1.1 PRIVACY NOTICE

regarding the Simple Application and Simple Website

Effective from: March 1^st, 2019

The developer and provider of the Simple Application and System, OTP Mobile Ltd (company reg. no. 01-09-174466; seat: 1093 Budapest, Közraktár u. 30-32.; hereafter referred to as: Simple) hereby informs the Users of the data management in the Simple Application, Simple Website (www.simple.hu), the Simple System and on the Simple Facebook Page ((https://www.facebook.com/simplehungary/) as follows, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation (hereafter referred to as GDPR).

The terms herein and the phrases beginning with capital letters are to be understood as those in the General Terms and Conditions on Simple System (hereafter: Simple GTC).

Simple is entitled to modify tThe present Privacy Notice in any time. The present Privacy Notice is published pn the Simple Website and also is available in the Simple Application. The present Privacy Notice takes into effect by publishing.

1. What personal data do we manage in the Simple System, for how long, for what purposes and by what authorization?

The legal bases for our data processing are the following:

a) GDPR Article 6 (1) a) where the processing is based on the informed consent of the data subject (hereafter referred to as Consent)

b) GDPR Article 6 (1) b), on where processing is necessary for the performance of a contract to which the data subject is party (hereafter referred to as Conclusion of Contract)

c) GDPR Article 6 (1) c) where data processing is necessary for the fulfillment of or compliance with a legal obligation of the data controller (e.g. obligations with tax statues – hereafter referred to as Compliance)

d) GDPR Article 6 (1) f) where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereinafter referred to as: Lawful Interest)

e) the data processing authorization afforded by Article 13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services, where data controllers are authorized to process the natural identification data and home address of the recipients without the need for consent, as required for contracts for information society services, for defining their contents, for subsequent amendments and for monitoring performance of these contracts, for invoicing the relevant fees, and for enforcing the claims arising out of or in connection with such contracts., moreover, where data controllers are authorized to process natural identification data and home address for the purposes of invoicing for the fees payable under the contracts for the provision of information society services to the extent related to the use of information society services, and information relating to the date, the duration and the place of using the service. (hereafter referred to as E-Commerce)

The legal basis for the data processing is specified below, per data categories and by reference to the elements of the above list.

1.1. Data managed in general within the Simple System

1.1.1. Data processing relating to Simple account, Simple profile and Simple registration

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management d) User identification e) Ensuring communication	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a), d) and e): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest Fraud prevention and management	For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).
	e-mail address*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges f) Claim and law enforcement, fraud prevention and management c) User identification d) Ensuring communication	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a), d) and e): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	phone number*	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	password*	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	e-mail address pertaining to a Facebook account(if it differs from the e-mail address of the Simple account)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	name pertaining to a Facebook acount (if it differs from the name given in the Simple acocunt)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	avatar pertaining to a Facebook account (profile picture)	From Subject	a) User identification b) Personalizing the User account	GDPR Article 6 (1) a) Consent	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	e-mail address pertaining to a Google account (if it differs from the e-mail address of the Simple account)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	name pertaining to a Google account (if it differs from the name given in the Simple acocunt)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	Age data (under 16 years or not) *	From Subject	a) Ascertaining of parental consent necessity	GDPR Article 6 (1) c) Fulfilment of legal obligation – Request of parental consent	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User.
	Phone identification code	Generated by the data conroller	a) User identification b) Ensuring communication	GDPR Article 6 (1) a) Consent	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data Simple account registration and the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

Simple is the data controller.

Presentation of Lawful Interest: Certain data as indicated above are processed 6 months after the deletion of your Simple account and your Simple registration was effectuated by you, because this period is necessary for the settlement of our contracts with the card companies and cooperating partners, for the examination of the possible fraud-suspicious transactions and for the claim and law enforcement in connection with them. This data processing for the purpose of settlement, fraud prevention and examination and claim and law enforcement does not concern the exercise of your other moral or fundamental rights; however, it is necessary for us and for our cooperating partners to enforce and fulfil our fraud prevention legal obligations set out by law.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.1.2. Data processing relating to the general use of Simple System

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	ID of the concluded transaction	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	price of the concluded transaction	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).
	Subject of the concluded transaction (purchased product, service)	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information).
	Shipping address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement, fraud prevention and management	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Billing name and address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 8 years from the deletion of Simple account and Simple registration by the User (reason: billing information)
	GPS coordinates, if the User has authorized it	From Mobile device	Profiling – displaying of behavioural advertisements, learning about customer preferences	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

Simple is the data controller.

1.1.3. Data processing relating to Simple customer service

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple and turning to the customer service	name*	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	e-mail address*	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	registration number	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	phone number	From Subject	a) User identification b) Communication with the User in course of complaint management c) Complaint management	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	recorded phone call	From Subject	a) User identification b) Quality assurance c) Protection of consumers’ rights d) Proof of the content of the complaint e) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	subject of complaint	From Subject	a) Complaint management b) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	parameters of transaction in question	From Subject	a) Complaint management b) Claim and law enforcement	GDPR Article 6 (1) f) Lawful Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.

Data marked with * are mandatory to fill in.

Simple is the data controller.

Indication of Lawful Interest in accordance with GDPR Article6 (1) f): the data processing within the scope of making a complaint, examination, settlement and management of the complaint, including the recording of phone calls, is your and our common interest, as well as the interest of the service providers of the services available within Simple Application, since the processing of these data is necessary for the enforcement of our consumer and civil rights and interests in connection with the the purchase made, service used within Simple Application.

The processing of your personal data hereunder is not precluded by your right to self-determination of recorded voice, since your personal freedoms are not infringed upon, since at the very beginning of the phonecall, you are duly informed regarding the recording of audio that is to commence, leaving you ample opportunity to decide on continuing with the phonecall, or terminating it. The same services and solutions are also available via e-mail customer service, thus, you have a choice regarding the addressing of your complaint.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2. Personal data processed specifically within the scope of certain services of Simple System

1.2.1. Parking

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Vehicle’s licence plate*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Vehicle’s country denomination*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Parking location*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Parking function is not possible.

The data controller is Simple.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.2. Purchase of motorway vignettes

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Vehicle’s licence plate *	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Vehicle’s country denomination *	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Type of the Vehicle*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Data of the purchased vignette (type, period of validity)*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Purchase of motorway vignette function is not possible.

The data controller is Simple.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.3. Food Courier, ordering food

a) when placing orders based on the portfolio of pizza.hu

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Shipping address*

From Subject

a) Concluding the contract, determination of its content, modification, completion thereof

b) Invoicing of contractual charges

c) Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Food Courier function is not possible.

