Data Protection Statement of Yettel Hungary

{(a)    Act C of 2003 on Electronic Communications (Electronic Communications Act);
(b)    Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act);
(c)    Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society-Related Services (E-commerce Act);
(d)    Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations on Business Advertising (Advertising Act);
(e)    Act CLXV of 2013 on Complaints and Public Interest Disclosures;
(f)    Decree No. 2/2015 (III. 30) of the National Media and Infocommunications Authority on the detailed rules of subscription contracts in the field of electronic communications (Subscription Agreement Decree);
(g)    Decree No. 4/2012 (I. 24.) of the National Media and Infocommunications Authority on the confidentiality and data protection obligations related to public electronic communications services, on the special conditions of data processing and confidentiality, on the security and integrity of networks and services, on the management of traffic and invoice data and the rules of calling line identification and call forwarding (NMIA Decree 4/2012);
(h)    Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council (Electronic Communications Directive) on privacy and electronic communications (Regulation 611/2013/EU);
(i)    Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (hereinafter: GDPR)).
t}

If you are using one of our electronic communication services as a subscriber, you can find detailed information on data protection in Annex 2 to the General Terms and Conditions (available only in Hungarian) [ (“The processing of Subscribers’ and users’ personal data at Yettel Hungary Ltd.” (Data Processing Information) (available only in Hungarian here).
Yettel operates a Compliance function to support the implementation of the Yettel’s Code of Ethics, internal policies and relevant legislations and other compliance related issues. This also covers the translation of ethics and compliance principles into day-to-day activities, answering and managing ethical and compliance questions and dilemmas, monitoring employees´ compliance and investigation of potential breaches.
Any person may raise a concern or report a potential breach to Yettel Hungary Compliance through sending an email to compliance@Yettel.hu. All reports are handled confidentially and nobody reporting such cases to us in good faith may suffer any disadvantage due to the reporting.
If you are using one of our mobile applications, the Privacy Notice provided at the time of downloading the application will be applicable to the processing of your personal data with regard to the use of the mobile application. The Privacy Notice can also be accessed subsequently from our application and at the following link.

If you are browsing through our websites or are using a service available on one of our websites, in addition to this information document you can find additional information on data protection in the document entitled “Legal disclaimer and terms of service”. More information about the cookies and the management thereof is available on our website at a pop-up window for consent management window where you can also do the settings which cookies you agree with.Additional conditions and provisions may be applicable to certain services available on our websites; additional information on these may be found on the associated websites where the given service or product is offered.
Yettel operates a compliance hotline that you can use to report breaches of laws, Yettel’s Code of Ethics or Yettel’s internal regulations. If you report an incident, your personal data will be subject to processing. You can find detailed information on the reporting process and processing personal data in the document entitled “Notice on compliance reports”. 
If you are using one of our mobile applications, the Privacy Notice provided at the time of downloading the application will be applicable to the processing of your personal data with regard to the use of the mobile application. The Privacy Notice can also be accessed subsequently from our application, or through the following link.

Yettel Hungary processes your personal data based on different legal bases during each data processing activity. Subscribers can find detailed information on the various data processing activities in the Privacy Notice. The legal bases used in the case of web-based products and applications are detailed in the relevant notices. 

The possible legal basis for our data processing activities, in general, are the following: 

• consent, if you have given consent to the processing of your personal data for one or more specific purposes;
• the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
• compliance with a legal obligation to which Yettel is subject;
• processing is necessary in order to protect your or another natural person’s vital interests;
• processing is necessary for the purposes of the legitimate interests pursued by Yettel or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

Information is always provided on the legal basis of data processing for a given data processing purpose in the privacy notice applicable to the data processing at hand. 

4.1.1 In order to be able to provide our services to you, such as any of our tariff packages, the Yettel Wallet or MyTv services, etc., we require certain personal data.
These include:
(a)    your name, telephone number, email address, postal address, date of birth and other data that you provide when registering for our services or concluding a contract with us;
(b)    information related to payment, such as bank card data or other banking and payment data, that you also provide while concluding the contract.
These data are typically collected in the following cases:
(a)    when you register for one of our products or services,
(b)    when you purchase or use one of our products or services;
(c)    or when you subscribe to our newsletters or promotions pertaining to our products or services; or
(d)    when you request information or have questions or feedback regarding one of our products or services or our website.
These data are typically used
•    to provide the given service or product;
•    to process data related to your contract;
•    to conduct credit-rating checks,
•    to meet payment terms; and
•    to communicate with you
•    to complete or to manage information requests or inquiry as regards our product, service or website.

