personal data are stored for the purpose of concluding an instalment payment agreement.	Performance of a contract pursuant to Article 6(1)(b) GDPR	full name, address, place of birth, date, mother's name, final date of performance (last instalment), signature of the beneficiary and debtor	It may be kept for a further 6 months for the purpose of post-claims verification and administration until the end of the debt management activity or until the right to object has been successfully exercised, after the closure of the claims.
Recording and storing of personal data for the purpose of issuing certificates of nullity	Performance of a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	the data subject full name, name at birth, address, place and date of birth, mother's name	the requests and the reply to them must be in accordance with the Civil Code. 6:22 until the expiry of the 5-year period of divorce
Transmission of personal data to the Registrar for the purpose of requesting the debtor's address.	Performance of a public task pursuant to Article 6 (1) (e) GDPR on the basis of the authorisation pursuant to Section 7 (9) of the Act on the Nytv.	the debtor full name, name at birth, mother's name, place and date of birth, sex	Until the return of the data.
Recording and storing the address data of the Registry for the purpose of collecting the penalty fare.	Performing a public task pursuant to Article 6(1)(e) GDPR on the basis of the authorisation under Section 7(9) of the Szsztv.	the debtor gender full name, name at birth, address, temporary address, foreign address, mother's name, place and date of birth fact of death	It may be kept for a further 6 months for the purpose of ex-post verification or administrative tasks after the closure of the claims, until the cessation of the debt management activity or the effective exercise of the right to object.
The use and storage of personal data for the purpose of classifying claims and deciding on the further recovery process on the basis of the expected recovery by means of the scoring system developed prior to the initiation of legal proceedings.	Legitimate interest of the controller under Article 6(1)(f) GDPR	the debtor the gender, date of birth, address, number of surcharge debts accumulated, whether the debtor has any seizable assets as referred to in Article 52(d) of the Vht, previous involvement in an instalment facility agreement, previous repayment information	It may be kept for a further 6 months for the purpose of ex-post verification or administrative tasks after the closure of the claims until the debt management activity is terminated or the right to object has been successfully exercised.
Storage and use of personal data for the purposes of the collection of the surcharge debt by sending out payment reminder letters .	Performing a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) Szsztv.	the debtor full name of the debtor, address date of letter, letter reference number, reference number, payment identification number, date of penalty fare process, penalty fare identifier, case number of the final payment order, payment deadline,	It may be kept for a further 6 months for the purpose of post-claim verification and administrative tasks until the debt management activity is terminated or the right to object has been successfully exercised, and after the closure of the claims. - In the event of payment of a debt, they are processed for 8 years pursuant to Article 169 (2) of the Staff Regulations.
Transfer of personal data of the surcharged data subjects to the assignee for the purpose of assignment of surcharge claims	Legitimate interest of the controller pursuant to Article 6(1)(f) GDPR	the debtor full name, address, mother's name, name, place and date of birth	the Data Controller shall process for 1 year after the signing of the Contract any document or information relating to the assigned claim and the debtor that has come to the knowledge or possession of BKK for the purpose of transferring it to the assignee. After the 1-year retention period, BKK shall immediately anonymise the personal data.
Storage and transfer of personal data to the Hungarian National Chamber of Notaries (MOKK) for the purpose of initiating the order for payment (OTP) procedure.	Performance of a public task pursuant to Article 6 (1) (e) GDPR on the basis of the statutory authorisation pursuant to Article 7 (1) (d) and (4) Szsztv.	debtor full name, address, date of the penalty fare process, date of payment, date of payment notice	It may be kept for a further 6 months for the purpose of ex-post verification or administrative tasks after the closure of the claims, until the debt management activity is terminated or the right to object has been successfully exercised.
Receipt and storage of the valid TBR issued by a notary for the purpose of enforcing surcharge claims	Performance of a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	debtor full name, address, date of the penalty fare process, date of payment, date of payment notice, FMH case number, date of issue	They may be kept for a further 6 months for the purpose of ex-post verification or administrative tasks until the debt management activity is terminated or the right to object has been successfully exercised, following the closure of the debt. In the event of payment of a debt, they are processed for 8 years pursuant to Article 169(2) of the Sztv.
Storage and transmission of personal data to the court for the purpose of enforcing the claim in the event of civil proceedings.	Performing a public task pursuant to Article 6 (1) (e) GDPR on the basis of the statutory authorisation pursuant to Article 7 (1) (d) and (4) of the Act on the Szsztv.	debtor full name, address, mother's name, name, place and date of birth of the debtor's legal representative or agent full name of the debtor address for service of process, date of the penalty fare process, date of payment, the date of the demand for payment	It may be kept for a further 6 months for the purpose of post-claims verification or administrative tasks, until the debt management activity is terminated or the right to object has been successfully exercised, and after the closure of the debt.
Sending a payment notification for the purpose of recovery of the debt on the basis of a final court judgment/judicial order.	Performance of a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	case number of final judgment, date of finality person representing the party full name, place of residence, domicile, debtor full name of the debtor, place of residence, date of the penalty fare process, due date of payment	It may be kept for a further 6 months for the purposes of ex-post verification and administrative tasks, until the debt management activity is terminated or the right to object has been successfully exercised, and after the debt has been closed.
Transmission of the debtor's personal data to the MOKK system/court for the purpose of the application for enforcement (EO).	Performance of a public task pursuant to Article 6(1)(e) GDPR on the basis of the statutory authorisation pursuant to Article 7(1)(d) and (4) of the Szsztv.	debtor full name, place and date of birth, name of mother, place of residence case number of final judgment/order for payment, date of entry into force	They may be kept for a further 6 months for the purpose of post-claims verification or administrative tasks, until the debt management activity is terminated or the right to object has been successfully exercised, after the closure of the claims.
Storage of personal data provided by the executor for the purpose of monitoring certain procedural acts carried out by him	Legitimate interest of the controller under Article 6(1)(f) GDPR	in relation to the debtor's assets, movable and immovable property real estate registration information (title deeds), information on housing and social circumstances (on-site reports), information on the debtor's other debts subject to enforcement, information on employment, benefits (in the case of income garnishment), debtor's applications	They may continue to be processed for 6 months for the purpose of ex-post verification and administrative tasks after the closure of the debt until the debt management activity is terminated or until the right to object has been successfully exercised.