With respect to the data listed in the present section Simple is to be construed as data processor of Euro Hungary LLC, service provider of pizza.hu, who process these data as data processor. The data controller of these data is Euro Hungary LLC.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

b) when placing orders based on the portfolio of netpincer.hu

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Shipping address*

From Subject

d) Concluding the contract, determination of its content, modification, completion thereof

e) Invoicing of contractual charges

f) Claim and law enforcement

In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act

In case of processing purposes of column D/a) and b):

GDPR Article 6 (1) b) Conclusion of Contract

In case of processing purposes of column D/c):

GDPR Article 6 (1) f) Lawful Interest

For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Food Courier function is not possible.

With respect to the data listed in the present section Simple is to be construed as an individual data controller, with the data being forwarded to Viala LLC, service provider of netpincer.huwho process these data as an individual data controller of their own, managing the data by their own conditions and per their own data management notice.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.4. Bookline order

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Data of Bookline account (name, e-mail address)*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Mode of shipping*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Shipping address*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purpose of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Order name*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purpose of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Bookline order function is not possible.

With respect to the data listed in the present section Simple is to be construed as data processor of Libri-Bookline LLC. operator of bookline.hu online webshop, and processes these data as data processor. The data controller of these data is Libri-Bookline LLC.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.5. Taxi order

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Taxi order address*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purpose of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Phone number*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Communication with User c) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purpose of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	Order name*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purpose of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Taxi order function is not possible.

With respect to the data listed in the present section Simple is to be construed as data processor of Főtaxi Ltd. service provider of Főtaxi, and processes these data as data processor. The data controller of these data is Főtaxi Ltd.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.6. OTP Health Fund balance check and upload

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	OTP EP card number*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	OTP EP card telecode*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	OTP EP card balance	OTP Országos Egészség- és Önsegélyező Pénztár (National Health and Self-care Fund)	a) Concluding the contract, determination of its content, modification, completion thereof	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	OTP EP card charged amount*	From Subject	b) Concluding the contract, determination of its content, modification, completion thereof c) User identification d) Claim and law enforcement	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the OTP EP card check and upload function is not possible.

With respect to the data listed in the present section Simple is to be construed as data processor of OTP National Health and Self-care Fund, and processes these data as data processor. The data controller of these data is OTP National Health and Self-care Fund.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.7. Loyalty Card

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Data of the saved Loyalty Card *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

GDPR Article 6 (1) b) Conclusion of Contract

3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data the use of the Loyalty Card function is not possible.

Simple is the data controller.

Use of the Loyalty Card function is prohibited for the purpose of fixing and saving any card eligible for the identification of a person, in particular ID card, address card, driving license, passport, tax ID card, Social security card, student crd, EU social security card, other ID card containing personal data with or without photo, entering card. In case of fixing and saving such cards as Loyalty Cards, Simple is entitled – but not obliged – to erasure them from the Simple System. Simple does not undertake to store such kind of cards or to manage personal data in connection with those cards; Simple does not undertake any responsibility or liability for that and excludes its liability regarding that.

In case of fixing, registering and activating the Costa Coffee loyalty card in the Loyalty card function – according to the contract between Simple and Costa Coffee – the Simple manages, stores and transfer the Costa Coffee card number, e-mail address, full name of card owner as well as the optional data such as birthdate, zip code and store id. The aim, legal basis and duration of those data management is as same as indicated in the above chart of other loyalty card data. In case of registering Costa Coffee loyalty card Costa Coffee transfers the loyalty points to be given after the purchase with the card to the Simple system; Simple stores those data connected to the card.

1.2.8. Wallet

1.2.8.1. Support for bank transfer

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Number of the sender bank card registered within Simple*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
Holder of the recipient bank card	Number of the recipient bank card*	From Simple User	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
Holder of the recipient bank card	Recipient Simple User’s e-mail address*	From Simple User	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Support for bank transfer function is not possible.

With respect to the data listed in the present section Simple is to be construed as data processor of OTP Bank Plc, and processes these data as data processor. The data controller of these data is OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.2. Banking balance inquiry

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Number of the sender bank card registered within Simple*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
User registered within Simple	account balance	From OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of the Banking balance inquiry function is not possible.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.3. Bank card registration within Simple System

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name on bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	number of bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	expiration date of bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	name of the bank issuing the bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	bank card CVV/CVC code*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	name of bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof	GDPR Article 6 (1) b) Conclusion of Contract	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data the use of the Bank card registration function is not possible.

Simple is the data controller.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.4. NFC-payment

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name on the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	number of the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	expiration date of bank card *	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	name of the bank issuing the bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	bank card CVV/CVC code*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.
	phone number*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Transaction authentication d) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a), b) and c): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/d): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter.

Data marked with * are mandatory to fill in, without these data the use of NFC-payment function is not possible.

OTP Bank Plc. is the data controller, Simple processes the data of the bank card suitable for NFC-payment on behalf of OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.8.5. Simple card payment

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	date of birth	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	phone number	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	e-mail address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest In case of processing purposes of column D/ b): GDPR Article 6 (1) c) Fulfilment of legal obligation – identification as per the Credit Institutotions Act	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	name on the bank card*	from OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	number of bank card*	from OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	expiration date of bank card*	from OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	name of the bank issuing the bank card	from OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	bank card CVV/CVC code*	from OTP Bank Plc.	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data the issuing of Simple Card may not be ordered.

OTP Bank Plc. is the data controller, Simple processes the data of Simple Card on behalf of OTP Bank Plc.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.9. SimplePay Hero Wallet

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name on the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	number of the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	expiration date of the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	name of the bank issuing the bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement, prevention and management of fraud	In case of processing purpose of column D/a) GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	bank card CVV/CVC code*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data the issuing of Simple Card may not be ordered.

Simple is the data controller.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.10. Simple Bill

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple and Simple Bill	utility provider’s client/consumer/consumer location ID *	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	notification address as registered at the utility provider	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	address of place of consumption	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	name of party contracted with the utility provider	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	contractual account number at utility provider	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	name of the invoiced party	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	address of the invoiced party	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter
	amount to be paid to the utility provider	from the utility provider	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Lawful Interest	For the conclusion of the contract and for invoincing: 3 months from the deletion of Simple account and Simple registration by the User. By lawful interest: 6 months thereafter

Data marked with * are mandatory to fill in, without these data SimpleBill service shall not be used.

The data controller is the utility provider pertaining to the given bill payment transaction to which Simple acts as data processor regarding the data specified above.

The User is entitled to object against the data management based on the aforementioned lawful interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.11. Sending out of Invitation

Subject

Data Category

Data origin

Purpose of data management

Legal basic of data management

Duration of data processing

Recipient of the invitation

e-mail address*

User registered within Simple

Concluding the contract, determination of its content, modification, completion thereof

User identification

GDPR Article 6 (1) f) Lawful Interest

30 days calculated from the sending of the Invitation.

