MÁV-START Online Ticket Purchase - Privacy Policy

Valid from date: 2023-02-01

The purpose of this Privacy Policy is to provide information on data processing of MÁV-START Railway Passenger Transport Co. in accordance with the provisions of Article 13 of the General Data Protection Regulation of the European Union (hereinafter: GDPR) in its systems operated for the purpose of online ticket sales, such as www.jegy.mav.hu and ’MÁV application’.

1. Name and contact information of Data Controller

Name:	MÁV-START Railway Passenger Transport Co.
Headquarters:	Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary
Company reg. no.:	01-10-045551
Court of registration:	The Budapest Metropolitan Court
Tax number:	13834492-2-44
E-mail:	eszrevetel@mav-start.hu

hereinafter: Data Controller.

Contact details of the Data Protection Officer:

E-mail: adatvedelem@mav-start.hu

Postal adress: 1087 Budapest, Könyves Kálmán krt. 54-60., please add: ’To the Data Protection Officer’

If the data subject purchases a domestic or international ticket/pass in the online ticket sales systems operated by the Data Controller, which entitles him/her to use the services of service providers different from the Data Controller, the Data Controller is considered an independent data controller only with regard to the sales activity and related data processings. With regard to other data processing related to the provision of services (e.g. checking the validity of train tickets), the Data Controller does not independently determine the purpose of data processing, but performs it for the benefit of the service provider(s) providing the service (e.g. transfers data), so in this regard is considered as a data processor.

If the data subject purchases a domestic or international ticket/pass in the online ticketing systems operated by the Data Controller, which entitles them to use the services of additional service providers in addition to the Data Controller, the service providers involved in the provision of services are considered joint data controllers. In these cases, the data subject may submit a request for the exercise of data subject rights to any data controller involved in the provision of services.

2. Name and contact informations of Data Processor

Name:	MÁV Service Center Co.
Headquarters:	Könyves Kálmán krt. 54-60., Budapest, H-1087, Hungary
Company reg. no.:	01-10-045838
Court of registration:	The Budapest Metropolitan Court
Tax number:	14130179-2-44
E-mail:	helpdesk@mav-szk.hu

hereinafter: Data Processor

Based on the service contract concluded between the Data Controller and the Data Processor, the Data Processor provides a complete IT service to the Data Controller, which includes the operation and development of the website used for ticket sales (www.jegy.mav.hu) as well as the MÁV application and the necessary data storage hosting service.

3. Information on individual data processing

3.1. Registration on the online ticket sales platforms (’jegy.mav.hu’ website and the ’MÁV application’)

The data subject: all natural persons who register and create a user profile on the jegy.mav.hu website and/or in the MÁV application.

Purpose of the data processing: registration (creating a user account) in the system operated by the Data Controller for the purpose of online ticket sales - including the confirmation of the creation of the user account - in which the user has the opportunity to save the personal data necessary for the purchase of tickets in order to facilitate (speed up) the subsequent purchase of tickets.

The legal basis of the data processing: the consent of the data subject (the user) [GDPR Article 6 (1) point a)].

Personal data processed to achieve the purpose of data processing:

creation of the user account, including confirmation of the creation of the user account: e-mail address, full name (surname and first name), password.
billing data (not mandatory for registration, but a condition for a successful purchase; can be changed or deleted at any time in the profile): billing name, billing address (country, postal code, settlement, name and nature of public area, house number, floor/door).

The duration of the data processing: until withdrawing the consent (deleting the user profile).

3.2. Ticket purchase with or without registration

The data subject: all natural persons who, after registering on the jegy.mav.hu website and/or in the MÁV application, purchase tickets and/or passes through the user profile or purchase tickets and/or passes without registration.

Purpose of the data processing: ensuring the purchase of a named ticket/pass (tickets and passes providing travel rights tied to an individual), as well as sending the ticket/pass to the customer in electronic form and preventing the misuse of tickets.

