DATA PRIVACY NOTICE

1. Aim of the notice

It is the aim of this notice to stipulate the data protection and processing principles applied in relation to the personal data provided during the conclusion and performance of the service contract concluded for using the electromobility service provided by Elektromotive Hungaria Korlátolt Felelősségű Társaság (registered seat: 1025 Budapest Szalamandra u 44.

VAT number: 23162884 2-41 registration number:01-09-955917) hereinafter: "Company" or "Data Controller" ) through electric chargers, including:

• contact details;

• data required for contracting;

• data required for performing the agreement;

as well as the data protection and processing policy of the Company, by which the Company is bound. By issuing this notice, the Company complies with its prior notification obligation required by Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: "GDPR") and Section 16 of Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (hereinafter: Information Act).

2. Aim of data processing

2.1 Aim of the processing:

1. performance of the contract,

2. communication and consulting with the customers,

3. customer service,

4. provision of services,

5. informing the customers, performing invoicing,

6. complaint handling, compensation management,

7. management of invoicing and receivables data,

8. enforcement of the rights related to the contracted service, fulfilment of obligations.

2.2 The Data Controller does not use the personal data provided or given by the Data Subject according to Section 5 for purposes other than those specified in Section 2.1. Unless regulated otherwise by the legal regulations, the personal data may only be disclosed to third parties or to the court or other authorities on the basis of the relevant court or authority order, or the prior express Consent of the Data Subject.

3. Legal ground for data processing

The legal ground for processing is based on Article 6 (1) a) of the GDPR, the data subject has given consent to the processing of his/her personal data for one or more specific purposes.

The legal ground for processing is based on Article 6 (1) b) of the GDPR, processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract.

The legal ground for processing is based on Article 6 (1) c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Period of Processing

The Company processes the personal data only for the shortest period required for achieving the objective specified in Section 2.1, or until the expiry of the period specified by the legal regulations at the latest, or in the absence of such regulations, for one (1) year following the provision of the personal data to the Controller. The Controller may process the personal data of the data subject until the purpose of the processing exists (during the effect/performance of the contract).

The Controller terminates the processing of the personal data if the Data Subject has requested the deletion of its personal data on the basis of Section 14. § e) of the Information Act or according to Article 17 of the GDPR.

5. Type of the processed personal data

The Company only processes the following personal data provided by the Data Subject:

Reason of processing and processed personal data

1. Registration data:

• name, email address, password, unique user ID

2. Contact details:

• name, email address, phone number

3. Invoicing data:

• name, address, invoicing address, charging data, VAT number

4. Data required for online (bank card) payment:

• bank card number, name on bank card, expiry of the bank card, CPV or CCV code of the bank card

22. Data required for RFID customer key:

• name, delivery address, invoicing address

6. Complaint handling data:

• name, address, phone number, transaction ID, place, date and method of submitting the complaint, detailed description of the complaint, list of the documents and other proofs mentioned by the Customer (and the data contained therein), the date of taking the minutes and the unique ID of the complaint, the ID of the used charging device, and the signature of the person taking the minutes

8. Voice recording

• recording of the data subject's voice

9. Data related to charging:

• charging data (location of the charging device, ID, charging quantity, date of charging)

6. The principles of Processing

6.1 Personal data may only be recorded and processed for the purpose specified in Section 2, in accordance with the requirements of fairness and lawfulness.
6.2 Personal data may only be processed to the extent and for the period required for achieving the objective.
6.3 Processing shall be proportionate to the requirements specified in Section 3.
6.4 The Company undertakes to process the personal data received and processed by it by observing the requirements of the Information Act, the GDPR, and the data processing principles stipulated herein, and besides the Controller specified herein, the Company will not transfer such data to incompetent or other third parties not indicated in this notice.
6.5 The Company will make the personal data of the Data Subject available to third parties in exceptional cases only, on the basis of court or authority order or statutory requirement.
6.6 The Company obliges itself to ensure data integrity and confidentiality in accordance with Article 5 (1) f) of the GDPR, and ensures the security of processing in accordance with Article 32 of the GDPR. For this, it will take the technical and organisational measures ensuring the protection of the recorded, stored and processed data, and preventing the destruction, unauthorised use of or access to such data.

7. Control of the personal data

7.1 The Data Subject may request information from the Company on the processing of his personal data anytime, in writing, by sending a registered mail or a registered mail with return receipt to the Company's address, or by sending an email to the address support@elektromotive.hu . The Company will only consider the request sent by post authentic if the Data Subject can be clearly identified from the mail. In case of requests sent by email, the request can be considered authentic if it was sent from the email address used for concluding the contract.
7.2 In case of a request, the Company shall give the requested information to the Data Subject within twenty-five (25) days calculated from the receipt of the request at the latest.
7.3 Providing the information is free of charge. Providing information to the Data Subject may only be refused in the cases specified in Section 19 of the Information Act.
7.4 If the personal data are not correct, but the correct data are available to the Data Controller, or if the Data Subject requests rectification of his personal data, then the Controller shall rectify the personal data. Instead of deletion, the Controller blocks the personal data if the Data Subject requests so, or if it can be supposed based on the available information that the deletion would violate the legitimate interests of the data subject. The blocked personal data may only be processed until the purpose of processing excluding the deletion exists. The Data Subject and all parties to whom the data were transferred earlier for processing shall be informed on the rectification, blocking, marking or deletion. If the Controller fails to fulfil the Data Subject's request on rectification, blocking or deletion, then it shall communicate the factual and legal reasons of refusing the request to rectify, block or delete within twenty-five (25) days following the receipt of the request. In case of refusing the request on rectification, blocking or deletion, the Controller shall inform the Data Subject on court remedy or the possibility to contact the Hungarian National Authority for Data Protection and the Freedom of Information.

