Pursuant to Articles 12–14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), BKK Centre for Budapest Transport (hereinafter: the Data Controller or BKK) provides the following information to data subjects regarding the processing of personal data in connection with the Bubi 3.0 test operation conducted by BKK Zrt.
I. Details and contact information of the data controller; definitions of ‘personal data’ and ‘data subject’
Name of the data controller: BKK Budapesti Közlekedési Központ Zártkörűen Működő Részvénytársaság (BKK Centre for Budapest Transport)
Registered office: 1075 Budapest, Rumbach Sebestyén utca 19–21.
Contact details of the data protection officer: [email protected]
Telephone number (customer service): +36-1-3-255-255
For the purposes of this data processing policy (hereinafter: Privacy Policy), personal data means any information relating to an identified or identifiable natural person (hereinafter: Data Subject). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
The data subjects in relation to the processing of personal data as set out in this Privacy Policy are those natural persons who participate in the testing of Bubi 3.0 and express their opinions in connection with it.
II. Description of the data processing procedure and the legal basis for data processing
Data subjects can register to test the entire Bubi 3.0 system via a registration portal.
BKK will send testers an email informing them of the key details required for the testing, as well as the link to the platform where they can provide feedback on their experiences with the system. This feedback option will be anonymous. However, throughout the entire testing process, participants will also have the opportunity to express their opinions about the system and its operation by name – via email – and to make suggestions via the specified electronic channel.
The main legislation governing data processing as set out in this Privacy Policy and the abbreviations used herein are as follows:
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Privacy Act)
III. Description of the purposes of data processing, the legal basis for data processing, the scope of the data processed, and the duration of data processing
Source of personal data: the data subject
| Description and purpose of the data processing | Legal basis for data processing (in the case of Article 6(1)(c) or (e) of the GDPR, the exact legal provision is specified) | Scope of personal data processed | Duration of data processing |
| | Article 6(1)(a) of the GDPR, the data subject’s consent. Consent may be withdrawn at any time; this does not affect the lawfulness of data processing carried out on the basis of consent prior to its withdrawal. | Name, email address, telephone number | BKK will delete the personal data provided during registration 60 days after the testing period has ended. |
| (sending information/notifications about the testing process, receiving feedback provided under your name, etc.) | Legitimate interest of the data controller pursuant to Article 6(1)(f) of the GDPR. | Name, email address, telephone number, home address, date of birth; location data (GPS coordinates of the mobile device); location data relating to smart lock operations (opening/closing) | BKK will delete all personal data of testers by the time Bubi 3.0 goes live, but no later than 60 days after the end of the testing phase. Any feedback or opinions provided under a name will subsequently be stored by BKK in anonymised form. |
The Data Controller wishes to carry out testing of the entire Bubi 3.0 system (app and bicycles) and, in the course of this, to maintain ongoing contact and communicate with data subjects, which requires the processing of personal data.
The legal basis for the data processing required for this is Article 6(1)(f) of the GDPR (data processing necessary for the purposes of the legitimate interests pursued by the data controller or by a third party).
According to the results of the balancing of interests carried out by the Data Controller in this regard:
The Data Controller considers that the legal basis for data processing for testing and communication purposes corresponds to the legitimate interest set out in Article 6(1)(f) of the GDPR, given that it is in the Data Controller’s legitimate interest to ensure that testing is carried out smoothly and that, on the basis of the opinions, feedback and suggestions received, the live system is tailored to users’ needs. The interests or fundamental rights and freedoms of the Data Subjects are not infringed upon during data processing in such a way as to override the Data Controller’s legitimate interest (the specific interests or fundamental rights and freedoms of the Data Subject do not take precedence over this interest).
| A legitimate interest exists | The legitimate interest must be sufficiently specific, genuine and current, as the data processing is actually necessary for the effective performance of the Data Controller’s business activities. |
| Data processing is necessary | Data processing is necessary to fulfil the legitimate interest, as without it the Data Controller’s business objective – to provide its service as efficiently as possible whilst achieving the highest level of satisfaction – could not be realised. |
| Data processing constitutes a proportionate restriction on the data subject | The interests, fundamental rights and freedoms of data subjects are not infringed upon during data processing. The data subject’s interests do not enjoy a higher level of protection than the Data Controller’s interests. Given that the data subject receives appropriate information about the data processing concerning them at the time of data collection, and that the effects of the data processing are fully predictable due to the manner in which it is carried out, the balance of proportionality in this regard tilts in favour of the permissibility of the data processing. The proportionality of the restriction is also enhanced by the fact that the data controller provides the data subject with comprehensive, clear and easily understandable information at the time of data collection regarding the scope of the personal data being processed, the legal basis, method and duration of the data processing, and the data subject’s rights in relation to the data processing. |
In accordance with Article 21 of the GDPR, the Data Controller, clearly and separately from any other information, expressly draws the attention of natural persons who are Data Subjects to the fact that every Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data for the data processing purpose specified in this Policy, which is based on Article 6(1)(f) of the GDPR.