For each purpose, the legal basis for processing is Article 6(1)(f) of the GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller or a third party).

According to the result of the balancing of interests carried out by the Controller in this context:

The Data Controller assesses that the purposes for which the processing is carried out are based on the legitimate interest referred to in Article 6(1)(f) of the GDPR, given that the Data Controller has the legitimate interest in the purposes being fulfilled and that the processing does not adversely affect the interests or fundamental rights and freedoms of the Data Subjects in such a way as to override the legitimate interests of the Data Controllers (the specific interests or fundamental rights and freedoms of the Data Subject do not prevail over the interest).

Legitimate interest exists	The legitimate interest is sufficiently specific, genuine and current, as the processing is really necessary for the effective performance of the Controller's business activities.
Processing is necessary	The processing is necessary for the purposes of the legitimate interest, otherwise the business objective of the Data Controller (to provide its services as efficiently as possible and with the highest level of satisfaction) could not be achieved.
Processing constitutes a proportionate restriction on the data subject	The interests, fundamental rights and freedoms of the Data Subjects are not violated during the Data Processing. The interests of the Data Subjects are not protected to a higher degree than the interests of the Data Controller. Given that the Data Subject is duly informed of the processing concerning him or her at the time of collection and that the effects of the processing are fully foreseeable due to the way in which the processing is carried out, the proportionality standard in this respect is shifted towards permissibility. The proportionality of the restriction is also enhanced by the fact that the controller provides the data subject with full, clear and comprehensible information at the time of collection on the scope of the personal data processed, the basis, the method and the time of processing, and the data subject's rights in relation to the processing.

Subject to Art. 21 of the GDPR, the Data Controller expressly draws the attention of the Data Subjects, clearly and separately from any other information, to the fact that each Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data for the purposes of the processing specified in this Notice, based on Art. 6(1)(f) of the GDPR.

In this case, the Controller may no longer process the personal data unless the Controller proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

IV. Automated decision-making including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject:

The BKK uses profiling to classify claims based on the expected recovery and to decide on the further recovery process before initiating legal proceedings, using the scoring system developed.

