MAGYAR

PRIVACYNOTICE

regarding the Simple Application and Simple Website

The developer and provider of the Simple Application and System, OTP Mobile Ltd (company reg. no. 01-09-174466; seat: 1093 Budapest, Közraktár u. 30-32.; hereafter referred to as: Simple) hereby informs the Users of the data management in the Simple Application and the Simple System as follows, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation (hereafter referred to as GDPR).

The terms herein and the phrases beginning with capital letters are to be understood as those in the General Terms and Conditions on Simple System (hereafter: Simple GTC).

Simple is entitled to modify tThe present Privacy Notice in any time. The present Privacy Notice is published pn the Simple Website and also is available in the Simple Application. The present Privacy Notice takes into effect by publishing.

1                     What personal data do we manage in the Simple System, for how long, for what purposes and by what authorization?

The legal bases for our data processing are the following:

a)      GDPR Article 6 (1) a) where the processing is based on the informed consent of the data subject (hereafter referred to as Consent)

b)      GDPR Article 6 (1) b), on where processing is necessary for the performance of a contract to which the data subject is party (hereafter referred to as Conclusion of Contract)

c)      GDPR Article 6 (1) c) where data processing is necessary for the fulfillment of or compliance with a legal obligation of the data controller (e.g. obligations with tax statues – hereafter referred to as Compliance)

d)      GDPR Article 6 (1) f) where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereinafter referred to as: Lawful Interest)

e)      the data processing authorization afforded by Article 13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services, where data controllers are authorized to process the natural identification data and home address of the recipients without the need for consent, as required for contracts for information society services, for defining their contents, for subsequent amendments and for monitoring performance of these contracts, for invoicing the relevant fees, and for enforcing the claims arising out of or in connection with such contracts., moreover, where data controllers are authorized to process natural identification data and home address for the purposes of invoicing for the fees payable under the contracts for the provision of information society services to the extent related to the use of information society services, and information relating to the date, the duration and the place of using the service. (hereafter referred to as E-Commerce)

The legal basis for the data processing is specified below, per data categories and by reference to the elements of the above list.

1.1                 Data managed in general within the Simple System

1.1.1             Regarding data management relating to Simple account, Simple profile and Simple registration

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

name*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

User identification

Ensuring communication

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a), d) and e):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest Fraud prevention and management 

For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).

e-mail address*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

User identification

Ensuring communication

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a), d) and e):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

phone number*

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

password*

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

e-mail address pertaining to a Facebook account(if it differs from the e-mail address of the Simple account)

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

name pertaining to a Facebook acount (if it differs from the name given in the Simple acocunt)

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

avatar pertaining to a Facebook account (profile picture)

From Subject

User identification

Personalizing the User account

GDPR Article 6 (1) a) Consent

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

e-mail address pertaining to a Google account (if it differs from the e-mail address of the Simple account)

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

name pertaining to a Google account (if it differs from the name given in the Simple acocunt)

From Subject

User identification

Ensuring communication

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

Age data (under 16 years or not) *

From Subject

Ascertaining of parental consent necessity

GDPR Article 6 (1) c) Fulfilment of legal obligation – Request of parental consent

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

Phone identification code

Generated by the data conroller

User identification

Ensuring communication

GDPR Article 6 (1) a) Consent

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data Simple account registration and the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

Simple is the data controller.

Presentation of Lawful Interest: Certain data as indicated above are processed 6 months after the deletion of your Simple account and your Simple registration was  effectuated by you, because this period is necessary for the settlement of our contracts with the card companies and cooperating partners, for the examination of the possible fraud-suspicious transactions and for the claim and law enforcement in connection with them. This data processing for the purpose of settlement, fraud prevention and examination and claim and law enforcement does not concern the exercise of your other moral or fundamental rights; however, it is necessary for us and for our cooperating partners to enforce and fulfil our fraud prevention legal obligations set out by law. 

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.1.2           Regarding data management relating to the general use of Simple System

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

ID of the concluded transaction

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

 

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

 

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

 

By lawful interest: 6 months thereafter.

price of the concluded transaction

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

 

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

 

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

 

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

 

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).

Subject of the concluded transaction

(purchased product, service)

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

 

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

 

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

 

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

 

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).

 

Shipping address

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement, fraud prevention and management

 

In case of processing purpose of column D/a): Article 13/A E-commerce Act

 

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

 

In case of processing purposes of column D/b):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

 

By lawful interest: 6 months thereafter.

Billing name and address

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement, fraud prevention and management

 

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

 

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

 

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

 

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information)

 

 

GPS coordinates, if the User has authorized it

From Mobile device

Profiling – displaying of behavioural advertisements, learning about customer preferences

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

Simple is the data controller.

1.1.3           Regarding data management relating to Simple customer service

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple and turning to the customer service

name*

From Subject

User identification

Communication with the User in course of complaint management

Completion of contract

Complaint management

Claim and law enforcement

GDPR Article 6 (1) f) Lawful Interest

Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

e-mail address*

From Subject

User identification

Communication with the User in course of complaint management

Completion of contract

Complaint management

Claim and law enforcement

GDPR Article 6 (1) f) Lawful Interest

Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

recorded phone call

From Subject

User identification

Quality assurance

Protection of consumers’ rights

Proof of the content of the complaint

Claim and law enforcement

GDPR Article 6 (1) f) Lawful Interest

Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

subject of complaint

From Subject

Complaint management

Claim and law enforcement

GDPR Article 6 (1) f) Lawful Interest

Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

parameters of transaction in question

From Subject

Complaint management

Claim and law enforcement

GDPR Article 6 (1) f) Lawful Interest

Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

Data marked with * are mandatory to fill in.

