1.1      General provisions

1. This Notice defines the data protection and data processing regulations that are recognised by KTI Institute for Transport Sciences Non-profit Ltd. (registered office: 1119 Budapest, Than Károly utca 3-5, company reg. no.: Cg.01-09-890710, hereinafter: Controller), the publisher and operator of the online portal www.bvs.hu, as binding pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: ‘GDPR’), Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter: ‘Info Act’), Act V of 2013 on the Civil Code (hereinafter: ‘Civil Code’) as well as Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: ‘Comm Ads Act’).
2. The Notice contains the principles governing the processing of personal data collected on Users from the Controller’s website, as well as from its mobile or tablet application.
3. For the purpose of this Notice, the Controller is KTI Institute for Transport Sciences Non-profit Ltd., which primarily performs the research and analysis activity related to the www.bvs.hu website, necessary for the preparation of the Budapest Rail Node Study [BRNS, Hungarian abbreviation: BVS], and provides the necessary IT services related to this activity.
4. For the purposes of this Notice, a user (hereinafter: ‘User’) is a person who uses the media content services of the Controller on the www.bvs.hu website, or on its mobile or tablet application (i.e., logs onto the website or into the application), subscribes to its newsletters, supports the operation of the website as a sponsor, participates in the projects announced on the website or any of the website’s own promotions, submits an opinion or observation to the Controller or initiates contact with the Controller in any other way.

1.2      Data processed during the performance of the Controller’s activity

Unless otherwise provided for by law, the personal data listed in this Section may be processed by the Controller without any explicit consent for the purpose of compliance with any statutory obligation imposed upon them, for the enforcement of their own or a third party’s legitimate interest, if the enforcement of this interest is proportionate to the limitation of the right related to the protection of personal data. We would like to advise the User that these data are never linked by the Controller with other information that would allow the person behind these data to be identified.

1. Data processed when accessing the web page and during the use of the tablet and mobile phone application

• During login, some data that are generated during the visit may be automatically recorded. The system logs the automatically recorded data without any specific statement or act of the User when the User logs in or out. The system stores these data for the shortest possible time necessary for the provision of the service and safe operation, typically for the period of the project, following which the data are automatically overwritten, i.e., erased. Thus, for example, the following data may be stored: IP address, browsing data, visit parameters.
• For an optimal customized appearance, the Controller may place a so-called cookie onto the device of the User. The cookie allows a higher level of functionality to be provided on the web page, and the provision of personalised services. A cookie can be deleted by the User from his/her own device or by setting up the browser in such a way that it prohibits the use of cookies. At the time of the first login, the page will visibly alert the User to the use of cookies and the possibility of disabling them.
• With the use of cookies placed by the Controller, within the scope of its own operation, the Controller does not collect data; the cookies are used in the User-side service process (on the device and in the browser of the User). Cookies are present in the User’s system for an indefinite period of time, or until the cookies are deleted by the User.

2. Participation in the project announced on the website

The primary purpose of the website is to inform the public about the Budapest Rail Node Study, to consult with the public and to analyse and consider comments and suggestions sent by the public during the preparation of the strategy. To achieve this goal, it is necessary to involve the Users in the project and to get their opinions.

If a User registers on the website, by providing his/her e-mail address, he/she consents to the processing. The Controller performs processing only if the concerned User has consented to it during registration.

The range of data involved in the processing may vary depending on the content of the project phase, but it is primarily directed at the User’s e-mail address and name.

The purpose of the processing is for the Controller to send a newsletter or information to the User, in which it details its activity followed by the User and the progress, status and outcome of the project.

Duration of the processing: the duration of the project or the date of de-registration. De-registration may be done by sending an e-mail advising your intent to de-register to the bvs@kti.hu e-mail address. De-registration shall be deemed a withdrawal of consent. When the consent is withdrawn, the processed data will be erased. The Controller does not transfer the data.

1.3      Contacting the Controller

If the User initiates a contact with the Controller (e.g. via e-mail), he/she acknowledges and consents to the Controller recording his/her e-mail address and for them to process it for the duration and to the extent necessary for the purpose of the given contact.

During its content editing activity, the Controller processes the personal data of all natural persons involved in the production of content, either as a source or a reference in the edited content. In this case, the personal data most commonly processed by the Controller may be the following: name, position, place of work, age, place of residence, or other information that indicates how the data subject relates to the subject of the edited content.

The Controller reviews the scope of the data processed in this manner pursuant to the intervals specified in the Internal Privacy Policy and if the purpose of the processing has been fulfilled or the processing is no longer required, it erases the data processed in this manner.

1.4      Purpose and general rules of the processing carried out by the Controller

1. Purpose of the processing performed by the Controller:

• understanding and gathering information on public awareness and needs relating to the Budapest Rail Node Study project, reviewing the content of the project;
• maintaining contact with the User in order to inform the User of the individual projects and for the fulfilment thereof;
• management and implementation of user requests;

2. The Controller shall not use the provided personal data for purposes other than specified in these points.
3. Processing takes place on the basis of the freely given, prior, informed statement of the Users. The statement contains the explicit consent of the Users to the use of their personal data provided by them while they use the site. When processing is based on consent, the User may withdraw his/her consent at any time, but it shall not affect the lawfulness of the processing carried out prior to the withdrawal.
4. The Controller may use the services of a third party for the processing of the personal data, provided that the third party’s processing practices comply with the relevant legal requirements. With the acceptance of this Notice, the User grants his/her explicit consent for the processing carried out by the third party. The Controller stores the data until the consent to processing is withdrawn. As far as comments, remarks and opinions are concerned, additional processing and controlling activities can be performed by the TRENECON-FŐMTERV-KTI consortium.

