Effective Date: February 22, 2024
I. INTRODUCTION:
1. Scope of Policy
Present Privacy Policy (hereinafter: “Policy”) aims to provide information on the types of personal data that are collected, the purposes of collection, and the methods of processing for visitors, registrants, and customers on the website at https://motorsportmania.shop (hereinafter: “Website”).
The scope of this Policy does not extend to services and data processing activities provided by third parties advertising or otherwise appearing on the Website. This includes, but is not limited to, promotions, sweepstakes, and other campaigns operated by third parties unrelated to the Data Controller. Such services are governed by the respective privacy policies of those third-party service providers, and the Data Controller assumes no responsibility for these data processing activities.
2. Definitions
2.1 Personal Data Personal data refers to any information relating to an identified or identifiable natural person (hereinafter: “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2.2 Data Processing Data processing encompasses any operation or set of operations performed on personal data or data sets, either by automated or non-automated means. This includes collecting, recording, organizing, structuring, storing, transforming, retrieving, consulting, using, disclosing, transmitting, disseminating, aligning, or otherwise making data available, as well as restricting, deleting, or destroying it.
2.3 Restriction of Data Processing Marking stored personal data with the aim of limiting their future processing.
2.4 Profiling Any form of automated processing of personal data involving the assessment of personal characteristics relating to a natural person, specifically for the analysis or prediction of characteristics such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
2.5 Pseudonymization: The processing of personal data in such a way that it can no longer be attributed to a specific natural person without additional information, provided that such information is kept separately and is subject to technical and organizational measures to ensure that the data cannot be linked to an identified or identifiable natural person.
2.6 Data Registry System Any structured set of personal data accessible based on specific criteria, centralized, decentralized, or organized according to functional or geographical principles.
2.7 Data Controller TRP Hungary Kft. (headquartered at 2040 Budaörs, Edison Street 5, 3rd floor; Company Reg. No.: 13-09-223443; Registered at: Budapest Regional Court of Registration, Tax ID: 24765356-2-13; Contact: info@trphungary.com, +36 70 161-8578) operates the Website and, in doing so, exercises control over the purpose and means of processing personal data, making it the Data Controller (hereinafter: “Data Controller”). The Data Controller may collect and store data electronically or on paper. Electronic data processing is supported by Excel spreadsheets, which are password-protected and accessible only by authorized personnel. Data on loyal customers are maintained in a unified registry. Upon request, the Data Controller will separate and make available the data handled for the requesting Data Subject.
2.8 Data Processor A natural or legal person, public authority, agency, or other entity processing personal data on behalf of the Data Controller. This Policy lists participating data processors; however, the list is not exhaustive, and the Data Controller reserves the right to engage additional data processors. Information regarding new data processors will be provided at the start of the data processing activity. The Data Processor may process personal data exclusively per the instructions of the Data Controller, cannot process data for its own purposes, and is obliged to store and retain personal data according to the Data Controller’s instructions. The Data Processor may engage additional processors per the Data Controller’s directives.
2.9 Recipient A natural or legal person, public authority, agency, or any other body to which personal data are disclosed, whether or not it is a third party. Public authorities that may access personal data in accordance with Union or Member State law in the context of a specific inquiry are not regarded as recipients; the data processing by these public authorities must comply with applicable data protection rules.
2.10 Third Party A natural or legal person, public authority, agency, or any entity other than the Data Subject, Data Controller, Data Processor, or individuals authorized to process personal data under the direct authority of the Data Controller or Data Processor. Personal data may be disclosed to third parties exclusively for data processing purposes.
2.11 Data Subject Consent A voluntary, specific, and informed indication of the Data Subject’s wishes through a statement or clear affirmative action that signifies consent to the processing of personal data relating to them.
2.12 Data Transfer to Third Countries The Data Controller may transfer certain personal data to service providers located outside the European Union (third countries). When transferring personal data to third countries, the Data Controller ensures that data transfers only occur to countries deemed by the European Commission as providing an adequate level of protection. Standard contractual clauses as per Article 46(2) of the GDPR are applied.