8. Data processing, transmission

During Processing, the Company uses the following data processors (Name, Address, Contact details, Purpose of processing, Data privacy notice):

Elektromotive Hungaria Kft.

• H-1025 Budapest, Szalamandra út 44..

• Phone number: +36305901931
  E-mail: info@elektromotive.hu
  Adress: 1025 Budapest, Szalamandra út 44.
  Web: elektromotive.hu

• technical support, maintanance, operation of chargers, electromobility service provider

• elektromotive.hu/hu/adatkezeles

SmartCharging Kft.

• H-3200 Gyöngyös, Rigó utca 7.

• Phone number: +36 30 774 0262
  E-mail: info@smartcharging.hu
  Mailing address: 3200 Gyöngyös, Rigó utca 7.
  Web: smartcharging.hu

• providing web platform and management of charging sessions

• smartcharging.hu/adatvedelem/

Billingo Technologies Zrt.

• 1133 Budapest, Árbóc utca 6. I. emelet

• Phone number: +36-1/500-9491 Email: hello@billingo.hu
  Mailing address: 1133 Budapest, Árbóc utca 6. I. emelet
  Web: www.billingo.hu

• Billing, invoices

• www.billingo.hu/adatkezelesi-tajekoztato

OTP Mobil Kft.*

• 1143 Budapest, Hungária krt. 17-19.

• Phone number: +36 (1) 366-3311
  E-mail: ugyfelszolgalat@simple.hu
  Mailing address: 1143 Budapest, Hungária krt. 17-19.
  Web: simplepay.hu

• SimlePay payment service

simplepay.hu/kereskedo-aszf

*DATA TRANSFER DECLARATION: I acknowledge the following personal data stored in the user account of Elektromotive Hungaria Ltd. (1025. Budapest Szalamandra street 44. fsz. 1., VAT number: 23162884-2-41, Registration number: 01-09-955917) in the user database of [https://start.elektromotive.hu/] will be handed over to OTP Mobil Ltd. and is trusted as data processor. The data transferred by the data controller are the following: Name, Phone number, E-mail adress, Adress. The nature and purpose of the data processing activity performed by the data processor in the SimplePay Privacy Policy can be found at the following link: http://simplepay.hu/vasarlo-aff

9. Amendment of the Data Privacy Notice

The Company reserves the right to amend this data privacy notice anytime by unilateral decision.

10. Enforcement of rights options

10.1 The Data Subject may enforce his rights (object) against processing in the cases specified in Sections 21-24 of the Information Act and Article 21 of the GDPR. The Controller shall assess the objection as soon as possible, but within fifteen (15) days at the latest following the receipt of the request, shall make a decision on whether the objection is reasoned, and inform the Data Subject in writing. The Data Subject has the right to initiate lawsuit before the competent court within thirty (30) days following the receipt of such notice or if no such notice is received.
10.2 In addition to the above, the Data Subject may turn to court for enforcing his rights in accordance with the provisions of the Information Act or Act V of 2013 on the Civil Code (hereinafter: "Civil Code" ), and the court shall proceed as a matter of urgency. The lawsuit shall be subject to the competence of the tribunal. At the Data Subject's discretion, the lawsuit may be initiated before the tribunal competent at the Data Subject's residence or place of stay.
10.3 With the questions concerning processing, the Data Subject may turn to the Hungarian National Authority for Data Protection and the Freedom of Information (contact details: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; mailing address: 1530 Budapest, Pf. 5.).
10.4 In case of questions arising in relation to processing, the Company's employees may be contacted at the email address support@elektromotive.hu.

11. Definitions

11.1. 'data processing' means the performance of the technical tasks related to the processing operations, irrespectively of the method and tool of performing the operations and the place of the application, on condition that such technical task is performed on the data.
11.2. 'processor' means the natural or legal person or an organisation without legal personality performing data processing on the basis of a contract, including the contract concluded on the basis of a legal regulation.
11.3. 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
11.4. 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Notice, the Controller shall mean Elektromotive Hungaria Kft.
11.5. 'data owner' (data owner, business responsible) shall be responsible for ensuring that the data assigned to him (supervised by him) fulfil their role in the value creating process. As well as for performing this efficiently (always considering the return of expenditures, exploiting new opportunities by the developments, etc.) and securely (ensuring confidentiality, integrity and availability; requesting/approving effective and efficient protection). In terms of access control, its tasks and responsibilities include the determination of the access rules of the data possessed by it (e.g. definition of roles) and the approval of the changes of rights affecting its area (applications, withdrawals, etc.).
11.6. 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
11.7. 'confidentiality (secrecy)' means the characteristic of the data that it is only accessible to predefined users and not to others. Losing confidentiality is revealing, in case of which the confidential information becomes known to or accessible by incompetent persons.
11.8. 'criminal personal data' means personal data relating to criminal convictions and offences or related security measures.
11.9. 'user' means the person or organisation using one or more IT systems for performing its task.
11.10. 'third country' means any state that is not an EEA member state.
11.11. 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her.
11.12. 'information security (IT security)' means the state of the information (IT) system – sufficient for the Data Subject -, in which its protection is closed, comprehensive, continuous and proportionate to the risks in terms of the confidentiality, integrity and availability of the stored data, as well as the integrity and availability of the system elements.
11.13. 'power' means the right to process data, information, and to use various systems, applications, tools.
11.14. 'special personal data' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
11.15. 'personal data' means data related to the data subject – especially the data subject's name, tax ID, and the knowledge related to one or more physical, physiological, mental, economic, cultural or social identity -, as well as the consequences drawn from such data in relation to the data subject.