PRIVACY NOTICE

regarding the Simple Application and Simple Website

Effective from: 29 January 2024

The developer and provider of the Simple Application and System, OTP Mobile Ltd (company reg. no. 01-09-174466; seat: 1138 Budapest, Váci út 135-139. B. ép. 5. em.; hereafter referred to as: Simple) hereby informs the Users of the data management in the Simple Application, Simple Website (www.simple.hu), the Simple System and on the Simple Facebook Page (https://www.facebook.com/simplehungary/) as follows, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation (hereafter referred to as GDPR).

The terms herein and the phrases beginning with capital letters are to be understood as those in the General Terms and Conditions on Simple System (hereafter: Simple GTC).

Simple is entitled to modify the present Privacy Notice in any time. The present Privacy Notice is published pn the Simple Website and also is available in the Simple Application. The present Privacy Notice takes into effect by publishing.

The present Privacy Notice shall be applicable to the existing Simple Classic Application and the new Simple by OTP Application as well, while the single Services and functions shall be turned on in the Simple by OTP Application by Simple gradually, at its sole discretion and the Notice published on the Website shall contain the list of Services and functions available at the time in the Simple by OTP Application. Consequently, only those provisions of the present Privacy Notice apply to data processing in the Simple by OTP Application, which pertain to Services that are listed in the Notice. The provisions of the present Privacy Notice regarding data processing independent of the Services and functions are applicable to the Simple by OTP Application irrespective of those not being included in the Notice, which provisions are the following: Points 1.1.1., 1.1.2., 1.1.3., 1.2.13., 1.2.14., 1.2.15., 1.2.1.6. and points 2 – 14.

1. What personal data do we manage in the Simple System, for how long, for what purposes and by what authorization?

The legal bases for our data processing are the following:

a) GDPR Article 6 (1) a) where the processing is based on the informed consent of the data subject (hereafter referred to as Consent)

b) GDPR Article 6 (1) b), on where processing is necessary for the performance of a contract to which the data subject is party (hereafter referred to as Fulfilment of Contract)

c) GDPR Article 6 (1) c) where data processing is necessary for the fulfillment of or compliance with a legal obligation of the data controller (e.g. obligations with tax statues – hereafter referred to as Legal obligation)

d) GDPR Article 6 (1) f) where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereinafter referred to as: Legitimate Interest)

e) the data processing authorization afforded by Article 13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services, where data controllers are authorized to process the natural identification data and home address of the recipients without the need for consent, as required for contracts for information society services, for defining their contents, for subsequent amendments and for monitoring performance of these contracts, for invoicing the relevant fees, and for enforcing the claims arising out of or in connection with such contracts., moreover, where data controllers are authorized to process natural identification data and home address for the purposes of invoicing for the fees payable under the contracts for the provision of information society services to the extent related to the use of information society services, and information relating to the date, the duration and the place of using the service. (hereafter referred to as E-Commerce)

The legal basis for the data processing is specified below, per data categories and by reference to the elements of the above list.

1.1. Data processed in general within the Simple System

1.1.1. Data processing relating to Simple account, Simple profile and Simple registration

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and management d) User identification e) Ensuring communication	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a), d) and e): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – in case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply. In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest Fraud prevention and management	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights, fraud prevention and fraud management purposes will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	e-mail address*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges f) Claim and law enforcement, fraud prevention and management c) User identification d) Ensuring communication	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a), d) and e): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – in case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply. In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights, fraud prevention and fraud management purposes will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	phone number*	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	password*	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	e-mail address pertaining to a Facebook account(if it differs from the e-mail address of the Simple account)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	name pertaining to a Facebook acount (if it differs from the name given in the Simple acocunt)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	avatar pertaining to a Facebook account (profile picture)	From Subject	a) User identification b) Personalizing the User account	GDPR Article 6 (1) a) Consent	3 months from the deletion of Simple account and Simple registration by the User.
	e-mail address pertaining to a Google account (if it differs from the e-mail address of the Simple account)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	name pertaining to a Google account (if it differs from the name given in the Simple acocunt)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	e-mail address belonging to the Apple account (if it differs from the e-mail address of Simple account)	From Subject	a) User identification b) Ensuring communication	GDPR Article 6 (1) b) Conclusion of Contract	For 5 years after the termination of the registration (general term of statute of limitation).
	Age data (under 16 years or not) *	From Subject	c) Ascertaining of parental consent necessity	GDPR Article 6 (1) c) Fulfilment of legal obligation – Request of parental consent – According to Article 8 of the GDPR, the parent exercising parental rights needs to grant the consent or needs to authorize it on behalf of the person younger than 16 years old.	For 5 years after the termination of the registration (general term of statute of limitation).
	Phone identification code	Generated by the data conroller	a) User identification b) Ensuring communication	GDPR Article 6 (1) a) Consent	For 5 years after the termination of the registration (general term of statute of limitation).

Data marked with * are mandatory to fill in, without these data Simple account registration and the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

Simple is the data controller.

If the User use the Parking/E-vignette services through his/her employer, in the framework of the Simple Corporate Agreement concluded between Simple and the employer, the User’s employer transfers the User’s e-mail address and name to Simple for the purpose of the registration in the Simple Application, so the source of these personal data is the employer of the User. Simple processes the name and e-mail address of the User received from the User’s employer for the purposes, on the legal basis and in the duration indicated above.

Presentation of legitimate interest: in case pf data processing for claim and law enforcement purposes Simple processes and uses the Users’ aforementioned personal data in legal disputes arising from the contract concluded between the User and the Simple for the Simple System, in litigation, out-of-court proceedings, other court or authority proceedings as evidence. Simple processes those data that in case of any legal dispute between the User and Simple in connection with the contract, Simple can use them for the purpose of proving. The Service Provider is entitled to exercise its right within the general term of statute of limitation. The data processing therefore is necessary for the protection of Simple’s rights and legal interests. The purpose of data processing cannot be fulfilled in any other way.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

For his/her request, the User is entitled to receive the legitimate interest balancing tests concerning the aforementioned data processing based on legitimate interest; he/she submits his/her request in an e-mail to be sent to Simple customer service.

1.1.2. Data processing relating to the general use of Simple System

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	ID of the concluded transaction	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	price of the concluded transaction	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Subject of the concluded transaction (purchased product, service)	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Shipping address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement	In case of processing purpose of column D/a): Article 13/A E-commerce Act In case of processing purpose of column D/a): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) f) Legitimate Interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Billing name and address	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement, fraud prevention and fraud management	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – in case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply. In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed for the purpose of enforcement of claims and rights, fraud prevention and fraud management purposes will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	E-mail address, currency, type of payment, name , quantity and price of the product/services purchased, license plate of the vehicle in case of e-vignette and parking services	From the User	Issuing receipt	GDPR Article 6 (1) c) Fulfilment of legal obligation – in case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply and sections 166, 167, 173 and 173/A of the Act CXXVII of 2007 on the value added tax.	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	GPS coordinates, if the User has authorized it	From Mobile device	Profiling – displaying of behavioural advertisements, learning about customer preferences	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data the use of Simple System is not possible, the provision of these data is a prerequisite for contracting.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

Simple is the data controller.

1.1.3. Data processing relating to Simple customer service

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple and turning to the customer service	name*	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint. Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
	e-mail address*	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
	registration number	From Subject	a) User identification b) Communication with the User in course of complaint management c) Completion of contract d) Complaint management e) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
	Data indicated in the minutes on the complaint: name of the consumer, address of the consumer, time, place and way of making complaint, detailed description of the complaint, list of documents, evidence submitted by the consumer, Simple”s statement on its standpoint on the consumer's complaint; if the complaint can be examined immediately, signature of the person acting on behalf of Simple and signature of the consumer - except for complaints fixed via phone or by using any other electronic communication services; place and date of the minutes, unique identifier of the complaint in case of complaint made via phone or by using electronic communication services.	From subject and/or determined by Simple	Keeping records of the complaint	GDPR Article 6 (1) c) – Legal obligation – Act CLV of 1997 on the consumer protection section 17/A (5) stipulates the mandatory elements of the minutes of complaints.	For 5 years from the date of the complaint
	phone number	From Subject	a) User identification b) Communication with the User in course of complaint management c) Complaint management	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	recorded phone call	From Subject	a) User identification b) Quality assurance c) Protection of consumers’ rights d) Proof of the content of the complaint e) Claim and law enforcement	GDPR Article 6 (1) c) Legal obligation – According to Articlée 17/B (3) of the Act CLV of 1997 on consumer protection all verbal complaint made via phone to the customer service and all phone communication between the consumer and the customer service shall be recorded. The sound recording shall be indicated with a unique identifier and shall be kept for 5 years.	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint.
	subject of complaint	From Subject	a) Complaint management b) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
	parameters of transaction in question	From Subject	a) Complaint management b) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate Interest	Within the general civil law limitation period following the complaint, that is 5 years from the submission of the complaint. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.

Data marked with * are mandatory to fill in.

Simple and OTP Bank Nyrt. provide (1051 Budapest, Nádor u. 16) customer services as joint data controllers based on the joint data controller agreement concluded between them. According to Article 26 (2) of the GDPR we hereby inform you about the material provisions of the joint data controller agreement:

- Simple and OTP Bank Nyrt. independently keep the data protection records about its own data processing activities connected to its own liability, and independently keeps the data breach records, records of requests from supervisory authorities and data subjects, records of data processors, records of data transfers.

- OTP Bank Nyrt. ensures the storage of the consent statements for the time agreed by the joint data controllers and in a way which ensures searchability.

- In case of contacting the customer services via phone or in e-mail, OTP Bank Nyrt. informs the data subjects about the data processing and OTP Bank Nyrt. is liable for preparing the text of the consent statemeIt. OTP Bank Nyrt. collects, stores the consent statements and keeps records of them.

- Simple fulfils its obligation for information providing about the data processing via this privacy notice on its website.

- Simple and OTP Bank Nyrt. publish its privacy notices prepared separately related to the joint data processing on its own and informs the data subjects on its own.

- Simple and OTP Bank Nyrt. determine the purpose and tools of data processing jointly related to the joint data processing activity according to Article 26 (1) of the GDPR.

- The data subject is entitled to exercise his/her rights against both data controller and related to both data controller.

- Simple and OTP Bank Nyrt. answer the requests received by each of them independently according to the process jointly agreed.

- Simple and OTP Bank Nyrt. fulfil the requests of data subject on rectification, erasure, restriction of the personal data, objections against the data processing and requests on data portability independently.

- Simple and OTP Bank Nyrt. independently answer the questions of the supervisory authority related to their own activity.

- Those joint data controller announces the data breach to the authority whose activity is affected by the data breach.

- Those joint data controller informs the data subjects about the data breach, whose activity is affected by the data breach. If the data breach affected both data controller, the data controllers inform the data subjects independently and separately.

- Data protection officer of the OTP Bank Nyrt is: Zoárd Gázmár, e-mail: adatvedelem@otpbank.hu, address: 1131 Budapest, Babér u. 9.

Indication of legitimate interest in accordance with GDPR Article6 (1) f): the data processing within the scope of making a complaint, examination, settlement and management of the complaint, including the recording of phone calls, is your and our common interest, as well as the interest of the service providers of the services available within Simple Application, since the processing of these data is necessary for the enforcement of our consumer and civil rights and interests in connection with the the purchase made, service used within Simple Application. The processing of your personal data hereunder is not precluded by your right to self-determination of recorded voice, since your personal freedoms are not infringed upon, since at the very beginning of the phonecall, you are duly informed regarding the recording of audio that is to commence, leaving you ample opportunity to decide on continuing with the phonecall, or terminating it. The same services and solutions are also available via e-mail customer service, thus, you have a choice regarding the addressing of your complaint.

The User is entitled to object against the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2. Personal data processed specifically within the scope of certain services of Simple System

1.2.1. Parking

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Vehicle’s licence plate*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Vehicle’s country denomination*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Parking location*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).