Data marked with * are mandatory to fill in, without these data the Invitation shall not be sent.

Simple is the data controller. Simple is the recipient of the data transmission carried out by User as data controller.

Within the Simple System you can send out Coupons, Tickets, messages, recommendations, invitations (hereinafter referred to as Invitation) promoting and encouraging the use of the Simple System and all the services therein, to unregistered third parties, whose email addresses you know (hereinafter referred to as Recipient).

When sending out such Invitations you only type in the Recipient’s name and email address in the appropriate field of Simple System.

By sending out the Invitation you thereby accept that you can only send invitations to such Recipients who have given their prior consent to the use of their name and email address for the purpose of receiving such Invitations. We do not take responsibility if you failed to get the Recipient’s consent to the use of his or her information in order to send out an Invitation or in case you provided an inaccurate email address of the Recipient. By sending out the Invitation you authorize us to send it out to the given Recipient in your name and on your behalf in such a way that due to some technical particularities the sender will appear as Simple, however the Invitation will be considered to have been sent by you and not us and the content of the Invitation will not be considered as an offer made by us, as advertisement or as another direct way of marketing communication.

By using the Invitation service you accept that a part of the Message is determined by us and that part cannot be erased by you. The content determined by us may include information about the Simple System and/or the Application.

You can only send messages that are corresponding with the law as well as with ethical, moral, and social norms. The message shall not include onscene, infringing contents or contents that unjustifiably infringe or contravene others’ rights or legitimate interests. Moreover, the content determined by the sender shall not be defamatory or detrimental to Simple System, the Application, and the Service Provider as well as to their reputation.

The personal data of the Recipient provided by you (name and email address) are only stored for Invitation delivery purposes.

1.2.12. Sending of electronic direct marketing messages via e-mail, in-app or push notification or in any similar way

Simple sends direct marketing messages to the Users who granted consent to it in which Simple sends news, novelties, promotions, advertisements, offers, gambling and other marketing content via electronic communication which can be e-mail message sent to the User’s e-mail address, notification sent to the User’s Simple account, in-app message, push notification, and any other message sent via similar electronic, online network.

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.
User registered within Simple	e-mail address*	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.
	In case of push notification and in-app messages: Simple account	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data it is not possible to subscribe to the newsletter.

Simple is the data controller.

1.2.13. Prize game, promotional game

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Participation in a promotion or prize game, Communication, Notification of the User about the result, User identification	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.
User registered within Simple	e-mail address*	From Subject	Participation in a promotion or prize game, Communication, Notification of the User about the result, User identification	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data it is not possible to participate in the prize game, promotion. Data controller is Simple.

1.2.14. Sending system messages via e-mail, in-app or push notification

Simple sends system messages to the registered Users from time to time. System messages are messages regarding the operation, service breakout, maintenance, traoubleshooting, functions of Simple System, change of these functions, availability of new functions of Simple System, the range of the services available in Simple System, way of use of these services, the General Terms and Conditions and Privacy Notice of Simple System or the modification thereof, rights and obligations of the Users concerning Simple System and also including the confirmation messages, notifications, confirmations sent in connection with the use of the services in Simple System, electronic bills, receipts and invoices.

For the purpose of sending system messages, Simple manages the following personal data:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract
User registered within Simple	e-mail address*	From Subject	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract
	In case of push notification: Simple account	From Subject	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract

Data marked with * are mandatory to fill in, without these data it is not possible to send system messages. Data controller is Simple.

1.2.15. Data processing concerning questionnaires and other requests for data

Simple regularly sends questionnaires and requests for data to the Users concerning their opinion about the Simple System and the Services available therein, their behaviour related to the Simple services, their ownership, financial status or other characteristics, which can be connected to the Simple services. Simple sends those questionnaires and requests for data in e-mail, in-app messages, push notifications or displays them in any other electronic way. Simple processes the Users' personal data related to the questionnaire and requests for data and their answers of the questions in the following way:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered in Simple System	name	From data subject	a) Increasing the effectiveness, further development of Simple Application, development of new products b) measuring the use of Simple Application, preparing statistics c) profil making: analysing and predicting the personal characteristics and preferences of the Users and based on that sending customised offers, advertisements to the users who have granted separate consent to receiving electronic direct marketing messages	In case of purposes in column D/a) és b): GDPR 6. cikk (1) bek. f) point: Legitimate interest In case of purpose in column D/c): GDPR 6. cikk (1) bek. a) point: Consent	Until deletion of Simple registration
	e-mail address	From data subject			Until deletion of Simple registration
	in case of push and in-app messages: Simple account	From data subject			Until deletion of Simple registration
	answers of the questions	From data subject			Until deletion of Simple registration

The data controller of the aforementioned data is Simple.

The legitimate interest:

a) Increasing the effectiveness, further development of Simple Application, development of new products: Simple has legitimate business, economic interest to know the opinion of the Users about the Simple System, the Users’ purchases and habits in the Simple System, their preferences and other personal characteristics related to the Simple services in order to develop the Simple System in such a way which meets the Users’ expectations and answers real market needs.

b) Measuring the use of Simple Application, preparing statistics: Simple has legitimate business, economic interest to know on the basis of the answers of the questionnaires that which services are used or not used by the Users, are there needs or there are not from the side of the Users, and to prepare business statistics based on those information which serve as the basis of business decisions.

The Users are entitled to object against the data processing based on legitimate interest which can be submitted to Simple in e-mail to ugyfelszolgalat@simple.hu e-mail address or in letter via post.

Simple uses the answers of the questionnaires for profiling based on automated decision making in case of the Users who have granted specific consent to it; Simple sends or displays targeted, online behaviour based electronic advertisements based on the result of profiling to the Users who have granted separate consent to receiving electronic direct marketing messages.

In case of those Users who have not granted consent to the profiling based on automated decision making but granted consent to receiving electronic direct marketing messages, Simple is profiling their answers of the questionnaire manually and sends or displays targeted, online behaviour based electronic advertisements to them based on the result of profiling.

In case of those Users who have not granted consent to receiving electronic direct marketing messages, Simple does not use the answers of the questionnaires for profiling and Simple does not send to them targeted, online behaviour based advertisements.

You find the detailed provisions for profiling in the next clause.

1.2.16. Data processing concerning the Cheque payment service

In the Cheque payment service during the reading of the QR code Simple as data processor processes Users’ personal data necessary for fixing the QR code and fulfilling the payment in the transaction for the request and according to the instructions of Magyar Posta Zrt., on the basis of the agreement and data processing agreement concluded with Magyar Posta Zrt. Concerning this data processing Magyar Posta Zrt. is the data controller and Simple is data processor. The Privacy Notice of Magyar Posta Zrt. shall apply to this data processing.