In such cases, the Data Controller may no longer process the personal data, unless the Data Controller demonstrates that the processing is justified on compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject, or which relate to the establishment, exercise or defence of legal claims.
IV. The fact that automated decision-making, including profiling, takes place, as well as, at least in these cases, the logic applied and comprehensible information regarding the significance of such data processing and the likely consequences for the data subject
No automated decision-making or profiling takes place in the processing of personal data as detailed in this Privacy Policy.
V. Data security measures
The Data Controller undertakes to ensure the security of the personal data it processes. Taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Data Controller shall take such technical and organisational measures and establish such procedural rules as are necessary to ensure that the data collected, stored or processed are protected, and to prevent their destruction, unauthorised use and unauthorised alteration.
The Data Controller also undertakes to require any third party to whom it transfers or discloses data on any legal basis to comply with data security requirements.
The Data Controller guarantees a level of data security commensurate with the level of risk, including, amongst other things, where applicable:
- the pseudonymisation and encryption of personal data,
- ensuring the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data (operational and development security, protection against and detection of intrusions, and prevention of unauthorised access),
- in the event of a physical or technical incident, the ability to restore access to personal data and the availability of such data in a timely manner (prevention of data breaches; vulnerability and incident management),
- a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of data processing (maintaining business continuity, protection against malicious code, the secure storage, transmission and processing of data, and security training for our employees).
When determining the appropriate level of security, particular consideration must be given to the risks arising from data processing, specifically those resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data that is transmitted, stored or otherwise processed.
The Data Subject’s data is stored on the Data Controller’s secure internal servers, the protection of which complies with the highest standards of IT security. Remote access is permitted only to a limited group of authorised persons, exclusively via a virtual private network and following authentication. All operations carried out by Users and the Service Provider relating to data processing involving any changes are logged. The data is not copied onto any other physical data storage media.
The Data Controller operates the IT tools used for the processing of recorded personal data as follows:
- To ensure the protection of physical devices containing data relating to BKK.
- To ensure that only approved and authorised Users have access to the data used by the Data Controller.
- To ensure that only persons authorised to use the systems have access to the Data Controller’s data.
- To ensure that unauthorised persons cannot transmit, read, modify or delete the Data Controller’s data during data transmission or storage. The data being processed may only be accessed by the Data Controller, its employees and any data processor(s) engaged by it, in accordance with their respective authorisation levels; the Data Controller shall not disclose such data to any third party who is not authorised to access it. Employees of the Data Controller and the Data Processor may access personal data in a specified manner, in accordance with access levels, as assigned to the roles defined by the Data Controller and the Data Processor.
- To ensure that the Data Controller’s data is protected against accidental destruction or loss, and that, in the event of incidents causing such consequences, the Data Controller’s data can be accessed and restored in a timely manner.
- To ensure that the Data Controller’s data is handled separately from that of other clients. The Data Controller and the Data Processor shall classify and treat personal data as confidential information. In order to protect the data files processed electronically in the various registers, the Data Controller shall ensure that the data stored in the registers – subject to the exceptions specified by law – cannot be directly linked to or attributed to the Data Subject.
- To ensure that the Data Processor regularly tests, reviews and evaluates the effectiveness of the technical and organisational measures outlined above.
- To ensure the security of its IT systems, the Data Controller protects them with a firewall and uses antivirus and anti-malware software to prevent both external and internal data loss. The Data Controller has also ensured that all incoming and outgoing communications, in whatever form, are properly monitored to prevent misuse.
VI. Data processors, data transfer
| Name and registered office of the data processor | Activities carried out by the data processor | Personal data processed by the data processor |
| Citybike Global S.A.; Spain 08006 Barcelona, Carrer Tuset, 20–24, 2nd floor, Barcelona | System testing | Name, email address, telephone number, home address, date of birth; location data (GPS coordinates of the mobile device); location data relating to smart lock operations (opening/closing) |
In the event of a request from a public authority, the data requested by the authority will be forwarded to that authority.
VII. Your (the data subject’s) rights and the procedure for exercising them
The Data Controller shall, without undue delay but within one month of receiving the request, inform the data subject, via the contact details provided by them, of the measures taken in response to the request as set out below. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of any extension of the time limit within one month of receiving the request, stating the reasons for the delay.
