Privacy Policy

Privacy Policy – AutoVignet Ltd.

The operator of the website respects the privacy and data management rights of its customers who visit and use the website and all other parties involved, as well as the enforcement of these rights. Based on the obligation to implement the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), we inform you of the following:

Personal data manager

The personal data manager provided on the en.autovignet.hu website is

AutoVignet Ltd.
Principal office: 2094 Nagykovácsi, Séta utca 2.
Tax registration number: HU27116861
Trade registry number: 13-09-202680
E-mail: info@autovignet.hu

(hereinafter: Service Provider, Data Controller) shall consider the following regulations available at https://en.autovignet.hu/privacy-policy (hereinafter: Prospectus, Regulations) to be binding on itself.

This Data Management Policy is valid until its revocation, and the Data Controller may unilaterally modify it at any time. The modification of the policy takes effect on disclosure at the https://en.autovignet.hu/privacy-policy website.

The Data Controller shall only transmit personal data to service providers who provide the Data Controller with the services necessary for the performance of the activity, such as the operation of IT systems, provision of accounting services, execution of billing and settlement agreements, provision of legal services, execution of bank payments and personal data processing in accordance with the provisions of the applicable law. In such cases, the amount of data transmitted shall be limited to the minimum necessary in accordance with the principle of data minimisation. Moreover, the information you provide may be made available to the competent authorities if required by applicable law.

I. General Terms

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“data controller”: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“data processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller;

“recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored or otherwise processed;

II. Principles of personal data processing

Personal data:

a) shall be processed in a manner that is lawful, fair, and transparent to the data subject (“lawfulness, fairness and transparency”);

b) shall only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1) further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”);

c) shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

d) shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (“accuracy”);

e) shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; in accordance with Article 89(1) personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

f) shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);

The Data Controller shall be responsible for, and be able to demonstrate compliance with the core principles of data processing as defined above (“accountability”).

The Data Controller states that the processing of personal data is managed in accordance with the principles set out in this section.

III. Legal basis

The data management of the activity of the Data Controller is established on the following legal basis:

a) freely-given consent (Article 6(1) of the GDPR):

In case of data processing relying on freely-given consent, the data subject may withdraw consent at any stage of the data processing. In certain cases the handling, storage and transfer of the provided data are made mandatory by law, of which the Data Controller informs the data subjects separately.

b) performance of the contract (Article 6(1)(b) of the GDPR):

This applies where data is collected for the performance of a contract to which the data subject is party.

c) fulfilment of legal obligations (Article 6(1)(c) of the GDPR):

It shall be part of the fulfilment of legal obligations if the data processing is necessary for the fulfilment of legal obligations, to which the Data Controller is subject (e.g. fulfilment of an accounting obligation).

d) legitimate interest (Article 6(1)(f) of the GDPR):

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In all cases where the Data Controller intends to use personal data for purposes other than those for which the data were originally collected, the Data Controller shall inform the user of this, obtain his / her preliminary, express consent, and provide him / her with an opportunity to prohibit the use of such data. The Data Controller shall not verify the personal data provided to it. The person who provided the data is solely responsible for the adequacy of the personal data he / she provided.

An exception to the provision contained in this section is the use of data in a statistically aggregated form, which shall not contain other data suitable for the identification of data subjects in any form, thus it shall not be considered data management or data transmission.

According to the provisions of the GDPR, the Data Controller shall not designate a data protection officer, as the Data Controller does not constitute a public authority or body, the activities of the Data Controller do not require regular and systematic monitoring of data subjects on a large scale, and, furthermore, the Data Controller does not process special categories of data or personal data relating to criminal convictions and offences.

IV. Data processing

a) Motorway vignette sales

The Data Controller performs electronic vignette sales, i.e. the data subject uses a website without registration to purchase the Hungarian motorway vignette.