3. Accuracy and Legality of Personal Data Provided by the Data Subject
The Data Controller is not obligated to verify the accuracy of the personal data provided, except where otherwise stated in this Policy. Responsibility for the accuracy of the provided personal data, as well as for any shared user content, lies solely with the person providing the information. The Data Subject guarantees that, when visiting the Website or using services provided by the Data Controller, they have lawfully obtained consent from other natural persons to disclose or make accessible any personal data related to those individuals. The Data Subject assumes full responsibility to ensure that the provided email address and any other data used for service access are used solely by themselves, bearing exclusive responsibility for any actions performed under that email or with the provided data. The Data Controller disclaims any liability if the Data Subject incurs any damage due to inaccuracies, omissions, or changes in their personal data, or if their email account is unable to receive messages during service use. For Data Subjects under the age of 16, personal data may only be processed with the consent of an adult exercising parental authority, which the Data Controller presumes has been granted. The legal representative of the Data Subject is responsible for ensuring that consent to data processing complies with legal requirements. The Data Controller is not in a position to independently verify the authorization of individuals consenting to data processing or the specific content of such declarations.
4. Applicable Legislation
The provisions of this Policy have been formulated in accordance with the following legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or GDPR); Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.); Act V of 2013 on the Civil Code (Ptk.); Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Eker. tv.); Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grtv.); Act CL of 2017 on the Rules of Taxation (Art.) for data necessary to fulfill tax obligations; and Act C of 2000 on Accounting (Sztv.) for documents required to meet accounting obligations.
II. DATA PROCESSING
1. Ticket Purchase
1.1 Contract
Purpose of Data Processing
When purchasing a ticket or gift voucher, a sales contract is established between the Data Subject and the Data Controller. During the preparation and fulfillment of this contract, the Data Controller processes the personal data provided. Data processing is conducted to fulfill the contract, specifically for the creation of the ticket or gift voucher, issuing an invoice, delivery of the ticket if required, and to inform the Data Subject of any changes related to the ticket or event, in accordance with the ticket refund policy. Additionally, the Data Controller may notify the Data Subject by email about other mandatory requirements set by the Organizer (e.g., conditions for attending the event).
Legal Basis for Data Processing
The legal basis for data processing is the performance of the contract, as per Article 6(1)(b) of the GDPR.
Scope and Source of Data Processed
The data processed includes the first and last name, address, billing name and address (if different from the residential address), email address, telephone number, shipping name and address (optional), and tax number (optional). During the ticket and gift voucher purchase, the transaction date, details of the event for which the ticket is purchased (including the venue and date), the number and price of purchased tickets, codes of any promotional coupons used, and, if applicable, the seating arrangement are recorded. Additionally, during ticket and gift voucher sales, payment information such as the cardholder’s name, last four digits of the card number, card type, expiration date, and notification of the success or failure of the transaction are processed. For personalized tickets, the place and date of birth, residential address, and mother’s maiden name of the Data Subject are also required.
Data Retention Period
Data processed for claims and enforcement purposes are retained within the general five-year limitation period following the event date. If any civil, criminal, administrative, or other official proceedings are initiated within this period, the data are retained until the final resolution of such proceedings.
Data Processors and Activities
The transfer of data to the processors mentioned here is conducted for the purpose of creating and delivering tickets, gift packages, and other promotional products for registered customers.
Technical Operation of Framework:
Raceonline.hu Media & Tech Kft. (Headquarters: 1027 Budapest, Bem József utca 6. Fsz., Company registration number: 01-09-320907, Tax number: 26264923-2-41, Contact: info@raceonline.hu)
HUMDA pro Kft. (Headquarters: 1113 Budapest, Dávid Ferenc utca 4-6., Company registration number: 01-09-377543, Tax number: 28962902-2-43, Contact: humdapro@gmail.com)
Home Delivery:
Magyar Posta Zrt. (Headquarters: 1138 Budapest, Dunavirág utca 2-6., Company registration number: 01-10-042463, Tax number: 10901232-2-44, Contact: ugyfelszolgalat@posta.hu)
PANNON XP Kft. (Headquarters: 2142 Nagytarcsa, Csonka János utca 5., Company registration number: 13-09-205731, Tax number: 14443103-2-13, Contact: aba@pannonxp.hu)
Online Payment:
Barion Payment Zrt. (Headquarters: 1117 Budapest, Irinyi József utca 4-20. 2nd floor, Company registration number: 01-10-048552, Tax number: 25353192-2-43, License number: H-EN-I-1064/2013, Contact: hello@barion.hu)
OTP Mobil Kft. (Headquarters: 1138 Budapest, Váci út 135-139. B building, 5th floor, Company registration number: 01-09-174466, Tax number: 24386106-2-44, Contact: ugyfelszolgalat@simple.hu)
1.2 Taxation and Accounting, Bank Card Data
Purpose of Data Processing
In connection with ticket and gift voucher sales, the Data Controller is obliged to fulfill tax and accounting obligations. Processing bank card data aims to verify that the purchaser and the cardholder are the same individual, and to prevent misuse or fraud associated with bank cards.
