Information on Data Processing Related to the Websites Operated by Sport Service Center of Budapest Nonprofit Ltd.

 

 

  1. Websites operated by Sport Service Center of Budapest Nonprofit Ltd.(hereinafter: “the Company”):

 

www.bsk.sport.hu

The official comprehensive webpage of the Company operating the sports facilities with a public service mission. The website basically provides an information summary on the Company’s actions and operations, including links to the sport facilities’ websites. The primary focus of the www.bsk.sport.hu website is for the Company to fulfil their data disclosure obligations under Government Decree 305/2005. (XII. 25.) on specific provisions relating to the electronic publication of public sector information (PSI), the single PSI search service, and on inventory and data integration. As an organisation required to disclose information, the Company is obligated to define under a disclosure regulation its rules on publishing data of public interest and data accessible on public interest grounds.     

 

www.mujegpalya.hu

The official website of the Budapest City Park Ice Rink and Boating Lake, the exclusive property of the Budapest Metropolitan Council, physically situated at 5 Olof Palme sétány, 1146 Budapest, Hungary. It informs visitors about opening hours and any changes thereto, ticket prices, and latest news. The website also provides access to the web shop where tickets are sold online for the winter skating season.   

 

www.margitsziget.com

The official website of the Margaret Island Athletic Centre and Running Track, the exclusive property of the Budapest Metropolitan Council, physically situated at Margaret Island, 1007 Budapest, Hungary. It informs visitors about opening hours and any changes thereto, ticket prices, and latest news. The website does not have web shop functionality.

 

Neither website contains automatic decisional processes or profiling.

The Company assumes no responsibility for damages related to websites operated by the Company or arising from their use or unavailability, inadequate operation, breakdown, faults in the line or in the system, viruses carried by the website, or any unauthorised changes in the data therein.  

  1. Particulars of the Company acting as data controller:

 

-       Corporate name: Budapesti Sportszolgáltató Központ Nonprofit Kft.

-       Seat: 1146 Budapest, Olof Palme sétány 5., Budapest City Park Ice Rink and Boating Lake

-       Premises: HU-1007, Budapest, Margaret Island Athletic Centre and Running Track Premises: HU-1126, Budapest, Zugligeti út 66., Firign Range at Zugligeti Road

-       Registration Number: 01-09-270163

-       Tax Number: 25352050-2-42

-       Bank Account Number: 11784009-20606309

-       Founder: Budapest Metropolitan Council (HU-1054 Budapest, Városház u. 9-11.)

The Company conducts its controlling activities in compliance with statutory rules as amended from time to time, in particular with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; hereinafter: “GDPR”) and of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Freedom of Information Act”).

 

  1. General data protection policies for the operation of the website

When visiting the websites operated by the Company, the Company may record the network identity of the website visitors (hereinafter: “Data Subject”) for security reasons: their IP addresses and the software environment used by the Data Subject, as well as the time of visit and the address of the visited pages. The Company stores such data in electronic format on a server, only in aggregated form after a specific time. The Company discloses such data only to a court or authority on a binding court order or a request by the authority.    

Purpose of data processing: Data automatically recorded by the server is temporarily stored by the Company for the secure operation of the server. All other data are recorded by the Company for the purposes of running the services and for user identification.

Duration of data processing: Data provided voluntarily by the Data Subject is retained by the Company until the Data Subject requests erasure, but no more than for 30 days. Data automatically recorded by the server is available to the Company for 30 days, after which it is only kept by the Company in an aggregated form as visitor statistics.  

  1. General cookie notice

Visitors to the site operated by the Company may receive a verification file, meaning a cookie (hereinafter: “cookie”) through the website from independent third-party auditing services (Google Analytics) to calculate visitors to the site. It is not mandatory to accept the cookies and they may be blocked by the visitor in the browser, but some of our services are only available if cookies are approved. Individual data controllers (e.g., Google Analytics) will provide detailed information on how they process the measurement data.    

Cookies are data sent by the visited website to the visitor’s browser to be stored and later loaded by the same website. Cookies may have a validity period: they may be valid until the browser is closed or may have indefinite validity. As a response to all subsequent HTTP(S) queries, the browser also sends this data to the server, thereby modifying the data on the user device. 

The point of using cookies is that website services by their nature require that users be recognised (e.g., that the user has accessed the page) and be handled accordingly in the future. Its dangers include users not always being aware of them, while cookies may be used by the website operator or by other service providers with integrated contents (e.g., Facebook, Google Analytics) to follow the user, in which case the cookie contents are considered personal data.   