Simple acts as Magyar Posta Zrt.’s data processor only in case of services initiated with reading the Post QR Code. Simple is data controller in connection with any other services, products available in Simple Application and with the general use of Simple Application and the present Privacy Notice shall apply for these data processing activities.

Simple processes for the request and instructions of Magyar POosta Zrt. the following personal data as data processor:

- Status of the payment

- VPOS bank ID

- e-mail address

- transaction ID.

Magyar Posta Zrt. as data controller determines the purpose, legal basis, duration of the aforementioned data processing in its Privacy Notice.

1.3. What type of data do we collect of you automatically, why do we profile your data, and what effects could this have on you?

1.3.1. How and what type of data do we collect of you automatically?

In course of the use of Simple System via mobile application we run cookies and similar technologies on your phone to help your identification and the recognition of your data so that you don’t have to type them in every time, as well as to get to know your interests more in order to send you customized offers. We also use these cookies to improve the user-experience, and to increase the security and efficiency of Simple System and Application, as well as to publish advertisements. These data are not provided by the user, we are the ones collecting them from you while you use the application.

A) Regarding iOS mobile devices:

A	B	C	D	E
Subject	Data Category	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	language of the application	a) Personalization of the application, b) Communication, c) Determination of the language of automatic notifications	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	unique hardware ID generated upon installation	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	key chain data required to identify and authenticate the User	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	e-mail address used for logging in	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	type of log in(e-mail, Google+ or Facebook account)	User identification	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	hashed version of the user password hashelt for the tasks requiring stonger authentication (e.g. payment)	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	regarding EP card upload, the number of the most recently used EP card is saved	Streamlining, customizing the application, increasing user experience	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	regarding money transfer function, the number of the most recently used bank card is saved	Streamlining, customizing the application, increasing user experience	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	date of last password modification	Ensuring safety	GDPR Article 6 (1) b) Fulfilment of the contract	Until the deletion of the application
	date of last log in	a) Ensuring safety, b) Understanding of circle of interests, c) Customizing the application, d) Displaying advertisement, sending of personalized offer	In case of column C/a) purpose: GDPR Artcile 6 (1) b) Fulfilment of the contract In case of processing purposes of column C/b) – d): GDPR Article 6 (1) a) Consent	Until the deletion of the application
	maximum amount of payment without password	Ensuring safety	GDPR Artcile 6 (1) b) Fulfilment of contract	Until the deletion of the application
	registration date	a) Understanding of circle of interests, b) Customizing the application, c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	registration channel	a) Understanding of circle of interests, b) Customizing the application, c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	fact of registration from a social media network	a) Understanding of circle of interests b) Customizing the application c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application

B) Regarding Android mobile devices:

A	B	C	D	E
Subject	Data Category	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	bank card profile data (card ID, card status, card data)	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	Card transaction data (card ID, transaction timestamp ID, log)	a) User identification, b) plausibility, c) Claim and law enforcement, d) Understanding of circle of interests, e) customizing the application, f) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest In case of processing purposes of column C/d) -f): GDPR Article 6 (1) a) Consent	Until the deletion of the application
	Environmental data (latitude, longitude – location, wallett status, remote url)	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	Mobile Keys (mobile key set, ID, type, value, ID card)	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	Transaction report status data (token unique refernce, timestamp)	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	Token unique reference list (token unique reference card ID)	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	e-mail address used for logging in	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	type of log in (e-mail, Google+ or Facebook account)	a) User identification, b) understanding of circle of interests, c) customizing the application, d) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) -d): GDPR Article 6 (1) a) Consent	Until the logging out of the application
	double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	hashed user password, fingerprint encrypted version	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	Number of successful transactions	a) Conclusion of contract, b) plausibility c) Claim and law enforcement, d) understanding of circle of interests, e) customizing the application, f) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest In case of processing purposes of column C/d) -f): GDPR Article 6 (1) a) Consent	Until the deletion of the application
	regarding EP card upload, the number of the most recently used EP card is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	regarding money transfer function, the number of the most recently used bank card is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	e-mail address used for the last log in is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	user API level	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	Message center, last shown message and timestamp	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	Taxi order dialogue data	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	Parking GPS verification dialogue data	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	Wallet PIN	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	Wallet app payment ID	User identification	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	digitalization of Wallet Card ID	a) User identification, b) Conclusion of contract, c) plausibility d) Claim and law enforcement	In case of processing purpose of column C/a) and b): Fulfilment of contract In case of processing purposes of column C/c) and d): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	unlocked phone timestamp	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the logging out of the application
	mobile payment being blocked by EULA	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	safe keyguard	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	changed Keyguard	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	Simple is not the default payment application	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	Application settings (language, newsletter subscription, fingerprint ID usage, notifications, Facebook connection in place or not, parking notifications, taxi notifications, cinema notifications)	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	date of last password modification	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	date of last log in	a) Ensuring safety, b) Understanding of circle of interests, c) customizing the application, d) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) - d): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	maximum amount of payment without password	Ensuring safety	GDPR Article 6 (1) b) Conclusion of Contract	Until the deletion of the application
	registration date	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	registration channel	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	fact of registration from a social media network	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application

1.3.2. Profiling

A) What are the purposes, legal basis of our profiling and what data categories do we use for that?

The data collected from your mobile device automatically referred in clause 1.3.1 and the data given by the Users in the questionnaires defined in clause 1.2.15. are connected to the data indicated in clauses 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4 and 1.2.5 hereof which you have provided when registering in the Simple Application and to the data you have given when using other Simple services as well as to the data you have provided on websites operated by us e.g. www.simple.hu, www.simplepay.hu, www.simplepartner.hu, www.mozizzunk.hu, www.mozi-filmek.hu, www.simplejatekok.hu, www.nyerjamatricaddal.hu, www.penzugyekonline.hu, www.nyerjegyszeruen.hu, www.utazzegyszeruen.hu, www.mentsdegyszeruen.hu including the data we have automatically collected of you there and indicated in the privacy notices of those websites. Finally, all the above data are assigned to you personally. The database we have created of you is being used and processed for the following purposes and on the following legal basis:

a) Increasing the effectiveness, further development of Simple Application, development of new products: legal basis is GDPR (1) f) point: Legitimate interest: Simple has legitimate business, economic interest to know the opinion of the Users about the Simple System, the Users’ purchases and habits in the Simple System, their preferences and other personal characteristics related to the Simple services in order to develop the Simple System in such a way which meets the Users’ expectations and answers real market needs.

b) Measuring the use of Simple Application, preparing statistics: legal basis is GDPR (1) f) point: Legitimate interest Simple has legitimate business, economic interest to know on the basis of the answers of the questionnaires that which services are used or not used by the Users, are there needs or there are not from the side of the Users, and to prepare business statistics based on those information which serve as the basis of business decisions.

c) Profiling and based on that sending or displaying targeted online behaviour based advertisement: assigning the aforementioned database to the profile of the User created in the Simple Application, making profile of the User, analysing and predicting personal characteristics and preferences of the User and based on that sending or displaying customised offers and advertisements to those Users who have granted separate consent to receiving direct marketing messages.