1.5      Rights and obligations of the User

1.5.1     Procedural rules

The User may request information regarding his/her personal data processed pursuant to this chapter at any time in writing, by sending an e-mail or by sending a letter with registered mail or by registered mail with confirmed receipt to the registered office of the Controller. The Controller considers any request for information sent by letter authentic when the User can be clearly identified from the submitted request. The Controller considers any request for information sent by e-mail authentic only if it is sent from the User’s registered e-mail address.

1.5.2     Right to information

Pursuant to the formal requirements set out in the ‘Procedural Rules’ subsection, the User may request the Controller at any time to provide information on whether they are processing the User’s personal data and if so, to provide the User with access to the personal data processed by them.

The request for information may be extended to the data of the User processed by the Controller, their sources, the purpose and legal ground as well as duration of processing, the name and address of any Processor, the activities relating to processing and, when personal data are transferred, the parties who received or still receive data of the User and the related purpose.

The User may request the rectification or modification of his/her personal data processed by the Controller, as well as the supplementation of incomplete data.

1.5.3     Right to request erasure of personal data

Pursuant to the formal requirements set out in the ‘Procedural Rules’ subsection, the User may request the erasure of his/her personal data processed by the Controller.

The process of unsubscribing from the database: If you have registered on the BVS website but no longer wish to be listed in the database, please send an e-mail advising your intention to unsubscribe to the leiratkozas.bvs@kti.hu e-mail address, after which your data shall be erased from the database.

1.5.4     Restriction of processing of personal data

The User is entitled to restrict the processing of his/her personal data by the Controller for a specified period, in the form complying with the formal requirements set out in the ‘Procedural Rules’ subsection. The restriction may be applied if the User disputes the accuracy of the processed personal data or if, according to the User, the processing is unlawful but the User objects to the erasure of the processed personal data, or if the purpose of processing has been achieved but the User requests the processing of data by the Controller for the presentation, enforcement or defence of legal claims.

1.5.5     Right to objection

Pursuant to the formal requirements of the ‘Procedural Rules’ subsection, the User may object at any time to the processing of his/her personal data if the processing of personal data is required only for fulfilling a legal obligation of the Controller or for the enforcement of a legitimate interest of the Controller or a third party; where the purpose of data processing is direct marketing; or if data processing takes place in order to fulfil a task in the public interest. The Controller assesses the lawfulness of the User’s objection and when concludes that the objection is justified, will stop the processing and block the personal data and shall notify all parties to whom the personal data affected by the objection were potentially transferred about the objection and the measure taken accordingly.

1.5.6     Deadlines

The Controller shall provide information on action taken on a submitted request to the User without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the User makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the User. If the Controller does not take action on the request of the User, the Controller shall inform the User without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

1.5.7     Right to lodge a complaint

Users may lodge complaints relating to processing directly with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

1.5.8     Right to seek legal remedy

In the event of any infringement of his/her rights, the User may bring his/her case before the court. The case falls within the competence of the regional court. If so requested by the data subject, the case may be brought before the regional court in whose jurisdiction the User’s home address or temporary residence is located.

1.5.9     Obligations of the User

The User warrants having lawfully obtained the consent of the natural person data subject for the processing of personal data provided or made accessible by them about other natural persons.

Whenever any User provides an e-mail address or other data during registration, they undertake that only they will use the service from the specified e-mail address or by using the data provided by them. In view of that responsibility, any responsibility associated with any login made from the specified e-mail address and/or data shall lie with the User who registered the e-mail address and provided the data.

The Controller uses the personal data based on the consent of the concerned User and exclusively for the limited purpose. The Controllers process the personal data only for purposes defined in this Notice and the applicable legal regulations. The scope of processed personal data is proportionate with the purpose of processing and may not exceed it. Whenever the controller intends to use the personal data for any purpose other than those for which the personal data were initially collected, it shall inform the User and obtain prior explicit consent from the User for that, providing also an opportunity to prohibit the use of data for such purposes.

The Controller does not verify the personal data supplied. Only the person supplying the data is responsible for the accuracy of the provided personal data. Personal data of data subjects who are below the age of 16 years may only be processed with the consent of the person of adult age who is the holder of parental responsibility over them. The Controller cannot verify the eligibility or content of the statement of the person providing consent, and therefore the User or the holder of parental responsibility over them warrants that the consent complies with the laws and regulations. Without a statement of consent the Controller does not collect any personal data about the data subjects who are below the age of 16 years, with the exception of the IP address, browsing data and visit parameters used during the Service, which are registered automatically given the nature of online services.

1.5.10 Other provisions

In certain cases, especially in the case of an official request from a court or the police, legal proceedings based on the violation of copyrights, property rights or other rights, etc., the Controller makes accessible the available personal data of the concerned User to third parties. The User acknowledges that the Controller is entitled and obligated to transfer any personal data available to and duly stored by them to the competent authorities, the transfer of which is their legal obligation, imposed by the law or in an effective order of an authority. The Controller may not be held liable for such data transfer or any consequences thereof.

The Controller uses the personal data based on the consent of the concerned User and exclusively for the limited purpose. The Controller processes the personal data only for purposes defined in this Notice and the applicable legal regulations. The scope of processed personal data is proportionate with the purpose of processing and may not exceed it. Whenever the controller intends to use the personal data for any purpose other than those for which the personal data were initially collected, it shall inform the User and obtain prior explicit consent from the User for that, providing also an opportunity to prohibit the use of data for such purposes.

The Controller reserves the right to modify this Notice with a unilateral decision at any time.

With the login, the User accepts the currently effective provisions of the Notice, beyond which the consent of the individual User shall not be required.