The scoring system applied is based on the back-testing of historical recoveries and the analysis of the results. The application of the system developed allows the screening of claims where the expected recovery in a given case is below the defined value on the basis of the parameters examined by the scoring. In these cases, as a general rule, no legal line is taken.

On the basis of the results of the data protection impact assessment carried out, the processing poses a negligible, limited risk to the rights and freedoms of data subjects and can be started.

V. Data security measures

Data Controller undertakes to ensure the security of personal data processed by it and it shall implement appropriate technical and organisational measures and adopt policies by taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of data processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons to make sure that the recorded, stored and processed data are protected and prevented from destruction, unauthorised use or alteration.

Data Controller undertakes to request from all third parties to whom data are transferred or handed over on any legal basis to comply with the requirement of data security.

Data Controller guarantees a data security level in line with the risk, including among others, as appropriate:

the pseudonymisation and encryption of personal data
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (operating and development security, protection against and detection of intrusions, prevention of unauthorised access)
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (prevention of data breach, vulnerability and incident management)
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (maintenance of business continuity, protection against malicious codes, safe storage, transmission and processing of data, security education of staff)

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Data subject’s data shall be stored on Data Controller’s protected internal server that meets the highest level of IT security guidelines. Remote access is possible only by a limited number of authorised persons through a virtual private network, following authentication. All user activity involving modification in the course of data processing shall be logged. Data shall not be copied to any physical storage devices.

Data Controller shall operate the applied IT equipment for data processing, as follows:

by ensuring the protection of physical equipment containing data related to BKK
by ensuring that only approved and authorised users have access to data used by Data Controller
by ensuring that only persons authorised to use the systems have access to Data Controller’s data
by ensuring that no unauthorised person can forward, read, alter or delete Data Controller’s data in the course of data transfer or storage. Processed data can be known only by Data Controller and its staff as well as by its commissioned data processor(s) according to different access levels; Data Controller shall not hand over any data to unauthorised third parties. Data Controller and Data Processor staff can access personal data based on job category assigned by Data Controller and Data Processor, in a defined way, according to access level.
by ensuring that Data Controller’s data are protected from accidental destruction or loss, and in case of events leading to those results, data can be accessed and restored in a timely manner
by ensuring that Data Controller’s data are handled separately from other customers’ data. Data Controller and Data Processor shall qualify and process personal data as confidential. In order to protect datasets handled electronically in different databases, Data Controller shall ensure, with the legally specified exceptions, that the data stored in the databases cannot be directly linked and attributed to Data Subject
by ensuring that Data Controller has a process is in place for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
Data Controller shall deploy a firewall to protect IT systems and use virus detection and elimination software to prevent external and internal data loss. Data Controller has taken measures for the proper control of any form of both incoming and outgoing communication in order to prevent abuse.

VI. Data processors, data transmission

The Data Controller may enforce a claim against the Data Subject, may pre-process it itself or through a third party, or may assign its claim to a third party. On the basis of the assignment, it shall provide the assignee with all data and documents relating to the outstanding claim of the Data Subject (unless otherwise agreed between the assignor and the assignee in the assignment agreement).

The Processor is entitled to process the personal data processed in this Notice during the term of its contract with the Controller and for the duration of the contract as provided by law. In the case of a Data Processor, the reason for the transfers by the Controller is to enable the Data Processor to carry out its processing activities.

Name and address of the data processor	Activity carried out by the data processor	Personal data processed by the Processor
Bitnet Group Korlátolt Felelősségű Társaság Registered office:1114 Budapest, Bocskai út 11.	Operation of the Penalty Fare Process Application and Penalty Fare Assistant System	the natural identity data of the data subject (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), address, type and number of his/her official identity card
Késmárki Szoftverfejlesztő Korlátolt Felelősségű Társaság 1068 Budapest, Benczúr utca 47.	operation, development and maintenance of the INDECS IT system for the penalty fare process and the provision of related professional support.	the natural identity data of the data subject (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), address , type and number of his/her official identity card, signature
e-Postoffice Service Provider Limited Liability Company 1135 Budapest, Kisgömb utca 6/1. fszt. 1.	Development and maintenance of the JBK (Legal Recovery Framework) software and provision of related professional support.	the data subject's natural person identification data (name and surname, name and surname at birth, place and date of birth, mother's name and surname at birth), address
DRESCHER Hungary Direct Mailing Informatikai és Nyomdai Kft. 1097 Budapest, Gyáli út 31.	the process of bulk printing, enveloping, and equipping and processing of mail with domestic e-receipt to be electronically processed.	name and surname of the person concerned, address , payment order number

The bank card data will be processed by OTP Mobil Kft. (Cg. 01-09-174466; registered office: 1143 Budapest, Hungária krt. 17-19.; hereinafter referred to as SimplePay) is stored and processed on the basis of its Privacy Policy (https://simplepay.hu/adatkezelesi-tajekoztatok/).

