INFORMATION ON DATA PROCESSING




1. PURPOSE OF INFORMATION


This document contains all information about the processing of personal data provided by passengers when reserving the airport and station transfer services offered by FOX TRANSFERS Ltd. (seat: Hungary, 1041 Budapest, Csányi László street 34.) on https://foxtransfer.eu website (“Website”) in order to let the passengers know the purpose and conditions, the risks and guarantees, and their rights associated with the data processing before providing their personal data and their consent (hereinafter referred to as: “Document”).


This Document ensures the effectiveness of the principle of lawful, fair and transparent data processing and the informational self-determination in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as: “GDPR”) and the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as: “InfoAct”).


1. DESCRIPTION OF DATA CONTROLLER


The controller of the personal data:


FOX TRANSFER Limited Liability Company
Seat and postal address: Hungary, 1041 Budapest, Csányi László street 34.
E-mail: info@foxtransfer.eu
Phone: +36 20 989 4440
Webpage: https://foxtransfer.eu
Name of the managing director: Gergely Garami
Contact: g.garami@foxtransfer.eu
(hereinafter: “Data Controller”)


1. PURPOSE, LEGAL GROUND, AND TERM OF THE DATA PROCESSING, PERSONS ENTITLED TO KNOW THE DATA


1. Reservation of transfer


1. The purpose of data processing


Personal data provided by the passengers during the transfer reservation on the Website or via mobile app are used by the Data Controller on order to identify the passenger, to track the reservation, to keep in contact with the passenger, to assess the passengers' transfer needs, to pair it to the offer of local service providers, to calculate the fees, to send the reservation voucher, to issue invoice and to fulfill the transfer subject to the terms and conditions specified below.


1.2 Scope of data processed


Type of data
Reason of recording data
transfer location, date, type,
number of passengers
necessary to assess the passenger's transfer needs
name
necessary to identify passenger
password
required to enter the user account
email address
phone
to keep in contact with the passenger
flight identification details of the passenger arriving, the desired destination
necessary to synchronize with the offer of local service providers and to perform the fee calculations
package info
necessary to select the correct transfer vehicle
other special needs
necessary to assess the special needs of the passenger


1.3 Legal ground of data processing


Data processing is necessary for the performance of such contract, where the data subject is one of the parties [GDPR Article 6. (1) b)].


1.4 Term of data processing


Data Controller will erase the personal data after the limitation period defined by legal rules having expired. If the passenger fails to pay the transfer service fee, the Data Controller automatically deletes the reservation, including the personal information provided during the reservation process.


1.5 Entitled persons to know data


Personal data may be reached by employees directly controlled by the Data Controller (managing manager, business division manager) in order to fulfil their job duties, who process data confidentially in accordance with all applicable internal rules and procedures in effect at the Data Controller.


Data Controller will use the following data processors when processing your personal data:


3Gteam Trading and Service Limited Liability Company
Seat: 1085 Budapest, Horánszky St. 23. 1st Floor 1., door No. 1., Hungary
Representative: Gergely Tótszöllősy managing director
e-mail address: tgergely@3gteam.hu
Data processing operations performed by the data controller: website operation


Nimbleteq Kft.
Seat: 2191 Bag, Állomás St. 14., Hungary
Representative: Ádám Balogh managing director
e-mail address: nimbleteq@gmail.com
Data processing operations performed by the data controller: software development, maintenance


Tas-Audit Consulting and Administrative Services Limited Liability Company
Seat: 9700 Szombathely, II. János Pál Pápa Boulevard 45. D. Building 1st Floor 1.
Representative: Zoltán Tasnádi managing director
e-mail address: info@tas-audit.hu
Data processing operations performed by the data controller: billing


Data Controller transfers personal data of the passenger to local service provider companies (driver managers and drivers) who are entitled to use it exclusively to the transfer service. Data processing operations performed by the local service providers as data processors: usage of data in order to contact passenger, to issue the invoice and to determine the route in case of payment-on-the-day. Data Controller shall, at the passenger’s request, provide information regarding to the name and availability of the local service providers.


2. Geographical position of participants in transfer


2.1 Purpose of data processing


Data Controller uses the personal data of passengers, driver managers and drivers to facilitate contact and to share the position of participants in transfer with the other Party in order to certify the performance of the transfer service.