Scope of personal data processed when purchasing a ticket and pass and their purpose:

Scope of processed personal data	Purpose of processed personal data
Full name and date of birth of the data subject	Issuance of the e-ticket/pass
The e-mail address of the data subject	Sending the e-ticket/pass electronically
Date of birth of the data subject	Providing possible discounts for the trip based on the age of the data subject
Rate and entitlement of discount	Providing a travel discount for the passenger
Details of the travel (date, journey)	Proper issuance of the e-ticket/pass
ID number of the document entitling for discount	In order to prevent the unauthorized use of the discounted ticket
Billing data [billing name and billing address (country, postal code, settlement, name and nature of public area, house number, floor/door)]	In the case of purchasing any Product for the purpose of issuing the invoice
Ticket data in the bar code on the ticket/pass (the data displayed visually on the ticket according to the state at the time of purchase)	Preventing misuse of e-tickets
Portrait (picture) and ID number of the passenger – only in case of creating a virtual passholder	Issuance of the electronic passholder and verification of travel entitlement
The serial number of the e-ID card, name and date of birth of the data subject, in some cases the serial number of the student card or other discount-entitlement card (together) - only in the case of purchasing a pass linked to an e-ID card	Preventing misuse of e-tickets connected to an e-ID card

The duration of the data processing:

in the case of a ticket, it lasts until the trip is used, in the case of a pass, until the validity of the pass expires.
the additional data required for the purchase of a pass are assigned to the user profile and are handled until they are deleted by the user (data subject) or until the profile is deleted.

The recipient of the data transfer: OTP Mobil Szolgáltató Kft. (headquarter: 1143 Budapest, Hungária krt. 17-19., Company reg. no: 01-09-174466, E-mail: ugyfelszolgalat@simple.hu). Purpose of data transfer: payment for the ticket purchased electronically, strong customer authentication, fraud analysis and customer information. The legal basis of data transfer: Pursuant to Article 6 (1) point b) of the GPDR, the fulfillment of the contract concluded between the Data Controller and the data subject, and the fulfillment of the obligation to provide data required by the PSD2 Directive and the SCA Regulation.

3.2.1. Within the purpose of data processing, data processing carried out for purposes other than the original purpose (maintaining contact, sending travel-related information)

Purpose of the data processing: directly informing the passenger about information concerning the travel situation (delays, cancellations, etc.).

The legal basis of the data processing: according to Article 6 (1) point b) of the GDPR, the fulfillment of the contract concluded between the Data Controller and the data subject for the provision and use of passenger transport services according to which the Data Controller must fulfill its obligation to provide information related to the service.

Personal data processed to achieve the purpose of data processing: details of travel (date, journey) and the e-mail address of the passenger purchasing a ticket with this data.

3.3. Checking the right to use passenger transport services

The data subject: all natural persons who travel with a ticket/pass purchased from the Data Controller and the right to travel - including the right to benefit from the discount and the verification of the travel entitlement tied to the person - is checked by the authorized person(s) acting on behalf of the Data Controller.

Purpose of the data processing: checking the legality of using the passenger transport service by presenting a ticket, pass or other document entitling to travel. During the check, the ticket examiner acting on behalf of the Data Controller examines the ticket during the identity check and reads the bar code on the ticket with the device intended for this purpose, on the basis of which the device used by the ticket examiner can determine the data of the ticket at the time of purchase (validity, relationship, discount, personalization, etc.) provides information, which the ticket examiner compares with the data shown on the ticket. In addition, if the travel entitlement is tied to a person, the ticket examiner will also ask for the presentation of a document suitable for personal identification in order to establish identity, by viewing which he/she will have the opportunity to compare the name, date of birth and ID number(s) on the checking device and on the ticket based on the data on the identity card and the photo on the identity card, determine whether the identity document is really the passenger's identity document, and thus whether the ticket is really being used by the person entitled to travel.

The legal basis of the data processing: according to Article 6 (1) point b) of the GDPR, the fulfillment of the contract concluded between the Data Controller and the data subject for the provision and use of passenger transport services

Personal data processed to achieve the purpose of data processing: the data on the ticket and the passenger's personal data (passenger's name, date of birth, ID number in the case of a pass, and the legal title of the discount in the case of a discount) and the name, date of birth, ID number and likeness (photograph) on the passenger's identity document.

The duration of the data processing: until the ticket is checked.

The recipient of the data transfer: in the event that the ticket sold by the data controller gives the right to use the services of one or more service providers different from the Data Controller, independently or jointly, or the services provided jointly by the Data Controller and one or more service providers, and the control is carried out by other service providers other than the Data Controller(s) ), for this purpose, depending on the technical method of checking the ticket, the following personal data will be transmitted:

by scanning the bar code and deciphering the data in the code: the name and date of birth of the passenger, the conditions of the trip, information about the travel discount, the validity of the ticket, other purchased services;
by scanning the bar code in the case of querying the database of the Data Controller by the external service provider: the name and date of birth of the passenger, the circumstances of the trip, information about the travel discount, the validity of the ticket, other purchased services.