In case of data processing based on legitimate interest the User is entitled to object; in that case we do not process their data further for that purpose and on the basis of legitimate interest.

B) Information about profiling based on automated decision making

We make profiling with decision making based on automated data processing in case of Users who have granted specific consent to that according to artciles 6 (1) a) and 22 (2) c) of GDPR (legal basis of data processing is Consent). We use the profile data and characteristics based on this profiling for direct marketing purposes, e.g. for sending targeted, online behavior based advertisement only in case of Users who have granted specific consent to receiving direct marketing messages.

In case of profiling based on automated decision-making, the Users have the following rights:

- the User is entitled to request human intervention,

- the User is entitled to express their standpoint,

- the User is entitled to submit a complaint against the decision made in such a way to the Simple.

The User can submit his statement for exercising its aforementioned rights to Simple via e-mail sent to the e-mail address of ugyfelszolgalat@simple.hu or in post letter, in every case in written format.

According to Article 13 (2) f) of the GDPR, Simple provides the Users with the following information about profiling based on automated decision-making:

- significance and consequences of profiling based on automated decision-making for the User are that he will receive marketing messages and marketing messages will be displayed to him which better meet his personal characteristics, range of interest, purchase habits, expectable predicted behaviour based on the result of the profiling carried out with automated decision-making. The User will not be out of any advantages or allowances, the price of the services remains the same, such kind of profiling based on automated decision-making will not have legal effect and will not affect him significantly.

- logic applied during the profiling based on automated decision-making: we assign the data collected about the User to the User, after that we make conclusions from the data collected of what are the preferences of the User, what kind of range of interest the User have, which services and how will the User use on the basis of his existing purchases and his online behaviour related to the Simple System, and based on those data we display or send advertisements which meet the aforementioned conclusions to the User.

In case of those Users who have not granted consent to the profiling based on automated decision making, we are profiling their answers of the questionnaire manually and we do not use automated decision-making; we use the profile data and characteristics originating from manual profiling for direct marketing purposes, e.g. for sending targeted, online behaviour based advertisements only to such Users who also have granted specific consent to receiving direct marketing messages.

In case of those Users who have not granted consent to receiving electronic direct marketing messages, Simple does not use profiling for direct marketing purposes with or without automated decision-making, we do not send to them targeted, online behaviour based advertisement. We use the data of those Users for the purpose of increasing the effectiveness, further development of Simple Application, development of new products and for measuring the use of Simple Application, preparing statistics. Legal basis of those data processing activities are Legitimate interest according to article 6 (1) f) point of GDPR.

For profiling we use Facebook Custom Audiences, Facebook Pixel and Google Analytics services. In order to reach the aforementioned goal in the framework of Facebook Custom Audience services we upload your e-mail address and phone identification number into the Facebook’s system. In case of Facebook Pixel and Google Analytics we use your data collected by them and we on an ad hoc basis combine with your data collected by us. Simple is the data controller of the data we forward to Facebook and Google as well as of the data received from them by us. Facebook and Google are the data controllers of the data collected by them. Facebook and Google is the data processor acting on behalf of Simple in case of the data collected by Simple and forwarded to them by Simple.

C) Information about the cookies we use:

It is necessary to put cookies on the user’s device for the use of Facebook Pixel and Google Analytics. We use Facebook Pixel also on the Website and in the Simple Application for advertising and Website, Simple Application analytics. Facebook Pixel puts cookies on the devices browsing the Website and/or using the Simple Application, the purposes of which are the following: creating appropriate advertising audience, measuring cross device conversions, targeting and optimising advertisements for the relevant audience, displaying personalized advertisements, preparing reports of the visitors of the Website and the application. You are able to control and set those data management activities of Facebook and Google in your Facebook and Gogle account. Furthermore, you are able to grant consent to the data collection through Facebook and Google cookies in the Simple Application and the Simple Website on your own. You are able to check those cookies in your Facebook account in Facebook Settings Ads and you can modify or set up your preferences concerning those cookies also here.

The ban on profiling, cookies and notifications may worsen the user experience; it may make the use of the application more inconvenient and may prevent you from getting personalized offers, coupons, and discounts from us in connection with the services provided in the application.

Upon visiting the Webpage and ustilising the Services, Service Provider places cookies within User’s browser and in HTML-based emails as per the regulations herein.

In general the cookie is a small file consisting of letters and numbers which is sent to the device of the User from the web server of the Service Provider. It enables for example the Service Provider to recognize the final appliance of the User when the connection is created between the web server of the Service Provider and the device. The main purpose of the cookie is to enable the Service Provider to make available individualized offers, publicity and advertisements for the User which may personalize the User’s experience during the use of the Simple System and may reflect more to the personal needs of the User.

Purpose of the cookies used by Service Provider:

a) Security: aiding and ensuring safety, moreover enabling and aiding Service Provider to detect unlawful conduct.

b) Preferences, attributes and services: cookies let Service Provider know, what language is preferred by the User, what are their communications preferences, aid the User in completing forms on the Website, making them easier to fill out.

c) Advertisements: Service Provider may utilise cookies, in order to serve Users with relevant advertisements both on the Website and off it. Certain cookies may be used, which show, whether the Users who have seen a certain advertisement on the Website, have visited the advertiser’s website later. Similarly, the Service Provider’s business partners may use cookies to ascertain, whether the Service Provider had displayed their advertisement on their Webpage, and to ascertain its performance, also, they may issue information to Service Provider on how the User conducts themselves regarding the advertisement. Service Provider may collaborate with business partners, who display certain advertisements for the User either on the Website or off it, after the user having visited the website of that partner.

d) Performance, analytics and research: cookies aid the Service Provider in understanding how the Website performs in various areas. Service Provider may use cookies, which rate, improve and search the Website, the products, functions, services, including when User enters the Website from other webpages, and the devices, such as User’s computer or mobile device.

Types of cookies utilised by Service Provider:

a) analytics, tracking cookies;

b) session cookies, which only operate during the active session (usually the webpage visit itself);

c) permanent cookies: which help in identifying the Customer as an existing user, making it easier for them to return without having to log in again. After the Customer logs in, the permanent cookie remains in their browser, withe the webpage being able to read it.