Simple is the data controller.

Indication of Lawful Interest in accordance with GDPR Article6 (1) f): the data processing within the scope of making a complaint, examination, settlement and management of the complaint, including the recording of phone calls, is your and our common interest, as well as the interest of the service providers of the services available within Simple Application, since the processing of these data is necessary for the enforcement of our consumer and civil rights and interests in connection with the the purchase made, service used within Simple Application.  

The processing of your personal data hereunder is not precluded by your right to self-determination of recorded voice, since your personal freedoms are not infringed upon, since at the very beginning of the phonecall, you are duly informed regarding the recording of audio that is to commence, leaving you ample opportunity to decide on continuing with the phonecall, or terminating it. The same services and solutions are also available via e-mail customer service, thus, you have a choice regarding the addressing of your complaint.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2               Personal data managed specifically within the scope of certain services of Simple System

1.2.1           Parking

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Vehicle’s licence plate*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Vehicle’s country denomination*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Parking location*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Parking function is not possible.

The data controller is Simple.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.2          Purchase of motorway vignettes

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Vehicle’s licence plate *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) c) Fulfilment of legal obligation – billing

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Vehicle’s country denomination *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Type of the Vehicle*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data of the purchased vignette (type, period of validity)*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

 

Data marked with * are mandatory to fill in, without these data the use of the Purchase of motorway vignette function is not possible.

The data controller is Simple.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.3          Food Courier, ordering food

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Shipping address*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Food Courier function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of Euro Hungary LLC, service provider of pizza.hu ,and processes these data as data processor. The data controller of these data is Euro Hungary LLC.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.4         Bookline order

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Data of Bookline account (name, e-mail address)*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Mode of shipping*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Invoicing of contractual charges

Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Shipping address*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purpose of column D/a): Article 13/A E-commerce Act

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purpose of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Order name*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purpose of column D/a): Article 13/A E-commerce Act

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purpose of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Bookline order function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of Libri-Bookline LLC. operator of bookline.hu online webshop, and processes these data as data processor. The data controller of these data is Libri-Bookline LLC.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.5          Taxi order

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Taxi order address*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purpose of column D/a): Article 13/A E-commerce Act

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purpose of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Phone number*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Communication with User

Claim and law enforcement

In case of processing purpose of column D/a): Article 13/A E-commerce Act

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purpose of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Order name*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purpose of column D/a): Article 13/A E-commerce Act

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purpose of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Taxi order function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of Főtaxi Ltd. service provider of Főtaxi, and processes these data as data processor. The data controller of these data is Főtaxi Ltd.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.6         OTP Health Fund balance check and upload

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

OTP EP card number*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

OTP EP card telecode*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

OTP EP card balance

OTP Országos Egészség- és Önsegélyező Pénztár (National Health and Self-care Fund)

Concluding the contract, determination of its content, modification, completion thereof

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

OTP EP card charged amount*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the OTP EP card check and upload function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of OTP National Health and Self-care Fund, and processes these data as data processor. The data controller of these data is OTP National Health and Self-care Fund.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.7          Loyalty Card

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Data of the saved Loyalty Card *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

GDPR Article 6 (1) b) Conclusion of Contract

3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data the use of the Loyalty Card function is not possible. 

Simple is the data controller.

Use of the Loyalty Card function is prohibited for the purpose of fixing and saving any card eligible for the identification of a person, in particular ID card, address card, driving license, passport, tax ID card, Social security card, student crd, EU social security card, other ID card containing personal data with or without photo, entering card. In case of fixing and saving such cards as Loyalty Cards, Simple is entitled – but not obliged – to erasure them from the Simple System. Simple does not undertake to store such kind of cards or to manage personal data in connection with those cards; Simple does not undertake any responsibility or liability for that and excludes its liability regarding that.

In case of fixing, registering and activating the Costa Coffee loyalty card in the Loyalty card function – according to the contract between Simple and Costa Coffee – the Simple manages, stores and transfer the Costa Coffee card number, e-mail address, full name of card owner as well as the optional data such as birthdate, zip code and store id. The aim, legal basis and duration of those data management is as same as indicated in the above chart of other loyalty card data. In case of registering Costa Coffee loyalty card Costa Coffee transfers the loyalty points to be given after the purchase with the card to the Simple system; Simple stores those data connected to the card.

1.2.8         Wallet

1.2.8.1     Support for bank transfer

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Number of the sender bank card registered within Simple*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Holder of the recipient bank card

Number of the recipient bank card*

From Simple User

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Holder of the recipient bank card

Recipient Simple User’s e-mail address*

From Simple User

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Support for bank transfer function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of OTP Bank Plc, and processes these data as data processor. The data controller of these data is OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.2   Banking balance inquiry

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Number of the sender bank card registered within Simple*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

account balance

From OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purpose of column D/a):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Banking balance inquiry function is not possible. 