Purpose of data transfer: examination of the validity of the pass/ticket entitling to use the passenger transport service, and thus the right to travel. Legal basis of data transfer: according to Article 6 (1) point b) of the GDPR, the fulfillment of the contract for the provision and use of passenger transport services concluded between the Data Controller and the additional service provider(s) involved in the provision of services and the data subject.

3.4. Data processing for purposes other than the original purposes specified in point 3.2. and 3.3. (production of statistical data)

Purpose of the data processing: from the personal data processed by the Data Controller specifically in connection with ticket sales and/or ticket verification, statistical data may be created - according to different aspects - which can serve as the basis for decisions related to the Data Controller's sales activities and service provision, or to measure the consequences of previous decisions. In addition, given that the Data Controller is an organization performing a public task, if the Data Controller receives a request for public data, the fulfillment of which can be achieved by creating statistical data from personal data processed in connection with ticket sales and/or ticket control activities, in view of the relevant and applicable rules, the Data Controller can also use personal data for this purpose. In all cases, the statistical data is prepared in such a way that the data subject cannot be identified afterwards.

The legal basis of the data processing:

according to Article 6 (1) point f) of the GDPR, the legitimate interest of the Data Controller, which is manifested in the fact that the Data Controller has a legitimate interest to prepare statistical data from the personal data processed during its ticket sales and ticket control activities, which are necessary for the sales and facilitates and establishes the basis for making decisions related to the development of its control activities and the provision of services.
if the preparation of the statistical data is necessary because it is also a public data and based on the law the Data controller is responsible for releasing it due to the fulfillment of the data request, the legal basis of the data management is the fulfillment of the public duty of the data controller according to Article 6 (1) point e) of the GDPR.

3.5. Issuing an invoice for ticket purchases and keeping the invoice

The data subject: all natural persons who buy any Product on the jegy.mav.hu website and/or in the MÁV application.

Purpose of the data processing: the issuance of an invoice for the payment of the consideration for the service provided by the Data Controller and, where appropriate, a correction invoice/a document subject to the same consideration as the invoice and its preservation in accordance with the law.

The legal basis of the data processing: fulfillment of the legal obligation according to Article 6 (1) point (c) of the GDPR, which is stipulated in the §§ 169-170 of the Act VAT.

Personal data processed to achieve the purpose of data processing: the billing name, billing address (country, zip code, settlement, name and nature of public area, house number, floor/door), the invoice data.

The duration of the data processing: 8 years from the publication of the report for the given year, based on Section 169 (2) of Act C of 2000 on accounting. The data controller in the case of request of the financial information unit, the investigative authority, the prosecutor's office and the court based on the paragraph 58 (1) of the Act LIII of 2017 on the prevention of money laundering and terrorist financing (hereinafter: Pmt.) must keep the invoices for the period specified in the request, up to ten years from the termination of the business relationship or the fulfillment of the transaction order.

The recipient of the data transfer: the Hungarian tax authority (National Tax and Customs Administration). Purpose of data transfer: fulfilling the obligation to provide data according to law. Legal basis of data transfer: the fulfillment of the legal obligation according to Article 6 (1) point c) of the GDPR, which was established by the Act CXXVII of 2007 and 23/2014. (VI. 30.) NGM decree.

3.6. Operation of the monitoring system related to online ticket sales

The data subject: all natural persons who carry out any activity on any online platfrom used by the Data Controller for online ticket sales.

Purpose of the data processing: the recording of the sales and invoicing data generated during the sale by the Data Controller in a log file of any errors that may arise, for the purpose of monitoring and analyzing the errors, as well as eliminating the detected errors, and if the data subject asserts a claim for any reason, the assessment of the claim.

The legal basis of the data processing: according to Article 6 (1) point f) of the GDPR, it is the legitimate interest of the Data Controller.

A kezelt személyes adatok köre: the e-mail address used when logging in, the notification e-mail address provided for purchases without registration, the activities and times of the online ticket purchase system during the purchase, the IP address of the connected device.

