PRIVACY NOTICE
Privacy Policy of MAHART PassNaveKft. www.mahartpassnave.hu
www.mahartports.hu and www.mahartttours.hu respectively
1:
Mahart PassNave Kft. / 1056 Budapest, Belgrade Quay, International Boat Station / hereinafter referred to as the Company /as a data controller, carries out its data processing activities in accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council ("GDPR"). The purpose of this notice is to inform visitors to the Company's website www.mahartpassnave.hu, www.mahartports.hu and www.mahartttours.hu and customers about the data processed by the Company in the course of operating the website and other activities related to data processing. The terms used in this notice have the same meaning as defined in the EU Regulation 2016/679 ("GDPR").
2. Definitions:
- "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- "processing" means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "restriction of processing" means the marking of stored personal data for the purpose of restricting their future processing
- 'profiling' means any form of automated processing of personal data by which personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person
- "pseudonymisation" means the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no association with identified or identifiable natural persons is possible.
- 'filing system' means a set of personal data, structured in any way, whether centralised, decentralised, functional or geographical, which is accessible on the basis of specific criteria;
- 'controller' means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
- 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller
- "recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the framework of an individual inquiry in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing
- 'third party' means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or the processor, are authorised to process personal data
- 'consent of the data subject' means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data relating to him or her by means of a statement or an unambiguous act of affirmation
- 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed
- "genetic data" means any personal data relating to the inherited or acquired genetic characteristics of a natural person which contains specific information about the physiology or state of health of that person and which results primarily from the analysis of a biological sample taken from that natural person
- 'biometric data' means any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of a natural person, such as facial image or dactyloscopic data
- 'health data' means personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of the natural person
- "activity centre":
(a) in the case of a controller established in more than one Member State, the place of its central administration within the Union, but where decisions concerning the purposes and means of the processing of personal data are taken at another place of activity of the controller within the Union and the latter place of activity has the competence to implement those decisions, the place of activity which took those decisions shall be considered the centre of activity;
(b) in the case of a processor having its place of business in more than one Member State, the place of its central administration within the Union or, where the processor does not have a central administration in the Union, the place of business of the processor within the Union where the main processing activities in relation to the activities carried out at the place of business of the processor take place, where the processor is subject to obligations under this Regulation
- 'representative' means a natural or legal person established or resident in the Union, designated in writing by the controller or processor pursuant to Article 27, who represents the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation
- "undertaking" means any natural or legal person carrying on an economic activity, regardless of the legal form, including partnerships or associations carrying on a regular economic activity
- 'group of undertakings' means the controlling undertaking and the undertakings controlled by it
- 'Binding Corporate Rules' means the rules on the protection of personal data which a controller or processor established in the territory of a Member State of the Union follows in one or more third countries in respect of the transfer or series of transfers of personal data by a controller or processor within the same group of undertakings or the same group of undertakings engaged in joint economic activities
- 'supervisory authority' means an independent public authority established by a Member State in accordance with Article 51
- "supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data for one of the following reasons:
(a) the controller or processor is established in the territory of the Member State of that supervisory authority;
(b) the processing significantly affects or is likely to significantly affect data subjects residing in the Member State of the supervisory authority; or
(c) a complaint has been lodged with that supervisory authority
- 'cross-border processing of personal data':
(a) the processing of personal data within the Union in the context of activities carried out by a controller or processor established in more than one Member State in several Member States; or
(b) the processing of personal data in the Union which takes place in the context of activities carried out by a controller or processor at a single establishment and which affects or is likely to affect data subjects to a significant extent in more than one Member State
- 'relevant and reasoned objection' means an objection to a draft decision, raised with regard to whether this Regulation has been infringed or whether the envisaged measure concerning the controller or processor is in compliance with this Regulation; the objection must clearly demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union
- 'international organisation' means an organisation governed by public international law or its subsidiary bodies or any other body which is established by or under an agreement between two or more countries.
3. Data processing on the website
3.1. Processing of data in the course of ticketing or brokerage activities on the websites
Purpose of processing. The purpose of the processing is to ensure the correct recording of the order when purchasing tickets and to issue an invoice in accordance with the accounting standards.
Data subjects: visitors or customers registered on the website for the purpose of purchasing tickets
Data processed: date, time, company name, surname, first name, email address, address, tax number
Legal basis for data processing: fulfillment of an order, or in the case of registration, Article 6 (1) (a) and (b) of EU Regulation 2016/679 ("GDPR") and Article 13/A (3) of Act CVIII of 2001 on certain issues of information society services. In the case of the creation of an accounting document, Article 6(1)(c) of Regulation EU 2016/679 ("GDPR").
Duration of processing. In the case of an accounting voucher, 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.
3.2. Data processing during the purchase of gift vouchers on the website:
Purpose of the processing: the sales platform operated on the Company's websites and the information communicated by the Company can be accessed by any external visitor. The purpose of the processing is to ensure the correct recording of the order during the purchase of a gift voucher and to issue an invoice in accordance with the accounting regulations.