With respect to the data listed in the present section Simple is to be construed as data processor of OTP Bank Plc, and processes these data as data processor. The data controller of these data is OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.3   Bank card registration within Simple System

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

name on bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

number of bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

expiration date of bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

name of the bank issuing the bank card

 

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

bank card CVV/CVC code*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

name of bank card

From Subject

Concluding the contract, determination of its content, modification, completion thereof

GDPR Article 6 (1) b) Conclusion of Contract

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data the use of the Bank card registration function is not possible.

Simple is the data controller.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.4   NFC-payment

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

  User registered within Simple

name on the bank card*

From Subject

a) Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

number of the bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

expiration date of bank card *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

name of the bank issuing the bank card

 

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

bank card CVV/CVC code*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

phone number*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Transaction authentication

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a), b) and c):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/d):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of NFC-payment function is not possible. 

OTP Bank Plc. is the data controller, Simple processes the data of the bank card suitable for NFC-payment on behalf of OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.5   Simple card payment

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

name

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

 

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

address

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

date of birth

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

phone number

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

e-mail address

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

name on the bank card*

from OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

number of bank card*

from OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

expiration date of bank card*

from OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

name of the bank issuing the bank card

from OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

bank card CVV/CVC code*

from OTP Bank Plc.

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data the issuing of Simple Card may not be ordered.

OTP Bank Plc. is the data controller, Simple processes the data of Simple Card on behalf of OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.9         SimplePay Hero Wallet

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

name on the bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

number of the bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

expiration date of the bank card*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

name of the bank issuing the bank card

From Subject

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement, prevention and management of fraud

In case of processing purpose of column D/a)

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/b):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

bank card CVV/CVC code*

From Subject

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement, prevention and management of fraud

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data the issuing of Simple Card may not be ordered.

Simple is the data controller.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.10       Simple Bill

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

  User registered within Simple and  Simple Bill

utility provider’s client/consumer/consumer location ID *

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing:  3months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

notification address as registered at the utility provider

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing:  3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

address of place of consumption

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing:  3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

name of party contracted with the utility provider

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

contractual account number at utility provider

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing:  3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

name of the invoiced party

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing:  3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

address of the invoiced party

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

User identification

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

amount to be paid to the utility provider

from the utility provider

Concluding the contract, determination of its content, modification, completion thereof

Claim and law enforcement

In case of processing purposes of column D/a) and b):

Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data SimpleBill service shall not be used.  

The data controller is the utility provider pertaining to the given bill payment transaction to which Simple acts as data processor regarding the data specified above.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.11         Sending out of Invitation

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data management

Legal basic of data management

Duration of data processing

Recipient of the invitation

e-mail address*

User registered within Simple

Concluding the contract, determination of its content, modification, completion thereof

User identification

GDPR Article 6 (1) f) Lawful Interest

30 days calculated from the sending of the Invitation.

Data marked with * are mandatory to fill in, without these data the Invitation shall not be sent. 

Simple is the data controller. Simple is the recipient of the data transmission carried out by User as data controller. 

Within the Simple System you can send out Coupons, Tickets, messages, recommendations, invitations (hereinafter referred to as Invitation)   promoting and encouraging the use of the Simple System and all the services therein, to unregistered third parties, whose email addresses you know (hereinafter referred to as Recipient).

When sending out such Invitations you only type in the Recipient’s name and email address in the appropriate field of Simple System.

By sending out the Invitation you thereby accept that you can only send invitations to such Recipients who have given their prior consent to the use of their name and email address for the purpose of receiving such Invitations. We do not take responsibility if you failed to get the Recipient’s consent to the use of his or her information in order to send out an Invitation or in case you provided an inaccurate email address of the Recipient. By sending out the Invitation you authorize us to send it out to the given Recipient in your name and on your behalf in such a way that due to some technical particularities the sender will appear as Simple, however the Invitation will be considered to have been sent by you and not us and the content of the Invitation will not be considered as an offer made by us, as advertisement or as another direct way of marketing communication.

By using the Invitation service you accept that a part of the Message is determined by us and that part cannot be erased by you. The content determined by us may include information about the Simple System and/or the Application.

You can only send messages that are corresponding with the law as well as with ethical, moral, and social norms. The message shall not include onscene, infringing contents or contents that unjustifiably infringe or contravene others’ rights or legitimate interests. Moreover, the content determined by the sender shall not be defamatory or detrimental to Simple System, the Application, and the Service Provider as well as to their reputation.

The personal data of the Recipient provided by you (name and email address) are only stored for Invitation delivery purposes.

1.2.12       Sending of electronic direct marketing messages via e-mail or push notification

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data processing

Legal basis of data processing

Duration of data processing

User registered within Simple

name*

From Subject

Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

e-mail address*

From Subject

Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

In case of push notification: Simple account

From Subject

Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data it is not possible to subscribe to the newsletter.

Simple is the data controller.

1.2.13       Prize game, promotional game

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data processing

Legal basis of data processing

Duration of data processing

User registered within Simple

name*

From Subject

Participation in a promotion or prize game,

Communication, Notification of the User about the result,

User identification

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

e-mail address*

From Subject

Participation in a promotion or prize game,

Communication, Notification of the User about the result,

User identification

GDPR Article 6 (1) a) Consent

Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data it is not possible to participate in the prize game, promotion. Data controller is Simple.