Data marked with * are mandatory to fill in, without these data the use of the Parking function is not possible.

The data controller is Simple.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.2. Purchase of motorway vignettes

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	Vehicle’s licence plate *	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) c) Fulfilment of legal obligation – billing In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Vehicle’s country denomination *	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Type of the Vehicle*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Data of the purchased vignette (type, period of validity)*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Invoicing of contractual charges c) Claim and law enforcement	In case of processing purposes of column D/a) and b): Article 13/A E-commerce Act In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).

Data marked with * are mandatory to fill in, without these data the use of the Purchase of motorway vignette function is not possible.

The data controller is Simple.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.3. Purchase of Transport mobile ticket

Simple processes the following additional personal data of the Users during the purchase of Transport mobile tickets:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	· Volánbusz-BKSZ pass ID card number* · General pass ID Card number* · Pass ID card for persons with small children number* · Pass ID card for pensioners number* · Driving license number (card format)* · Passport number* · ID card number* · education ID card number under Government Decree No. 362/2011 (XII. 30.) – student ID card or pedagogue ID card* · Hungarian ID card number* · Hungarian relatives ID card number*	data subject	a) Concluding contract, determining its content, amendment, fulfilment of the contract b) Invoicing the fees based on the contract c) Law and claim enforcement d) Establishing right for discount	In case of purposes in column D points a), b) and d): GDPR art. 6 (1) c) – fulfilment of legal obligations, legal provisions for this obligations: E-Commerce Act 13/A § Act CC of 2011 – 6. § (2) Governmental Decree No. 356/2012 (XII.13.) 25. § (1) Act XLI of 2012 7. § (1) – (5) In case of purposes in column D points a), b) and d): GDPR art. 6 (1) b) – fulfilment of the contract In case of purposes in column D point c): GDPR art. 6 (1) f) – Legitimate interest	5 years after the termination of the registration Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
User registered within Simple	· starting date of the validity of the Transport mobile ticket*	data subject	a) Concluding contract, determining its content, amendment, fulfilment of the contract b) Invoicing the fees based on the contract c) Law and claim enforcement	In case of purposes in column D points a), b): E-Commerce Act 13/A § In case of purposes in column D points a), b) and d): GDPR art. 6 (1) b) – fulfilment of the contract In case of purposes in column D point c): GDPR art. 6 (1) f) – Legitimate interest	5 years after the termination of the registration Data processed with the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.

Data marked with * are mandatory to fill in, without these data the use of the Transport mobile ticket function is not working; those data are preconditions of the agreement.

Data controller is Simple.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.4. Bookline order

With respect to the data listed in the present section Simple is to be construed as data processor of Libri-Bookline LLC. operator of bookline.hu online webshop, and processes these data as data processor. The data controller of these data is Libri-Bookline LLC. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	Data of Bookline account (name, e-mail address)*
	Mode of shipping*
	Shipping address*
	Order name*

Data marked with * are mandatory to fill in, without these data the use of the Bookline order function is not possible.

1.2.5. Taxi order

With respect to the data listed in the present section Simple is to be construed as data processor of Főtaxi Ltd. service provider of Főtaxi, and processes these data as data processor. The data controller of these data is Főtaxi Ltd. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	Taxi order address*
	Phone number*
	Order name*

Data marked with * are mandatory to fill in, without these data the use of the Taxi order function is not possible.

1.2.6. OTP Health Fund balance inquiry and top up, OTP SZÉP card balance inquiry

A. Data processing related to the OTP Health Fund balance inquiry and top up

With respect to the data listed in the present section Simple is to be construed as data processor of OTP National Health and Self-care Fund and processes these data as data processor. The data controller of these data is OTP National Health and Self-care Fund. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	OTP Health Fund card number*
	OTP Health Fund card telecode*
	OTP Health Fund card balance
	OTP Health Fund card charged amount*

Data marked with * are mandatory to fill in, without these data the use of the OTP EP card balance inquiry and top-up function is not possible.

B. Data processing related to the OTP SZÉP card balance inquiry

With respect to the data listed in the present section Simple is to be construed as data processor of OTP Pénztárszolgáltató és Tanácsadó Zrt. and processes these data as data processor. The data controller of these data is OTP Pénztárszolgáltató és Tanácsadó Zrt. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	OTP SZÉP card number*
	OTP SZÉP card balance

Data marked with * are mandatory to fill in, without these data the use of the OTP SZÉP card balance inquiry function is not possible.

1.2.7. Loyalty Card

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Data of the saved Loyalty Card *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

GDPR Article 6 (1) b) Conclusion of Contract

3 months from the deletion of Simple account and Simple registration by the User.

Data marked with * are mandatory to fill in, without these data the use of the Loyalty Card function is not possible.

Simple is the data controller.

Use of the Loyalty Card function is prohibited for the purpose of fixing and saving any card eligible for the identification of a person, in particular ID card, address card, driving license, passport, tax ID card, Social security card, student crd, EU social security card, other ID card containing personal data with or without photo, entering card. In case of fixing and saving such cards as Loyalty Cards, Simple is entitled – but not obliged – to erasure them from the Simple System. Simple does not undertake to store such kind of cards or to manage personal data in connection with those cards; Simple does not undertake any responsibility or liability for that and excludes its liability regarding that.

In case of fixing, registering and activating the Costa Coffee loyalty card in the Loyalty card function – according to the contract between Simple and Costa Coffee – the Simple manages, stores and transfer the Costa Coffee card number, e-mail address, full name of card owner as well as the optional data such as birthdate, zip code and store id. The aim, legal basis and duration of those data management is as same as indicated in the above chart of other loyalty card data. In case of registering Costa Coffee loyalty card Costa Coffee transfers the loyalty points to be given after the purchase with the card to the Simple system; Simple stores those data connected to the card.

1.2.8. SuperShop card balance query

Subject

Data Category

Data origin

Purpose of data management

Legal basis of data management

Duration of data management

User registered within Simple

Number of the SuperShop card, date of birth of User cardholder *

From Subject

Concluding the contract, determination of its content, modification, completion thereof

GDPR Article 6 (1) b) Conclusion of Contract

Until the ceasing of the Simple registration.

Data marked with * are mandatory to fill in, without these data the use of the SuperShop card balance query function is not possible.

Simple is the data controller.

1.2.9. Wallet

1.2.9.1. Support for bank transfer

With respect to the data listed in the present section Simple is to be construed as data processor of OTP Bank Plc, and processes these data as data processor. The data controller of these data is OTP Bank Plc. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	Number of the sender bank card registered within Simple*
Holder of the recipient bank card	Number of the recipient bank card*
Holder of the recipient bank card	Recipient Simple User’s e-mail address*

Data marked with * are mandatory to fill in, without these data the use of the Support for bank transfer function is not possible.

The User can either type in the e-mail address of the Recipient of the bank transfer, or he/she can give access to the contact list on his/her mobile device and select the e-mail address of the desired Recipient. The data controller of this e-mail address is OTP Bank Plc, while Simple acts as a data processor in this context as well.

1.2.9.2. Bank card registration within Simple System

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name on bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	number of bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	expiration date of bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	name of the bank issuing the bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	bank card CVV/CVC code*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	name of bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof	GDPR Article 6 (1) b) Conclusion of Contract	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.

Data marked with * are mandatory to fill in, without these data the use of the Bank card registration function is not possible.

Simple is the data controller.

The User is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.9.3. NFC-payment

OTP Bank Plc. is the data controller, Simple processes the data of the bankcards suitable for NFC-payment on behalf of OTP Bank Plc based on the outsourcing and data processing agreement concluded with OTP Bank Plc. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	name on the bank card*
	number of the bank card*
	expiration date of bank card *
	name of the bank issuing the bank card
	bank card CVV/CVC code*
	phone number*
	For Visa card Mobile device IMEI number

Data marked with * are mandatory to fill in, without these data the use of NFC-payment function is not possible.

Simple uses the following additional data processor for the processing of data related to the above Card digitisation:

ANTELOP PAYMENTS "Société par Actions Simplifiée" (registered office: 67 rue d'Aboukir, 750002 Paris, France; registration number: 801 665 407; tax number: FR58801665407, place of data storage: European Economic Area.)

1.2.9.4. Simple card payment

OTP Bank Plc. is the data controller, Simple as data processor processes the data of Simple Card on behalf of OTP Bank Plc. Categories of data processed by Simple as data processor are the following:

Subject	Data Category
User registered within Simple	name
	address
	date of birth
	phone number
	e-mail address
	name on the bank card*
	number of bank card*
	expiration date of bank card*
	name of the bank issuing the bank card
	bank card CVV/CVC code*

Data marked with * are mandatory to fill in, without these data the issuing of Simple Card may not be ordered.

1.2.10. SimplePay Hero Wallet

During the data processing in the SimplePay Hero Wallet the User’s Simple Application account is connected to the SimplePay payment services and as a result of this, the User is able to pay the purchase price in the SimplePay services with a bankcard registered in the Simple Application according to the general terms and conditions of the Simple System and the general terms and conditions of the SimplePay services. In the framework of this services the Simple processes the following data of the User:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data management	Legal basis of data management	Duration of data management
User registered within Simple	name on the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	number of the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	expiration date of the bank card*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	name of the bank issuing the bank card	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) Claim and law enforcement, prevention and management of fraud	In case of processing purpose of column D/a) GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/b): GDPR Article 6 (1) f) Legitimate Interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	bank card CVV/CVC code*	From Subject	a) Concluding the contract, determination of its content, modification, completion thereof b) User identification c) Claim and law enforcement, prevention and management of fraud	In case of processing purposes of column D/a) and b): GDPR Article 6 (1) b) Conclusion of Contract In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate Interest	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.
	e-mail address	from subject or mercjant	a) sending notification related to the payment in the SimplePay services with a bankcard registered in the Simple System b) identifying the User	GDPR Article 6 (1) b) Conclusion of Contract	Until deletion of the bank card by the User or at the latest until the termination of Simple registration.

Data marked with * are mandatory to fill in, without these data the SimplePay Hero Wallet services cannot work.

Simple is the data controller.

The User is entitled to object against the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.11. Sending out of Invitation

Subject

Data Category

Data origin

Purpose of data management

Legal basic of data management

Duration of data processing

Recipient of the invitation

e-mail address*

User registered within Simple

Concluding the contract, determination of its content, modification, completion thereof

User identification

GDPR Article 6 (1) f) Legitimate interest

30 days calculated from the sending of the Invitation.

Data marked with * are mandatory to fill in, without these data the Invitation shall not be sent.

Simple is the data controller.

Within the Simple System you can send out Coupons, Tickets, messages, recommendations, invitations (hereinafter referred to as Invitation) promoting and encouraging the use of the Simple System and all the services therein, to unregistered third parties, whose email addresses you know (hereinafter referred to as Recipient).

When sending out such Invitations you only type in the Recipient’s name and email address in the appropriate field of Simple System.

By sending out the Invitation you thereby accept that you can only send invitations to such Recipients who have given their prior consent to the use of their name and email address for the purpose of receiving such Invitations. We do not take responsibility if you failed to get the Recipient’s consent to the use of his or her information in order to send out an Invitation or in case you provided an inaccurate email address of the Recipient. By sending out the Invitation you authorize us to send it out to the given Recipient in your name and on your behalf in such a way that due to some technical particularities the sender will appear as Simple, however the Invitation will be considered to have been sent by you and not us and the content of the Invitation will not be considered as an offer made by us, as advertisement or as another direct way of marketing communication.

By using the Invitation service you accept that a part of the Message is determined by us and that part cannot be erased by you. The content determined by us may include information about the Simple System and/or the Application.

You can only send messages that are corresponding with the law as well as with ethical, moral, and social norms. The message shall not include onscene, infringing contents or contents that unjustifiably infringe or contravene others’ rights or legitimate interests. Moreover, the content determined by the sender shall not be defamatory or detrimental to Simple System, the Application, and the Service Provider as well as to their reputation.

