Privacy Notice of Yettel Hungary

(a)    Act C of 2003 on Electronic Communications (Electronic Communications Act);

(b)    Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act);

(c)    Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society-Related Services (E-commerce Act);

(d)    Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations on Business Advertising (Advertising Act);

(e)    Act CLXV of 2013 on Complaints and Public Interest Disclosures;

(f)    Act CLV of 1997 on consumer protection (“Consumer Protection Act”);

(g)    Act C of 2000 on accounting; 

(h)    Act CXXXIII of 2005 on security services and the activities of private investigators

(i)    Decree 22/2020 (XII.21.) NMHH of the National Media and  Infocommunications Authority on the detailed rules of electronic communications subscriber contracts (“Subscriber Contract Decree”);

(j)    Decree 4/2012 (I.24.) NMHH of the National Media and Infocommunications Authority on the rules concerning data protection and confidentiality in relation to public electronic communications services, special conditions for data processing and confidentiality, security and integrity of networks and services, processing of traffic and billing data, identification and call forwarding rules (”NMHH Decree 4/2012”);

(k)    Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (“Directive on Privacy and Electronic Communications”) (“Regulation 611/2013/EU”);

(l)    Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR");

(m)    Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Second Payment Services Directive, PSD2 Directive).

If you have ordered or use one of our services, the Data Processing Notice for that service will provide you with detailed information on exactly what personal data we process, for what purposes, on what legal bases and for how long. With respect to our electronic communication services (e.g. voice calls, data traffic), Annex 2 of our General Terms and Conditions will provide you with detailed information on data protection (“Processing of personal data of subscribers and users by Yettel Hungary”) (hereinafter referred to as the “Data Processing Notice”). For our other services (e.g. Yettel app, Yettel TV, Yettel Wallet), you will find direct links to the general terms and conditions of the respective services in Section 4 below, which also contains information on the processing of personal data. If you also use one of our mobile apps, the Data Processing Notice provided when you download the app will apply to the processing of your personal data in connection with your use of the mobile app. The Data Processing Notices are also available retroactively from the applications and on our website.

Yettel operates a Compliance function to support compliance with Yettel’s Code of Conduct, internal policies and applicable legislation and other compliance related issues. This includes implementation of ethics and compliance principles in daily operations, responding to and managing ethics and compliance issues and situations, monitoring employee compliance and investigating potential violations. Anyone can report potential violations to Yettel Compliance by sending an email to compliance@yettel.hu. All reports will be treated confidentially and no one will suffer any disadvantage for reporting such cases in good faith. For detailed information on the reporting process and the processing of personal data, please see the document “Information on compliance reports”.

If you are browsing through our websites or are using a service available on one of our websites, in addition to this information document you can find additional information on data protection in the document entitled “Legal disclaimer and terms of service”. Additional conditions and provisions may be applicable to certain services available on our websites; additional information on these may be found on the associated websites where the given service or product is offered.

Yettel operates a compliance hotline that you can use to report breaches of laws, Yettel’s Code of Ethics or Yettel’s internal regulations. If you report an incident, your personal data will be subject to processing. 

If you are using one of our mobile applications, the Privacy Notice provided at the time of downloading the application will be applicable to the processing of your personal data with regard to the use of the mobile application. The Privacy Notice can also be accessed subsequently from the application, or through the following link.

Yettel Hungary processes your personal data based on different legal bases during each data processing activity. Subscribers can find detailed information on the various data processing activities in the Privacy Notice. The legal bases used in the case of web-based products, applications and other, not electronic communications services are detailed in the relevant notices. 

The possible legal basis for our data processing activities, in general, are the following: 

• consent, if you have given consent to the processing of your personal data for one or more specific purposes;
• the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
• compliance with a legal obligation to which Yettel is subject;
• processing is necessary in order to protect your or another natural person’s vital interests;
• processing is necessary for the purposes of the legitimate interests pursued by Yettel or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

Information is always provided on the legal basis of data processing for a given data processing purpose in the privacy notice applicable to the data processing at hand. 