Legal Basis for Data Processing
The processing is based on the GDPR Article 6(1)(c), fulfilling a legal obligation, and Article 6(1)(f), serving the Data Controller’s legitimate interest, as well as the provisions of Hungary’s Art. 78(3), 202(1), and Sztv.168-169.
Scope and Source of Data Processed
The data types are as listed in the previous section.
Data Retention Period
If necessary for fulfilling tax obligations, data are stored for five years from the last day of the calendar year in which the tax declaration or report was due. For accounting obligations, data are retained for eight years. For claim enforcement and fraud prevention, data are retained within the general five-year statute of limitations following the event date. If any legal or official proceedings are initiated, the data are retained until the final resolution of such proceedings.
1.3 Mobility-Impaired Data Subjects
Purpose of Data Processing
Data on mobility impairments are collected to assess and address the specific needs of affected individuals. These Data Subjects can inquire and purchase wheelchair-accessible tickets and companion tickets directly via the email support@trpevents.hu, where data are manually recorded in the system.
Legal Basis for Data Processing
Consent as per GDPR Article 6(1)(a) and Article 9(2)(a) is required. Without specific consent to process this data, it is not possible to sell tickets to mobility-impaired individuals, especially wheelchair users.
Scope and Source of Data Processed
Beyond the personal data required for ticket sales, the data includes information on the individual’s mobility impairment and health status.
Data Retention Period
Special data are processed only at the time of purchase. Otherwise, the general ticket sales data retention period applies.
1.4 Event Cancellation and Ticket Refund
Purpose of Data Processing
In certain cases (mainly event cancellations), it may be possible to refund purchased tickets in accordance with conditions set by the event organizer, following a preliminary data verification related to the purchased ticket. The purpose is to refund the ticket price to the purchaser or ticket holder.
Legal Basis for Data Processing
The legal basis is the fulfillment of the contract under GDPR Article 6(1)(b), including processing related to withdrawal from the contract and refund.
Scope and Source of Data Processed
For refunds, data processed includes the following data, which was submitted to the support@trpevents.hu e-mail address: purchaser’s first and last name, email address, ticket purchase date, order number or unique identifier, number of purchased tickets, and the bank card details needed for refund: cardholder’s name, bank account for refund, card expiration date, bank name, and, if needed, IBAN and SWIFT code.
Data Retention Period
Data processed for claims and enforcement are retained within a general five-year limitation period after the event date. If legal or official proceedings are initiated, data are retained until the final resolution. Accounting data needed for compliance and issuing a cancellation invoice are retained for eight years.
Payment Service Providers for Refund Processing:
Barion Payment Zrt. (Headquarters: 1117 Budapest, Irinyi József utca 4-20. 2nd floor, Company registration number: 01-10-048552, Tax number: 25353192-2-43, License number: H-EN-I-1064/2013, Contact: hello@barion.hu)
OTP Mobil Kft. (Headquarters: 1138 Budapest, Váci út 135-139. B building, 5th floor, Company registration number: 01-09-174466, Tax number: 24386106-2-44, Contact: ugyfelszolgalat@simple.hu)
1.5 Customer Surveys
Purpose of Data Processing
To continuously improve the services offered on the Website, particularly tickets for events and products, and to better align with customer needs, the Data Controller may invite customers to participate in surveys and provide feedback. The Data Controller uses the data provided by the customer during the purchasing process to contact them. Survey responses are anonymized.
Legal Basis for Data Processing
The processing is based on the Data Controller’s legitimate interest in improving products and services, as per GDPR Article 6(1)(f).
Scope and Source of Data Processed
The data processed includes the customer’s name, address, and email address as provided during ticket purchase.