The purpose of data control: contact with potential customers (data subjects), information, and sales promotion; record purchasing and billing information. The legal basis of data processing: freely-given consent, performance of the contract, and compliance with the Accounting Acts. Processed personal data: name, telephone number, e-mail, vehicle registration number (mandatory data: e-mail, registration number). In case the customer requests an invoice, we ask for additional mandatory data: billing name, billing address, tax registration number. Deadline for erasure of data: if the registration is not followed by a purchase within 5 years, then 5 years from the date of registration, and 8 years after the issuance of the invoice according to Section 169(2) of the Accounting Act.

b) Customer correspondence

If you would like to contact the Data Controller, you can reach him / her using the contact details provided in this information prospectus and on the website (fill in the e-mail or contact form). The data controller will delete all e-mails he / she receives, together with the sender’s name, e-mail address, date and time data and other personal data provided in the message, no later than 5 years after the communication. The title of data processing: freely-given consent, and the performance of the contract.

c) Recording telephone conversations

The Data Controller’s administration related to the sale of motorway vignettes can be contacted on the telephone number +36205885618; the conversations will be recorded. Purpose of data processing: to enforce the rights of customers and the Data Controller, to provide evidence for the settlement of legal disputes that may arise, ex-post justification, quality assurance, fulfilment of legal obligations, handling of complaints. The legal basis of data processing: freely-given consent of the data subject, Section 288(2) of the Banking Act in case of any complaint. Processed data: telephone number, date and time of the call, recording of the telephone conversation, as well as other personal data provided during the conversation. Deadline for erasure of data: in the case of a question related to the sale of motorway vignettes, 30 days in accordance with Section 31(3) of Act CXXXIII of 2005. Data processor used: Telenor Magyarország Plc. (principal office: 2045 Törökbálint, Pannon út 1., trade registry number: 13-10-040409).

V. Data processors:

The Data Controller performs data processing via data processors. Data processors shall not make independent decisions; they are only entitled to act in accordance with the agreement with the Data Controller and the received instructions. The Data Controller shall monitor the work of data processors.

Personal data shall be transferred to the following recipients on the basis of the contracts entered into.

Nemzeti Mobilfizetési Plc. (1027 Budapest, Kapás utca 6-12. trade registry number: 01-10-047569; tax registration number: 24151667-2-4)
Transmitted data: country code, vehicle registration number, data of the purchased vignette (type, validity period)
Data processing: https://nmzrt.hu/egyeb-informaciok/adatvedelem

KBOSS.hu Ltd. (1031 Budapest, Záhony utca 7/C. trade registry number: 01-09-303201; tax registration number: 13421739-2-41)
Transmitted data: name, billing information, e-mail
Data processing: https://www.szamlazz.hu/adatvedelem/

OTP Mobil Ltd. (1143 Budapest, Hungária krt. 17-19.; trade registry number: 01-09-174466; tax registration number: 24386106-2-42)
In case of credit card data abuse, fraud, suspected fraud related to credit card payment, the following will be transmitted: name, billing data, e-mail, IP.
Data processing: https://simplepay.hu/adatkezelesi-tajekoztatok/

EZIT Ltd. (1132 Budapest, Victor Hugo u. 18-22., trade registry number: 01-09-968191, tax registration number: 23493474-2-41)
Webhosting.
Data processing: https://www.ezit.hu/adatvedelem/

TOPefekt s.r.o. (787 01 Sumperk, B. Nemcove 767/13, Czech Republic, trade registry number: 294 44 268, tax registration number: CZ29444268)
Data processing: https://portal.bulkgate.com/page/privacy-policy

Our mailing system is provided by Google LLC (“Google”); principal office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Data processing: https://gsuite.google.com/intl/hu/features/

The Data Controller sends transaction letters and newsletters via an external data processor.

Transaction letters:

Mailgun Technologies, Inc. (548 Market Street Suite 43099 San Francisco, CA 94101 United States)
Data processing: https://www.mailgun.com/privacy-policy/

Newsletters:

AWS Europe (Amazon EU S.a.r.L., 23 r. du Puits Romain, 8070 Bertrange, Luxembourg)
Data processing: https://aws.amazon.com/privacy/

The Data Controller uses an external web analytics service provider. In some cases, this external service provider provides personalisation or analysis of services and statistics by using clicktags (a metric that identifies a click on a particular advertisement) or other click metrics. Cookies placed by this external service provider may be deleted from the affected device at any time, and the use of cookies may usually be refused by selecting the appropriate browser settings. A cookie placed by an external service provider may be identified based on the domain associated with that cookie. The external service provider shall process the personal data transmitted to him / her in accordance with its own data protection prospectus.