1.2.14       Sending system messages via e-mail or push notification

Simple sends system messages to the registered Users from time to time. System messages are messages regarding the operation, service breakout, maintenance, traoubleshooting, functions of Simple System, change of these functions, availability of new functions of Simple System, the range of the services available in Simple System, way of use of these services, the General Terms and Conditions and Privacy Notice of Simple System or the modification thereof, rights and obligations of the Users concerning Simple System and also including the confirmation messages, notifications, confirmations sent in connection with the use of the services in Simple System, electronic bills, receipts and invoices.

For the purpose of sending system messages, Simple manages the following personal data:

A

B

C

D

E

F

Subject

Data Category

Data origin

Purpose of data processing

Legal basis of data processing

Duration of data processing

User registered within Simple

name*

From Subject

Sending system messages in order to fulfil the contract

GDPR Article 6 (1) b) Fulfilment of the contract

3 month after the termination of the contract

e-mail address*

From Subject

Sending system messages in order to fulfil the contract

GDPR Article 6 (1) b) Fulfilment of the contract

3 month after the termination of the contract

In case of push notification: Simple account

From Subject

Sending system messages in order to fulfil the contract

GDPR Article 6 (1) b) Fulfilment of the contract

3 month after the termination of the contract

Data marked with * are mandatory to fill in, without these data it is not possible to send system messages. Data controller is Simple.

1.3               What type of data do we collect of you automatically, why do we profile your data, and what effects could this have on you?

How and what type of data do we collect of you automatically?

In course of the use of Simple System via mobile application we run cookies and similar technologies on your phone to help your identification and the recognition of your data so that you don’t have to type them in every time, as well as to get to know your interests more in order to send you customized offers. We also use these cookies to improve the user-experience, and to increase the security and efficiency of Simple System and Application, as well as to publish advertisements. These data are not provided by the user, we are the ones collecting them from you while you use the application.

Regarding iOS mobile devices:

A

B

C

D

E

Subject

Data Category

Purpose of data processing

Legal basis of data processing

Duration of data processing

User registered within Simple

language of the application

Personalization of the application,

Communication,

Determination of the language of automatic notifications

GDPR Article 6 (1) a) Consent

Until the deletion of the application

unique hardware ID generated upon installation

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

key chain data required to identify and authenticate the User

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

e-mail address used for logging in

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

type of log in(e-mail, Google+ or Facebook account)

User identification

GDPR Article 6 (1) a) Consent

Until the logging out of the application

double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

hashed version of the user password hashelt for the tasks requiring stonger authentication (e.g. payment)

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

regarding EP card upload,  the number of the most recently used EP card is saved

Streamlining, customizing the application,  increasing user experience 

GDPR Article 6 (1) a) Consent

Until the logging out of the application

regarding money transfer function, the number of the most recently used bank card is saved 

Streamlining, customizing the application,  increasing user experience 

GDPR Article 6 (1) a) Consent

Until the logging out of the application

date of last  password modification

Ensuring safety

GDPR Article 6 (1) b) Fulfilment of the contract

Until the deletion of the application

date of last log in

Ensuring safety,

Understanding of circle of interests,

Customizing the application,

Displaying  advertisement, sending of personalized offer

In case of column C/a) purpose: GDPR Artcile 6 (1) b) Fulfilment of the contract

In case of processing purposes of column C/b) – d):

GDPR Article 6 (1) a) Consent

Until the deletion of the application

maximum amount of payment without password

Ensuring safety

GDPR Artcile 6 (1) b) Fulfilment of contract

Until the deletion of the application

registration date

Understanding of circle of interests,

Customizing the application,

Displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

registration channel

Understanding of circle of interests,

Customizing the application,

Displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

fact of registration from a social media network

Understanding of circle of interests

Customizing the application

Displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

Regarding Android mobile devices:

A

B

C

D

E

Subject

Data Category

Purpose of data processing

Legal basis of data processing

Duration of data processing

User registered within Simple

bank card profile data (card ID, card status, card data)

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

Card transaction data (card ID, transaction timestamp ID, log)

User identification,

plausibility,

Claim and law enforcement,

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

In case of processing purposes of column C/d) -f):

GDPR Article 6 (1) a) Consent

Until the deletion of the application

Environmental data (latitude, longitude – location, wallett status, remote url)

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the logging out of the application

Mobile Keys (mobile key set, ID, type, value, ID card)

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

Transaction report status data (token unique refernce, timestamp)

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the logging out of the application

Token unique reference list (token unique reference card ID)

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the logging out of the application

e-mail address used for logging in

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

type of log in (e-mail, Google+ or Facebook account)

User identification,

understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) -d):

GDPR Article 6 (1) a) Consent

Until the logging out of the application

double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

hashed user password, fingerprint encrypted version

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

Number of successful transactions

Conclusion of contract,

plausibility

Claim and law enforcement,

understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

In case of processing purposes of column C/d) -f):