The personal data of the Recipient provided by you (name and email address) are only stored for Invitation delivery purposes.

The User can either type in the e-mail address of the Recipient to be provided for sending out of Invitations, Tickets and Coupons or can provide it by giving access to the contact list on the mobile device and selecting the e-mail address of the desired Recipient. This e-mail address is processed by Simple on the legal basis of legitimate interest set out above, regardless of whether it was typed in by the User or selected from the contact list. Simple will not process any other data in the contact list, only the e-mail address selected by the User for this purpose.

Presentation of legitimate interest: It is the joint legitimate interest of the Users sending Invitation and Simple that the User are able to enter the e-mail address of the Addressees invited into the Simple System and that they are able to invite the third party Addressees to the Simple System. It is not possible to request consent from the Addressees for the data processing, because they are not registered in the Simple System. The purpose of data processing cannot be fulfilled in other way.

The data subject Addressee is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.12. Sending of electronic direct marketing messages via e-mail, in-app or push notification or in any similar way

Simple sends direct marketing messages to the Users who granted consent to it in which Simple sends news, novelties, promotions, advertisements, offers, gambling and other marketing content via electronic communication which can be e-mail message sent to the User’s e-mail address, notification sent to the User’s Simple account, in-app message, push notification, and any other message sent via similar electronic, online network.

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.
User registered within Simple	e-mail address*	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.
	In case of push notification and in-app messages: Simple account	From Subject	Electronic direct marketing content, such as newsletter, sending of an advertisement with the method of direct business acquisition	GDPR Article 6 (1) a) Consent	Until the consent is withdrawn.

Data marked with * are mandatory to fill in, without these data it is not possible to subscribe to the newsletter.

Simple is the data controller.

The User may withdraw his/her consent by clicking on the respective button at the end of the direct marketing message/newsletter, or in an e-mail sent to Simple customer service: ugyfelszolgalat@simple.hu or via post to the Simple’s headquarter or mailing address indicated below.

1.2.13. Data processing concerning prize games, promotional games

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
Persons participating in the promotion	name*	From Subject	Participation in a promotion or prize game, Communication, Notification of the participant about the result, Participant identification	If participation in the promotion is subject to an application or registration in the promotion: consent pursuant to Article 6(1)(a) of the GDPR If participation in the promotion is automatic by making a purchase and is not subject to a separate application or registration in the game: GDPR Article 6(1)(f): legitimate interest.	90 days after the draw date. In case of consent: until the withdrawal of consent, if sooner than the above processing period.
	e-mail address*	From Subject	Participation in a promotion or prize game, Communication, Notification of the participant about the result, participant identification
	Transaction ID of the payment transaction conducted on the payment site of SimplePay and Simple Application	From Subject	Participation in a promotion or prize game
	Time of the payment transaction conducted on the payment site of SimplePay and Simple Application	From Subject	Participation in a promotion or prize game
	ID number of the transaction carried out for participating in the Promotion.	From Subject	Participation in a promotion or prize game, draw

Data marked with * are mandatory to fill in, without these data it is not possible to participate in the prize game, promotion. Data controller is Simple.

The participant may withdraw his/her consent at any time. In case of withdrawal of the consent, it is not possible to process his/her data in the game, therefore the participant cannot take part in the game.

The Player (data subject) may object to the processing of data based on the above legitimate interest by sending an e-mail to the Service Provider's customer service at ugyfelszolgalat@simple.hu.

Processing personal data of the winners

Beyond the mandatory data indicated in section 1.2.13 herein the winning participant must provide further data for the purpose of taking over of the prizes, of the payment and report of the taxes and other common charges as well as of issuing tax certificate:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
Winner	Mailing address (if it differs from living address)	From Subject	Taking over of the prize	GDPR Article 6 (1) b) Fulfilment of a contract	After 5 years from the end of the promotion
	tax ID	From Subject	Fulfilment of taxation obligations	GDPR Article 6 (1) c) Legal obligation	If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years. In any other case the data shall be stored for 5 years after the termination of the registration (general term of statute of limitation).
	Place and date of birth	From Subject	Taking over of the prize, identification of the winner	GDPR Article 6 (1) b) Fulfilment of a contract
	Number of ID card	From Subject	a) Taking over of the prize, identification of the winner	GDPR Article 6 (1) b) Fulfilment of a contract
	Mother’s name	From Subject	a) Taking over of the prize, identification of the winner b) Fulfilment of taxation obligations	In case of data processing purpose in column D point a): GDPR Article 6 (1) b) Fulfilment of a contract In case of data processing purpose in column D point b): GDPR Article 6 (1) c) Legal obligation
	Video and sound recording	From subject	Use for marketing purposes in order to promote the activity and services of Simple.	GDPR Article 6 (1) a) - consent	Until withdrawal of consent

Data marked with * are mandatory to fill in, without these data it is not possible to take over the prize, providing of those data is the condition of taking over of the prize.

Simple publishes the video and sound recording of the winner on the websites operated by Simple, which means www.simple.hu website, Simple’s Facebook page and LinkedIn page. Consent covers taking the recordings and the use of the recordings according to this section.

Data controller is Simple.

The winner may withdraw his/her consent in an e-mail sent to Simple customer service: ugyfelszolgalat@simple.hu.

Processing the data in case of taking over of the prize by a proxy

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
Winner	Name*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest	After 3 months from the end of the promotion
	Place and date of birth*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest
	Number of ID card*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest
	Address*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest

Data marked with * are mandatory to fill in, without these data it is not possible to take over the prize, providing of those data is the condition of taking over of the prize.

Presentation of legitimate interest: ensuring the lawful taking over of the prize to the proxy. Processing of the data of the proxy for taking over the prize is the legitimate interest of Simple and the winner. Categories of data processed is narrow, it covers just data necessary for identification, so the fundamental rights and freedoms of proxies are not violated.

Data controller is Simple.

The data subject proxy is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

Processing the data of the witnesses of the proxies

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
Winner	Name*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest	After 3 months from the end of the promotion
Winner	Address*	From Subject	Identification of the proxy taking over the prize	GDPR Article 6 (1) f) Legitimate interest	After 3 months from the end of the promotion

Data marked with * are mandatory to fill in, without these data it is not possible to take over the prize, providing of those data is the condition of taking over of the prize.

Presentation of legitimate interest: ensuring the lawful taking over of the prize to the proxy. Processing of the data of the proxy for taking over the prize is the legitimate interest of Simple, the proxy and the winner. Categories of data processed is narrow, it covers just data necessary for identification, so the fundamental rights and freedoms of witnesses are not violated.

Data controller is Simple.

The data subject is entitled to object to the data processing based on the aforementioned legitimate interest in an e-mail sent to the Simple’s customer service: ugyfelszolgalat@simple.hu.

1.2.14. Sending system messages via e-mail, in-app or push notification

Simple sends system messages to the registered Users from time to time. System messages are messages regarding the operation, service breakout, maintenance, traoubleshooting, functions of Simple System, change of these functions, availability of new functions of Simple System, the range of the services available in Simple System, way of use of these services, the General Terms and Conditions and Privacy Notice of Simple System or the modification thereof, rights and obligations of the Users concerning Simple System and also including the confirmation messages, notifications, confirmations sent in connection with the use of the services in Simple System, electronic bills, receipts and invoices.

For the purpose of sending system messages, Simple manages the following personal data:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract
User registered within Simple	e-mail address*	From Subject or in case of SimplePay Hero Wallet service from the Merchant	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract
	In case of push notification: Simple account	From Subject	Sending system messages in order to fulfil the contract	GDPR Article 6 (1) b) Fulfilment of the contract	3 month after the termination of the contract

Data marked with * are mandatory to fill in, without these data it is not possible to send system messages. Data controller is Simple.

In case of push notifications the User may set in the Simple Application and on his/her Mobile device whether he/she wishes to receive automatic push notification. If the User does notswitch on the automatic push notification function, Simple is able to send him/her push notification only for his/her request.

1.2.15. Educational, awareness-raising messages by email, in-app or push message

From time to time, Simple will send educational, awareness-raising messages to Users with Simple registration for general data security awareness purposes (e.g., anti-phishing, importance of updates and system maintenance, strong password awareness).

To send educational awareness messages, Simple will process the following data:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	name*	From Subject	Raising awareness of internet threats and online safety principles to encourage safe online behaviour among users	GDPR Article 6 (1) f) Legitimate interest	Until the cancellation of the Simple registration or the exercise of the user's right to object under Article 21 of the GDPR
User registered within Simple	e-mail address*	From Subject or in case of SimplePay Hero Wallet service from the Merchant	Raising awareness of internet threats and online safety principles to encourage safe online behaviour among users	GDPR Article 6 (1) f) Legitimate interest	Until the cancellation of the Simple registration or the exercise of the user's right to object under Article 21 of the GDPR
	In case of push notification: Simple account	From Subject	Raising awareness of internet threats and online safety principles to encourage safe online behaviour among users	GDPR Article 6 (1) f) Legitimate interest	Until the cancellation of the Simple registration or the exercise of the user's right to object under Article 21 of the GDPR

The data marked with * are mandatory, without them it is not possible to send a system message.

Legitimate Interest Statement: Simple has a legitimate interest in promoting business continuity and reducing cybersecurity risks by increasing the data security awareness and knowledge of its users, thereby protecting the digital infrastructure of the Simple System. Simple also has a legitimate interest in preserving Simple's reputation in this case, as Simple effectively demonstrates its commitment to data privacy and cybersecurity by promoting IT awareness messages.

In the case of push messaging, the User can configure in the Simple Application and on his or her Mobile Device whether he or she wishes to receive push messages automatically. If the User does not enable the automatic push messaging feature, Simple will only be able to send push messages to the User at the User's specific request.

The data controller is Simple.

The data subject may object to the processing based on the above legitimate interest by sending an e-mail to Simple's customer service at ugyfelszolgalat@simple.hu.

A full copy of the balancing of interests test on the processing based on legitimate interests is available to data subjects on request. The request should be made to the customer service e-mail address below.

1.2.16. Data processing concerning questionnaires and other requests for data

Simple regularly sends questionnaires and requests for data to the Users concerning their opinion about the Simple System and the Services available therein, their behaviour related to the Simple services, their ownership, financial status or other characteristics, which can be connected to the Simple services. Simple sends those questionnaires and requests for data in e-mail, in-app messages, push notifications or displays them in any other electronic way. Simple processes the Users' personal data related to the questionnaire and requests for data and their answers to the questions in the following way:

A	B	C	D	E	F
Subject	Data Category	Data origin	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered in Simple System	name	From data subject	a) Increasing the effectiveness, further development of Simple Application, development of new products b) measuring the use of Simple Application, preparing statistics c) profile making: analysing and predicting the personal characteristics and preferences of the Users and based on that sending customised offers, advertisements to the users who have granted separate consent to receiving electronic direct marketing messages	In case of purposes in column D/a) és b): GDPR 6. cikk (1) bek. f) point: Legitimate interest In case of purpose in column D/c): GDPR 6. cikk (1) bek. a) point: Consent	Until deletion of Simple registration
	e-mail address	From data subject			Until deletion of Simple registration
	in case of push and in-app messages: Simple account	From data subject			Until deletion of Simple registration
	answers of the questions	From data subject			Until deletion of Simple registration

The data controller of the aforementioned data is Simple.

The legitimate interest:

a) Increasing the effectiveness, further development of Simple Application, development of new products: Simple has legitimate business, economic interest to know the opinion of the Users about the Simple System, the Users’ purchases and habits in the Simple System, their preferences and other personal characteristics related to the Simple services in order to develop the Simple System in such a way which meets the Users’ expectations and answers real market needs.

b) Measuring the use of Simple Application, preparing statistics: Simple has legitimate business, economic interest to know on the basis of the answers of the questionnaires that which services are used or not used by the Users, are there needs or there are not from the side of the Users, and to prepare business statistics based on those information which serve as the basis of business decisions.

The Users are entitled to object to the data processing based on legitimate interest which can be submitted to Simple in e-mail to ugyfelszolgalat@simple.hu e-mail address or in letter via post.