Adobe Flash is another technology equal in function to cookies. Adobe Flash is able to store data on the User’s device. Not every browser allows the removal of Adobe Flash cookies however. The Customer may restrict or block Adobe Flash cookies via the website of Adobe. If Customer restricts or blocks them, certain elements of the Website may become inaccessible.

Third party cookies:

Reputable partners aid Service Provider in analysing Webpage statistics, and analytics companies such as Google Analytics, Quantcast, Nielsen and ComScore may also place cookies on the Customer’s device.

Users may disallow Google cookies on the page used for the disabling of Google ads.

On http://www.networkadvertising.org/choices/ there are further means to deny other, third party cookies from being used.

Control of cookies:

Most cookies enable Customers to control cookie usage via their settings. However, if Customer restricts the usage of cookies, this may hinder user experience, since it will no longer be customised. Customer may also stop the saving of personal settings, such as the saving of login information.

If Customer does not wish for Service Provider to use cookies when User visits the webpage, they may refuse usage under their settings page. In order to let Service Provider know that the Customer has refused usage of cookies, a denial cookie is placed on the Customer’s device, thus, Service Provider will know that no cookies may be placed on the device upon the next visit of the webpage. If the Customer does not wish to receive cookies, they may change their browser settings accordingly. If no such change has been made, Service Provider will view Customer as having given consent to the sending of any kinds of cookies. The Website shall not function completely without cookies.

For further information of cookies, including types, management and removal, visit Wikipedia.org or www.allaboutcookies.org or www.aboutcookies.org.

The users are able to control cookies on the following websites: https:\\www.aboutads.info/choices and https://www.youronlinechoices.eu

1.4. Data processing of Facebook Page

Simple operates a Fecabook Page under the URL address https://www.facebook.com/simplehungary/ on which page Simple displays news, advertisements, videos, organises games and promotions, discloses events, photos, posts. Simple collects, analyzes and displayes in aggregated way personal data with the function of Facebook Insight on the Simple Facebook Page concerning the type of the activities of the Users ont he Facebook Page, how much time they spend with viewing contents.

Simple hereby informs the visitors of the Simple Facebook Page that Simple and Facebook Ireland Limited are joint data processors under the Article 26 of GDPR concerning the personal data collected in Facebook Insight function of the Facebook Page; Simple and Facebook Ireland Limited jointly determines the purposes and tools of data processing. The agreement of joint data processing concluded between Simple and Facebook Ireland Limited is available here: https://www.facebook.com/legal/terms/page_controller_addendum.

Furthermore, Simple informs the visitors of its Simple Facebook Page about the split of the main responsibilities and obligations between Simple and Facebook Ireland Limited and also about the relevant provisions of the agreement on joint data processing:

Responsibilities and obligations of Facebook Ireland Limited:

a) Facebook Ireland Limited undertakes the primary liability of the data processing of the data in Facebook Insight function; data processing is carried out by Facebook Ireland Limited in trhe name of Simple.

b) Facebook Ireland Limited is liable for appropriately informing the Users ont he data processing.

c) Facebook Ireland Limited is liable for keeping in touch with the Users. answeing the Users' requests when the Users exercise their rights concerning data protection; Simple is not entitled to contact the Users in this matter on the basis of the joint precessing agreement. If the User submits his/her request/claim of data protection to Simple, Simple is obliged to forward it to Facebook Ireland Limited within 7 days; the User shall receive the answer of his/her request from Facebook Ireland Limited.

d) Facebook Ireland Limited is liable for keeping the data safety provisions on the personal data collected and processed in the function of Facebook Insight; for announcement of data breaches and for informing the Users about the data breaches.

Responsibilities and obligations of Simple:

a) Simple is obliged to ensure that Simple has appropriate legal basis of the data processing concerning Facebook Insight.

b) Simple is obliged to indicate itself as data controller on the Facebook Page.

c) Simple is not entitled to claim the concrete personal data processed in Facebook Insight function from Facebook Ireland Limited; Simple is able to reach only the statistics and reports created by Facebook Ireland Limited, Simple does not have access to the personal data forming the basis of the reports.

Simple hereby informes the visitors of the Facebook page that Simple processes their following data on the following legal basis:

§ Regarding the likes on Simple Facebook Page: number of likes; place of likes, number of new likes

§ Regarding posts on Simple Facebook Page: how much people are reached by the post, number of likes, comments and shares of the post, number of unlikes, hides, reporting as spam, when the persons reaching the Facebook Page view Facebook content;

§ Regarding visits of the Simple Facebook Page: how much times was the Page visited, how much times did the users come from external sites;

§ Regarding videos on Simple Facebook Page: number of watching video more than 3 seconds, more than 30 seconds, top videos of the Page;

§ Regarding visitors of the Simple Facebook Page: gender, age, location (country, city), language of the persons who liked the Page, number of visitors viewed the post in the last 28 days, who liked, commented or shared something on the Facebook Page in the last 28 days.

The legal basis of Simple’s aforementioned data processing is Consent according to Article 6 (1) a) of the GDPR. The Users can withdraw his/her cosent in any time. Granting or withdrawing consent is possible in the Users' Facebook profile.

Facebook Ireland Limited is obliged to disclose the deatiled privacy notice on the Facebook Pages on the basis of the aforementioned joint data processing agreement.

Simple excludes its liablóility for any data processing carried out by Facebook Ireland Limited, only Facebook Ireland Limited is liable for that.

2. Who manages your personal data, and who has access to them?

The data controller

The controller of the personal data specified under point 1.2.3. – 1.2.6 hereto is Simple, meaning OTP Mobile Service Llc., the company data of which are as follows:

OTP Mobile Service Limited Liability Company.

Company reg. no.: 01-09-174466

Tax no.: 24386106-2-43

Seat: 1093 Budapest, Közraktár u. 30-32. RiverPark irodaház, K30 VII. emelet

Postal address: 1093 Budapest, Közraktár u. 30-32.

Represented by: Péter Benyó managing director (availability: Budapest, Közraktár u. 30-32. RiverPark irodaház, K30 VII. emelet; ugyfelszolgalat@simple.hu)

E-mail address: ugyfelszolgalat@simple.hu

Telephone: 06 1 3666 611

06 70 3666 611

06 30 3666 611

06 20 3666 611

On behalf of Simple, the data is accessible to the employees of Simple whose access is essential to the performance of their duties. Access authorizations are specified in a strict internal code.