Data subjects: visitors or customers registered on the website for the purpose of purchasing gift vouchers
Data processed: date, time, company name, surname, first name, telephone number, serial number of gift voucher, date of travel
Legal basis for data processing: In the case of order fulfillment or registration, Article 6(1)(a) and (b) of Regulation (EU) 2016/679 (“GDPR”) and Article 13/A(3) of Act CVIII of 2001 on certain issues of information society services. In the case of the generation of an accounting document, Article 6(1)(c) of Regulation (EU) 2016/679 (“GDPR”).
Duration of data processing: In the case of the receipt of a request for deletion, the personal data will be deleted immediately. In the case of the generation of an accounting document, 8 years pursuant to Article 169(2) of Act C of 2000 on Accounting.
The data controllers authorized to access personal data and the recipients of personal data: The personal data provided during registration are processed by the data controller's employees entrusted with the marketing activities, the data processing company entrusted with the operation of the website, and the data protection officer.
3.3. Data processing during the sending of the newsletter:
Purpose of data processing: when registering on the Company's websites, the user may give his/her prior consent to be contacted by the Company with its current offers by electronic or paper newsletter using the contact details provided during registration. In the absence of registration, the Company does not send advertising messages, and the registered user may unsubscribe from receiving the newsletter orally, by e-mail or by telephone. Newsletter registration requires acceptance of the privacy statement on the website.
Data subjects: visitors who have given their consent to receive the newsletter on the website
Data processed: date, time, surname, first name, email address, telephone number
Legal basis for data processing: in the case of subscribing to the newsletter, Article 6 (1) a) of Regulation (EU) 2016/679 ("GDPR") and Article 6 (5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity.
The personal data will be deleted without delay upon receipt of a request for erasure.
The personal data provided during registration may be processed by the employees of the data controller entrusted with the marketing activity, the employees of the data processing company entrusted with the operation of the website, the data protection officer.
3.4. Personal data processing in case of loyalty card applications:
Purpose of processing: the Company operates a loyalty group, the purpose of which is to provide its loyal customers and their family members living in the same household with individual discounts, personalized offers and direct information about the Company's current offers and promotions.
Data subjects: persons who apply for a loyalty card on the website
Data processed: surname, first name, email address, telephone number,
Legal basis for processing: article 6(1)(a) of EU Regulation 2016/679 ("GDPR")
Duration of processing: until the data subject's consent is withdrawn.
The data controllers authorized to access personal data and the recipients of personal data: The personal data provided during the submission of the quality complaint are processed by the data controller's employees entrusted with the performance of marketing activities, the data processing company entrusted with the operation of the website, the data protection officer
4. Persons authorized to delete, modify or restrict the processing of personal data: • Marketing Manager Postal address: 1066 Budapest, Belgrád rakpart, International Shipping Station.
Email address: ertekesites@mahartpassnave.hu
Telephone number: 06 1 484 4013
5. Data processing or joint processing in the course of the operation of the website:
In the operation of the website, the data controller shall only use data processors or joint controllers that provide guarantees for the implementation of appropriate technical and organisational measures to ensure compliance with the requirements of Regulation EU 2016/679 and the protection of the rights of data subjects. The parties have defined in a transparent manner, in a written agreement between them, the allocation of their responsibilities for the performance of their obligations, in particular in relation to the exercise of the rights of the data subject, in the processing and joint processing. The Company uses the following data processors or joint controllers for the operation of the website:
- Travelgate Kft., 1094 Budapest, Páva utca 8.
- Storage service: BIT Hungary Kft., Budapest, Budakeszi út 51. - Travelgate Kft., 1094 Budapest, Páva utca 8.
- Complog MRC Kft., Budapest, Varjú u 48.
6. Use of cookies when using this website:
Mahart PassNave Ltd would like to send cookies to your computer to enhance your experience on http://mahartpassnave.hu.
It is important to us to protect your personal information and to be open about how we use it. This information is for informational purposes only and is provided to help you enjoy your time on our websites.
So, what is a cookie?
A small text file containing information that is stored on your computer when you visit a website. It is used to help websites remember what you have done while you are there. For example, it stores information about whether you clicked on certain links or pages, logged in with your username or read certain pages on the site months or even years before.
There are different types of cookies and without them websites will not work as you are used to. PassNave Ltd websites also use cookies to ensure the best user experience and only use the most necessary and useful cookies.
What types of cookies are found on Mahart PassNave Ltd. websites?
Cookies may be either persistent or valid at the time of use and we distinguish between first-party and third-party cookies. Below we explain what these terms mean so that you can better understand the cookies we use and why we use them.
Cookies that are valid during your browsing session:
Browsing session cookies allow you to be recognised when you visit a website so that any page changes or selections can be remembered by the browser from page to page. These cookies allow you to move quickly and easily through the many pages of a website without having to identify yourself or repeat processes on each page you visit. Cookies that are valid during your browsing session are temporary and expire as soon as you close your browser or leave the website.