BKK Zrt. does not store or process bank card data, BKK only processes token data. By saving your bank card, you agree to SimplePay saving your card data and you accept the OTP Bank's Privacy Policy. If you wish to delete your card data, you can do so using the contact details provided in this Information. By sending the identification code generated by SimplePay, you indicate your request to the bank to delete your card data and SimplePay will take the necessary measures in accordance with its own procedures and the Data Processing Information referred to above. No personal data other than the card identification code required to identify the card to be cancelled will be transmitted to SimplePay in connection with your cancellation request.

In the event of a request from a public authority, the data requested by the public authority will be transmitted to the public authority.

VII. Your rights as a data subject and how to exercise those rights

Data Controller shall inform the data subject through the contact channels provided by him or her without undue delay, and in any event one month of receipt of data subject’s request about action taken on the request submitted in line with the information below. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of data subject’s request together with the reasons for the delay.

You, as a data subject, have the following options to exercise your rights below:

In person:

BKK customer service centres

By telephone:

BKK Call Centre +36 1 325 52 55

In writing to Customer Service:

letter addressed to 1075 Budapest, Rumbach Sebestyén u. 19-21.
email: [email protected]

Your right to be informed

Data Controller is obliged, if the personal data originate from the Data Subject at the time of obtaining the personal data, to provide the following information on the processing to the Data Subjects:

the name, contact details and representative of the Data Controller;
the contact details of the Data Protection Officer
the purposes for which the personal data are intended to be processed and the legal basis for the processing;
in the case of processing based on legitimate interests, the legitimate interests pursued by the Controller or by a third party;
the recipients of the personal data;
the duration of the storage of personal data
whether the Controller intends to transfer the personal data to a third country or an international organisation;
information on the rights of the Data Subject;
the right to withdraw consent in the case of processing based on consent;
the right to lodge a complaint with a supervisory authority;
whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract;
the fact of automated decision-making, including profiling.

The obligation to provide the information described above need not be fulfilled if the Data Subject already has the information referred to in these points.

If the personal data have not been obtained from the Data Subject, the Data Controller shall provide the Data Subject with the above information and, in addition, the following information:

the categories of personal data concerned;
the source of the personal data and, where applicable, whether the data originate from publicly available sources.

If the personal data have not been obtained from the Data Subject, the obligation to provide information does not apply if:

the Data Subject already has the information
it would be impossible or disproportionate to provide the information,
the acquisition or disclosure of the data is expressly required by EU or Hungarian law applicable to the Data Controller, or
the personal data must remain confidential under an obligation of professional secrecy under EU or applicable Hungarian law.

Your right of access

You have the right to receive feedback from the Data Controller as to whether or not your personal data are being processed and, if such processing is taking place, you have the right to access your personal data and the following information:

the purposes of the processing;
the categories of personal data processed about you;
the recipients or categories of recipients to whom the personal data are or will be disclosed by the Data Controller, including in particular recipients in third countries or international organisations;
where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
your right to request the Controller to correct, delete or restrict the processing of personal data concerning you and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information);
if the data were not collected by the Data Controller from you, any available information about their source;
the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information about the significance of such processing and its likely consequences for you.

The Data Controller will provide you with a copy of the personal data processed. The Controller may charge a reasonable fee based on administrative costs for any additional copies you request. If you have made a request by electronic means, the information shall be provided in a commonly used electronic format unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

Your right to rectification and completion

Upon your request, the Controller shall correct inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Your right to erasure

You as a data subject shall have the right to obtain from Data Controller the erasure of personal data concerning you. Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

you withdraw consent on which the processing is based and where there is no other legal ground for the processing;
you object to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority or to processing necessary for the legitimate interests pursued by the controller or by a third party, and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes;
the personal data have been collected in relation to the offer of information society services.