Data processors

For the processing of the personal data of representative and contact persons, we engage the following companies, with whom we have entered into data processor agreements and to whom we forward your data necessary for the fulfilment of the aforementioned purposes.. The following data processors conduct the processing of personal data:

Data processors’ name and address	Purpose of data processing
OTP Bank Plc. (seat: 1051 Budapest, Nádor u. 16.; Reg. Nr.: 01-10-041585; Tax Nr.: 10537914-4-44)	a) providing online bank card payment service in the Simple System, bank card authorization b) providing Simple with IT infrastructure c) operation of the Simple Customer Service
Microsoft Corporation (USA - One Microsoft Way Redmond, Washington 98052)	a) provider of Microsoft 365 cloud service
Mastercard Europe SA, Reg. Nr.: RPR 0448038446, seat: 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium	a) conclusion of online bank card payment
Visa Europe Services LLC (registered int he USA, Delaware, acting through its London Branch Office (Reg. no of the Branch: BR007632) registered office: 1 Sheldon Square, London W2 6TT, VAT No: GB 840 111 776)	a) conclusion of online bank card payment
American Express Services Europe Limited (registered office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9AX, United Kingdom, Reg. No: 1833139, Registered by: Companies House)	a) conclusion of online bank card payment
The Rocket Science Group LLC d/b/a MailChimp (seat: Georgia 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308)	a) sending out of the newsletters, storage of the e-mail addresses in the newsletter database
SendGrid, Inc. (1801 California Street, Suite 500 Denver, Colorado 80202, USA)	a) sending out of the newsletters, storage of the e-mail addresses in the newsletter database
Wyze PFM LLC (seat: 1118 Budapest, Brassó út 144. 1^st floor 6.; Reg Nr.: 01-09-291453; Tax Nr.: 25829237-2-43)	a) operation, maintenance, troubleshooting and development of the IT background of SimpleBill service
Aggreg8 LLC (seat: 6721 Szeged, Zárda u 8.; Reg Nr.: 06-09-023518, T: 25930423-2-06)	a) development and improvement of the software background of SimpleBill service
KBOSS.hu Kft., (Számlázz.hu, 1034 Budapest, Bécsi út 126-128., Reg. No: 01-09-303201, VAT No: 13421739-2-41)	a) electronic billing services
N-Ware Kft. (Billzone.eu, 1139 Budapest, Gömb utca 26., Cg.: 01 09 921789 adószám: 14825679-2-41)	a) electronic billing services
Facebook, Inc. (USA)	a) Profiling, advertising, analytics and measuring, online behavioural advertising
GOOGLE LLC (USA - Google Data Protection Office, 1600 Amphitheatre Pkwy Mountain View, California 94043)	a) Profiling, advertising, analytics and measuring, online behavioural advertising
Survey Monkey Europe UC (2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4, Ireland) The sub-processor of Survey Monkey Europe UC to which personal data are forwarded: Survey Monkey, Inc (Delaware, USA, One Curiosity Way, San Mateo, CA 94403)	a) ensuring questionnaire forms for subscription for games, promotions, answering questions in promotions, in which e-mail address, name and answers of the questions as personal data are processed b) ensuring questionnaire forms and surfaces for collecting and managing user remarks during the beta tests os Simple Application and System

Information regarding data transfer to abroad:

Google LLC and its member companies, Facebook, Inc., The Rocket Science Group LLC (Mailchimp), SendGrid, Inc., Microsoft Corporation and Survey Monkey, Inc. is the member of the USA- EU Privacy Shield List created on the basis of the adequacy decision of the European Commission according to Article 45 of GDPR and decision 2016/1260 of the European Commission. It means that data tranbsfer to those entities shall not be deemed as data transfer to third countries outside the Eurpoean Union and the affected persons’ specific consent is not needed as well as the data trabnsfer to those entities is allowed. Those entities undertokk the compliance with the GDPR.

3. Who is the data protection officer of Simple and what are his contact details?

Zsombor Sári

Contact:

a) Simple offices (1093 Budapest, Közraktár u. 30-32.)

b) e-mail address: dpo@otpmobil.com

c) Postal address: 1093 Budapest, Közraktár u. 30-32.

4. To whom do we forward your personal data?

The following types of data from your personal data are transferred to the following recipients based on our agreement concluded with them (beside of the aforementioned data processors):

Recipient of data transmission	Category of transmitted data
I. T. Hungarian Cinemas LLC. (1132 Budapest Váci út 22- 24. 1^st floor.; Reg nr.: 01- 09- 663 792)	E-mail address, name, user customer ID, data of the purchased cinema ticket, amount paid for the cinema ticket, date of the payment transaction of the users purchasing cinema ticket within Cinema City card.
Nemzeti Mobilfizetési Zártkörűen Működő Részvénytársaság (1027 Budapest, Kapás utca 6-12. Reg. no: 01 10 047569; VAT No: 24151667-2-4)	In case of purchase of parking tickets and e-vignette, the following data shall be transmitted: vehicle’s licence plate, vehicle’s country denomination, parking location, type of the vehicle, data of the purchased vignette (type, period of validity).
Interticket Kft. (registered office: 1139 Budapest, Váci út 99., Reg. No: 01-09-736766, VAT No: 10384709-2-41)	In case of purchase of Ticket: the data, price of the ticket purchased and the e-mail addree of the User purchased the Ticket
Viala Kft. (1093 Budapest, Czuczor utca 2. 1. em.; Cg.: 01 09 668748; VAT No: 11187433-2-43; netpincer.hu)	In case of the use Food order service: name, e-mail, telephone number, order, payment status, total sum of order, delivery address, billing name and address
Jegymester Kft. (www.jegy.hu; 1065 Budapest, Bajcsy-Zs út 31.; Cg.: 01 09 369537; VAT No: 12033791-2-42)	In case of purchase of the Ticket: name, e-mail address
Libri-Bookline Kereskedelmi Zrt. (1066 Budapest, Nyugati tér 1.; Cg.: 01 10 044841; VAT No: 12921360-2-42)	In case of purchase in Bookline card: Bookline ID, e-mail address, delivery address, billing name and address
Főtaxi Zrt. (1087 Budapest, Kerepesi út 15.; Cg.: 01 10 042322; VAT No: 10873498-2-42)	In case of Taxi ordering: name, phone number, location of Taxi ordering
Budapest Film Zrt. (1054 Budapest, Bajcsy-Zsilinszky út 36-38. félemelet; Cg.: 01 10 042453; VAT No: 10906110-2-41)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Magyar Moziüzemeltető Kft. (1097 Budapest, Könyves Kálmán krt. 12-14.; Cg. 01-09-959700; VAT No: 23314562-2-43)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Óbudai Mozi Üzemeltető Kft. (1032 Budapest, Bécsi út 154.; Cg. 01-09-970980; VAT No: 23491348-2-41)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Tatabányai Moziüzemeltető Kft. (2800 Tatabánya, Győri út 7-9.; Cg. 11-09-019571; VAT No: 23535826-2-11)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Sziget Kulturális Menedzseriroda Zrt. (1033 Budapest, Hajógyári sziget 23796/58.; Cg. 01-10-049598; VAT No: 26189905-2-41)	In case of purchase festival Ticket in the Ticket card: e-mail address
Volt Produkció Kft. (1033 Budapest, Hajógyári sziget 23796/58; Cg. 01-09-695549; VAT No: 12625150-2-4)	In case of purchase festival Ticket in the Ticket card: e-mail address
Kultúrpark Kft. (1095 Budapest, Soroksári út 60.; Cg. 01-09-193625; VAT No: 24995670-2-43)	In case of purchase festival Ticket in the Ticket card: e-mail address
L-Coffee Kft. (1062 Budapest, Teréz krt. 55-57.; Cg. 01-09-959271; VAT No: 23305416-2-42 – Costa Coffee)	In case of fixing, registering and activating Costa Coffee loyalty card under Loyalty card function the following data are transferred: store id, card number, e-mail address, full name, birthdate, zip code, number of loyalty points

The aforementioned entities are independent data controllers of the data transferred to them.