GDPR Article 6 (1) a) Consent

Until the deletion of the application

regarding EP card upload,  the number of the most recently used EP card is saved

Streamlining, customizing the application,

Increasing user experience 

GDPR Article 6 (1) a) Consent

Until the deletion of the application

regarding money transfer function, the number of the most recently used bank card is saved 

Streamlining, customizing the application,

Increasing user experience 

GDPR Article 6 (1) a) Consent

Until the deletion of the application

e-mail address used for the last log in is saved 

Streamlining, customizing the application,

Increasing user experience 

GDPR Article 6 (1) a) Consent

Until the deletion of the application

user API level

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

Message center, last shown message and timestamp

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

 

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the deletion of the application

Taxi order dialogue data

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the logging out of the application

Parking GPS verification dialogue data

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the logging out of the application

Wallet PIN

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

Wallet app payment ID

User identification

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

digitalization of Wallet Card ID

User identification,

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a) and b):

Fulfilment of contract

In case of processing purposes of column C/c) and d):

GDPR Article 6 (1) f) Legal Interest

Until the deletion of the application

unlocked phone timestamp

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the logging out of the application

mobile payment being blocked by  EULA

Conclusion of contract,

plausibility

Claim and law enforcement

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) and c):

GDPR Article 6 (1) f) Legal Interest

Until the deletion of the application

safe keyguard

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

changed Keyguard

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

Simple is not the default payment application 

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

Application settings

(language, newsletter subscription, fingerprint ID usage, notifications, Facebook connection in place or not, parking notifications, taxi notifications, cinema notifications)

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

date of last password modification

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

date of last log in

Ensuring safety,

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

In case of processing purpose of column C/a):

Fulfilment of contract

In case of processing purposes of column C/b) - d):

GDPR Article 6 (1) f) Legal Interest

Until the deletion of the application

maximum amount of payment without password

Ensuring safety

GDPR Article 6 (1) b) Conclusion of Contract

Until the deletion of the application

registration date

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

registration channel

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

fact of registration from a social media network 

Understanding of circle of interests,

customizing the application,

displaying  advertisement, sending of personalized offer

GDPR Article 6 (1) a) Consent

Until the deletion of the application

Profiling – what is the purpose of our profiling and what effects can it have on you?

The above listed data are connected to the data you have provided when registering in the Simple Application and to the data you have given when using other services as well as to the data we have automatically collected of you. Furthermore, they are also connected to the data you have provided on websites run by us e.g. www.simple.hu, www.simplepay.hu, www.simplepartner.hu, www.mozizzunk.hu, www.mozi-filmek.hu, www.simplejatekok.huwww.nyerjamatricaddal.hu, www.penzugyekonline.hu including the data we have automatically collected of you there. Finally all the above data are assigned to you personally. The database we have created of you is being used to make Simple Application more efficient, to measure the use of Simple Application as well as to customize it and to find out about your preferences. Based on the above, after an automatic evaluation we target you with customized offers and advertisements with the help of automatic tools. These data are anonymously used for the development of new products, services as well as for statistical purposes.

In order to reach tose goals we use Facebook Custom Audiences, Facebook Pixel and Google Analytics services. In order to reach the aforementioned goal in the framework of Facebook Cutom Audience services we upload your e-mail address and pohone identification number into the Facebook’s system. In case of Facebook Pixel and Google Analytics we use your data collected by them and we on an ad hoc basis combine with your data collected by us. Simple is the data controller of the data we forward to Facebook and Google as well as of the data received from them by us. Facebook and Google are the data controllers of the data collected by them. Facebook and Google is the data processor acting on behalf of Simple in case of the data collected by Simple and forwarded to them by Simple.

It is necessary to put cookies on the user’s device for the use of Facebook Pixel and Google Analytics. You are able to control and set those data management activities of Facebook and Google in your Facebook and Gogle account. Furthermore, you are able to grant consent to the data collection through Facebook and Google cookies in the Simple Application and the Simple Website on your own.

The ban on profiling, cookies and notifications may worsen the user experience; it may make the use of the application more inconvenient and may prevent you from getting personalized offers, coupons, and discounts from us in connection with the services provided in the application.

Upon visiting the Webpage and ustilising the Services, Service Provider places cookies within User’s browser and in HTML-based emails as per the regulations herein.

In general the cookie is a small file consisting of letters and numbers which is sent to the device of the User from the web server of the Service Provider. It enables for example the Service Provider to recognize the final appliance of the User when the connection is created between the web server of the Service Provider and the device. The main purpose of the cookie is to enable the Service Provider to make available individualized offers, publicity and advertisements for the User which may personalize the User’s experience during the use of the Simple System and may reflect more to the personal needs of the User. 

Purpose of the cookies used by Service Provider:

a)      Security: aiding and ensuring safety, moreover enabling and aiding Service Provider to detect unlawful conduct.

b)      Preferences, attributes and services: cookies let Service Provider know, what language is preferred by the User, what are their communications preferences, aid the User in completing forms on the Website, making them easier to fill out.

c)      Advertisements: Service Provider may utilise cookies, in order to serve Users with relevant advertisements both on the Website and off it. Certain cookies may be used, which show, whether the Users who have seen a certain advertisement on the Website, have visited the advertiser’s website later. Similarly, the Service Provider’s business partners may use cookies to ascertain, whether the Service Provider had displayed their advertisement on their Webpage, and to ascertain its performance, also, they may issue information to Service Provider on how the User conducts themselves regarding the advertisement. Service Provider may collaborate with business partners, who display certain advertisements for the User either on the Website or off it, after the user having visited the website of that partner.

d)      Performance, analytics and research: cookies aid the Service Provider in understanding how the Website performs in various areas. Service Provider may use cookies, which rate, improve and search the Website, the products, functions, services, including when User enters the Website from other webpages, and the devices, such as User’s computer or mobile device.