Data Retention Period
Data is retained for six months from the completion of the survey.
2. Registration
2.1 Purpose of Data Processing
The purpose of data processing is to enable registration on the Website and create a user account, with the customer’s data being stored in the Data Controller’s customer database. Account creation requires a username and password in addition to the data collected during purchase, which are then recorded in the Data Controller’s database.
Legal Basis for Data Processing
Data processing related to registration is based on the registrant’s consent as per GDPR Article 6(1)(a).
Scope and Source of Data Processed
To create an account, the registrant must provide an email address and password. The time of registration and the IP address at the time of registration are also recorded. The following optional data may be provided after registration: first name, last name, address, billing address, and phone number.
Data Retention Period
The data is retained until the termination of the registration or for a maximum of five years after the last order to allow for claims or legal proceedings. If any legal or official proceedings are initiated within this period, the data is retained until the final resolution.
Data Processor and Activities
Framework Technical Operations:
Raceonline.hu Media & Tech Kft. (Headquarters: 1027 Budapest, Bem József utca 6. Ground Floor, Company registration number: 01-09-320907, Tax number: 26264923-2-41, Contact: info@raceonline.hu)
HUMDA pro Kft. (Headquarters: 1113 Budapest, Dávid Ferenc utca 4-6., Company registration number: 01-09-377543, Tax number: 28962902-2-43, Contact: humdapro@gmail.com)
Hosting Provider:
Rackforest Zrt. (Headquarters: 1132 Budapest, Victor Hugo utca 11. 5th Floor, Company registration number: 01-10-142004, Tax number: 32056842-2-41, Contact: info@rackforest.com)
3. Marketing Research
Purpose of Data Processing
The Data Controller conducts general marketing research aimed at customer analysis, segmentation, and the creation of statistics (profiling). Additionally, the Data Controller may use this information to assess the unique interests and preferences of individuals in order to customize the experience provided by the Website and optimize its services and products.
Legal Basis for Data Processing
The processing is based on the Data Controller’s legitimate business and economic interests, as outlined in GDPR Article 6(1)(f). The Data Controller aims to understand general user opinions about the Website, the services utilized, purchasing habits, service preferences, and other personal characteristics. This information enables the Data Controller to implement system improvements that respond to real market needs and user demands.
Scope and Source of Data Processed
The scope of data includes information provided in the previous section. If a user creates an account or otherwise identifies themselves to the Data Controller (e.g., by purchasing a ticket on the Website), the Data Controller may link data gathered during website use with other collected information, such as name, email address, phone number, address, Facebook profile details, Google account information, demographic data, interests, preferences, online and offline transaction data, and customer service interactions.
Data Retention Period
Personal data linked to registration is retained until the registration is terminated, or up to five years following the last order to allow for claims and rights enforcement. If any civil, criminal, administrative, or other official proceedings are initiated within this period, the data will be retained until the final resolution. The individual has the right to object to profiling at any time. In case of an objection, the Data Controller will no longer process personal data for profiling purposes.
Data Processor and Activities
Framework Technical Operations:
Raceonline.hu Media & Tech Kft. (Headquarters: 1027 Budapest, Bem József utca 6. Ground Floor, Company registration number: 01-09-320907, Tax number: 26264923-2-41, Contact: info@raceonline.hu)
HUMDA pro Kft. (Headquarters: 1113 Budapest, Dávid Ferenc utca 4-6., Company registration number: 01-09-377543, Tax number: 28962902-2-43, Contact: humdapro@gmail.com)
4. Website Visit
Cookies and Data Processing Purpose
To provide a tailored user experience, the Website may place and retrieve small data packages, known as cookies, on the user’s device. The applicable cookie usage policy is available at: https://motorsportmania.shop/cookie-szabalyzat-eu/.
Purpose of Data Processing
The Website uses both persistent and session cookies. Persistent cookies enable the Website to remember returning visitors and their preferences, while session cookies help recognize the visitor during a single session, expiring once the visitor leaves the Website. Technical cookies relate to content provision and services offered by the Website, helping to prevent unlawful use and filter inappropriate content.
Cookies Used on the Website
Technical Cookies: These are essential for the proper display and functioning of the Website, including tasks like logging in and managing ticket purchases. They are necessary for the Website to display correctly.