5. What rights do you have regarding the processing of your data, and how can you exercise them?

a) Right of access: they may inquire as to what employee data is managed, for what purposes, for how long, to whom do we forward them, and where the data originates from.

b) Right of correction: should their data change or be recorded wrong, they may request that this be rectified or corrected.

c) Right of deletion: in instances specified by law, they may request that we delete their stored personal data.

d) Right of restriction: in instances specified by law, they may request that data management be restricted regarding their personal data.

e) Right to data portability: the subject may request the porting of their personal data, in which case we hand over their stored data either to them, or directly to a data controller of their choosing, if such is technically safe.

The right to data portability request form can be downloaded from this link.

In cases of such requests, we conduct ourselves pursuant to applicable law, and will provide information on the rendered measures in one month.

We inform you, that cases of deletion requests, OTP Mobile Llc. shall – without any modifications whatsoever, except the modifications on your request for rectification – retain your aforementioned data processed for the purposes of enforcement of rights and claims, moreover for the efficient prevention, detection and handling of fraud for the general civil law limitation period of 5 years, for the purposes of enforcement of rights and claims, moreover for the efficient prevention, detection and handling of fraud. The anonymisation of data shall take place after the cessation of the pertaining legal interest.

f) Right to revoke consent: in cases where personal data is managed by the consent of the subject, they have the right to revoke such consent at any time, which does not affect the legality of data management conducted prior to the revocation

g) Right of complaint: should you have any complaints or grievances regarding our data management, you have the right to lodge a complaint by the supervisory authority:

National Authority for Data Protection and Freedom of Information

Website: http://naih.hu

Postal address: 1530 Budapest, Pf.: 5.

E-mail: ugyfelszolgalat@naih.hu

Telephone: +36 (1) 391-1400

Moreover, you may file a suit against Simple before the Municipal Court of Budapest if your personal data has been infringed upon.

h) Right to object:

- If we manage your personal data on the basis of Legal Interest, you are entitled to object against this data management based on Legal Interest.

In case of your objection, we do not manage your personal data any further.

6. How do we ensure the safety of your data?

We follow an extensive information security ruleset regarding the provision of safety concerning the data and information under our governance, the knowing and following of which is mandatory for all our staff.

Our staff is regularly trained and coached in matters of data and information security.

6.1. Data security in IT infrastructure

We store personal data on our central server, to which only a select and close employee group have access, per strict access control rules. We regularly test and check our IT systems in order to ensure and maintain data and information security.

We fulfil data security obligations by complying with the PCI DSS certificate, which entails enacting the strictest banking security regulations regarding our systems and our data governance.

Office workstations are password protected, third-party storage devices are restricted and may only be used following approval.

Protection against malicious software is provided regarding all of the systems and system elements of the Service Provider.

During the planning, development, testing and operation of programs, applications and tools, we address security functions separately and with emphasis.

When allocating authorisations to our IT systems, we pay close attention to the protection of data (e.g. passwords, authorisations) affecting these systems.

6.2. Data security in communications

Regarding electronically forwarded messages and data, we conduct ourselves regarding our Key Management bylaws. In order to comply with the principle of safe transfer of data, we ensure the integrity of both the data of the controller and the user. For the prevention of data loss and damage, we use error detecting and correcting procedures. The application’s passes, authorization data, safety parameters and other data may only be forwarded under encryption We use network endpoint-to-endpoint authorization checking in order to ensure accountability and auditability.

Our implemented security measures detect unauthorized modifications, embedding and repetitive broadcasting. We prevent data loss and damage by fault detecting and correcting procedures and we ensure the prevention of deniability.

Regarding the network used for data transmission, we provide defense against illegal connection and eavesdropping per an adequate security level.

6.3. Data security in software development and programming

In development of the Simple Application, we implement the measures of data safety and security even into the planning stage, which we uphold during the entire course of development.

We separate the development environment from the live one, as well as development data from live data, and we depersonalise personal data in development, where possible.

We keep the requirements of safe coding in development, we use platform- and programming language-dependant technologies to avoid frequent damage risks, moreover, we follow the latest industry best practices regarding code examination (e.g. például OWASP Top 10 Guide, SANS CWE Top 25, CERT Secure Coding)

We constantly follow procedures to identify newfound vulnerabilities, we regularly coach our developers regarding data security and we standardise our programming techniques to avoid typical errors.

The checking of completed code is conducted pursuant to the principles of safe coding, and documented with alteration tracking procedures in order to ensure proper documentation.

6.4. Data security in document management

We comply with data security requirements in document management as well, which we stipulate in document management by-laws. We manage documents by pre-set access and authorization levels, based on the level of confidentiality regarding the documents. We follow strict and detailed rules regarding the destruction of documents, their storage and handling at all times.

6.5. Physical data security

In order to provide physical data security, we ensure our physical barriers are properly closed and locked, and we keep strict access control regarding our visitors at all times.

Our paper documents containing persona data are stored in a closed locker that is fire- and theft-proof, to which only a select few have authorised access.

The rooms where storage devices are placed in have been made to provide adequate protection against unauthorised access and breaking and entering, as well as fire and environmental damage. Data transit, as well as the storage of backups and archives is done in these confined locations.

Backup data storage units are stored in a reliably locked area, with containers having a minimum of 30 minutes’ fireproofing time.

7. What procedure do we follow upon an incident?

Pursuant to applicable law, we report incidents to the supervisory authority within 72 hours of having gained knowledge thereof, and we also keep records of them. In cases regulated by applicable law, we also inform subjects of the incidents, where necessary.

8. When and how do we amend this notice?

Should the scope of data, or the circumstances of data management be subject to change, this notice shall be amended and published on www.simple.hu. Please pay attention to the amendments of this notice, as they contain important information regarding the management of your personal data.