4.1.1 In order to be able to provide our services to you, such as any of our tariff packages, the Yettel Wallet or MyTv services, etc., we require certain personal data.

These include:

(a)    your name, telephone number, email address, postal address, date of birth and other data (e.g. for contracts concluded through the Yettel application the photos taken during the identification process, scanned document data) that you provide when registering for our services or concluding a contract with us;

(b)    information related to payment, such as bank card data or other banking and payment data, that you also provide while concluding the contract.

These data are typically collected in the following cases:

(a)    when you register for one of our products or services, or 

(b)    when you purchase or use one of our products or services;

(c)    or when you subscribe to our newsletters or promotions pertaining to our products or services; or

(d)    when you request information or have questions or feedback regarding one of our products or services or our website.

These data are typically used

• to provide the given service or product;
• to process data related to your contract;
• to conduct credit-rating checks,
• to meet payment terms,
• to communicate with you; and
• to fulfill and manage your request for information about our product, service or website.

4.1.2 Other data also need to be processed in order to be able to provide our services:
We can collect other data on you while you are using our products, services or web pages. These data may include:

(a)    data related to your contract (for example, the end date of your loyalty period) and data related to your communication with us (e.g., your queries addressed to our customer service, your feedback and data related to your compliance with payment terms and invoicing dates);

(b)    product use data, such as the date you last used an application, how long you spent using a certain application, or how much you spent on a given product or service;

(c)    network data, including the data on mobile calls and short text messages (e.g. the dates of the calls and short text messages originated or received by you (but not their content), or the duration of the calls originated or received on our network);

(d)    positioning data (not recorded as a geographical address, but as cell data), when:

(i)    you use our telecommunications services, such as placing a call or sending a short text message, or use our broadband services;

(ii)    an emergency call is placed (during such an occurrence, the party receiving the emergency call must be provided with the subscriber’s location data);

(iii)    it is essential for investigating customer complaints;

(iv)    you use one of our location-based services, if you subscribe to such a Yettel service;

(v)    you register for certain location-based promotional activities; or if

(vi)    you wish to receive personalised offers based on location data on the basis of your consent.

(e)    The technical and analytical data generated during your use of different online services, for example, when you visit one of our websites and/or use one of our online services (browsing, online purchases, online service manipulation, chat, email, downloads, software updates, video streaming, etc.). A part of these data is stored as cookies and cannot necessarily be used to identify you personally, but it makes it possible for us to improve the quality of our services and to provide our clients with personalised solutions. The technical data we collect may include:

(i)    data relevant to your device, such as the serial number, type and version of your mobile device;

(ii)    network identifiers, i.e., IP addresses and port numbers;

(iii)    operating system, browser types, and their version numbers;

(iv)    type and category of service available online, such as browsing, social media/Facebook, etc.); 

(v)    time, location and mode of your use of the service and the log data;

(vi)    analytical data on your visit to our website and your use of our mobile application, including on where you navigated to our page from, which pages you visited on our website, which of our services and products you viewed and searched for, as well as the duration of your visit and your interactions with us. 

We usually use the data to:

• meet other obligations related to the provision of the service (for example, troubleshooting tasks or data provision requests related to network quality), or 
• ensure that we are able to bill the fees payable for the services and products provided, and if necessary to collect any outstanding receivables;
• use the recorded communication data for quality assurance purposes, to handle feedback, and to ensure the availability of customer service activities; 
• improve the customer experience (e.g. for the purposes of network management and network optimisation) and the services provided to us by third parties for this purpose;
• develop our services by making sure we understand your behaviour and preferences (if you have consented to this);
• analyse the use of our networks and services, in order to be able to identify general trends, and to create new services for our customers;

You have the right to object to the data processing by contacting us using the contact information provided, and if the data processing is based on consent, you also have the right to withdraw your consent, with the proviso that withdrawing your consent will not affect the legality of the data processing conducted on the basis of your previous consent. 