The duration of the data processing: if the Online Ticket Purchase System is functioning flawlessly or in the absence of customer comments regarding the given transaction, they are automatically deleted within 15 days from the date of purchase. In case of receiving a complaint or comment regarding an error or specific transaction, the monitoring system stores the relevant monitoring data until the comment or complaint is investigated or the error is corrected.

3.7. Other data processings related to online ticket sales

The following data processings is closely related to the online ticket sales carried out by the Data Controller and to the Data Controller's service, in respect of which the Data Controller provides the information according to Article 13 of the GDPR independently. Some data processing information of the Data Manager is available on the website https://www.mavcsoport.hu/en/mav-start/introduction/privacy-policy.

data processing performed by MÁV-START Zrt.'s Customer Service in connection with written complaint and the assessment and fulfillment of refund/compensation claims;
data processing carried out by the Customer Service of MÁV-START Zrt. during the operation of the telephone complaint reporting system (MÁVDIREKT);
data processing carried out by MÁV-START Zrt. in connection with the management and enforcement of claims against passengers who do not pay the fare or otherwise violate the travel conditions.

4. The rights of the data subject and the manner of their exercise

The data subject can primarily exercise his/her rights in the application submitted through the contact details indicated in point 1 of the Data Controller. We inform the data subject that he/she can submit his/her request for the exercise of the data subject's right to any of the Data Controller's contact details, but we recommend that he/she do so through one of the contact details indicated in point 1.

The Data Controller shall provide the information in writing, in an understandable form, as soon as possible after the submission of the request, but no later than one month. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. The Data Controller primarily fulfills the data subject's request in the form requested by the data subject. If the data subject submitted the request electronically, the Data Controller will provide the answer electronically, unless otherwise requested by the data subject.

The Data Controller ensures the exercise of data subject rights free of charge for the data subject. If the data subject's request is clearly unfounded or - especially due to its repetitive nature - excessive, the Data Controller may, taking into account the administrative costs associated with providing the requested information or information or taking the requested measure, charge a reasonable fee or refuse to take action based on the request. The Data Controller may refuse to fulfill a request to exercise its data subject rights until it cannot identify the data subject beyond any doubt.

4.1. The right of access and the right to request a copy

The data subject is entitled to receive feedback from the Data Controller as to whether their personal data is being processed. Based on the right of access, the data subject is entitled to receive access to the personal data related to the ongoing data processing about the following information: the purpose of the data processing, the categories of personal data, the duration of the data processing, who and for what purpose receive or have received the personal data of the data subject, his or her rights related to data processing, and the right to submit a complaint to the supervisory authority.

Based on the request of the data subject, the Data Controller provides a copy of the processed personal data if it does not adversely affect the rights and freedoms of others. The Data Controller may establish reimbursement for additional copies requested by the data subject.

4.2. The right to modify, correct and supplement data

The data subject can request the modification (correction) of inaccurate personal data relating to him/her or the addition of incomplete personal data via the contact information given in point 1. The data controller will notify the data subject of the correction.

If the data subject has a user account in the Data Controller's online ticket sales systems, the data subject has the option to independently modify the personal data recorded in the user account.

4.3. Right to withdraw consent

The data subject may withdraw his/her consent in accordance with Article 6(1)(a) of the GDPR at any contact point of the Data Controller without any time limit, which does not affect the legality of the data processing carried out on the basis of the consent prior to the withdrawal. If the data subject withdraws his/her consent, the Data Controller will delete the data subject's data without delay and inform the data subject of the measures taken.

The data subject concerned in the data processing mentioned in the 3.1. [registration on the online ticketing platforms] can revoke the given consent at any time by deleting the user profile.

4.4. The right to erasure (’right to be forgotten’)

The data subject may request the deletion of his/her personal data if the purpose of the data processing has ceased, if the data subject withdraws his/her consent, if the data processing is unlawful, if the specified time limit for data storage has expired, and if it has been ordered by a court or authority. The Data Controller will notify the data subject of the deletion of personal data. The Data Controller does not delete personal data if it is necessary to fulfill the legal obligations of the Data Controller, as well as to present, enforce and defend legal claims.

We inform the data subject that the e-mail address and registration data provided for non-activated registration will be automatically deleted 72 hours after the activation e-mail has been sent.

We inform the data subject that the user account belonging to an activated registration can only be deleted in the following ways:

in the case of the ticket purchase system available from the MÁV-START website (new Elvira), after logging in, in the ‘My Profile’ menu, with the ‘Delete account’ function;
with the ‘Delete account’ function in the ‘My Account’ menu within the MÁV application.