Simple uses the answers of the questionnaires for profiling based on automated decision making in case of the Users who have granted specific consent to it; Simple sends or displays targeted, online behaviour based electronic advertisements based on the result of profiling to the Users who have granted separate consent to receiving electronic direct marketing messages.

In case of those Users who have not granted consent to the profiling based on automated decision making but granted consent to receiving electronic direct marketing messages, Simple is profiling their answers of the questionnaire manually and sends or displays targeted, online behaviour based electronic advertisements to them based on the result of profiling.

In case of those Users who have not granted consent to receiving electronic direct marketing messages, Simple does not use the answers of the questionnaires for profiling and Simple does not send to them targeted, online behaviour based advertisements.

You find the detailed provisions for profiling in a separate clause below.

1.2.17. Data processing concerning the Cheque payment service

In the Cheque payment service during the reading of the QR code Simple as data processor processes Users’ personal data necessary for fixing the QR code and fulfilling the payment in the transaction for the request and according to the instructions of Magyar Posta Zrt., on the basis of the agreement and data processing agreement concluded with Magyar Posta Zrt. Concerning this data processing Magyar Posta Zrt. is the data controller and Simple is data processor. The Privacy Notice of Magyar Posta Zrt. shall apply to this data processing.

Simple acts as Magyar Posta Zrt.’s data processor only in case of services initiated with reading the Post QR Code. Simple is data controller in connection with any other services, products available in Simple Application and with the general use of Simple Application and the present Privacy Notice shall apply for these data processing activities.

Simple processes for the request and instructions of Magyar POosta Zrt. the following personal data as data processor:

- Status of the payment

- VPOS bank ID

- e-mail address

- transaction ID

- amount to be paid

- Cheque issuer

- Name and address of the client

- ID number of the payment

- Remarks of the client

- Name of the saved cheque.

Magyar Posta Zrt. as data controller determines the purpose, legal basis, duration of the aforementioned data processing in its Privacy Notice.

1.2.18. Data processing related to the Simple Social function

We process the following data of you in the Simple Social function on the following legal basis:

A	B	C	D	E
Érintett	Adat kategória	Adatkezelés célja	Adatkezelés jogalapja	Adatkezelés időtartama
User registered in the Simple System, signed into the Simple Social function and granted permission to display	E-mail address registered in the Simple system	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Profile picture registered in the Simple System	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Recently used Simple services	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	List of Facebook friends	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Name, profile picture, e-mail address registered on Facebook profile	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
User registered in the Simple System and marked as friend by other Simple User in the Simple Social function	E-mail address registered in the Simple system	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Profile picture registered in the Simple System	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Recently used Simple services	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	List of Facebook friends	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Name, profile picture, e-mail address registered on Facebook profile	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
User registered in the Simple System and recommended as a friend in case of other Simple User in the framework of friend recommendation	E-mail address registered in the Simple system	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Profile picture registered in the Simple System	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Recently used Simple services	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration
	Name, profile picture, e-mail address registered on Facebook profile	Providing Simple Social services	Article 6 (1) a) of the GDPR: consent	Until the withdrawal of the consent, in lack of it until the termination of the Simple registration

The User can withdraw his/her consent in any time.

The data controller is Simple.

1.2.19. Data processing related to the insurance

Data processing related to the Groupama Simple Motor Vehicle assistance group insurance

A) In connection with the User joining the Groupama Simple Motor Vehicle assistance group insurance Simple processes the following data concerning the joined Users as data processor on behalf and upon the instructions of Groupama Biztosító Zrt:

Users registered to Simple who joined the Simple motor vehicle assistance insurance contract:

- E-mail address registered to the Simple System

- Name submitted in the Simple System, in absence of that the name generated from the above e-mail address by Simple

- Motor vehicle’s type (passenger car/goods vehicle), license plate number, age (year of production) and nationality

- Date of joining the insurance contract

- Chosen insurance package and modifications thereof

- Starting date and end date of risk-bearing

- Habits concerining using a car (regularity of trips abroad, frequency of using a car)

- Number of the insurance contract.

B) Simple as data controller, in connection with the User joining the Groupama Simple Motor Vehicle assistance group insurance, processes the following personal data concerning the Users registered to Simple who joined the Simple motor vehicle assistance insurance contract in order to and for the purposes of invoicing the insurance premium to the Users on the basis of complying with legal obligations as provided by Article 6(1)c) of the GDPR (in respect of data necessary for the fulfilment of tax obligations Articles 78 (3) and 202 (1) of Act CL of 2017 on the Rules of Taxation (“Taxation Act”), in respect of documents necessary for the fulfilment of accounting obligations Articles 168-169 of Act C of 2000 on Accounting (“Accounting Act”)):

- E-mail address registered to the Simple System

- Name submitted in the Simple System, in absence of that the name generated from the above e-mail address by Simple

- Motor vehicle’s type (passenger car/goods vehicle), license plate number, age (year of production) and nationality

- Date of joining the insurance contract

- Chosen insurance package and modifications thereof

- Starting date and end date of risk-bearing.

Data retention period: if the data are necessary for the fulfilment of tax obligations, the data are stored for 5 years from the last day of the calendar year in which the taxes should have been declared, reported or notified, or paid in the absence of a tax return, report or notification. If the data are necessary for the fulfilment of accounting obligations, they are retained and stored for 8 years. In other cases, the data are retained for 5 years from the termination of the contract (general civil law prescription period).

C) Simple as data controller, in connection with the User joining the Groupama Simple Motor Vehicle assistance group insurance, processes the following personal data concerning concerning the Users registered to Simple who joined the Simple motor vehicle assistance insurance contract on the basis of legitimate interest as provided by Article 6(1)f) of the GDPR:

- E-mail address registered to the Simple System

- Name submitted in the Simple System, in absence of that the name generated from the above e-mail address by Simple

- Motor vehicle’s type (passenger car/goods vehicle), license plate number, age (year of production) and nationality

- Date of joining the insurance contract

- Chosen insurance package and modifications thereof

- Starting date and end date of risk-bearing

- Number of the insurance contract.

Legitimate interest of Simple: in case of data processing for the purposes of exercising rights and claims the Service Provider uses the data of the User specified above in order to resolve legal disputes arising from the contract concerning the Simple System and the insurance concluded with the User, for evidencing relevant facts in course of potential contentious, non-contentious or other authority proceedings. The Service Provider processes these data so that it can use them for the purposes of evidencing in case legal disputes with the User arise related to the insurance and the applicable insurance contract. The Service Provider may exercise this right within the prescription period. The data processing therefore is necessary for the protection of the Service Provider’s rights and legitimate interests. The objective of the data processing cannot be attained otherwise.

The user may object to the data processing based on the above legitimate interest by sending an e-mail to Simple’s customer service: ugyfelszolgalat@simple.hu.

The user, upon request, is entitled to inspect the legitimate interest balancing test prepared in connection with the data processing based on the above legitimate interest, the request shall be submitted by mail sent to the Simple customer service.

Data processing related to the device insurance provided by Magyar Posta Biztosító Zrt.

Simple transmits the group device insurance provided by Magyar Posta Biztosító Zrt. in the Simple Application to the Users in order to join to the insurance based on its agreement concluded with Magyar Posta Biztosító Zrt. as a tied insurance intermediary (agent) according to section 4 (1) point 34/a) of the Act LXXXVIII of 2014 on the insurance activities (“Bit”). During its activity as a tied insurance intermediary Simple acts as the data processor of Magyar Posta Biztosító Zrt. in connection with the data processing through the Device insurance menu of the Simple Application based on the data processing agreement concluded with Magyar Posta Biztosító Zrt. According to this adat processing agreement Simple processes the following personal data of the Users entering into the device insurance contract for Magyar Posta Biztosító Zrt as data processor:

- Name

- E-mail address

- Address

- IMEI number of the insured smart device

- Type of the insured smart device

- Insurance package (Basic/Extra)

- ID number of the insurance contract

- Starting time of risk undertaking

- Date of conclusion of the insurance contract

- Effect of cancellation of the contract

- Reason of the cancellation of the contract

- Date of the cancellation of the contract

- Payment frequency (monthky, half yearly, yearly)

- Annual insurance fee

- Insurance fee to be paid by frequency

- Date of the next payment

- Insurance downpayment

- Photo taken about the screen of the ensured smart device

- Status of the insurance (active, not active, terminated, expired)

- Data in the invoice about the Device.

Privacy policy on the aforementioned data processing of Magyar Posta Biztosító Zrt. Data controller is available in Insurance menu of the Simple Application.

1.2.20. Personal data processed by Simple after deletion of the Simple registration (account, profile)

In the event of deletion of the Simple registration (account/profile) as defined in the Simple GTC, the data below will continue to be processed by Simple for the purposes and for the period of time specified below:

A) Personal data processed on the legal basis of Article 6(1)(c) of the GDPR in order to comply with a legal obligation, which Simple is obliged to retain: these categories of personal data, data subjects, the purpose of the processing and the retention period are indicated in this Privacy Notice.

B) Personal data processed on the basis of a legitimate interest of Simple or a third party pursuant to Article 6(1)(f) GDPR for the purposes of enforcement of claims and rights, fraud prevention and management, which Simple shall retain within the 5-year civil law limitation period, or in the case of a criminal offence, within the limitation period of the criminal offence, and, in the event of judicial, criminal, administrative or other proceedings, until the proceedings have been finally disposed of. These personal data are the following:

- Username, email address registered in Simple

- Identifier, amount, subject, delivery address, billing address of the transaction carried out by the User in the Simple System

- Name, e-mail address, registration number, audio recording of the telephone call, record of the complaint and its content, subject of the complaint, details of the transaction complained about

- In case of parking and e-vignette purchases: vehicle registration number, type, registration number, parking location, e-vignette details

- In the case of a mobile transport ticket: number of the pass, number of the identity card, number of the document proving entitlement to the discount, validity period of the mobile transport ticket.

In the event of deletion of the Simple registration (account, profile), the User's personal data processed by Simple as data controller, other than the above cases and personal data, will be irreversibly anonymised in a manner that constitutes deletion.

The detailed rules for the deletion of Simple registration (account, profile) are set out in the Simple GTC.

1.2.21. Personal data processed for the purpose of sending login notifications and 2-factor authentication (in short: 2FA)

Simple processes the following data during the sending login notification and 2-factor authentication:

Data subject

Data category

Purpose of data processing

Legal basis of data processing

Retention period

User registered with Simple

Registered e-mail address of the User, place of login (Simple Website, Simple Application, etc), time of login, e-mail address used for login, code received in e-mail during 2-factor authentication

Protecting the User's Simple account, preventing and reducing misuse of the User's Simple account, creating a secure IT environment and strengthening the protection of user accounts by requiring a second, separate identification factor (code received by email) for users, thus significantly reducing the risk of unauthorized access.

In case of login notification: GDPR art. 6 (1) a): consent.

In case of 2FA: legitimate interest under Article 6(1)(f) GDPR.

Simple's legitimate interest and the related assessment has been carried out by Simple in a Legitimate Interest Assessment, which will be made available to the User upon request. The User may object to the processing for legitimate interest by disabling two-factor authentication in the Simple Application.

The 2FA additional security measure is applied by default by Simple on a mandatory basis and cannot be disabled by the User to ensure full account protection.

In case of login notification: Simple sends the login notifications to the User and applies 2-factor authentication based on the User’s consent until his/her registration in the Simple System is terminated, unless the User withdraws his/her consent earlier, in which case Simple will not send the User such login notices.

In case of 2FA: until the User’s registration in the Simple System is terminated.

The User gives his/her consent to the sending of login notifications and 2-factor authentication separately by activating the corresponding button in the Simple Classic and Simple by OTP Application. The User can withdraw his/her consent separately to receive login notifications and to 2-factor authentication at any time by deactivating the function in the Simple Classic and Simple by OTP Application by clicking on the appropriate button.