In order to protect your privacy, we do not process the content of your SMS messages, calls or other communications (e.g. emails) based on the data processing principle of data minimization and the communications principle of the confidentiality of electronic communications. Similarly, we do not process information about what content you access when using our services, such as what articles you read, what email or other messages you write, what pictures or videos you view, what music you listen to, what files you download or what terms you search for. Also, we do not process current and historical location (geolocation) data of GPS (or other global positioning systems) precision, but only cell identifiers for the purposes described in Section 4.1.2 d) above. 

For law enforcement, national security, and similar legal purposes, however, your communications and data traffic may be monitored and recorded by public authorities and other public bodies. Yettel is required by law to provide the technical means to do so to public authorities and other public bodies, and consequently Yettel has no discretion related to such activities. Due to the technical implementation of monitoring and recording, Yettel does not have any information on whether monitoring and recording is taking place or has taken place in the past. The legitimacy of these activities shall be the responsibility of the given public authority or other public body.    

If you use our services outside Hungary (roaming), the legal regulations, customs and practices in effect in the given country may be different from the legal regulations, customs and practices in Hungary. Yettel has no control over these and on the respective compliance of the electronic communications service provider providing roaming services in the country concerned. 

4.1.3 In order to provide you with third party services for which we act as a reseller, we also need certain personal data.

Yettel Hungary also sells third party products or services (hereinafter jointly referred to as “Services” in this section) as a reseller. These include SMS services used for mobile shopping, and – if available for a given service – the purchase of toll stickers, parking, gambling, etc. services using the Yettel app. In these cases, the value of the third party transaction will be debited to the subscriber’s balance with Yettel Hungary. 

If you use such a service sold by Yettel as a reseller, your personal data (e.g. mobile phone number) and other information you provide (e.g. vehicle registration number) or certain data related to the circumstances of use (e.g. time of purchase) will be processed by Yettel Hungary and the service provider as separate data controllers. Yettel has no control over how and for how long your personal data is processed by the service provider. For more information please see the Data Processing Notice and the General Terms and Conditions of the relevant service provider. 

Find details here. 

Below we describe the features of such data processing activities conducted by Yettel Hungary, indicating the recipients of data transfer and their contact details: 

Purchase of a toll sticker by SMS
-    Categories of data processed: mobile phone number, vehicle registration number, country code and category, details of the toll sticker purchased (type, expiry date)
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: Nemzeti Mobilfizetési Rendszer Zrt. www.nemzetimobilfizetes.hu 

Mobile parking via SMS and IP-based mobile parking ticket purchase transactions (using the Yettel app)
-    Scope of data processed: mobile phone number, vehicle registration number, country code and category, type of transaction, amount to be paid, date of transaction, result of transaction (successful / unsuccessful) and error code in case of unsuccessful transactions, e-vignette data (e.g. category, type, expiry date, identifier), county where the e-vignette is valid (in case of regional e-vignette).Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: Nemzeti Mobilfizetési Rendszer Zrt. www.nemzetimobilfizetes.hu (for public parking), EME Zrt. www.fizessenmobillal.hu (for indoor parking)

Gambling by SMS
-    Categories of data processed: mobile phone number
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: Szerencsejáték Zrt. www.szerencsejatek.hu 

Payment by SMS – randivonal.hu
-    Categories of data processed: mobile phone number
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: Dating Central Europe Zrt. www.randivonal.hu 

Payment by SMS at drinks and food vending machines
-    Categories of data processed: mobile phone number
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: Alois Dallmayr Automaten-Service Kft. http://hu.dallmayr.com 

Payment by SMS – jobmonitor.hu
-    Categories of data processed: mobile phone number
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the transfer: profession.hu Kft. www.jobmonitor.hu