The external web analytics service provider cooperating with the Data Controller:

Google Analytics (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Data processing: https://gsuite.google.com/intl/hu/features/

We use Google Analytics by enabling IP anonymisation, for more information: https://support.google.com/analytics/answer/2763052?hl=hu

In this case, Analytics anonymises the address at the earliest possible stage of the data collection network. The IP anonymisation feature of Analytics resets the last octet of IPv4 users’ IP addresses and the last 80 bits of IPv6 addresses to zero shortly after the address enters the Analytics data collection network. In this case, the system never records the full IP address on the disk.

VI. Cookie policy

What is a cookie? A cookie is a small package of data sent from a server to the browser, which in turn is sent back to the server each time a request is made towards the server. Cookies are useful as they allow the website to recognize the user’s device, thereby providing a more effective, personalised user experience.

What kind of cookie do we use?

We use the so-called first-party cookies and third-party cookies on the autovignet.hu website. The data subject may meet first-party cookies when visiting the autovignet.hu website; these are technical, session, persistent and functional cookies. Technical cookies are essential for the proper operation of the website. These allow the navigation between different parts of the website and the use of certain features. Session cookies are temporary cookies that allow quick and easy navigation on the site while browsing. Persistent cookies exceed the time of each browsing and remain in the browser for a set period of time after the session (unless deleted). Functional cookies detect the kind of device our website was opened with in order to improve user experience, remember your earlier decisions (such as selected language, or the region you are at). This way we can offer you better and more personalised features.

Third-party cookies include, for instance, performance cookies (by Google Analytics): they collect anonymous and aggregated information about your behaviour online (such as browser type, Internet Protocol (IP) address, operating system used, time and date the website was visited, etc.) for statistical purposes and creating visitor profiles.

The cookies we use do not collect information that could reveal your identity and therefore do not allow us to identify you. Our website may contain links to other websites that are not owned / operated by the Data Controller (content, links from third parties); the Data Controller is not responsible for the privacy practices of these websites.

How to reject cookies?

These settings are usually found in the “Options” menu of your Internet browser. Please note that this website is designed to use cookies, so disabling them in part or in full may affect the usability of the website, prevent you from communicating and using all its features. Settings may be changed any time.

VII. Data security

The Data Controller’s computer systems and other data storage locations are located at his / her headquarters and data processors. The Data Controller selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the processed data:

a) is accessible to those entitled to it (“accessibility”);
b) has its authenticity and authentication ensured (“authenticity of data processing”);
c) has verifiable integrity (“data integrity”);
d) is protected against unauthorised access (“data confidentiality”).

The Data Controller shall protect the data with appropriate measures, especially against unauthorised access, alteration, transmission, disclosure, erasure or destruction, accidental destruction, damage, and inaccessibility due to changes in the used technology.

In order to protect the data files processed electronically in its various registers, the Data Controller shall ensure, by means of an appropriate technical solution, that the stored data, unless permitted by law, cannot be directly linked and assigned to the data subject.

The Data Controller shall, taking into account the respective state of the art, ensure that the security of data processing is protected by technical and organisational measures that provide a level of protection appropriate to the risks associated with the data processing.

During data processing, the Data Controller maintains:

a) confidentiality: protects the information so that only authorised persons may access it;
b) integrity: protects the accuracy and completeness of the information and the method of processing;
c) accessibility: ensures that authorised users can access the required information when needed, and that the tools to do so are accessible.

The Data Controller and its partners’ IT systems and networks are all protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer hacking and denial-of-service attacks. The operator ensures security through system-wide and application-level protection procedures.