 

  1. Types of cookies
  1. Technically indispensable session cookies: These are cookies without which the website could not function. They have a role in identifying visitors, e.g., to track whether the visitor has signed in, the contents of their shopping cart, etc. This is typically done by storing a session-id while the rest of the data is stored on the server for safety purposes. There are safety aspects when the cookie value for the session is inadequately generated and there is a risk of session hijacking, therefore it is crucial to generate such values in an appropriate manner. Other terminologies use the phrase ‘session cookie’ for all cookies that get deleted when the user logs out from the browser (one browsing session lasts from browser launch to logout).  
  2. Cookies conducive to use: Applied to remember user choices such as page viewing preferences. These types of cookies basically mean that settings are stored in the cookie. 
  3. Cookies conducive to performance: Used to collect information on user habits, visit durations, and clicks at the visited website. These are typically apps by third part services (e.g., Google Analytics, AdWords, or Yandex.ru cookies) and are suitable for profiling visitors. 

 

VI.   Data processing from the camera system operated by the Company

Due to high visitor traffic and security required by the applied technology, the sports facility has its own CCTV system. Operation of the CCTV system is regulated by the camera operation policy. The policy contains a map of the camera system and the rules on deletion and recording for constant soundless recordings. The sports facility has cameras indoors and outdoors. The primary goal of the placement of cameras is personal protection while its secondary goal is protection of property. Pictograms warn visitors about constant video surveillance on the external surfaces of the entrances and also in all observed rooms within the premises. Recordings are automatically deleted after 3 days.    

 

Ensuring privacy rights for photo shoots

Legal background:

Photos of natural persons under the definitions of the GDPR are considered personal data, therefore taking and processing photos is defined as data processing (see Subsections 4 (1) and (2) of the GDPR).

With regard to information provided to the data subject, Article 12 of the GDPR defines general requirements under which the controller shall take appropriate measures to provide any information and any communication in a concise, transparent, intelligible and easily accessible form, using clear and plain language.  The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally. The information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing.

Processing personal information (taking photos) falls under somewhat different rules if taken for journalistic, scientific or artistic purposes. Pursuant to Subsection 2:48 (2) of the Hungarian Civil Code, the consent of the relevant person is not required for the recording and for the use of such recording if made of a crowd or at a public event. 

The premises of the City Park Ice Rink and the Margaret Island Athletic Centre are not public spaces.  

 

Photos for private use: Visitors entering the sports complex may take photos with the consent of the person in question. Photos may only be taken in areas open to visitors. Lawful processing is the responsibility of the natural person taking the pictures. The operating organisation assumes no responsibility for the activities.

 

Taking and publishing photos for journalistic, scientific or artistic purposes is subject to prior written consent by the operator and by the proprietor Budapest Metropolitan Council, as well as by the persons in question, except for cases defined in Subsection 2:48 (2) of the Hungarian Civil Code.

 

Photo shooting for commercial purposes (e.g., shooting for movies, catalogues, advertisements, magazines, engaged couples, and all photo shoots involving deployment): Subject to prior written consent by the operator and by the proprietor Budapest Metropolitan Council, as well as to a fee.  

 

Drone photography: Both the Budapest City Park Ice Rink and the Margaret Island Athletic Centre are drone-free areas. Photos taken by drones are only allowed on a case-by-case basis under a contract previously concluded with the operator. The operator does not consent to the publication of any pictures taken without his authorisation. 

 

Visitors entering the premises of the Budapest City Park Ice Rink and the Margaret Island Athletic Centre shall comply, upon entering the premises, with the policies of the sports facilities. The operator reserves the right to make recordings at his facilities and events for his own social media pages and websites, which is noted in the policies of the sports facilities. In case you do not wish to be included in photos published at the operator’s social media pages or websites that are not considered recordings made of a crowd, please contact the operator and request that the recording be blurred, covered or deleted.   

 

Budapest City Park Ice Rink and Boating Lake processes

The Budapest City Park Ice Rink has distinct modes of operation in summer and winter seasons.

In the winter season visitors are served by the Ice Rink usually from November to March next year at the ice rink established in the artificial concrete structure connected to the City Park Lake. The premises of the sports facility are fenced and may only be entered with a valid ticket, pass, or under other a separate contract within opening hours.   

In the summer season the ice rink is under water. Data processing related to the operation of the boating lake is carried out by B.A.T. Kft. In the summer season, the Historic Skating Hall and its related premises may only be visited in exceptional cases during events, by the participants of such events. During opening hours in the summer, visitors may enter the boating lake through the entrance from Hősök tere, not through the main building.   

Ticket purchases (on-site):

During winter season at the City Park Ice Rink, tickets purchased on-site do not entail the collection of personal data. Visitors entering the premises receive a ticket that also serves as a receipt for the price of the ticket paid. Purchased tickets allow visitors to enter the premises without obstructions.