As a data subject, you may exercise the rights set out below using the contact details provided:
In person:
At BKK customer service centres.
In writing:
- by post: to the customer service address, 1075 Budapest, Rumbach Sebestyén u. 19-21.
- by email: to the customer service email address bkk@bkk.hu
Your right to information
The Data Controller is obliged – provided that the personal data originates from the Data Subject at the time of collection – to make the following information regarding data processing available to Data Subjects:
- the Data Controller’s name, contact details and representative;
- the contact details of the data protection officer;
- the purposes of the intended processing of personal data and the legal basis for the processing;
- in the case of data processing based on legitimate interests, the legitimate interests of the Data Controller or a third party;
- the recipients of the personal data;
- the period for which the personal data will be stored;
- whether the Data Controller intends to transfer the personal data to a third country or to an international organisation;
- information on the rights to which the Data Subject is entitled;
- in the case of data processing based on consent, the right to withdraw consent;
- the right to lodge a complaint with the supervisory authority;
- whether the provision of personal data is required by law or under a contractual obligation, or whether it is a prerequisite for entering into a contract;
- the fact of automated decision-making, including profiling.
The obligation to provide the information set out above need not be fulfilled if the Data Subject already possesses the information contained in these points.
If the personal data have not been obtained from the Data Subject, the Data Controller shall provide the Data Subject with the above information, as well as the following additional information:
- the categories of the Data Subject’s personal data;
- the source of the personal data and, where applicable, whether the data originates from publicly available sources.
If the personal data were not obtained from the Data Subject, the obligation to provide information need not be fulfilled if:
- the Data Subject already has the information,
- it proves impossible to provide the information or would require a disproportionate effort,
- the collection or disclosure of the data is expressly required by Union law or Hungarian law applicable to the Data Controller, or
- the personal data must remain confidential pursuant to a professional duty of confidentiality prescribed by EU or applicable Hungarian law.
Your right of access
You have the right to receive confirmation from the Data Controller as to whether your personal data is being processed, and if such processing is taking place, you have the right to access your personal data and the following information:
- the purposes of the processing;
- the categories of personal data relating to you that are being processed;
- the recipients or categories of recipients to whom the Data Controller has disclosed or will disclose your personal data, including, in particular, recipients in third countries or international organisations;
- where applicable, the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;
- your right to request from the Data Controller the rectification, erasure or restriction of the processing of your personal data, and to object to the processing of such personal data;
- the right to lodge a complaint with a supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information);
- where the data controller has not collected the data from you, all available information regarding its source;
- the fact that automated decision-making, including profiling, is taking place, and, at least in such cases, the logic applied and comprehensible information as to the significance of such data processing and the likely consequences for you.
The Data Controller shall provide you with a copy of the personal data subject to processing. The Data Controller may charge a reasonable fee based on administrative costs for any further copies you request. If you have submitted your request electronically, the information must be provided in a commonly used electronic format, unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.
Your right to rectification and completion
Upon your request, the Data Controller is obliged to rectify any inaccurate personal data concerning you without undue delay. Taking into account the purpose of the data processing, you are entitled to request that incomplete personal data be completed, including, amongst other things, by means of a supplementary statement.
Your right to erasure
You have the right to request that the Data Controller erases your personal data. The Data Controller is obliged to erase your personal data without undue delay in the following cases:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based, and there is no other legal basis for the processing;
- you object to the processing of your personal data on grounds of public interest, the exercise of official authority or the legitimate interests of the data controller (or a third party), and there are no overriding legitimate grounds for the processing, or you object to the processing of your personal data for direct marketing purposes;
- the personal data has been processed unlawfully;
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law (Hungarian law) applicable to the data controller;
- the personal data was collected in connection with the offering of information society services.
A request for erasure cannot be complied with if the processing is necessary:
- for the purposes of exercising the right to freedom of expression and the right to information;
- to comply with a legal obligation under Union or Member State law to which the data controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- on grounds of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the right to erasure would render impossible or seriously jeopardise such processing;
- for the establishment, exercise or defence of legal claims.
Your right to restriction of processing
You have the right to request that the Data Controller restrict data processing if any of the following apply:
- you contest the accuracy of the personal data; in this case, the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the data, requesting instead that its use be restricted;
- the Data Controller no longer needs the personal data for the purposes of data processing, but you require it for the establishment, exercise or defence of legal claims; or
- the Data Subject has objected to the processing; in this case, the restriction applies for as long as it remains to be determined whether the Data Controller’s legitimate grounds override those of the Data Subject.