Functional Cookies: Functional cookies track browsing preferences and actions on the Website, allowing it to remember details such as registration information, viewed events, language settings, and other user-specific preferences.
Analytical Cookies: Analytical cookies monitor visitor behavior on the Website, helping improve the site by offering better user experiences and more relevant content. This analysis is performed using Google Analytics. If a visitor wishes to opt-out from tracking via Google Analytics, they can download and install the browser plug-in available at this link: https://tools.google.com/dlpage/gaoptout?hl=hu.
Google Ads Tracking Cookies:
These cookies collect information if a visitor arrives at the Website after viewing or clicking one of our ads displayed through Google’s network. They allow us to create statistics on ad views and clicks. Based on the viewed content, Google may display targeted ads on partner websites. After a purchase, Google Ads and Google Analytics 360 cookies may set personalized recommendations based on search behavior (search marketing). This data processing is based on user consent in line with GDPR Article 6(1)(a). If you wish to opt out of Google Ads and Google Analytics 360 processing, please click on the provided link. Personal data related to Google Ads processing may be transferred to the United States, and this transfer is based on EU standard contractual clauses to ensure adequate data protection. For more information, please consult the relevant privacy policies:
Google: https://policies.google.com/privacy?hl=de
Google Ads: https://policies.google.com/technologies/ads
Explanation on third-party data usage by Google: https://policies.google.com/technologies/partner-sites
Facebook Remarketing Cookies:
Using Facebook remarketing cookies, we aim to re-engage Website visitors with advertisements on Facebook. These cookies target users who have previously visited our Website. For more information on Facebook cookies, visit https://www.facebook.com/policies/cookies/.
Third-Party Cookies:
Some functions on the Website are provided by third parties, such as social media platforms (e.g., Facebook, Google+, Twitter). These services may set cookies, which are not covered by the Data Controller’s policies. Users are encouraged to review the privacy policies of these third-party services. For cookies used on the Data Controller’s Facebook fan page, please refer to section II.6 of this Policy.
Legal Basis for Data Processing
Data processing is based on the user’s consent per GDPR Article 6(1)(a), granted via the “Accept” button in the pop-up or by selecting preferences on the “Cookie Settings/Policies” page. Users may withdraw their consent at any time via browser settings, preventing further data collection. Data processing may also rely on legitimate interest per GDPR Article 6(1)(f) to ensure service provision and filter unlawful content.
Data Processed and Sources
Cookies record data such as the user’s device identifier (IP address), visit date and time, browsing duration, navigation patterns, and referral history.
Data Retention Period
Data processing lasts until the end of the visit or until consent is withdrawn. Cookies remain on the user’s device until manually deleted. Facebook remarketing cookies are retained for 180 days.
Data Processors and Activities
Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland)
Facebook (Meta Ireland Platforms Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy information: https://www.facebook.com/policy.php)
Opting Out of Cookies
Users can manage or delete cookies through browser settings, opting to prevent certain cookies or receive notifications when cookies are placed. Please note that disabling all cookies may affect the Website’s functionality. After deletion, cookies will be re-placed upon consent if the Website is revisited.
5. Newsletter and Direct Marketing
Purpose of Data Processing
For general newsletter services, the purpose of data processing is to allow the Data Controller to send periodic promotional emails containing information on current news, events, discounts, new features, games, and other updates to the Data Subject’s email address. Subscriptions can be made via the main page or specific pages, such as Motorsportmania.shop/hirlevel or Motorsportmania.shop/newsletter. Once subscribed, newsletters are sent from the email address hirlevel@motorsportmania.shop. In the case of direct marketing, after purchasing a ticket, the Data Controller may occasionally send personalized emails with exclusive offers on similar events, services, and promotions.
Legal Basis for Data Processing
Data processing is based on the Data Subject’s explicit consent according to Article 6(1)(a) of the GDPR, which can be granted by checking the appropriate checkbox. For direct marketing, data processing relies on the Data Controller’s legitimate interest under Article 6(1)(f) of the GDPR. The legitimate interest of the Data Controller is to inform Data Subjects about updates to products and services, promote products and services, and conduct direct marketing activities.
Types and Sources of Data Processed
To subscribe to the newsletter, the Data Subject must provide their first name, last name, and email address. Additionally, the subscription timestamp and IP address at the time of subscription are recorded, along with newsletter tracking data. For previous ticket buyers who consented to this data processing, the data processed aligns with the data provided during their ticket purchase.