Data subjects do not have the possibility to opt-out of two-factor authentication and therefore cannot exercise their right to object to this processing pursuant to the first sentence of Article 21(1) of the GDPR, based on the second sentence of Article 21(1) of the GDPR. The processing in relation to the 2FA is justified on compelling legitimate grounds which override the interests, rights and freedoms of the data subject, according to the balance of interests carried out by the controller. This overriding reason is, on the one hand, that Users, although not or not necessarily having factual information about it, are increasingly demanding a high level of data security, and, on the other hand, that the rapidity of cyber-attacks on IT systems, which are becoming more frequent, means that it is not sufficient to activate the 2FA when a cyber-attack occurs, but that its prior, preemptive use is necessary.

1.2.22. Data processing related to Falatozz.hu food ordering

Simple processes the following personal data in the Falatozz.hu food ordering service:

A	B	C	D	E
Data subject	Data category	Purpose of data processing	Legal basis of data processing	Retention period
User registered with Simple	User’s age	Checking the right of the User to buy alcoholic beverages.	GDPR art. 6 (1) c): legal obligation. The Hungarian legislation establishing the legal obligation: Act CLV of 1997 on consumer protection, 16/A (1): t is prohibited to sell or serve alcoholic beverages to persons under the age of eighteen, with the exception of medicinal products available only on prescription. Paragraph 4: In order to enforce the restriction set out in paragraph 1, the business or its representative shall, in case of doubt, ask the consumer to provide credible proof of age. In the absence of such proof of age, the sale or service of the product shall be refused.	Until placing the order.
	Previous orders data	Reordering of previous orders	GDPR art. 6 (1) b): Performance of the contract between Simple and the User.	For 1 year
	Transaction ID in case of payment by SZÉP card	Confirmation to the user on the success of a SZÉP card payment	GDPR art. 6 (1) b): Performance of the contract between Simple and the User.	For 5 years from the date of the transaction

1.2.23. Data processing related to Payment Requests

Simple processes the following personal data in relation to Payment Requests as data controller:

A	B	C	D	E
Data subject	Data category	Purpose of data processing	Legal basis of data processing	Retention period
User registered with Simple	User’s nem and bank account number	Storage of bank account number and name in Simple Application for the purpose of fullfilment of the Payment Requests.	GDPR art. 6 (1) a): Consent.	Until withdrawal of the consent buta t the latest until the deletion of Simple registration (which occurs earlier).

The User can withdraw his consent at any time.

1.2.24. Data processing related to reporting errors

A	B	C	D	E
Data subject	Data category	Purpose of data processing	Legal basis of data processing	Retention period
User registered with Simple	E-mai address of the User	Investigating the error, informing the User	GDPR art. 6 (1) point f): legitimate interest	One month from reporting the error
User registered with Simple	Location of the error	Ivestigating the error	GDPR art. 6 (1) point f): legitimate interest	One month from reporting the error

The legitimate interest:

Repairing the Simple Application: It is the Simple’s legitimate interest that the Simple Application operates without errors, Simple be informed about the errors and Simple can repair the errors which also increase the User satisfaction.

The user may object to the data processing based on the above legitimate interest by sending an e-mail to Simple’s customer service: ugyfelszolgalat@simple.hu.

2. Data processing via cookies

We use cookies and other various programs on the Website and in the Simple Application in order to understand the Website and the Simple Application Visitors’ preferences and behaviour relating to the Website and the Simple Application, to develop the Website and the Simple Application based on those, and to generate anonymous statistics on Website and the Simple Application traffic and to send targeted marketing messages to the Users.

We use three types of cookies on the Website and in the Simple Application as follows:

a) Cookies strictly necessary for the operation of the Website and the Simple Application: without them the Website and/or the Simple Application do not work at all or do not work properly; those cookies are necessary for running the Website and Simple Application. These cookies are applied for language settings, currency, data protection preferencies. If the User blocks those cookies in the browser, the Website and the Simple Application do not work properly.

Simple processes the data collected by the cookies strictly necessary for the operation of the Website and the Simple Application based on Legitimate interest according to Article 6 (1) f) of the GDPR.

Legitimate interest of Simple: It is the legitimate interest of Simple that the Website and the Simple Application operates properly and the Website and the Simple Applicatiuon can be displayed to the Users. It is necessary to use the aforementioned cookies and processing the personal data collected by them for this purpose.

The Users are entitled to object to the data processing based on legitimate interest which can be submitted to Simple in e-mail to ugyfelszolgalat@simple.hu e-mail address.

b) Cookies for statistical, analytical purposes: those cookies help the Simple to measure the traffic of visitors and to processing data in data basis. They help Simple to understand which products and activities are the more popular than others. The User may block these cookies in his/her browser or can use this one: https:\\tools.google.com/dlpage/gaoptout. The data collected by these cookies Simple uses for the optimisation of the Website and the Simple Application, and for development of the Website and the Simple Application.

The Service Provider processes the data collected by the statistical, analytical cookies based on consent according to Article 6 (1) a) of the GDPR.

In case of data processing based on consent, the data subject is entitled to withdraw his/her consent at any time.

c) Marketing/remarketing cookies: those cookies are usually applied because of marketing and advertising activities for the purpose of monitoring the range of interest of the Users and based on that to display relevant advertisements on the Website and in the Simple Application. The data collected by those cookies are used for profiling the Users. If the User does not allow the use of these cookies, the User will not receive targeted advertisements in the future. The purpose of processing of the data collected by these cookies is segmenting for displaying targeted advertisements for direct marketing purposes. Furthermore, in order to send the Users only that kind of advertisements which meets their range of interest and which are relevant to them, we use the data collected automatically for segmenting and grouping the Users as recipients of the advertisements.

This data processing does not have legal effect on data subjects.

Simple processes these data based on consent according to Article 6 (1) a) of the GDPR.

In case of data processing based on consent, the data subject is entitled to withdraw his/her consent at any time.

General provisions about cookies

In general, the cookie is a small file consisting of letters and numbers which is sent to the device of the User from our servers. Reputable partners helps Simple in displaying advertisements on the Website, in the Simple Application and beyond them and analytical service providers like Google aNalytics, Facebook Pixel also may put cookies on the User’s device.

Simple uses the following third party cookies for the following purposes:

Type of cookie	Purpose of cookie
Google Analytics	Generating visitors’ statistics, development of the Website and the Simple Application
Google Adwords Remarketing	Use of the advertising services provided by Google LLC, displaying targeted, segmented advertisements
Facebook Pixel és Custom Audience	generating statistics on the visitors from the Facebook.com website Use of the remarketing services provided by Facebook, Inc. for displaying targeted, segmented advertisement on Facebook.com.

We use Google Analytics and Facebook Custom Audience cookies and services on the Website and in the Simple Application, which are the following:

Google Analytics is the online analysing service of Google LLC (“Google”) which helps to know more about that how the visitors use the Website and Simple Application. Google Analytics summarises information about the use of the Website and Simple Application, such as IP address, which the system may send to Google and store them on its servers. We use that information for preparing reports and to fix the operation of our website. Cookies furthermore collect anonimised information about the following: number of visitors of the Website and the Simple Application, data related to from which website arrived the Users to the Website and the Simple Application and which sites are visited.

You can read more about Google Analytics cookies here: http://www.google.com/policies/privacy/.

If you would like to switch off the Google Analytics tracking during the use of the Website and the Simple Application, please click on the following link: http://tools.google.com/dlpage/gaoptout

Facebook Customn Audience is the online analysing and advertising service of Facebook, Inc (Facebook) by which Simple gathers information about that how visitors use the Website and the Simple Application. Facebook pixels put cookies on the device browsing the Website and the Simple Application the purpose of which is to set up the proper audience for advertising, to measure conversion between devices, target advertisements, to optimise the advertisements for the relevant audience, to display targeted personalised advertisements, make reports and tables about the Website and the Simple Application.

The User is able to set these data processing activities of Facebook in his/her Facebook account and may authorise the data collection by Facebook cookies on the Website and in the Simple Application on his/her own. The User can find these cookies in Facebook Ads Settings menu by entering his/her Facebook account and he/she can set there or modify his/her cookie preferences.

The User can grant his/her consent to the use of the cookies in groups on the Website and in the Simple Application.

The User is able to set his/her browser to accept all cookies, to refuse all cookies or to inform the User if cookie arrives to his/her device. Each browser is different, so the “help” menu can help in cookie settings. You can find more information about cookies on the following website: http://www.youronlinechoices.com/hu/.

In order to inform Simple about thet the User refused the use of cookies, Simple puts a special cookie on the User’s device, so the Simple will know that it cannot put cookies when the User visits the Website and the Simple Application next time.

The cookie settings menu in case of the most popular browsers are the following:

§ Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

§ Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

§ Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

§ Microsoft Edge: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy

Google Analytics provides additional possibilities for unsubscribing Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=en-GB.

We use the following cookies:

A) Regarding iOS mobile devices:

A	B	C	D	E
Subject	Data Category	Purpose of data processing	Legal basis of data processing, cookie type	Duration of data processing
User registered within Simple	language of the application	a) Personalization of the application, b) Communication, c) Determination of the language of automatic notifications	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	unique hardware ID generated upon installation	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	key chain data required to identify and authenticate the User	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	e-mail address used for logging in	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	type of log in(e-mail, Google+ or Facebook account)	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	hashed version of the user password hashelt for the tasks requiring stonger authentication (e.g. payment)	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	regarding EP card upload, the number of the most recently used EP card is saved	Streamlining, customizing the application, increasing user experience	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	regarding money transfer function, the number of the most recently used bank card is saved	Streamlining, customizing the application, increasing user experience	GDPR Article 6 (1) a) Consent	Until the logging out of the application
	date of last password modification	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	date of last log in	a) Ensuring safety, b) Understanding of circle of interests, c) Customizing the application, d) Displaying advertisement, sending of personalized offer	In case of column C/a) purpose: GDPR Artcile 6 (1) f) Legitimate interest Necessary for the operation of the application. In case of processing purposes of column C/b) – d): GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	maximum amount of payment without password	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	registration date	a) Understanding of circle of interests, b) Customizing the application, c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	registration channel	a) Understanding of circle of interests, b) Customizing the application, c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	fact of registration from a social media network	a) Understanding of circle of interests b) Customizing the application c) Displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application

B) Regarding Android mobile devices:

A	B	C	D	E
Subject	Data Category	Purpose of data processing	Legal basis of data processing	Duration of data processing
User registered within Simple	bank card profile data (card ID, card status, card data)	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	Card transaction data (card ID, transaction timestamp ID, log)	a) User identification, b) plausibility, c) Claim and law enforcement, d) Understanding of circle of interests, e) customizing the application, f) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a) – c): GDPR art. 6 (1) f) Legitimate interest Necessary for the operation of the application. In case of processing purposes of column C/d) -f): GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	Environmental data (latitude, longitude – location, wallett status, remote url)	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the logging out of the application
	Mobile Keys (mobile key set, ID, type, value, ID card)	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	Transaction report status data (token unique refernce, timestamp)	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	Token unique reference list (token unique reference card ID)	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	e-mail address used for logging in	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	type of log in (e-mail, Google+ or Facebook account)	a) User identification, b) understanding of circle of interests, c) customizing the application, d) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): GDPR art. 6 (1) f) – Legitimate interest Necessary for the operation of the application. In case of processing purposes of column C/b) -d): GDPR Article 6 (1) a) Consent – marketing cookie	Until the logging out of the application
	double-hashed version of the user password for the tasks requiring less stonger authentication (e.g. re-log in)	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	hashed user password, fingerprint encrypted version	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	Number of successful transactions	a) understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer d) statistics, analysis	GDPR Article 6 (1) a) Consent - marketing and statistical, analysing cookies	Until the deletion of the application
	regarding EP card upload, the number of the most recently used EP card is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	regarding money transfer function, the number of the most recently used bank card is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	e-mail address used for the last log in is saved	a) Streamlining, customizing the application, b) Increasing user experience	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	user API level	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	Message center, last shown message and timestamp	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	Taxi order dialogue data	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	Parking GPS verification dialogue data	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the logging out of the application
	Wallet PIN	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	Wallet app payment ID	User identification	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	digitalization of Wallet Card ID	a) User identification, b) Conclusion of contract, c) plausibility d) Claim and law enforcement	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	unlocked phone timestamp	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the logging out of the application
	mobile payment being blocked by EULA	a) Conclusion of contract, b) plausibility c) Claim and law enforcement	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) and c): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	safe keyguard	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	changed Keyguard	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	Simple is not the default payment application	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent	Until the deletion of the application
	Application settings (language, newsletter subscription, fingerprint ID usage, notifications, Facebook connection in place or not, parking notifications, taxi notifications, cinema notifications)	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	date of last password modification	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	date of last log in	a) Ensuring safety, b) Understanding of circle of interests, c) customizing the application, d) displaying advertisement, sending of personalized offer	In case of processing purpose of column C/a): Fulfilment of contract In case of processing purposes of column C/b) - d): GDPR Article 6 (1) f) Legal Interest	Until the deletion of the application
	maximum amount of payment without password	Ensuring safety	GDPR Article 6 (1) f) Legitimate interest Necessary for the operation of the application.	Until the deletion of the application
	registration date	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	registration channel	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application
	fact of registration from a social media network	a) Understanding of circle of interests, b) customizing the application, c) displaying advertisement, sending of personalized offer	GDPR Article 6 (1) a) Consent – marketing cookie	Until the deletion of the application

Profiling

A) What are the purposes, legal basis of our profiling and what data categories do we use for that?