If data processing is restricted on the basis of the above, such personal data may, apart from storage, only be processed with your consent, or for the purpose of establishing, exercising or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of substantial public interest of the Union or of a Member State. The Data Controller shall inform you in advance – if data processing has been restricted at your request – of the lifting of the restriction on data processing. The data will remain blocked for as long as the reason you have specified necessitates the storage of the data. You may request that the data be blocked, for example, if you believe that the Data Controller has processed your data unlawfully, but it is necessary for the purposes of administrative or judicial proceedings initiated by you that the Data Controller does not erase the data.
In this case, the Data Controller will continue to store the personal data until the authority or court makes a request, after which the Data Controller will delete the data.
Your right to object
You may object to the processing of your personal data if the legal basis for the processing is:
- the performance of a task carried out in the public interest or the exercise of official authority vested in the Data Controller, as set out in Article 6(1)(e) of the GDPR;
- the legitimate interests of the Data Controller or a third party, as set out in Article 6(1)(f) of the GDPR.
Where the right to object is exercised, the Data Controller may no longer process the personal data, unless it demonstrates that the processing is justified on compelling legitimate grounds which override the interests and rights of the Data Subject, or which relate to the establishment, exercise or defence of legal claims.
Where personal data are processed for the purposes of direct marketing, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, insofar as it is related to direct marketing. If the Data Subject objects to the processing of personal data for the purposes of direct marketing, the personal data may no longer be processed for that purpose.
Your right to data portability
You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to whom you have provided the personal data, where:
- the legal basis for the processing is your consent or the performance of a contract to which you are a party, and
- the processing is carried out by automated means.
When exercising your right to data portability, you are entitled – where technically feasible – to request the direct transfer of your personal data between data controllers.
Exercising the right to data portability shall not prejudice the right to erasure. The right to data portability does not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. The right to data portability shall not adversely affect the rights and freedoms of others.
Your right to withdraw consent
You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of data processing carried out on the basis of consent prior to withdrawal.
Your right to seek redress
Contacting the Data Controller
We recommend that, before initiating court or administrative proceedings, you send the Data Controller your enquiry or complaint regarding the processing of your personal data so that we may investigate it and resolve it to your satisfaction, or so that we may comply with any request or claim you have made under the previous point, provided it is well-founded.
In the event of the Data Subject exercising any of their rights relating to data processing as set out in the previous point, submitting a request for information regarding data processing, or making an objection or complaint concerning data processing, the Data Controller shall investigate the matter without undue delay, within the timeframe prescribed by the applicable legislation, take appropriate action in response to the request, and provide the Data Subject with information on the matter at . Where necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended in accordance with the law.
If the Data Subject has submitted the request electronically, the Data Controller shall provide the information electronically where possible, unless the Data Subject requests otherwise. If the Data Controller does not take action in response to the Data Subject’s request without undue delay, but at the latest within the time limit specified by law, it shall inform the Data Subject of the reasons for failing to take action or for refusing to comply with the request, and that the Data Subject may initiate court or administrative proceedings in their case as set out below.
In order to exercise your rights relating to data processing, or if you have any questions or concerns regarding the data processed by the Data Controller, or if you wish to request information about your data, lodge a complaint, or exercise any of your rights as set out in the previous point, you may do so using the contact details of the Data Controller listed in point 1).
Initiating legal proceedings
The Data Subject may bring proceedings against the Data Controller or – in connection with data processing operations falling within the scope of the data processor’s activities – against the data processor, if they consider that the Data Controller, or the data processor commissioned by or acting on the instructions of the Data Controller, is processing their personal data in breach of the provisions laid down in legislation or in a binding legal act of the European Union relating to the processing of personal data.
The court has jurisdiction to hear the case. The case may also be brought – at the Data Subject’s discretion – before the competent court in the Data Subject’s place of residence or habitual residence. You may also bring a civil action against BKK. The case may generally be brought before the Municipal Court of Budapest, which has jurisdiction over BKK’s registered office, or – at your discretion – before the court in the area where you are resident.
Lodging a complaint with the supervisory authority
If you believe that the Data Controller is processing your data unlawfully – without prejudice to other administrative or judicial remedies – you are entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1055 Budapest, 9–11 Falk Miksa utca, postal address: 1363 Budapest, Pf. 9, email: ugyfelszolgalat@naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, website: www.naih.hu) – in particular in the Member State of your habitual residence, place of work or the place where the alleged infringement occurred – if you consider that the Data Controller is restricting the exercise of your rights or has rejected your request to exercise those rights (initiation of an investigation), and if, in your view, the Data Controller, or a data processor commissioned by or acting on the instructions of the Data Controller, infringes the provisions governing the processing of personal data as laid down in legislation or in a binding legal act of the European Union (request for the conduct of an administrative procedure).