Data Retention Period
Data is processed until the Data Subject withdraws their consent by unsubscribing. For direct marketing following a ticket purchase, data is retained for up to twelve months or until the Data Subject unsubscribes.
Data Processor and Activities
Brevo (SENDINBLUE) – Responsible for sending newsletters and promotional emails (Address: 106 boulevard Haussmann, 75008 Paris, France,VAT number: FR80498019298, Contact: contact@brevo.com)
6. Notifications
Purpose of Data Processing
The purpose of this data processing is to allow the Data Controller to send notifications regarding upcoming events, special offers, cancellations, changes to purchased events, updates on tickets added to the cart but not yet purchased, and other essential information. The Data Subject is automatically subscribed to notifications upon creating a user account, with the option to unsubscribe in the account settings.
Legal Basis for Data Processing
Data processing is based on the Data Subject’s explicit consent according to Article 6(1)(a) of the GDPR.
Types and Sources of Data Processed
The data processed includes the Data Subject’s email address, name, IP address, browser type, and areas of interest.
Data Retention Period
Data is retained until the Data Subject withdraws consent, i.e., unsubscribes from notifications.
Data Processor and Activities
Brevo (SENDINBLUE) – Responsible for sending newsletters and promotional emails (Address: 106 boulevard Haussmann, 75008 Paris, France,VAT number: FR80498019298, Contact: contact@brevo.com)
7. Complaint Handling
Purpose of Data Processing
The purpose of this data processing is to handle complaints, questions, comments, and issues related to ordered products and services, as well as to manage potential ticket refunds.
Legal Basis for Data Processing
Data processing is based on the Data Controller’s legal obligation under Article 6(1)(c) of the GDPR, and on the Data Subject’s consent as per Article 6(1)(a) of the GDPR. The Data Controller also has a legitimate interest in managing complaints, investigating, resolving, and handling them to protect consumer rights and interests related to purchases and services used on the Website.
Types and Sources of Data Processed
In the complaint-handling process, the complainant must provide personal data related to prior purchases. For complaints reported via phone, additional data such as the phone number, date and time of the call, recording of the conversation, and any personal data provided during the conversation will be processed. If these data are not provided, assistance over the phone may not be possible.
Data Retention Period
Complaints and corresponding responses are retained for five (5) years from the complaint date (or longer if the applicable limitation period for claims is extended), to ensure the rights and interests of both the Data Controller and Data Subject. If the complaint was submitted via email and the complainant does not have an account on the Website, the Data Subject’s email address will be deleted 90 days after the complaint’s closure, unless the Data Controller has a legitimate interest in further retention. Recorded phone conversations will be kept for three (3) months from the recording date.
8. Social Media and Prize Draws
Purpose of Data Processing
The Data Controller processes personal data on social media platforms to share, like, and promote certain content elements, products, promotions, or the Website itself. The Data Controller operates a Facebook fan page at https://facebook.com/motorsportmania.shop (“Facebook Fan Page”). Facebook collects personal data from visitors of this page through cookies and generates anonymous statistical data from it.
Legal Basis for Data Processing
The legal basis for data processing is the Data Subject’s voluntary consent provided on social media platforms in accordance with Article 6(1)(a) of the GDPR, as well as the participants’ consent in the case of prize draws. For identifying the winner and transferring the prize, the legal basis is contract fulfillment under Article 6(1)(b) of the GDPR. For tax and contribution obligations related to the prize, the legal basis is the legal obligation under Article 6(1)(c) of the GDPR.
Types and Sources of Data Processed
On the Facebook Fan Page, the data processed includes demographic data, visitor interests, and geographic information. The name and other public data of users registered on platforms like Facebook, Google+, Twitter, Pinterest, YouTube, and Instagram who interact with the Data Controller’s Website on social media are also processed. Facebook shares these data anonymously with the Data Controller for the purpose of publishing more relevant information to the Fan Page audience. A pop-up on the Facebook page informs visitors about the use of cookies and the data collection. During prize draws, for conducting the draw, the Data Controller collects and processes the first and last names and email addresses of participants. In the case of Facebook-announced prize draws, the names of winners are published on the Facebook page. For tax and accounting obligations related to the prize, the Data Controller may process the tax identification number, address, mother’s name, place, and date of birth of the Data Subject.