The data collected from your mobile device and the Website automatically referred in clause 2 and the data given by the Users in the questionnaires defined in clause 1.2.15. are connected to the data indicated in clauses 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4 and 1.2.5 hereof and, from the data indicated in clause 1.2.19. hereof, to the data whether the User has motor vehicle assistance insurance and in respect of which motor vehicle which you have provided when registering in the Simple Application and to the data you have given when using other Simple services as well as to the data you have provided on websites operated by us e.g. www.simple.hu, www.simplepay.hu, www.simplepartner.hu, www.mozizzunk.hu, www.mozi-filmek.hu, www.simplejatekok.hu, www.nyerjamatricaddal.hu, www.penzugyekonline.hu, www.nyerjegyszeruen.hu, www.utazzegyszeruen.hu, www.mentsdegyszeruen.hu including the data we have automatically collected of you there and indicated in the privacy notices of those websites. Finally, all the above data are assigned to you personally.

Purposes and legal basis of data processing for the puspose of profiling without automated decision making:

a) Increasing the effectiveness, further development of Simple Application, development of new products: legal basis is GDPR (1) f) point: Legitimate interest: Simple has legitimate business, economic interest to know the opinion of the Users about the Simple System, the Users’ purchases and habits in the Simple System, their preferences and other personal characteristics related to the Simple services in order to develop the Simple System in such a way which meets the Users’ expectations and answers real market needs.

b) Measuring the use of Simple Application, preparing statistics: legal basis is GDPR (1) f) point: Legitimate interest Simple has legitimate business, economic interest to know on the basis of the answers of the questionnaires that which services are used or not used by the Users, are there needs or there are not from the side of the Users, and to prepare business statistics based on those information which serve as the basis of business decisions.

c) Profiling and based on that sending or displaying targeted online behaviour based advertisement: assigning the aforementioned database to the profile of the User created in the Simple Application, making profile of the User, analysing and predicting personal characteristics and preferences of the User and based on that sending or displaying customised offers and advertisements to those Users who have granted separate consent to receiving direct marketing messages.

In case of data processing based on legitimate interest the User is entitled to object; in that case we do not process their data further for that purpose and on the basis of legitimate interest.

For the request of the data subjects, the subjects are entitled to receive the the Legitimate interest balancing test. The request shall be sent to the e-mail address of the customer service.

B) Information about profiling based on automated decision making

We make profiling with decision making based on automated data processing in case of Users who have granted specific consent to that according to artciles 6 (1) a) and 22 (2) c) of GDPR (legal basis of data processing is Consent). We use the profile data and characteristics based on this profiling for direct marketing purposes, e.g. for sending targeted, online behavior based advertisement only in case of Users who have granted specific consent to receiving direct marketing messages.

In case of profiling based on automated decision-making, the Users have the following rights:

- the User is entitled to request human intervention,

- the User is entitled to express their standpoint,

- the User is entitled to submit a complaint against the decision made in such a way to the Simple.

The User can submit his statement for exercising its aforementioned rights to Simple via e-mail sent to the e-mail address of ugyfelszolgalat@simple.hu or in post letter, in every case in written format.

According to Article 13 (2) f) of the GDPR, Simple provides the Users with the following information about profiling based on automated decision-making:

- significance and consequences of profiling based on automated decision-making for the User are that he will receive marketing messages and marketing messages will be displayed to him which better meet his personal characteristics, range of interest, purchase habits, expectable predicted behaviour based on the result of the profiling carried out with automated decision-making. The User will not be out of any advantages or allowances, the price of the services remains the same, such kind of profiling based on automated decision-making will not have legal effect and will not affect him significantly.

- logic applied during the profiling based on automated decision-making: we assign the data collected about the User to the User, after that we make conclusions from the data collected of what are the preferences of the User, what kind of range of interest the User have, which services and how will the User use on the basis of his existing purchases and his online behaviour related to the Simple System, and based on those data we display or send advertisements which meet the aforementioned conclusions to the User.

In case of those Users who have not granted consent to the profiling based on automated decision making, we are profiling their answers of the questionnaire manually and we do not use automated decision-making; we use the profile data and characteristics originating from manual profiling for direct marketing purposes, e.g. for sending targeted, online behaviour based advertisements only to such Users who also have granted specific consent to receiving direct marketing messages.

In case of those Users who have not granted consent to receiving electronic direct marketing messages, Simple does not use profiling for direct marketing purposes with or without automated decision-making, we do not send to them targeted, online behaviour based advertisement. We use the data of those Users for the purpose of increasing the effectiveness, further development of Simple Application, development of new products and for measuring the use of Simple Application, preparing statistics. Legal basis of those data processing activities are Legitimate interest according to article 6 (1) f) point of GDPR.

For profiling we use Facebook Custom Audiences, Facebook Pixel and Google Analytics services. In order to reach the aforementioned goal in the framework of Facebook Custom Audience services we upload your e-mail address and phone identification number into the Facebook’s system. In case of Facebook Pixel and Google Analytics we use your data collected by them and we on an ad hoc basis combine with your data collected by us. Simple is the data controller of the data we forward to Facebook and Google as well as of the data received from them by us. Facebook and Google are the data controllers of the data collected by them. Facebook and Google is the data processor acting on behalf of Simple in case of the data collected by Simple and forwarded to them by Simple.

4. Data processing related to the Facebook Page

Simple operates a Fecabook Page under the URL address https://www.facebook.com/simplehungary/ on which page Simple displays news, advertisements, videos, organises games and promotions, discloses events, photos, posts. Simple collects, analyzes and displayes in aggregated way personal data with the function of Facebook Insight on the Simple Facebook Page concerning the type of the activities of the Users ont he Facebook Page, how much time they spend with viewing contents.

Simple hereby informs the visitors of the Simple Facebook Page that Simple and Facebook Ireland Limited are joint data processors under the Article 26 of GDPR concerning the personal data collected in Facebook Insight function of the Facebook Page; Simple and Facebook Ireland Limited jointly determines the purposes and tools of data processing. The agreement of joint data processing concluded between Simple and Facebook Ireland Limited is available here: https://www.facebook.com/legal/terms/page_controller_addendum.

Furthermore, Simple informs the visitors of its Simple Facebook Page about the split of the main responsibilities and obligations between Simple and Facebook Ireland Limited and also about the relevant provisions of the agreement on joint data processing:

Responsibilities and obligations of Facebook Ireland Limited:

a) Facebook Ireland Limited undertakes the primary liability of the data processing of the data in Facebook Insight function; data processing is carried out by Facebook Ireland Limited in trhe name of Simple.

b) Facebook Ireland Limited is liable for appropriately informing the Users ont he data processing.

c) Facebook Ireland Limited is liable for keeping in touch with the Users. answeing the Users' requests when the Users exercise their rights concerning data protection; Simple is not entitled to contact the Users in this matter on the basis of the joint precessing agreement. If the User submits his/her request/claim of data protection to Simple, Simple is obliged to forward it to Facebook Ireland Limited within 7 days; the User shall receive the answer of his/her request from Facebook Ireland Limited.

d) Facebook Ireland Limited is liable for keeping the data safety provisions on the personal data collected and processed in the function of Facebook Insight; for announcement of data breaches and for informing the Users about the data breaches.

Responsibilities and obligations of Simple:

a) Simple is obliged to ensure that Simple has appropriate legal basis of the data processing concerning Facebook Insight.

b) Simple is obliged to indicate itself as data controller on the Facebook Page.

c) Simple is not entitled to claim the concrete personal data processed in Facebook Insight function from Facebook Ireland Limited; Simple is able to reach only the statistics and reports created by Facebook Ireland Limited, Simple does not have access to the personal data forming the basis of the reports.

Simple hereby informes the visitors of the Facebook page that Simple processes their following data on the following legal basis:

§ Regarding the likes on Simple Facebook Page: number of likes; place of likes, number of new likes

§ Regarding posts on Simple Facebook Page: how much people are reached by the post, number of likes, comments and shares of the post, number of unlikes, hides, reporting as spam, when the persons reaching the Facebook Page view Facebook content;

§ Regarding visits of the Simple Facebook Page: how much times was the Page visited, how much times did the users come from external sites;

§ Regarding videos on Simple Facebook Page: number of watching video more than 3 seconds, more than 30 seconds, top videos of the Page;

§ Regarding visitors of the Simple Facebook Page: gender, age, location (country, city), language of the persons who liked the Page, number of visitors viewed the post in the last 28 days, who liked, commented or shared something on the Facebook Page in the last 28 days.

The legal basis of Simple’s aforementioned data processing is Consent according to Article 6 (1) a) of the GDPR. The Users can withdraw his/her cosent in any time. Granting or withdrawing consent is possible in the Users' Facebook profile.

Facebook Ireland Limited is obliged to disclose the deatiled privacy notice on the Facebook Pages on the basis of the aforementioned joint data processing agreement.

Simple excludes its liability for any data processing carried out by Facebook Ireland Limited, only Facebook Ireland Limited is liable for that.

5. Data processing concerning the enforcement of the data subjects’ data protection rights (see clause 11)

The Data controller processes data when the data subjects eyercise their data protection rights concerning the data controller’s data processing activity. In this case the Data controller processes the following data:

Name and purpose of data processing

Legal basis of data processing

data categories

Duration of data processing

Data processing concerning the enforcement of the data subjects’ data protection rights (see clause 8)

GDPR Article 6 (1) c) (the data processing is necessary for fulfilling the legal obligation of Data controller)

Legal obligation: making possible the exercising of the data subjects' rights stipulated in a GDPR Articles 15-22 and documentation of the other steps concerning the request.

Personal data submitted to the Data controller in connection with the data protection requests: in case of private persons, legal entities and other organisations turning to the Data controller the contact details of the contact persons necessary for communication with them (in particular: name, address, phone number, e-mail address), content of the request, steps concerning the request, documents concerning the request. For example: if the data subject requests in e-mail to erase all of his/her data based on the GDPR, and the Data controller fulfils this request, the Data controller will keep the e-mail about the request for erasure.

Duration of data processing: in lack of other data protection authority guidance: indefinite period of time.

6. Data processing in order to archive the consents of the data subjects to the data processing and to archive the withdrawal of those consents

Name and purpose of data processing

Legal basis of data processing

data categories

Duration of data processing

Archive the consents of the data subjects to the data processing and the withdrawal of those consents

GDPR Article 6 (1) c) (the data processing is necessary for fulfilling the legal obligation of Data controller)

Legal obligation: according to Article 7 (1) of GDPR if the data processing is based on consent, the data controller must be able to certify that the data subject has granted consent to the processing of his/her personal data.