2.2 Scope of data processed


Type of data
Reason of recording data
name
to identify driver manager, driver
GPS data
to determine the geographical position of passengers, driver managers, drivers


2.3 Legal grounds of data processing


Data processing is necessary for the performance of such contract, where the data subject is one of the parties [GDPR Article 6. (1) b)].


2.4 Term of data processing


Data Controller will erase the personal data after the limitation period defined by legal rules having expired.


2.5 Entitled persons to know data


Personal data may be reached by employees directly controlled by the Data Controller in order to fulfil their job duties, who process data confidentially in accordance with all applicable internal rules and procedure in effect at the Data Controller.


Data Controller will use the following data processors when processing the personal data of passengers, driver managers, drivers:


3Gteam Trading and Service Limited Liability Company
Seat: 1085 Budapest, Horánszky St. 23. 1st Floor 1., door No. 1., Hungary
Representative: Gergely Tótszöllősy managing director
e-mail address: tgergely@3gteam.hu
Data processing operations performed by the data controller: website operation


Nimbleteq Kft.
Seat: 2191 Bag, Állomás St. 14., Hungary
Representative: Ádám Balogh managing director
e-mail address: nimbleteq@gmail.com
Data processing operations performed by the data controller: software development, maintenance


Data Controller transfers personal data of passengers to local service provider companies, driver managers, drivers, and it transfers personal data of driver managers and drivers to partner travel agencies and passengers who are entitled to use it exclusively to facilitate contact. The travel agencies, passengers, as data processors may use the data of driver managers, drivers and local service provider companies, and driver managers, drivers as data processors may use data of passengers exclusively for the purpose to contact and to prove the performance of the transfer service.


3. Subscription to Newsletter


1. Purpose of data processing


Data Controller uses data provided by the passengers to send newsletters, advertising letters, questionnaires electronically in order to inform the passengers about the news concerning its services, events, sales or to assess the interest, expectations of the passengers for the improvement of its own services.


3.2 Scope of data processed


Type of data
Reason of recording data
name
to identify passenger
e-mail address
to send newsletters


3.3 Legal grounds of data processing


The legal ground of data processing is the consent of the passenger according to which the passenger gives its prior approval to the data processing of his/her personal data by the Data Controller in accordance with the terms and conditions set out in this Document. Passenger shall be entitled to withdraw its consent any time, which shall not affect the lawfulness of data processing performed prior to the withdrawal based on the consent [GDPR Article 6 (1) a)].


3.4 Term of data processing


Data Controller shall control the personal data of the passenger until its consent is withdrawn. Passenger may withdraw his/her consent at any time by sending a letter to the above-mentioned e-mail address of the Data Controller.


3.5 Entitled persons to know data


Personal data may be reached by employees directly controlled by the Data Controller in order to fulfil their job duties, who process data confidentially in accordance with all applicable internal rules and procedure in effect at the Data Controller.


Data Controller will use the following data processors when processing the personal data of passengers, driver managers, drivers:


3Gteam Trading and Service Limited Liability Company
Seat: 1085 Budapest, Horánszky St. 23. 1st Floor 1., door No. 1., Hungary
Representative: Gergely Tótszöllősy managing director
e-mail address: tgergely@3gteam.hu
Data processing operations performed by the data controller: website operation








1. TRANSFER OF PERSONAL DATA TO THIRD PARTY, OFFICIAL DATA PROVISION


Data Controller shall be entitled to transfer the data of the passenger to someone else only in exceptional cases, if the transfer of the data is necessary to fulfill legal obligations pertaining to the Data Controller. For example, provided that a judicial procedure commences where the passenger is involved, and the court in charge needs the documents containing personal data of the passenger or the police visits the Data Controller and asks for the documents containing the personal data of the passenger.


1. TECHNICAL AND ORGANISATIONAL MEASURES FOR DATA SECURITY


Data Controller will use the cloud-based storage service of 3Gteam Trading and Service Limited Liability Company to store personal data.


Data Controller ensures the security of the personal data of the passenger, the protection against unauthorized or unlawful processing, accidental loss, destruction or damage, including the confidentiality of information systems and tools used to manage personal data, integrity, availability and resistivity by applying technical and organizational measures in compliance with the rate of risk.


1. RIGHTS RELATED TO DATA PROCESSING


1. Right of information/access


Data subject may ask for information from the Data Controller in writing or via email on the availabilities of the Data Controller listed above whether its personal data is processed or not by the Data Controller. If such data controlling is in progress, the data subject shall be entitled to ask for information from the Data Controller of what personal data is processed on what legal ground, for what purpose, from what source and for how long and to whom, when, on what legal basis, what personal data did the Data Controller ensure access or to whom did the Data Controller transfer the personal data, including particularly the third country recipients and international organizations.