Persistent cookies:
Persistent cookies are cookies that remain "persistent" on your computer for a certain period of time after the browsing session has expired, and therefore allow you to recall users' preferences or actions during subsequent visits to the website.
Cookies from the website operator:
These are cookies from the website operator of the website you are browsing.
Third party cookies:
Cookies may also be your own (internal) or third-party (external) cookies. Internal cookies are set by the Mahart PassNave Ltd website you visit, while external cookies are set by someone else. PassNave Ltd. only allows the setting of external cookies that it has approved in advance.
Google Analytics cookies are necessary for monitoring the website and for obtaining information about how the website is used.
We use this information to compile statistics and further develop the website. Google Analytics cookies store information in anonymous form, such as the number of visitors to the website or the subpages viewed.
These cookies are set by Google Analytics. For more information, please visit the following page: http://www.google.com/analytics. To disable tracking by Google Analytics on all websites, please visit http://tools.google.com/dlpage/gaoptout. Cookie consent: We will only place cookies on your computer, phone or tablet with your consent. You can give this consent by clicking the "Accept" button in the cookie pop-up window. If you do not want our website-related cookies to be placed on your computer, phone or tablet, the website will most likely not function properly. Even if you initially consent to the use of cookies, you can choose to disable and delete cookies at any time in your internet browser settings. However, please note that without the use of cookies, you will not be able to access many features that make your browsing experience easier, and some of our services may not function properly.
Setting and Deleting Cookies If you prefer not to use cookies, you can delete them from your browser's cookie folder. You can also set your browser to block cookies or to display a warning message before storing a cookie. These settings are usually available in your browser's 'settings' or 'preferences' menu. If you have any further questions, we recommend that you visit the 'All About Cookies' website: http://www.allaboutcookies.org
7. Other rights of data subjects:
• Right of access The data subject has the right to obtain from the controller information as to whether or not his or her personal data are being processed and, where such processing is taking place, access to the personal data collected by the controller. • Right to rectification The data subject has the right to obtain from the controller, at his or her request, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purpose of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
• Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where the conditions set out in Article 17(1) of Regulation (EU) 2016/679 apply.
• Right to be forgotten
Where the controller has made personal data public and is obliged to erase them, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, those personal data.
• Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead
- the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims
- the data subject has objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override those of the data subject.
• Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of Regulation (EU) 2016/679 and the processing is carried out by automated means.
• Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (a) of Article 6(1) of Regulation (EU) 2016/679, including profiling based on those provisions. In such a case, the controller shall no longer process the personal data.
• Automated decision-making in individual cases, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The previous paragraph shall not apply where the decision:
• is necessary for entering into, or the performance of, a contract between the data subject and the controller
• is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
• is based on the data subject's explicit consent.
8. Security of data processing:
Taking into account the state of the art and the costs of implementation, the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, including, where appropriate:
a) the pseudonymisation and encryption of personal data
b) the continued confidentiality, integrity, availability and resilience of systems and services used to process personal data
c) the ability to restore access to and the availability of personal data in a timely manner in the event of a physical or technical incident
d) a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of data processing.
9. Informing the data subject about the data breach and reporting the incident to the supervisory authority:
The controller shall report the data breach to the competent supervisory authority without undue delay and no later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall inform the data subject of the personal data breach without undue delay.
10. Legal remedies:
The data subject may request access to his/her personal data, rectification of data, restriction of processing of personal data, and the right to data portability and – with the exception of data processing obligations specified in the law – to submit a request for deletion of personal data at the contact details provided in the information.
The Company shall provide information on the measures taken in response to requests related to data processing within 1 month of receipt of the request. This deadline may be extended by 2 months if there is a legitimate reason. The Company shall provide information on the extension of the deadline within 1 month of receipt of the request, indicating the reasons for the delay. If the Company does not take measures in response to the request of the person affected by the data processing, it shall provide information without delay, but no later than one month from receipt of the request, on the reason for the failure to take measures and on the method of complaint handling that can be submitted to the supervisory authority and court.
In case of violation of the rights of the data subject or in case of any comments, you can make a statement at the following contact details:
• By post to MAHART PassNave Személyhajózási Kft, 1056 Budapest, Belgrád rakpart
• By e-mail to adatvedelem@mhrt.hu
• By phone to 06-1/484-4001
• Data Protection Officer: Dr. László Péter Erős E-mail: info@dreroslaszlo.hu Tel: + 36 30 650-1718
In case of violation of the rights of the data subject or in case of a complaint, you may contact the following authorities:
• The competent Metropolitan Court of Justice (1055 Budapest, Markó utca 27.) according to the registered office of the Company as the data controller, or the competent court according to the place of residence of the data subject/reporter, or the competent court according to the place of residence of the data subject/reporter.
The competent courts can be found at https://birosag.hu/birosag-kereso.
• National Authority for Data Protection and Freedom of Information: 1055 Budapest, Falk Miksa utca 9-11. Email: ugyfelszolgalat@naih.hu
Last modified: September 26, 2023.