A user account can only be deleted if all of the products contained in it have already expired or been refunded. Deletion cannot be initiated for a user account containing valid or pre-registered products. If the data subject did not initiate the deletion of the user account from the MÁV application and/or logged into his account on a different phone than the one from which he initiated the deletion, to delete the data stored on the phone, please use the ‘Delete all data’ function in the ‘Settings’ menu in the MÁV application or delete the MÁV application from the given phone. By pressing the ‘Delete Account button’, the registration e-mail address (User ID) will be added to the deletion schedule, which means that your user account will no longer be available.

4.5. Limitation of data processing

The data subject may request that the processing of his/her personal data be restricted by the Data Controller at any contact point of the Data Controller if s/he:

disputes the accuracy of the personal data (in this case, the limitation applies to the period until the Data Controller checks the correctness of the data);
the data processing is illegal, but the data subject opposes the deletion of the data and requests the restriction of their use;

the purpose of the data processing has ceased, but the data subject needs them to present, enforce and defend legal claims.

The limitation of data processing lasts as long as the reason specified by the data subject makes it necessary. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Data Controller informs the data subject in advance of the lifting of the restriction at the request of the data subject.

4.6. Right to data portability

The data subject has the right to receive the personal data provided by him/her in a segmented, widely used, machine-readable format, and is also entitled to transfer this data to another data controller without being hindered by the data controller if the data processing is based on a consent of the data subject according to Article 6 (1) point a) or on a contract acoording to Article 6 (1) point b) and the processing is carried out by automated means.

4.7. Right to object

The data subject has the right to object at any time to the processing of his personal data based on points e) and f) of Article 6 (1) of the GDPR for reasons related to his own situation. This right can be exercised in the case of data processing indicated in point 3.4. and 3.6. of this Privacy Policy. In this case, the Data Controller will not process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the data subject objects to the data processing contained in this Privacy Policy, the Data Controller will individually examine the feasibility of the request.

4.8. Remedies (Right to appeal)

4.8.1. The right to contact the Data Controller

If the data subject has comments or objections regarding the processing of his personal data, or would like to request information about the processing of his/her data, he/she can do so in an e-mail written to adatvedelem@mav-start.hu. If the data subject would like to find out more about the rights, please visit the website https://www.mavcsoport.hu/en/mav-start/introduction/rights-data-subject-and-their-enforcement.

4.8.2. Right to complain

If the data subject does not agree with the data processing carried out by the Data Controller or believes that the data controller has violated one of his rights, he can lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information at any of the following contact details:

Name:	Hungarian National Authority for Data Protection and Freedom of Information
Headquarters:	Falk Miksa utca 9-11., Budapest, H-1055, Hungary
Postal adress:	P.O.B. 9., Budapest, H-1363, Hungary
Phone No.:	+36 (1) 391-1400 / +36 (30) 683-5969 / +36 (30) 549-6838
Fax No.:	+36 (1) 391-1410
E-mail:	ugyfelszolgalat@naih.hu
Website:	www.naih.hu

4.8.3. Right to a judicial remedy

If the data subject does not agree with the data processing carried out by the Data Controller or believes that the data controller has violated one of his rights, the data subject may apply directly to the Data Controller for legal redress, which request must be submitted to the court at the Data Controller's registered office or the data subject's place of residence. submit. The court acts out of sequence in the case.

5. Legislation applied and referred to during above-mentioned data processings

The Data Controller applies the following legislation during its data processing processes specified in point 4 of this Privacy Policy:

Regulation (EC) No. 1371/2007 of the European Parliamnet and of the Council on rail passengers’ rights and obligations (Regulation 1371/2007);
Act XLI of 2012 on passenger transport services;
Government Decree no. 271/2009. (XII.1.) on the detailed conditions of rail passenger transport based on a national operating license;
Act C of 2000 on accounting;
Act V of 2013 on the Civil Code;
Act CXXVII of 2007 on value added tax;
Act LIII of 2017 on the prevention of money laundering and terrorist financing.
NGM decree no. 23/2014. (VI.30.) on the tax administration identification of the invoice and the receipt, as well as the tax authorities' control of the invoices kept in electronic form;
Directive (EU) 2015/2366 of the European Parliamnet and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC;
Commission delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

Download in pdf.

MÁV-START Zrt.

Data Controller