Data Retention Period
Data processing continues as long as the Data Subject “likes” and/or follows the Data Controller or Website on the relevant social media platform. The Data Controller deletes participants’ personal data after the prize draw and the prize delivery, or upon withdrawal of consent, whichever is earlier. For tax obligations, the data retention period is five years from the end of the calendar year (Art. 78 § (3), 202 § (1)). For accounting records, the retention period is eight years (Szvtv. 168-169 §).
Data Processor and Activity
For Facebook use:
Facebook (Meta Ireland Platforms Limited, Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy)
For delivery (in case of physical prizes):
Magyar Posta Zrt. (Dunavirág utca 2-6., 1138 Budapest, Hungary, Cg.: 01-10-042463, Tax No.: 10901232-2-44, Contact: ugyfelszolgalat@posta.hu)
PANNON XP Kft. (Csonka János utca 5., 2142 Nagytarcsa, Hungary, Cg.: 13-09-205731, Tax No.: 14443103-2-13, Contact: aba@pannonxp.hu)
9. Contact Management
Purpose of Data Processing
The purpose of processing data is to respond to inquiries sent to the company email address (info@trphungary.com) and to facilitate communication with Data Subjects and third-party partners.
Legal Basis for Data Processing
The legal basis for data processing is the Data Subject’s voluntary consent under Article 6(1)(a) of the GDPR. For partners, the legal basis is the legitimate interest of the Data Controller as per Article 6(1)(f) of the GDPR, allowing for the management of contact data to maintain communication with contracting partners.
Types and Sources of Data Processed
Messages sent to the company email may contain various personal data provided by the sender with their consent. The Data Controller assumes that its business partners have obtained appropriate consent from any individuals whose personal data they provide or have informed them of the processing of their data.
Data Retention Period
Data processing continues until consent is withdrawn. For contracting partners, data processing aligns with the duration of the contractual relationship and any relevant claim enforcement period—five years from the completion of the contract.
10. Data Processing Related to Exercising Data Subject Rights
Purpose of Data Processing
In accordance with the GDPR’s accountability principle, the Data Controller maintains records related to the exercise of Data Subject rights concerning the processing of personal data. This includes documenting any requests from Data Subjects and the corresponding responses to ensure compliance.
Legal Basis for Data Processing
The legal basis for this processing is the Data Controller’s legitimate interest as per Article 6(1)(f) of the GDPR. The Data Controller’s legitimate interest lies in the ability to document actions taken in response to Data Subject requests and demonstrate compliance with GDPR requirements.
Types and Sources of Data Processed
Processed data includes the requestor’s identification data, the content of the request, and records concerning the exercise of Data Subject rights.
Data Retention Period
The retention period for this data is five years from the provision of the information.
III. DATA SUBJECT RIGHTS AND REMEDIES
Data Subjects have rights and remedies as outlined in GDPR Articles 15-22 and 77-82. The Data Controller highlights the following rights:
Right to be informed about the processing of personal data;
Right to rectify personal data;
Right to delete personal data, except where processing is required by law (right to be forgotten);
Right to restrict the processing of personal data;
Right to data portability (right to receive and transfer personal data);
Right to object to the processing of personal data.
Right to Information and Access
Upon request, the Data Controller provides information on the processing of personal data, the data being processed, its source, purpose, legal basis, and storage duration. This includes details on any data processors involved, as well as the basis and recipients of data transfers to third countries or international organizations.
Data Subjects are entitled to copies of their personal data processed. The Data Controller does not refuse requests to exercise these rights unless it can demonstrate the inability to identify the Data Subject.
In cases where the Data Controller declines to provide information, a written explanation citing applicable legal provisions is given, including information on judicial remedies and the option to contact the Hungarian National Authority for Data Protection and Freedom of Information (Address: 1055 Budapest, Falk Miksa u. 9-11., Mailing Address: 1363 Budapest, Pf.: 9., Phone: +36 (1) 391-1400, Email: ugyfelszolgalat@naih.hu).
The Data Controller must respond in clear language to requests within 30 days, providing the requested information in writing upon the Data Subject’s request.