Types of cookies utilised by Service Provider:

a)      analytics, tracking cookies;

b)      session cookies, which only operate during the active session (usually the webpage visit itself);

c)      permanent cookies: which help in identifying the Customer as an existing user, making it easier for them to return without having to log in again. After the Customer logs in, the permanent cookie remains in their browser, withe the webpage being able to read it.

Adobe Flash is another technology equal in function to cookies. Adobe Flash is able to store data on the User’s device. Not every browser allows the removal of Adobe Flash cookies however. The Customer may restrict or block Adobe Flash cookies via the website of Adobe. If Customer restricts or blocks them, certain elements of the Website may become inaccessible.

Third party cookies:

Reputable partners aid Service Provider in analysing Webpage statistics, and analytics companies such as Google Analytics, Quantcast, Nielsen and ComScore may also place cookies on the Customer’s device.

Users may disallow Google cookies on the page used for the disabling of Google ads.

On http://www.networkadvertising.org/choices/ there are further means to deny other, third party cookies from being used.

Control of cookies:

Most cookies enable Customers to control cookie usage via their settings. However, if Customer restricts the usage of cookies, this may hinder user experience, since it will no longer be customised. Customer may also stop the saving of personal settings, such as the saving of login information.

If Customer does not wish for Service Provider to use cookies when User visits the webpage, they may refuse usage under their settings page. In order to let Service Provider know that the Customer has refused usage of cookies, a denial cookie is placed on the Customer’s device, thus, Service Provider will know that no cookies may be placed on the device upon the next visit of the webpage. If the Customer does not wish to receive cookies, they may change their browser settings accordingly. If no such change has been made, Service Provider will view Customer as having given consent to the sending of any kinds of cookies. The Website shall not function completely without cookies.

For further information of cookies, including types, management and removal, visit Wikipedia.org or www.allaboutcookies.org or www.aboutcookies.org.

The users are able to control cookies on the following websites: https:\\www.aboutads.info/choices and https://www.youronlinechoices.eu

2                    Who manages your personal data, and who has access to them?

The data controller

The controller of the personal data specified under point 1.2.3. – 1.2.6 hereto is Simple, meaning OTP Mobile Service Llc., the company data of which are as follows:

OTP Mobile Service Limited Liability Company.

Company reg. no.:    01-09-174466

Tax no.:                     24386106-2-43

Seat:                         1093 Budapest, Közraktár u. 30-32. RiverPark irodaház, K30 VII. emelet

Postal address:         1093 Budapest, Közraktár u. 30-32.

Represented by:      Péter Benyó managing director (availability: Budapest, Közraktár u. 30-32. RiverPark irodaház, K30 VII. emelet; ugyfelszolgalat@simple.hu)

E-mail address:         ugyfelszolgalat@simple.hu

Telephone:               06   1 3666 611

                                 06 70 3666 611

                                 06 30 3666 611

                                 06 20 3666 611

On behalf of Simple, the data is accessible to the employees of Simple whose access is essential to the performance of their duties. Access authorizations are specified in a strict internal code.

Data processors

For the processing of the personal data of representative and contact persons, we engage the following companies, with whom we have entered into data processor agreements and to whom we forward your data necessary for the fulfilment of the aforementioned purposes.. The following data processors conduct the processing of personal data:

Data processors’ name and address

Purpose of data processing

OTP Bank Plc. (seat: 1051 Budapest, Nádor u. 16.; Reg. Nr.: 01-10-041585;   Tax Nr.: 10537914-4-44)

providing online bank card payment service in the Simple System, bank card authorization

providing Simple with IT infrastructure

 operation of the Simple Customer Service

Microsoft Corporation (USA - One Microsoft Way
Redmond, Washington 98052)

provider of Microsoft 365 cloud service

Mastercard Europe SA, Reg. Nr.: RPR 0448038446, seat: 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium

and

Mastercard International Incorporated (seat: 2000 Purchase Street, Purchase, New York 10577, USA)

conclusion of online bank card payment

Visa Europe Services LLC (registered int he USA,  Delaware, acting through its London Branch Office (Reg. no of the Branch: BR007632) registered office: 1 Sheldon Square, London W2 6TT, VAT No: GB 840 111 776)

conclusion of online bank card payment

American Express Services Europe Limited (registered office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9AX, United Kingdom, Reg. No: 1833139, Registered by: Companies House)

conclusion of online bank card payment

The Rocket Science Group LLC d/b/a MailChimp (seat: Georgia

675 Ponce De Leon Ave NE, Suite 5000
Atlanta, Georgia 30308)

sending out of the newsletters, storage of the e-mail addresses in the newsletter database

SendGrid, Inc. (1801 California Street, Suite 500 Denver, Colorado 80202, USA)

sending out of the newsletters, storage of the e-mail addresses in the newsletter database