Payment by SMS – csajokespasik.hu
-    Categories of data processed: mobile phone number
-    Source of data: the data subject (the person using the service)
-    Legal basis for processing: to take steps upon the request of the data subject prior to the conclusion of the contract and/or for the performance of the contract, including the billing of fees arising from the contract and the potential enforcement of claims and rights, as well as the handling of complaints.
-    Recipient of the data transfer: The Cook Ltd. www.csajokespasik.hu​​​​​

Your personal data may be shared with the following third parties:

(a)    any company that is a member or subsidiary of the Yettel Group;

(b)    data processors acting on our behalf in respect of, for example, performance of postal services, performance of device repair tasks, systems operations, for companies carrying out market research, surveys, or for companies providing customer service, etc.);

(c)    third parties that provide services for the use of which you have ordered or are using, such as pay-parking;

(d)    law-enforcement bodies and other authorities, where we are under an obligation to cooperate for law-enforcement or other purposes; and

(e)    third party operators, such as collection agencies or credit rating companies.

In the interest of supporting its sales or customer management activities, Yettel Hungary uses data processors (e.g. making telesales and telemarketing calls, etc.), for the performance of which activities these data processors may access certain personal data stored in the systems of Yettel Hungary.

In order to prevent abuse, Yettel Hungary may use data processors to verify the identity of subscribers and other persons who ensure the fulfilment of their contractual obligations. Such data processors verify the identity of data subjects based on data retrieved from a central register established by legal regulations.

Yettel Hungary may use data processors to recover debts arising from subscriber contracts, may transfer personal data of indebted subscribers to third parties, and may operate a common data file including the data content specified in legal regulations with other communications service providers, involving a party providing the technical background, to prevent the evasion of payment and other obligations. To guard certain facilities (e.g. stores), Yettel Hungary uses the services of third parties that, in certain cases and to the extent required for the performance of guarding duties, may become aware of your personal data (e.g. checking the recordings stored on security cameras at the stores).

Yettel Hungary forwards the devices submitted for inspection or repairs to third-party subcontractors, in which case these contracted partners may gain access to personal data stored on the devices and may also become aware of the personal data contained in the work acceptance report drawn up for such repairs. The general terms and conditions for device insurance are available here.

Yettel Hungary uses operational, information technology (IT) and other services from its contracted partners for its own operations, network development, modernization and the provision of certain services, which may have access to some of your personal data when acting as a data processor. During that, your personal data may also be accessed by service providers located outside the EEA, in which case we will always ensure the appropriate level of protection by legal means in accordance with the GDPR and the relevant guidelines. Please see below the information on international data transfers.

Yettel Hungary uses third-party data processors for the performance of logistics and data storage tasks (e.g. handling and storage of products and documentation).

The delivery of certain products and consignments is performed by contracted partners on behalf of Yettel Hungary; these partners qualify as data controllers pursuant to Section 54 (1) of Act CLIX of 2012 on Postal Services.

Yettel Hungary uses the services of third-party data processors for the performance of complaint handling and troubleshooting tasks, during of which the data needed to respond to complaints or repair faults may be processed.

Yettel Hungary uses third-party data processors to perform invoice printing and sending tasks.

In the interest of optimising advertising displayed in electronic form, Yettel Hungary may transfer certain personal data to service providers operating online search engines and social media networks (if you have consented to this, e.g. by allowing cookies for marketing purposes). The cookie information is available here, including information about Google Consent Mode, where personal data is encrypted on the basis of consent, and the status of consent given in relation to cookies is also transmitted to Google, Facebook and Exponea.

Yettel Hungary also sells third party products or services as a reseller. This includes the purchase of toll stickers, parking, gambling betting, etc. via SMS in the context of mobile shopping and also in the Yettel application. If you use such a service, the data processed for the purpose of concluding and/or performing the contract will be transferred by Yettel Hungary to the third party selling the product or providing the service. For more information, see Section 4.1.3 above. 