Right to Rectification
The Data Subject has the right to request that the Data Controller promptly correct any inaccurate personal data related to them. Considering the purpose of data processing, the Data Subject is also entitled to request the completion of incomplete personal data, which may include providing supplementary statements.
Right to Erasure (“Right to be Forgotten”)
The Data Subject has the right to request the Data Controller to delete personal data concerning them without undue delay, and the Data Controller is obligated to erase such data if one of the following grounds applies:
The personal data is no longer necessary for the purpose it was collected or otherwise processed;
The Data Subject withdraws their consent on which the processing is based, and there is no other legal basis for the processing;
The Data Subject objects to the processing, and there are no overriding legitimate grounds for continued processing;
The personal data has been unlawfully processed;
Deletion is necessary for compliance with a legal obligation to which the Data Controller is subject.
Personal data processed based on consent shall be deleted by the Data Controller within a short period following the termination of the legal basis for processing, including the withdrawal of consent.
Regarding data received from contractual partners, personal data must be stored and disposed of in accordance with legal obligations concerning the retention of accounting records.
Data Locking
Instead of deletion, the Data Controller may lock the personal data if requested by the Data Subject or if the available information suggests that deletion would violate the legitimate interests of the Data Subject. Locked personal data may only be processed as long as the purpose that excluded the deletion of the personal data persists.
Right to Restriction of Processing
The Data Subject has the right to request that the Data Controller restrict the processing of personal data if any of the following conditions apply:
The Data Subject contests the accuracy of the personal data; in this case, the restriction applies for a period allowing the Data Controller to verify the accuracy of the data;
The processing is unlawful, and the Data Subject opposes the deletion of the data, requesting instead the restriction of their use;
The Data Controller no longer needs the personal data for processing purposes, but the Data Subject requires it for the establishment, exercise, or defense of legal claims; or
The Data Subject has objected to the processing; in this case, the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the Data Subject.
Right to Data Portability
The Data Subject is entitled to receive the personal data concerning them, which they provided to the Data Controller, in a structured, commonly used, machine-readable format. They are also entitled to transmit these data to another Data Controller without interference from the Data Controller.
Right to Object
The Data Subject has the right to object to the processing of their personal data if:
The processing or transfer of personal data is necessary solely for the Data Controller’s compliance with a legal obligation or for the enforcement of the legitimate interests of the Data Controller, the data recipient, or a third party, except in cases of mandatory data processing;
The personal data is used or transferred for direct marketing, public opinion polling, or scientific research purposes; or
In other cases specified by law.
If the Data Subject objects, the Data Controller must cease the processing of the personal data unless there are compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
The right to object must be clearly indicated to the Data Subject at the time of the first communication, and this information must be presented separately from all other information.
Data Subjects may object to data processing based on legitimate interest by sending an email to the Data Controller at info@motorsportmania.shop. When data processing is based on the Data Controller’s legitimate interest, the Data Controller has conducted, and may continue to conduct, a balancing test in accordance with the relevant provisions of the GDPR.
Right to Withdraw Consent
The Data Subject has the right to withdraw their consent to data processing at any time without providing a reason. Withdrawal of consent does not affect the lawfulness of data processing conducted based on consent prior to its withdrawal.
IV. DATA PROTECTION OFFICER
The Data Controller has appointed a Data Protection Officer (DPO) whom Data Subjects may contact regarding any data protection matters.
Data Protection Officer: Hartinger-Debreceni Gergő, DPO
Phone: +36 70 161-8578
Email: info@motorsportmania.shop
V. LEGAL REMEDIES
In case of a violation of their rights, the Data Subject may initiate legal proceedings. The court will proceed in an expedited manner. The case falls within the jurisdiction of the tribunal, and the Data Subject may choose to initiate proceedings before the tribunal of their place of residence or domicile.
If the court grants the request, it may require the Data Controller to provide information, rectify, block, or delete data, annul decisions made through automated data processing, and respect the Data Subject’s right to object. If deemed necessary to protect the data protection interests of a larger group of Data Subjects, the court may also order the publication of its decision, including the identification of the Data Controller.
VI. MODIFICATION OF THE PRIVACY POLICY
The Data Controller reserves the right to unilaterally modify this Privacy Policy, particularly in response to changes in relevant legislation or applicable data protection practices.