Wyze PFM LLC (seat: 1118 Budapest, Brassó út 144. 1st floor 6.; Reg Nr.: 01-09-291453; Tax Nr.: 25829237-2-43)

operation, maintenance, troubleshooting and development  of the IT background of SimpleBill service

Aggreg8 LLC (seat: 6721 Szeged, Zárda u 8.; Reg Nr.: 06-09-023518, T: 25930423-2-06)

development and improvement of the software background of SimpleBill service

KBOSS.hu Kft., (Számlázz.hu, 1034 Budapest, Bécsi út 126-128., Reg. No: 01-09-303201, VAT No: 13421739-2-41)

electronic billing services

 N-Ware Kft. (Billzone.eu, 1139 Budapest, Gömb utca 26., Cg.: 01 09 921789   adószám: 14825679-2-41)

electronic billing services

Facebook, Inc. (USA)

Profiling, advertising, analytics and measuring, online behavioural advertising

GOOGLE LLC (USA - Google Data Protection Office, 1600 Amphitheatre Pkwy
Mountain View, California 94043)

Profiling, advertising, analytics and measuring, online behavioural advertising

Information regarding data transfer to abroad:

Google LLC and its member companies, Facebook, Inc., The Rocket Science Group LLC (Mailchimp), SendGrid, Inbc. and Microsoft Corporation is the member of the USA- EU Privacy Shield List created on the basis of the adequacy decision of the European Commission according to Article 45 of GDPR and decision 2016/1260 of the European Commission. It means that data tranbsfer to those entities shall not be deemed as data transfer to third countries outside the Eurpoean Union and the affected persons’ specific consent is not needed as well as the data trabnsfer to those entities is allowed. Those entities undertokk the compliance with the GDPR.

3                   Who is the data protection officer of Simple and what are his contact details?

János Weiner

Contact:    

a)      Simple offices (1093 Budapest, Közraktár u. 30-32.)

b)      e-mail address: weiner.janos@otpmobil.com

c)      Postal address: 1093 Budapest, Közraktár u. 30-32.

4                   To whom do we forward your personal data?

The following type of data from your personal data are transferred to the following recipients based on our agreement concluded with them (beside of the aforementioned data processors):

Recipient of data transmission

Category of transmitted data

I. T. Hungarian Cinemas LLC. (1132 Budapest Váci út 22- 24. 1st floor.; Reg nr.: 01- 09- 663 792)

E-mail address, name, user customer ID, data of the purchased cinema ticket, amount paid for the cinema ticket, date of the payment transaction of the users purchasing cinema ticket within Cinema City card.

Nemzeti Mobilfizetési Zártkörűen Működő Részvénytársaság

(1027 Budapest, Kapás utca 6-12. Reg. no: 01 10 047569; VAT No: 24151667-2-4)

In case of purchase of parking tickets and e-vignette, the following data shall be transmitted: vehicle’s licence plate, vehicle’s country denomination, parking location, type of the vehicle, data of the purchased vignette (type, period of validity).

Interticket Kft. (registered office: 1139 Budapest, Váci út 99., Reg. No: 01-09-736766, VAT No: 10384709-2-41)

In case of purchase of Ticket: the data, price of the ticket purchased and the e-mail addree of the User purchased the Ticket

EURÓ Magyarország Kft. (1132 Budapest, Victor Hugo utca 11-15. 3. em. 310.; Cg.: 01 09 075576; VAT No: 10526141-2-41; pizza.hu)

In case of the use Food order service: name, e-mail, delivery address, billing name and address

Jegymester Kft. (www.jegy.hu; 1065 Budapest, Bajcsy-Zs út 31.; Cg.: 01 09 369537; VAT No: 12033791-2-42)

In case of purchase of the Ticket: name, e-mail address

Libri-Bookline Kereskedelmi Zrt. (1066 Budapest, Nyugati tér 1.; Cg.: 01 10 044841; VAT No: 12921360-2-42)

In case of purchase in Bookline card: Bookline ID, e-mail address, delivery address, billing name and address

Főtaxi Zrt. (1087 Budapest, Kerepesi út 15.; Cg.: 01 10 042322; VAT No: 10873498-2-42)

In case of Taxi ordering: name, phone number, location of Taxi ordering

Budapest Film Zrt. (1054 Budapest, Bajcsy-Zsilinszky út 36-38. félemelet; Cg.: 01 10 042453; VAT No: 10906110-2-41)

In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.

L-Coffee Kft. (1062 Budapest, Teréz krt. 55-57.; Cg. 01-09-959271; VAT No: 23305416-2-42 – Costa Coffee)

In case of fixing, registering and activating Costa Coffee loyalty card under Loyalty card function the following data are transferred: store id, card number, e-mail address, full name, birthdate, zip code, number of loyalty points

The aforementioned entities are independent data controllers of the data transferred to them.

5                   What rights do you have regarding the processing of your data, and how can you exercise them?

a)      Right of access: they may inquire as to what employee data is managed, for what purposes, for how long, to whom do we forward them, and where the data originates from.

b)     Right of correction: should their data change or be recorded wrong, they may request that this be rectified or corrected.

c)      Right of deletion: in instances specified by law, they may request that we delete their stored personal data.

d)      Right of restriction: in instances specified by law, they may request that data management be restricted regarding their personal data.

e)      Right to data portability: the subject may request the porting of their personal data, in which case we hand over their stored data either to them, or directly to a data controller of their choosing, if such is technically safe.