The Data Controller informs data subjects that electronic messages transmitted on the Internet, regardless of the protocol (e-mail, http, https, ftp, etc.), are vulnerable to network threats that lead to unfair activity, dispute of a contract, or disclosure or modification of information. In order to protect against such threats, the Data Controller shall take all precautionary measures required of him. He / she monitors systems to record any security incidents and provide proof of any security incidents. System monitoring also makes it possible to check the effectiveness of the taken precautions.

VIII. Possibility of data transmission

The Data Controller is entitled and obliged to transfer to the competent authorities all personal data in its possession and duly stored by them; he / she is obliged to transfer those personal data by law or a final official obligation. The Data Controller cannot be held liable for such transfers and the consequences thereof. The Data Controller is entitled, with the express consent of the data subject, to transfer the personal data specified in the authorisation to a third party specified in the authorisation for the purpose and for the period specified in the authorisation. The processing of the transmitted data is governed by the data processing provisions of the third party. The Data Controller shall keep a record of the transfer in order to verify the lawfulness of the transfer and to ensure that the data subject is informed.

IX. Rights of the data subjects

Data subject shall have the right to request information from the Data Controller regarding whether or not personal data concerning him / her are being processed, and, where that is the case, may request access to the personal data and information listed in the Regulation.

Data subject shall have the right to (‘right to rectification’) request the amendment and rectification of inaccurate personal data concerning him / her without undue delay. Taking into account the purpose of data processing, the data subject shall have the right to request that the incomplete personal data be supplemented (inter alia by means of a supplementary statement).

Data subject shall have the right to (‘right to erasure’) request the Data Controller to erase personal data concerning him / her without undue delay, and the Data Controller shall erase the data subject’s personal data without undue delay under certain conditions.

Right to be forgotten: if the Data Controller disclosed the personal data, and is obliged to erase it, he / she shall take reasonable steps – including technical measures – taking into account available technology and the cost of implementation, to inform data controllers that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.

Data subject shall have the right to (‘right to restriction’) request the restriction of data processing, where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling Data Controller to verify the accuracy of the personal data;
  • the data processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing, pending the verification of whether the legitimate grounds of the Data Controller override those of the data subject.

The data subject shall have the right (‘right to data portability’) to receive the personal data concerning him / her, which he / she has provided to Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from Data Controller, to whom the data were made available.

Right to object: if the data processing is necessary for reasons of legitimate interest, or public authority as a legal basis, the data subject shall have the right to object, on grounds relating to his / her particular situation, including profiling based on those provisions.

Objection in case of direct marketing purposes: if personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him / her for such marketing, including profiling, to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

X. Deadline of action

The Data Controller shall inform the data subject about the decisions made in connection with the above requests without undue delay. This deadline may be extended by one month if necessary. The Data Controller will inform the data subject about the extension of the deadline and the reasons for the delay. If the Data Controller does not take action on the data subject’s request, he / she shall inform the data subject without delay, but no later than within 30 calendar days of receipt of the request, of the reasons for non-action and of their ability to file a complaint with a supervisory authority and to seek a judicial remedy.

XI. Personal data breach

In accordance with the law, we report the personal data breach to the supervisory authority no later than 72 hours after becoming aware of it. The personal data breach is recorded in a breach log for recording personal data breach. In cases specified by law, the data subjects will also be informed of the personal data breach.

XII. Enforcement options

The data subject may contact the Data Controller with any questions or remarks related to the data processing by e-mail, telephone, or by registered or certified mail.

AutoVignet Ltd.
Principal office: 2094 Nagykovácsi, Séta utca 2.
Tax registration number: HU27116861
Trade registry number: 13-09-202680
E-mail: info@autovignet.hu

The data subject may turn to the National Authority for Data Protection and Freedom of Information (mailing address: H-1530 Budapest, Pf. 5, e-mail: ugyfelszolgalat@naih.hu) in case of any complaints related to data processing.

In the event of a violation of his / her rights, the data subject may initiate court proceedings against the Data Controller pursuant to Section 22(1) of the Information Act. The trial falls within the jurisdiction of the tribunal. The tribunal tries the case promptly. The trial may, at the discretion of the data subject, also be initiated at the court competent at his / her place of residence or place of stay.

Last modification: 31 May 2020.