A request for erasure cannot be granted if the processing is necessary:

to comply with an obligation under Union or Member State law to which the Data Controller is subject to which the processing of personal data is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
for the establishment, exercise or defence of legal claims.

Your right to restriction of processing

You as a data subject shall have the right to obtain from Data Controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by you, for a period enabling BKK to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
BKK no longer needs the personal data for the purposes of the processing, but they are required by the you for the establishment, exercise or defence of legal claims, or
you have objected to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority, or to processing necessary for the legitimate interests pursued by Data Controller or by a third party, pending the verification whether the legitimate grounds of BKK override yours.

Where processing has been restricted based on the above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You as a data subject who has obtained restriction of processing shall be informed by BKK before the restriction of processing is lifted. The restriction shall apply until the reason indicated by you renders data storage necessary. You may request restriction of processing in case, for instance, you believe that Data Controller has unlawfully processed your data, however it is necessary for authority or judicial proceedings initiated by Data Controller that those data are not deleted by Data Controller. In these cases, Data Controller shall continue to store data until the official request by an authority or court of law is received; deletion will be performed thereafter.

Your right to object

You may object to the processing of your personal data if the legal basis for the processing is:

the performance of a task carried out in the public interest pursuant to Article 6(1)(e) of the GDPR or in the exercise of official authority vested in the controller;
legitimate interest of the controller or a third party pursuant to Article 6(1)(f) of the GDPR.

In the event of the exercise of the right to object, the Data Controller may no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests or rights of the Data Subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Your right to data portability

You as a data subject shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

the processing is based on consent or on a contract and
the processing is carried out by automated means.

In exercising your right to data portability, you as a data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right to data portability shall be without prejudice to the right to erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.

Your right to withdraw your consent

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

Your right to legal remedy

Contacting the Data Controller

Before initiating a procedure by a law court or authority, we recommend you send your complaint or query about the processing of your personal data to Data Controller, so that we can investigate and remedy it in a satisfactory manner, or fulfil your justified request.

Data Controller shall investigate, take action and provide information to data subject without undue delay and within the legally prescribed timeframe in the event data subject exercises his or her right in connection with the data processing, requests information about the data processing, objects to, or complains about the data processing. If needed, the time limit can be extended in a legally specified way, taking into account the complexity and number of the queries.

If the data subject lodged the query electronically, the response will also be given that way, unless data subject requests it otherwise. If Data Controller does not take action based on data subject’s query without undue delay, but within the legally specified time limit, Data Controller shall notify data subject about the reasons of absence of action, or of the refusal to fulfil the request, and whether Data Subject can launch a procedure by a court or an authority in the specific case.

In order to exercise your rights concerning data processing, or in case have any questions or concerns with regard to your data processed by Data Controller, or if you need information about your data, or wish to file a complaint, you may turn to Data Controller using the contact details listed under Point I in this Privacy Policy.

Launching a proceeding before a court of law

Data Subject may turn to a court of law against Data Controller or data processor – in connection with data processing falling within its scope of activity – if he or she believes that Data Controller or its commissioned data processor has infringed the provisions concerning the processing of personal data specified in legislation or in a mandatory legal act of the EU, while processing Data Subject’s personal data.

Settlement of the lawsuit is in the power of the tribunal. The lawsuit can also be launched before the tribunal competent according to the residence or location of the Data Subject, at Data Subject’s discretion. You can also start a civil lawsuit against BKK. Settlement of the lawsuit is in the power of the tribunal, i.e. of the Budapest-Capital Regional Court, which is competent based on the location of BKK’s registered company seat. You can also launch the lawsuit before the tribunal competent according to your place of residence.

Notification to the supervisory authority

If you believe that Data Controller has processed your data unlawfully, you shall have the right without prejudice to any administrative or judicial remedies, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, to file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) located at 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., e-mail: [email protected], phone :+36 1 391-1400, fax.:+36 (1) 391-1410, website: www.naih.hu), if in your opinion Data Controller has restricted you in exercising your rights or denied your request to exercise those rights (initiating an investigation), and if you believe Data Controller or its commissioned data processor has infringed the provisions concerning the processing of personal data specified in legislation or in a mandatory legal act of the EU (request to conduct proceedings by an authority).

This Privacy Policy is effective from 11 March 2025.