To prevent the evasion of payment or other contractual obligations, Yettel Hungary may transfer subscriber data, as defined in Section 158 of the Act C of 2003 on Electronic Communications, to other electronic communications service providers or to a common data file created by the service providers.

• Yettel Hungary has a contractual relationship with a claims management company and, in accordance with the provisions of the Civil Code on the assignment of claims, assigns certain of its claims to the following companies: INTRUM Zrt. (company registration no.: 01-10-044857, registered office: H-1139 Budapest, Fiastyúk u. 4-8.);
• Faktor-Ring Pénzügyi és Tanácsadó Zrt. (company registration no.: 01-10-044036, registered office: 1072 Budapest, Dob u. 56‒58.).

Yettel Hungary uses the following account information service provider for solvency assessments: STATOSFERA Ltd. (registered office: 3530 Miskolc, Hunyadi János utca 56., company registration number: 05-09-028450; email: support@statosfera.com, website: www.statosfera.com)

We ensure the security of your personal data by implementing the following measures:

a.    When we process your data through other operators or data processors, we always ensure that the given operators and data processors apply the appropriate technical and organizational measures in order to ensure that the data are kept secure. Such control mechanisms include controlling access to the data and the infrastructure that houses the data, as well as the entry into agreements with the third party that sets out a requirement of compliance with the applicable laws. When developing our products and services, we are already paying attention to integrating and establishing appropriate data protection guarantees.

b.    When you use your telephone number or username and password to log in to your Yettel online administration account to use one of our services, we encrypt all data using a cryptographic protocol such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption. We also apply such cryptographic protocols on all web pages where we collect personal data. Purchases through such web pages can only be made using browsers that support TLS or SSL (e.g. Internet Explorer, Safari, Firefox or Chrome). This means that your personal data are protected during the transfer online;

c.    If you have a username and password that provide access to our services and you have been inactive for some time, you are automatically logged out of your account to ensure the safety of your data;

d.    When your handset is connected to Yettel’s network, the communication between your handset and the network is encrypted to ensure the confidentiality of the content of the communication. Yettel ensures the confidentiality of the content of communication through organizational and technological measures within its own systems. If the provision of the service used requires cooperation with a service provider partner (e.g. call termination to another network), this is done based on an agreement with a third party that ensures compliance with the applicable legislation. 

e.    If needed, we use data protection impact analyses to gauge how a given activity would impact the safety of your personal data.

Right of access

You have the right to obtain from Yettel confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and information on the circumstances of data processing. The information requested may cover the following data: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed by Yettel, the envisaged period for which the personal data will be stored, or, if the personal data are not collected directly from you, any available information as to their source. 

Rectification

You have the right to obtain from Yettel without undue delay the rectification of inaccurate personal data, and to have incomplete personal data completed. 

Right to erasure (‘right to be forgotten’) 

You shall have the right to obtain from Yettel the erasure of personal data concerning you without undue delay where one of the following grounds applies: 

a)    the personal data are no longer necessary;

b)    the consent on which the processing is based is withdrawn and there is no other legal ground for processing;

c)    you object to the processing and there are no overriding legitimate grounds for processing;

d)    the personal data have been unlawfully processed by Yettel;

e)    the personal data must be erased for compliance with a legal obligation.

Yettel shall not erase the data if data processing is required on one of the following grounds: (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation which requires processing by law; (iii) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

You have the right to obtain from Yettel the restriction of processing where one of the following applies:

a)    you contest the accuracy of the personal data, for a period enabling Yettel to verify the accuracy of the personal data;

b)    the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

c)    Yettel no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or

d)    you have objected to processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You shall be informed by Yettel before the restriction of processing is lifted. 

Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Yettel’s legitimate interests. In this event, Yettel shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims.

Right to data portability

If this does not adversely affect the rights and freedoms of others, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You also have the right to have Yettel directly transfer these data to another data controller, where

a)    the processing is based on your consent or is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; and

b)    the processing is carried out by automated means, i.e. personal data are processed in an IT system and are not paper-based.