The right to data portability request form can be downloaded from the link below: OTP_Mobil_Kft_adathordozhatosagi_kerelem_form.pdf

In cases of such requests, we conduct ourselves pursuant to applicable law, and will provide information on the rendered measures in one month.

f)       Right to revoke consent: in cases where personal data is managed by the consent of the subject, they have the right to revoke such consent at any time, which does not affect the legality of data management conducted prior to the revocation

g)      Right of complaint: should you have any complaints or grievances regarding our data management, you have the right to lodge a complaint by the supervisory authority:
National Authority for Data Protection and Freedom of Information
Website:                 http://naih.hu
Postal address:       1530 Budapest, Pf.: 5.
E-mail:                    ugyfelszolgalat@naih.hu
Telephone:             +36 (1) 391-1400
Moreover, you may file a suit against Simple before the Municipal Court of Budapest if your personal data has been infringed upon.

h)      Right to object:

-          If we manage your personal data on the basis of Legal Interest, you are entitled to object against this data management based on Legal Interest.

-          You are antitled to object against the data management for the purpose of profiling.

In case of your objection, we do not manage their personal data any further.

6                   How do we ensure the safety of your data?

We follow an extensive information security ruleset regarding the provision of safety concerning the data and information under our governance, the knowing and following of which is mandatory for all our staff.

Our staff is regularly trained and coached in matters of data and information security.

6.1               Data security in IT infrastructure

We store personal data on our central server, to which only a select and close employee group have access, per strict access control rules. We regularly test and check our IT systems in order to ensure and maintain data and information security.

We fulfil data security obligations by complying with the PCI DSS certificate, which entails enacting the strictest banking security regulations regarding our systems and our data governance.

Office workstations are password protected, third-party storage devices are restricted and may only be used following approval.

Protection against malicious software is provided regarding all of the systems and system elements of the Service Provider.

During the planning, development, testing and operation of programs, applications and tools, we address security functions separately and with emphasis.

When allocating authorisations to our IT systems, we pay close attention to the protection of data (e.g. passwords, authorisations) affecting these systems.

6.2             Data security in communications

Regarding electronically forwarded messages and data, we conduct ourselves regarding our Key Management bylaws. In order to comply with the principle of safe transfer of data, we ensure the integrity of both the data of the controller and the user. For the prevention of data loss and damage, we use error detecting and correcting procedures. The application’s passes, authorization data, safety parameters and other data may only be forwarded under encryption We use network endpoint-to-endpoint authorization checking in order to ensure accountability and auditability.

Our implemented security measures detect unauthorized modifications, embedding and repetitive broadcasting. We prevent data loss and damage by fault detecting and correcting procedures and we ensure the prevention of deniability.

Regarding the network used for data transmission, we provide defense against illegal connection and eavesdropping per an adequate security level.

6.3             Data security in software development and programming

In development of the Simple Application, we implement the measures of data safety and security even into the planning stage, which we uphold during the entire course of development.

We separate the development environment from the live one, as well as development data from live data, and we depersonalise personal data in development, where possible.

We keep the requirements of safe coding in development, we use platform- and programming language-dependant technologies to avoid frequent damage risks, moreover, we follow the latest industry best practices regarding code examination (e.g. például OWASP Top 10 Guide, SANS CWE Top 25, CERT Secure Coding)

We constantly follow procedures to identify newfound vulnerabilities, we regularly coach our developers regarding data security and we standardise our programming techniques to avoid typical errors.

The checking of completed code is conducted pursuant to the principles of safe coding, and documented with alteration tracking procedures in order to ensure proper documentation.

6.4             Data security in document management

We comply with data security requirements in document management as well, which we stipulate in document management by-laws. We manage documents by pre-set access and authorization levels, based on the level of confidentiality regarding the documents. We follow strict and detailed rules regarding the destruction of documents, their storage and handling at all times.

6.5             Physical data security

In order to provide physical data security, we ensure our physical barriers are properly closed and locked, and we keep strict access control regarding our visitors at all times.

Our paper documents containing persona data are stored in a closed locker that is fire- and theft-proof, to which only a select few have authorised access.

The rooms where storage devices are placed in have been made to provide adequate protection against unauthorised access and breaking and entering, as well as fire and environmental damage. Data transit, as well as the storage of backups and archives is done in these confined locations.

Backup data storage units are stored in a reliably locked area, with containers having a minimum of 30 minutes’ fireproofing time.

7                    What procedure do we follow upon an incident?

Pursuant to applicable law, we report incidents to the supervisory authority within 72 hours of having gained knowledge thereof, and we also keep records of them. In cases regulated by applicable law, we also inform subjects of the incidents, where necessary.

8                   When and how do we amend this notice?

Should the scope of data, or the circumstances of data management be subject to change, this notice shall be amended and published on www.simple.hu within 30 days, as is required by GDPR. Please pay attention to the amendments of this notice, as they contain important information regarding the management of your personal data.