Data Controller shall answer the claim within 30 days from receiving the information request of the data subject on the availabilities given by the data subject in letter or via email. Data subject access to its personal data in such a way that the Data Controller sends the personal data concerned in writing or by email to the data subject.


2. Right to rectification


Data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him on the availabilities of the Data Controller listed above. For example, he/she may change his/her e-mail address or password anytime. Data Controller fulfills the request within 30 days and notifies the data subject about the activity carried out by the given availabilities in letter or via e-mail.


3. Right to erasure/ to be forgotten


Data subject shall have the right to obtain from the Data Controller to erase his/her personal data without undue delay on the availabilities of the Data Controller listed above in writing or via e-mail, if any of the below mentioned reasons occurred:


1. the personal data are no longer necessary in relation to the purposes for which they were collected by the Data Controller;
2. the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
4. the personal data have been unlawfully processed by the Data Controller;
5. the personal data have to be erased for compliance with a legal obligation applicable to the Data Controller;
6. the personal data have been collected in relation to the offer of information society services to children.


Data Controller fulfills the request within 30 days and notifies the data subject about the activity carried out by the given availabilities in letter. If the Data Controller transferred the personal data to others, it shall inform those data controllers/processors that the data subject requested the erasure of all copy and replication of his/her personal data.


4. Right to blocking/restriction of processing


Data subject shall have the right to obtain from the Data Controller the blocking or restriction of his/her personal data without undue delay on the availabilities of the Data Controller listed above in writing or via e-mail, if any of the below mentioned reasons occurred:


1. the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;


1. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;


1. the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;


1. the data subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.


Where processing has been blocked/restricted, personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The blocking/restriction will last as long as the reason indicated by the data subject requires storage.


5. Right to data portability


Data subject shall have the right to receive the personal data concerning him, which he/she has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, where the processing is based on the consent of the data subject or on a contract and the processing is carried out by automated means.


In exercising his/her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible. The Data Controller fulfills the request within 30 days and notifies the data subject about the activity carried out by the given availabilities in letter.




6. Right to object


Data subject shall have the right to object at any time to processing of personal data concerning him/her based on the legitimate interest of the Data Controller or a third party on the availabilities of the Data Controller listed above in writing or via e-mail. In this case the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall, on the availabilities of the Data Controller listed above in writing or via e-mail have the right to object at any time to processing of personal data concerning him/her for such marketing, in which case the personal data shall no longer be processed for such purposes.


7. Automated individual decision-making, including profiling


Data Controller does not apply decision-making based solely on automated processing, including profiling. Should the Data Controller introduce a decision-making process based on such processing in the future, it shall duly inform the data subject previously by e-mail of the applied logic, method and its point, and shall ensure to the data subject to require human intervention from the Data Controller, to express its position or to object to the decision.


1. POSSIBILITIES FOR ENFORCING RIGHTS RELATED TO DATA-PROCESSING


If the data subject notices unlawful data processing, prior to the initiation of any proceeding, it is advisable to first communicate its complaint to the Data Controller in order to let the lawful status to be restored by the Data Controller.


Data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him/her infringes his/her lawful rights or there is a direct danger thereof. The contact info of the supervisory authority is the following:


National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet Avenue 22/c., Hungary
Postal address: 1530 Budapest, mailbox 5.
E-mail: ugyfelszolgalat@naih.hu
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: www.naih.hu


Data subject shall be entitled to initiate a civil procedure when experiencing unlawful data processing. The tribunal court has competence to adjudicate the litigation. The proceeding – according to the choice of the data subject – may be commenced before the tribunal court of the geographical area in which the data subject resides. The list and contact details of the tribunals can be viewed via the following link: http://birosag.hu/torvenyszekek


1. REVIEW AND MODIFICATION OF THIS DOCUMENT
The circumstances of the data processing may change from time to time, or the Data Controller may at any time decide to supplement the ongoing data processing with new purposes, and therefore the Data Controller reserves the right to change this Document at any time. Data Controller will notify the data subject prior to any modifications of the Document.


1. LEGAL RULES PERTAINING TO THE DATA PROCESSING


The applicable legal rules pertaining to the data processing of the data subject:


* Act I of 2012 – on the Labor Code (“Lc.”)


* REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”)


Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“InfoAct”)