 

Sports equipment rental (on-site skate rental)

Sports equipment rental is provided by a subcontractor. The sports equipment and the infrastructure used for their rental are the property of the operator. Renting does not entail personal data processing. Apart from the rental fee, persons renting skates or educational seals are required to make a deposit. The IT system only records the size of the skates.  

 

Online ticket purchases (at the web shop) during winter season

You must select the date and time of your visit under the menu item ‘Ticket purchases’, meaning whether you wish to use the services during the week, on a weekend, or during peak hours. You must select the type of your ticket in respect to age-related discounts (adult, pensioner, or student). After providing the number of tickets, the items are moved to the shopping cart. Click on the cart to check its contents or to modify if necessary. Electronic invoices are issued for all online purchases where personal data must be provided.     

The scope of personal data processed:

-        Name:

-        Email address:

-        Phone number:

-        Billing name:

-        Country:

-        Post code:

-        Town:

-        Address:

Purpose of processing: Acquiring the electronic address necessary for issuing the invoice for the services and for sending the invoice and the ticket to their holder.

Legal title of processing: Legal title provided by legislation.

Duration of processing: 1+8 years in line with the accounting law.  

After filling out all fields for purchasing and billing data, you may proceed to the payment interface of OTP bank. The OTP interface serves to enter bank card details and to verify the payment. If payment is successful, you will receive an automatic email reply along with the ticket required for entry with a unique QR code and an electronic invoice. 

You may print your ticket and bring it with you or you may present it on your electronic device. Your QR code is checked and entry is approved by the scanner at the entrance. If the code is valid, the gate opens and your ticket is validated by the system.  

 

Online sports equipment rentals (at the web shop) during winter season

 

Skate rental tickets are also available under the menu item ‘Ticket purchases’. Visitors purchasing an entry ticket and/or a rental ticket in advance do not need to queue up, you can enter directly at the central gates. You can then access the rental counter through the skate attaching area where you also do not need to stand in line. Personal data processing is identical to the scope of data required for ticket purchases and is an integrated part thereof.

 

Data handling and processing at the Margaret Island Athletic Centre (“MAC”)

MAC data handling:

The Margaret Island Athletic Centre does not process data for natural persons (data subjects) and the organisation does not operate a web shop. When natural persons purchase a ticket or a pass, the Centre issues a receipt or a pass/ticket containing information and substituting to a receipt. If an invoice is requested, data required for its mandatory contents under Article 169 of the VAT Act are collected by the operator.

 

MAC processing:

The operator engages two sports card providers under contract.

Both organisations have installed cloud-based infrastructure at the sports facility where club members can scan their cards when entering and leaving the premises. The sports centre maintains an attendance sheet for entries (paper-based). The attendance sheet serves as a registry annexed to the monthly invoices issued by the operator to the service providers.

The personal data processed on the attendance sheet only contains the

-        name

-        card number

-        date of entry

-        date of exit

for person entering the premises.

The registry is maintained within the scope of data controlling activities. Data of natural persons (Data Subjects) are fully transferred in case the contract terminates.

Data subjects’ rights and legal remedies:

In respect to each Company listed in our privacy policy, Data Subjects have and may exercise their rights as defined in legal regulations currently in effect and in the General Data Protection Regulation after 25 May 2018:

-         Right to access;

-         Right to rectification;

-         Right to erasure;

-         Right to restrict processing;

-         Right to data portability;

-         Right to object.

In case Data Subject’s right are violated despite his objections, he has the following options for legal remedy:

-         You may request information on the processing of your personal data and may request rectification thereof;

-         You may request the erasure of personal data processed on the basis of your consent, and you may withdraw your consent;

-         Upon request, we will provide information on data processed by us or processed by a controller mandated by us, the purpose of processing, its legal title and duration.

-         Personal data shall be erased if:

-          processed unlawfully;

-          so requested by the data subject;

-          the purpose of processing no longer exists;

-          incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;

-          the legal time limit for storage has expired; or

-          so ordered by court or by the data protection authority.

The User shall have the right to object to the processing of data relating to him:

-         if processing or disclosure is carried out solely for the purpose of discharging the Controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;

-         if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and

-         if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

Controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision. If, according to the findings of the controller, the data subject’s objection is justified, the controller shall notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures. If Data Subject disagrees with the decision taken by the controller, he shall have the right to bring action in the court of law within thirty days of the date of delivery of the decision. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.

Data protection authority

Please contact the National Authority for Data Protection and Freedom of Information for any complaints against violations of law by the data controller.

National Authority for Data Protection and Freedom of Information
Hungary, 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Postafiók: 5. 
E-mail: ugyfelszolgalat@naih.hu

Court:

At the discretion of the data subject, an action may be brought before the competent tribunal of the data controller’s domicile (Metropolitan Court of Justice) or of data subject’s domicile. The court shall hear such cases in priority proceedings.