If any data processing of the Data controller is based on consent, the Data controller archives the consent. The purpose of this procedure is to certify the legality of the consent in any time. If the data subject withdraws his/her consent, the Data controller keeps the withdrawal statement (and the communication related to that). The purpose of this procedure is that the Data controller must always be be aware of that a data subject withdrew his/her consent to a given data processing.

Duration of data processing: in lack of other data protection authority guidance: indefinite period of time.

7. Data processing for the purpose of recording data protection breaches (including documentation of steps taken related to the management of the incidents)

Name and purpose of data processing

Legal basis of data processing

data categories

Duration of data processing

Data processing for the purpose of recöoring data protection breaches (including documentation of steps taken related to the management of the incidents)

GDPR Article 6 (1) c) (the data processing is necessary for fulfilling the legal obligation of Data controller)

Legal obligation: according to Article 33 (5) of GDPR the Data controller keeps records on data protection incidents by indicating the facts related to the data protection incident, their effects and the measures taken for remedy of the incident. This record makes the data protection authority able to control the compliance with the GDPR.

Personal data of the data subjects related to the data protection incident.

Duration of data processing: in lack of other data protection authority guidance: indefinite period of time.

8. Who processes your personal data, and who has access to them?

The data controller

The controller of the personal data specified in clauses 1.1.1., 1.1.2., 1.2.1. – 1.2.3., 1.2.7., 1.2.8.3., 1.2.9., 1.2.11. – 1.2.15., 1.2.17., 1.2.19. paragraphs B) and C), 1.2.20 – 1.2.22, 2., 3., 5 – 7 is Simple, meaning OTP Mobile Service Llc., the company data of which are as follows:

OTP Mobile Service Limited Liability Company.

Company reg. no.: 01-09-174466

Tax no.: 24386106-2-44

Seat: 1138 Budapest, Váci út 135-139. B. ép. 5. em.

Postal address: 1138 Budapest, Váci út 135-139. B. ép. 5. em.

Represented by: Péter Benyó managing director (availability: 1138 Budapest, Váci út 135-139. B. ép. 5. em.; ugyfelszolgalat@simple.hu)

E-mail address: ugyfelszolgalat@simple.hu

Telephone: 06 1 3666 611

06 70 3666 611

06 30 3666 611

06 20 3666 611

On behalf of Simple, the data is accessible to the employees of Simple whose access is essential to the performance of their duties. Access authorizations are specified in a strict internal code.

Data processors

For the processing of the personal data of representative and contact persons, we engage the following companies, with whom we have entered into data processor agreements and to whom we forward your data necessary for the fulfilment of the aforementioned purposes.. The following data processors conduct the processing of personal data:

Data processors’ name and address	Purpose of data processing	Information regarding data transfers to abroad
OTP Bank Plc. (seat: 1051 Budapest, Nádor u. 16.; Reg. Nr.: 01-10-041585; Tax Nr.: 10537914-4-44)	a) providing online bank card payment service in the Simple System, bank card authorization b) providing Simple with IT infrastructure	There is no data transfer to abroad.
Microsoft Corporation (USA - One Microsoft Way Redmond, Washington 98052)	a) provider of Microsoft 365 cloud service	Data is transferred to the USA. Legal basis of transfer: Standard Contractual Clauses (SCC) based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and transferred in accordance with the EU data protection provisions. The SCC is available in the Microsoft Online Services Terms.
Mastercard Europe SA, Reg. Nr.: RPR 0448038446, seat: 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium	a) conclusion of online bank card payment	There is no data transfer to abroad.
Visa Europe Services LLC (registered int he USA, Delaware, acting through its London Branch Office (Reg. no of the Branch: BR007632) registered office: 1 Sheldon Square, London W2 6TT, VAT No: GB 840 111 776)	a) conclusion of online bank card payment	There is no data transfer to abroad.
American Express Services Europe Limited (registered office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9AX, United Kingdom, Reg. No: 1833139, Registered by: Companies House)	a) conclusion of online bank card payment	There is no data transfer to abroad.
The Rocket Science Group LLC d/b/a MailChimp (seat: Georgia 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308)	a) sending out of the newsletters, storage of the e-mail addresses in the newsletter database	Data is transferred to the USA. Legal basis of transfer: Standard Contractual Clauses (SCC) based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and transferred in accordance with the EU data protection provisions. The MailChimp SCC is available in Annex 3 of the MailChimp Data Protection Addendum: MailChimp Data Processing Addendum
SendGrid, Inc. (1801 California Street, Suite 500 Denver, Colorado 80202, USA)	a) sending out of the newsletters, storage of the e-mail addresses in the newsletter database	Data is transferred to the USA. Legal basis of transfer: Twilio Standard Contractual Clauses (SCC) based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and transferred in accordance with the EU data protection provisions. The Twilio SCC also applicable to SendGrid is available here: Data Protection Addendum (twilio.com)
Wyze PFM LLC (seat: 1118 Budapest, Brassó út 144. 1^st floor 6.; Reg Nr.: 01-09-291453; Tax Nr.: 25829237-2-43)	a) operation, maintenance, troubleshooting and development of the IT background of SimpleBill service	There is no data transfer to abroad.
Aggreg8 LLC (seat: 6721 Szeged, Zárda u 8.; Reg Nr.: 06-09-023518, T: 25930423-2-06)	a) development and improvement of the software background of SimpleBill service	There is no data transfer to abroad.
KBOSS.hu Kft., (Számlázz.hu, 1034 Budapest, Bécsi út 126-128., Reg. No: 01-09-303201, VAT No: 13421739-2-41)	a) electronic billing services	There is no data transfer to abroad.
N-Ware Kft. (Billzone.eu, 1139 Budapest, Gömb utca 26., Cg.: 01 09 921789 adószám: 14825679-2-41)	a) electronic billing services in case of Interticket tickets b) issuing and sending receipts, data processed: e-mail address, currency, type of payment, name, quantity and price of the purchased products/services, license plate of the vehicle in case of parking and e-motorway ticket services	There is no data transfer to abroad.
Facebook, Inc. (USA)	a) Profiling, advertising, analytics and measuring, online behavioural advertising	Data is transferred to the USA. Legal basis of transfer: the Standard Contractual Clauses (SCC) in the Facebook Data Transfer Addendum based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and trasnferred in accordance with the EU data protection provisions. The Data Transfer Addendum of Facebook is available here: Facebook.com
GOOGLE LLC (USA - Google Data Protection Office, 1600 Amphitheatre Pkwy Mountain View, California 94043)	a) Profiling, advertising, analytics and measuring, online behavioural advertising b) Firebase services	Data is transferred to the USA. Legal basis of transfer: The Standard Contractual Clauses (SCC) in the Google Ads Data Processing Terms based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and transferred in accordance with the EU data protection provisions. The Google SCC is available here: Google Ads Data Processing Terms: Model Contract Clauses The Standard Contractual Clauses (SCC) for Firebase services based on the Data Protection Directive 95/46/EC as approved by the Article 29 Working Party based on the model contract 2010/87/EU, by virtue of which the data processor ensures that the personal data is processed and transferred in accordance with the EU data protection provisions which are available here: Standard Contractual Clauses (google.com).
Survey Monkey Europe UC (2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4, Ireland)	a) ensuring questionnaire forms for subscription for games, promotions, answering questions in promotions, in which e-mail address, name and answers of the questions as personal data are processed b) ensuring questionnaire forms and surfaces for collecting and managing user remarks during the beta tests os Simple Application and System	There is no data transfer to abroad.
Quadron Kibervédelmi Kft. (1051 Budapest, Sas u. 10-12.; Cg. 01-09-189206)	Cyber security and cyber protection services and consulting	There is no data transfer to abroad.
Ondemand Kft. (1124 Budapest, Muskátli u. 6. 1. em. 1.; Cg. 01-09-173803)	Software development and support	There is no data transfer to abroad.
Etalon-Informatika Kft. (1132 Budapest, Kresz Géza u. 53/b.; Cg. 01-09-668817)	Professional support of IT infrastructure operation and system maintenance	There is no data transfer to abroad.
HOV-9 Informatikai és Szolgáltató Kft. (2310 Szigetszentmiklós, Kéktó köz 9/b.; Cg. 13-09-181701)	Support of softeware development, testing and software consulting services	There is no data transfer to abroad.
Nconnect Hungary Kft. (2161 Csomád, Kossuth u. 79.; Cg. 13-09-140663)	IT security consulting	There is no data transfer to abroad.
Slack Technologies Limited (Central Park (Block G), 3rd and 4th FL, No 1, Central Park, Leopardstown, Dublin 18, Ireland)	Task management and internal communication for the employees of the Data Controller.	Slack stores the data in the U.S., so there is a data transfer to third country which Slack does on the basis of Standard Contractual Clauses (Data Processing Addendum - Legal - Slack (axdraft.com) which serves as an appropriate guarantee according to article 45 (2) point c) and d) of the GDPR. The Data Controller and the Slack entered into a data processing agreement available on the above link.

9. Who is the data protection officer of Simple and what are his contact details?

Zsombor Sári

Contact:

a) Simple offices (1138 Budapest, Váci út 135-139. B. ép. 5. em.)

b) e-mail address: dpo@otpmobil.com

c) Postal address: 1138 Budapest, Váci út 135-139. B. ép. 5. em.

10. To whom do we forward your personal data?

The following types of data from your personal data are transferred to the following individual data controller recipients based on our agreement concluded with them (beside of the aforementioned data processors):

Recipient of data transmission	Category of transmitted data
Nemzeti Mobilfizetési Zártkörűen Működő Részvénytársaság (1027 Budapest, Kapás utca 6-12. Reg. no: 01 10 047569; VAT No: 24151667-2-4)	In case of purchase of parking tickets and e-vignette, the following data shall be transmitted: vehicle’s licence plate, vehicle’s country denomination, parking location, type of the vehicle, data of the purchased vignette (type, period of validity). In case of purchase of Transport mobile tickets, the following data shall be transmitted: type and number of ID card and documents proving right for discounts, type and purchase price of Transport mobile ticket bought, personal data included in the complaint submitted to Simple and data related to the complaint and necessary for managing the complaint.
Interticket Kft. (registered office: 1139 Budapest, Váci út 99., Reg. No: 01-09-736766, VAT No: 10384709-2-41)	In case of purchase of Ticket: the data, price of the ticket purchased and the e-mail addree of the User purchased the Ticket
Delivery Hero Hungary Kft. (1093 Budapest, Czuczor utca 2. 1. em.; Cg.: 01 09 668748)	iOS IDFA and Android GPS ADID
Jegymester Kft. (www.jegy.hu; 1065 Budapest, Bajcsy-Zs út 31.; Cg.: 01 09 369537; VAT No: 12033791-2-42)	In case of purchase of the Ticket: name, e-mail address
Libri-Bookline Kereskedelmi Zrt. (1066 Budapest, Nyugati tér 1.; Cg.: 01 10 044841; VAT No: 12921360-2-42)	In case of purchase in Bookline card: Bookline ID, e-mail address, delivery address, billing name and address
Főtaxi Zrt. (1087 Budapest, Kerepesi út 15.; Cg.: 01 10 042322; VAT No: 10873498-2-42)	In case of Taxi ordering: name, phone number, location of Taxi ordering
Budapest Film Zrt. (1054 Budapest, Bajcsy-Zsilinszky út 36-38. félemelet; Cg.: 01 10 042453; VAT No: 10906110-2-41)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Magyar Moziüzemeltető Kft. (1097 Budapest, Könyves Kálmán krt. 12-14.; Cg. 01-09-959700; VAT No: 23314562-2-43)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Óbudai Mozi Üzemeltető Kft. (1032 Budapest, Bécsi út 154.; Cg. 01-09-970980; VAT No: 23491348-2-41)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Tatabányai Moziüzemeltető Kft. (2800 Tatabánya, Győri út 7-9.; Cg. 11-09-019571; VAT No: 23535826-2-11)	In case of purchase of movie ticket in Movie Card: data of the purchased ticket, purchase price, date of payment transaction.
Sziget Kulturális Menedzseriroda Zrt. (1033 Budapest, Hajógyári sziget 23796/58.; Cg. 01-10-049598; VAT No: 26189905-2-41)	In case of purchase festival Ticket in the Ticket card: e-mail address
Volt Produkció Kft. (1033 Budapest, Hajógyári sziget 23796/58; Cg. 01-09-695549; VAT No: 12625150-2-4)	In case of purchase festival Ticket in the Ticket card: e-mail address
Kultúrpark Kft. (1095 Budapest, Soroksári út 60.; Cg. 01-09-193625; VAT No: 24995670-2-43)	In case of purchase festival Ticket in the Ticket card: e-mail address
L-Coffee Kft. (1062 Budapest, Teréz krt. 55-57.; Cg. 01-09-959271; VAT No: 23305416-2-42 – Costa Coffee)	In case of fixing, registering and activating Costa Coffee loyalty card under Loyalty card function the following data are transferred: store id, card number, e-mail address, full name, birthdate, zip code, number of loyalty points
Groupama Biztosító Zrt. (registered seat: 1146 Budapest, Erzsébet királyné útja 1/C; Cg. 01-10-041071; mailing address: 10380 Budapest, Pf. 1049.)	In case of joining the Simple motor vehicle assistance insurance, establishing the undertaking of the insurer, performing the insurance contract, administration in connection with reporting the materialisation of the risk: the User’s name registered tot he Simple System, e-mail address, the motor vehicle’s type, license plate number, nationality, age, the date of joining the insurance, whether there was insurance coverage at the time the risk materialised, the starting date and end date of risk-bearing, insurance package, amount of insurance premium, Simple ID, number of the contract, data concerning car use.
Diston-line Kft. (2535 Miskolc, Körmöci u. 20., Cg.: 05-09-019809)	Performing Falatozz.hu food ordering service. Data transmitted: e-mail address, telephone number, delivery address, order data, age, billing name and address.

The aforementioned entities are independent data controllers of the data transferred to them.

Related to the NFC-payment function available on iOS Mobile devices Simple hereby inform the Users that during Card digitalisation on iOS Mobile devices and making the Simple Card eligible for the payment through the NFC-payment function the bankcard to be digitalised will be stored in the ApplePay service and in the Apple Pay Wallet operated by the Apple Distribution International (Hollyhill Industrial Estate, Cork, Ireland), during which Simple transfer the card number, name ont he card and expiration date of the digitalised bankcard in an encrypted and coded way to Apple Distribution International Irish company in the name and on behalf of OTP Bank Plc. OTP Bank Plc’s relevant privacy notice contains more detailed information on this data transfer. Apple Distribution International is individual data controller of these bankcard data, for the data processing by them Apple Distribution International’s privacy notice shall apply. Simple is not liable for the data processing of OTP Bank Plc. and Apple Distribution International.

11. What rights do you have regarding the processing of your data, and how can you exercise them?

The detailed rights and remedies of the individuals – which include Employees and the people listed in Section 1 – are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Employer provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the individual, information may also be provided orally, provided that the identity of the individual is proven by other means.

The Employer will respond without unreasonable delay and by no means later than within one month of receipt to the request of an individual whereby such person exercises his/her rights about the measures taken upon such request (see articles 15-22 of the GDPR). This period may be, if needed, extended by further two months in the light of the complexity of the request and the number of requests to be processed. The Employer notifies the individual about the extension also indicating its grounds within one months of the receipt of the request. Where the request has been submitted by electronic means, the response should likewise be sent electronically unless the individual otherwise requests.

In case the Employer does not take any measure upon the request, it shall so notify the individual without delay but by no means later than in one month stating why no measures are taken and about the opportunity of the individual to lodge a complaint with the data protection authority and to file an action with the courts for remedy.

11.1 The individual’s right of access

(1) The individual has the right to obtain confirmation from the Employer whether or not personal data concerning him/her are being processed. Where the case is such, then he/she is entitled to have access to the personal data concerned and to the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed including especially recipients in third countries and/or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the right of the individual to request from the Employer rectification or erasure of personal data or restriction of processing of personal data concerning the individual, or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the individual, any available information as to their source;

h) whether automated decision making (Section (1) and (4) of article 22 of the GDPR) is applied including profiling, and in such case, at least information in comprehensible form about the applied logic and the significance of such data processing and the expectable consequences it may lead to for the individual.

(2) Where personal data are forwarded to a third country, the individual is entitled to obtain information concerning the adequate guarantees of the data transfer.

(3) The Employer provides a copy of the personal data undergoing processing to the individual. The Employer may charge a reasonable fee based on administrative costs for requested further copies. Where the individual submitted his/her request in electronic form, the response will be provided to him/her by widely used electronic means unless otherwise requested by the individual.

11.2 Right to rectification

The individual has the right to request that the Employer rectify inaccurate personal data which concern him/her without undue delay. In addition, the individual is also entitled to have incomplete personal data completed e.g. by a supplementary statement or otherwise.

11.3 Right to erasure (‘right to be forgotten’)

(1) The individual has the right that when he/she so requests, the Employer erase the personal data concerning him/her without delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Employer;

(b) the individual withdraws consent on which the processing is based, and no other legal ground subsists for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Employer is subject;

(f) the collection of the personal data occurred in connection with offering services regarding the information society.

(2) In case the Employer has made the personal data public and then it becomes obliged to delete it as aforesaid, then it will, taking into account the available technology and the costs of implementation, take reasonable steps including technical steps in order to inform processors who carry out processing that the individual has initiated that the links leading to the personal data concerned or the copies or reproductions of these be deleted.

(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:

a) exercising the right of freedom of expression and information;

b) compliance with a legal obligation which requires processing by Union or Member State law to which the Employer is subject;

c) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

d) the establishment, exercise or defence of legal claims.

11.4 Right to restriction of processing

(1) The individual has the right to obtain a restriction of processing from the Employer where one of the following applies:

a) the accuracy of the data is contested by the individual, for a period enabling the Employer to verify the accuracy of the personal data;

b) the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Employer no longer needs the personal data for the purposes of the processing, but the individual requires them for the establishment, exercise or defence of legal claims;

d) the individual has objected to processing based on the legitimate interest of the Employer pending the verification whether the legitimate grounds of the Employer override those of the individual.

(2) Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the consent of the individual or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) The Employer informs the individual whose request has served as grounds for the restriction based on the aforesaid, before the restriction of processing is lifted.

11.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Employer will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Employer informs the individual about those recipients if he/she so requests.

11.6 Right to data portability

(1) The individual has the right to receive the personal data concerning him/her, which he/she has provided to the Employer in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Employer, where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph 1, the individual shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) Exercising the aforesaid right shall not contravene to provisions concerning the right to erasure (‘right to be forgotten’) and, further, this right shall not harm the rights and freedoms of others.

11.7 Right to object

(1) The individual has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her for the purposes of legitimate interests. The Employer will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

(2) Where personal data are processed for scientific or historical research purposes or statistical purposes, the individual, on grounds relating to his/her particular situation, has the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

11.8 Right to lodge a complaint with a supervisory authority

The individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if he/she considers that the processing of personal data relating to him/her infringes the GDPR. In Hungary, the competent supervisory authority is the The National Data protection and Freedom of Information Authority (website: http://naih.hu; address: 1055 Budapest, Falk Miksa u. 9-11; Mailing address: 1363 Budapest, POB 9; Phone: +36 1 391 1400; fax: +36 1 391 1410; e-mail: ugyfelszolgalat@naih.hu)

11.9 Right to an effective judicial remedy against a supervisory authority

(1) The individual has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him/her.

(2) The individual has the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform him/her within three months on the progress or outcome of the complaint lodged.

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

11.10 Right to an effective judicial remedy against the Employer or the processor

(1) The individual, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, has the right to an effective judicial remedy where he/she considers that his/her rights under the GDPR have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR.

(2) Proceedings against the Employer or a processor shall be brought before the courts of the Member State where the Employer or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has habitual residence. You can find more information about the availabilities of the courts here: www.birosag.hu.

12. How do we ensure the safety of your data?

We follow an extensive information security ruleset regarding the provision of safety concerning the data and information under our governance, the knowing and following of which is mandatory for all our staff.

Our staff is regularly trained and coached in matters of data and information security.

12.1. Data security in IT infrastructure

We store personal data on our central server, to which only a select and close employee group have access, per strict access control rules. We regularly test and check our IT systems in order to ensure and maintain data and information security.

We fulfil data security obligations by complying with the PCI DSS certificate, which entails enacting the strictest banking security regulations regarding our systems and our data governance.

Office workstations are password protected, third-party storage devices are restricted and may only be used following approval.

Protection against malicious software is provided regarding all of the systems and system elements of the Service Provider.

During the planning, development, testing and operation of programs, applications and tools, we address security functions separately and with emphasis.

When allocating authorisations to our IT systems, we pay close attention to the protection of data (e.g. passwords, authorisations) affecting these systems.

12.2. Data security in communications

Regarding electronically forwarded messages and data, we conduct ourselves regarding our Key Management bylaws. In order to comply with the principle of safe transfer of data, we ensure the integrity of both the data of the controller and the user. For the prevention of data loss and damage, we use error detecting and correcting procedures. The application’s passes, authorization data, safety parameters and other data may only be forwarded under encryption We use network endpoint-to-endpoint authorization checking in order to ensure accountability and auditability.

Our implemented security measures detect unauthorized modifications, embedding and repetitive broadcasting. We prevent data loss and damage by fault detecting and correcting procedures and we ensure the prevention of deniability.

Regarding the network used for data transmission, we provide defense against illegal connection and eavesdropping per an adequate security level.

12.3. Data security in software development and programming

In development of the Simple Application, we implement the measures of data safety and security even into the planning stage, which we uphold during the entire course of development.

We separate the development environment from the live one, as well as development data from live data, and we depersonalise personal data in development, where possible.

We keep the requirements of safe coding in development, we use platform- and programming language-dependant technologies to avoid frequent damage risks, moreover, we follow the latest industry best practices regarding code examination (e.g. például OWASP Top 10 Guide, SANS CWE Top 25, CERT Secure Coding)

We constantly follow procedures to identify newfound vulnerabilities, we regularly coach our developers regarding data security and we standardise our programming techniques to avoid typical errors.

The checking of completed code is conducted pursuant to the principles of safe coding, and documented with alteration tracking procedures in order to ensure proper documentation.

12.4. Data security in document management

We comply with data security requirements in document management as well, which we stipulate in document management by-laws. We manage documents by pre-set access and authorization levels, based on the level of confidentiality regarding the documents. We follow strict and detailed rules regarding the destruction of documents, their storage and handling at all times.

12.5. Physical data security

In order to provide physical data security, we ensure our physical barriers are properly closed and locked, and we keep strict access control regarding our visitors at all times.

Our paper documents containing persona data are stored in a closed locker that is fire- and theft-proof, to which only a select few have authorised access.

The rooms where storage devices are placed in have been made to provide adequate protection against unauthorised access and breaking and entering, as well as fire and environmental damage. Data transit, as well as the storage of backups and archives is done in these confined locations.

Backup data storage units are stored in a reliably locked area, with containers having a minimum of 30 minutes’ fireproofing time.

13. What procedure do we follow upon an incident?

Pursuant to applicable law, we report incidents to the supervisory authority within 72 hours of having gained knowledge thereof, and we also keep records of them. In cases regulated by applicable law, we also inform subjects of the incidents, where necessary.

14. When and how do we amend this notice?

Should the scope of data or the circumstances of data management be subject to change, this notice shall be amended and published on www.simple.hu. Please pay attention to the amendments of this notice, as they contain important information regarding the management of your personal data.