4.1.2 Other data also need to be processed in order to be able to provide our services:

We can collect other data on you while you are using our products, services or web pages. These data may include:
(a)    data related to your contract (for example, the end date of your loyalty period) and data related to your communication with us (e.g., your queries addressed to our customer service, your feedback and data related to your compliance with payment terms and invoicing dates);
(b)    product use data, such as the date you last used an application, how long you spent using a certain application, or how much you spent on a given product or service;
(c)    network data, including the data on mobile calls and short text messages (e.g. the dates of the calls and short text messages originated or received by you (but not their content), or the duration of the calls originated or received on our network);
(d)    positioning data (not recorded as a geographical address, but as cell data), when:
(i)    you use our telecommunications services, such as placing a call or sending a short text message, or use our broadband services;
(ii)    an emergency call is placed (during such an occurrence, the party receiving the emergency call must be provided with the subscriber’s location data);
(iii)    it is essential for investigating customer complaints;
(iv)    you use one of our location-based services, if you subscribe to such a Yettel service; or when
(v)    you register for certain location-based promotional activities.
(e)    The technical and analytical data generated during your use of different online services, for example, when you visit one of our websites and/or use one of our online services (browsing, online purchases, online service manipulation, chat, email, downloads, software updates, video streaming, etc.). A part of these data is stored as cookies and cannot necessarily be used to identify you personally, but it makes it possible for us to improve the quality of our services and to provide our clients with personalised solutions. The technical data we collect may include:
(i)    data relevant to your device, such as the serial number, type and version of your mobile device;
(ii)    network identifiers, i.e., IP addresses and port numbers;
(iii)    operating system, browser types, and their version numbers;
(iv)    type and category of service available online, such as browsing, social media/Facebook, etc.); 
(v)    time, location and mode of your use of the service and the log data;analytical data on your visit to our website and your use of our mobile application, including on where you navigated to our page from, which pages you visited on our website, which of our services and products you viewed and searched for, as well as the duration of your visit and your interactions with us. 
Yettel does not process the content of the services available online (e.g. the content of chat conversations, articles, voice calls, emails, images, videos, list of downloaded files, etc.) or user names and passwords, results of online search engines, and GPS accurate actual or historical location data (only cell codes), thereby guaranteeing the protection of your privacy, and the enforcement of the data processing principle of data minimisation.
We usually use the data to:
•    meet other obligations related to the provision of the service (for example, troubleshooting tasks or data provision requests related to network quality), or 
•    ensure that we are able to bill the fees payable for the services and products provided, and if necessary to collect any outstanding receivables;
•    use the recorded communication data for quality assurance purposes, to handle feedback, and to ensure the availability of customer service activities; 
•    improve the customer experience (e.g. for the purposes of network management and network optimisation);
•    develop our services by making sure we understand your behaviour and preferences;
•    analyse the use of our networks and services, in order to be able to identify general trends, and to create new services for our customers;
You have the right to object to the data processing by contacting us using the contact information provided, and if the data processing is based on consent, you also have the right to withdraw your consent, with the proviso that withdrawing your consent will not affect the legality of the data processing conducted on the basis of your previous consent. 

4.1.3 We also need certain personal data to be able to ensure such third party services for you whereby we proceed as re-sellers. 

Yettel Hungary may also sell third party products or service as re-seller (hereinafter referred to as ’service’ as regards this paragraph).  These are the high-way ticket purchase, parking, gambling etc services applied via SMS within the frame of the so-called mobile purchasing.  The consideration of such service provided by a third party shall be charged to the burden of the balance of the subscriber by the Yettel Hungary. Thereupon, such transactions and the consideration thereof is included in the invoices and annexes thereto issued by Yettel Hungary that shall be kept for 8 years for the compliance with legal obligations of Yettel Hungary (act C of 2000 on Accounting) (see paragraph 7 here below as well). We keep the service related data for a period of 1 year upon the termination of the contract concluded with You (implementation of the transaction) for the conclusion and performance of the contract, except for the case, if the limitation period of any contractual claim or legal consequence may be longer, including the suspension or interruption of such limitation period.
If you make a consumer complaint with regard to the above services, we are obliged to keep and to represent upon a request by supervising authority the complaint, the data contained therein, and data provided by you in the course of the complaint handling, a copy of the minutes of the complaint and the response provided thereon for a period of 5 years based on paragraph 17/A (7) of the Act CLV of 1997 on Consumer Protection. We keep the consumer complaint related voice recordings for 2 years upon paragraph I.7 of Annex No. 2 (Privacy Notice) of the Yettel Hungary’s General Terms and Conditions 
In case you use such service, Yettel Hungary and the service provider manage your personal data (for example: mobile phone number) and other information you provided (for example: plate number) or certain data from the service related circumstances (for example. date of purchase) as independent data controllers.
Details are available only in Hungarian here.
You find hereby below the details of data processings made by Yettel Hungary, specifying the recipient of the data transmission and contact details thereof:

High-way ticket purchase via SMS:

• Categories of processed data: mobile phone number, plate number, nationality and category of vehicle, data of the purchased vignette (type, validity period),
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Nemzeti Mobilfizetési Zrt. www.nemzetimobilfizetes.hu 

Mobile parking via SMS:

• Categories of processed data: mobile phone number, plate number, nationality and category of the vehicle, period and place of parking,
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Nemzeti Mobilfizetési Zrt. www.nemzetimobilfizetes.hu (közterületi parkolás esetén), EME Zrt. www.fizessenmobillal.hu (zárttéri parkolás esetén)

Gambling via SMS:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Szerencsejáték Zrt. www.szerencsejatek.hu 

SMS payment - randivonal.hu:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Dating Central Europe Zrt. www.randivonal.hu 

SMS payment by vending machines:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Alois Dallmayr Automaten-Service Kft. http://hu.dallmayr.com 

SMS payment – SMS waitress:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Multisms Kft - 1147 Budapest Telepes utca 72-74. subbasement 37., https://www.facebook.com/SMS-Pincér-Multisms-Kft-950663338347929/

SMS payment – jofogas.hu:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: Schibsted Classified Media Hungary Kft. www. jofogas.hu 

 
SMS payment – jobmonitor.hu:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: profession.hu Kft. www.jobmonitor.hu

SMS payment – csajokespasik.hu:

• Categories of processed data: mobile phone number
• Source of data: the data subject (person using the service, ie. subscriber)
• Legal basis of data processing: implementation of measures requested by the data subject before the conclusion of the contract and / or performance of the contract, including the invoicing of contractual fees, any claim or right enforcement and the compliant management as well.
• Adressee of the data transmission: The Cook Kft. www.csajokespasik.hu  

Your personal data may be shared with the following third parties:
(a)    any company that is a member or subsidiary of the Yettel Group;
(b)    data processors acting on their behalf in respect of, for example, performance of postal services, performance of device repair tasks, systems operations, etc.);
(c)    third parties that provide services for the use of which you have granted consent, such as pay-parking);
(d)    law-enforcement bodies and other authorities, where we are under an obligation to cooperate for law-enforcement or other purposes; and
(e)    third party operators, such as collection agencies or credit rating companies.

In the interest of supporting its sales or customer management activities, Yettel Hungary uses data processors (e.g. operation of sales points, making telesales, telemarketing calls, recording and investigation of customer complaints, etc.), for the performance of which activities these data processors may access certain personal data stored in the systems of Yettel Hungary.
Yettel Hungary may assign data processors for the identity verification of subscirbers’ and other persons ensuring the performance of a contractual duty (for example guarantor) in order to prevent any fraud event. Such data processors shall verify the identity of the data subjects based on the data queried from the central data base set up by legislation.
In order to recover claims arising from subscriber contracts, Yettel Hungary may assign data processors, may transfer the personal data of the subscriber concerned with outstanding balances to third parties and to set up a data base together with other communications service providers and with the involvement of the party ensuring the technical background with a content specified by regulation to prevent any fraud with regard to the payment and other contractual duties.
To guard certain facilities (e.g. stores), Yettel Hungary uses the services of third parties that, in certain cases and to the extent required for the performance of guarding duties, may become aware of your personal data (e.g. checking the recordings stored on security cameras at the stores).
Yettel Hungary forwards the devices submitted for inspection or repairs to third-party subcontractors, in which case these contracted partners may gain access to personal data stored on the devices and may also become aware of the personal data contained in the work acceptance report drawn up for such repairs.
For the purpose of its own operation, for the development and modernization of its own network and for the provision of certain services, Yettel Hungary uses operational, information technology (IT) and other services provided by its contracted partners, which, acting as data processors, may have access to some of your personal data. In the course thereof, service providers located outside of the EEC region may have access to your personal data, and Yettel ensures the proper level of security by means of  legal actions in compliance with the GDPR and relevant guidelines in all such cases, please see the below information on the international data transmissions.
Yettel Hungary uses third-party data processors for the performance of logistics and data storage tasks (e.g. handling and storage of products and documentation).The delivery of certain products and consignments is performed by contracted partners on behalf of Yettel Hungary; these partners qualify as data controllers pursuant to Section 54 (1) of Act CLIX of 2012 on Postal Services.
Yettel Hungary uses the services of third-party data processors for the performance of complaint handling and troubleshooting tasks, in the course of which the data needed to respond to complaints or repair faults may be processed thereby.
Yettel Hungary uses third-party data processors to perform invoice printing and delivery tasks.
In the interest of optimising advertising displayed in electronic form, Yettel Hungary may transfer certain personal data to service providers operating online search engines and social media networks.
Yettel Hungary may also sell third party products or services as reseller. These are the highway ticket purchase, parking, gambling services applied via SMS service within the mobile purchase. In case you use such service, Yettel Hungary transfers the data processed for the prupose of concluding and / or performing the contract to the third party providing the specific product or service. Further information is available in paragraph 4.1.3 here above. 
Yettel Hungary shall be entitled to transfer the subscribers’ data as per the section 158 of the Act C of 2003 on the Electronic Communications to other service providers and / or to a common data base developed by the service providers to prevent any fraud event with regard to duties on payment or other contractual duty.

Yettel Hungary uses the following third-party data processors to perform debt collection tasks:

• Creditexpress Magyarország Kft. (company registration number: 01-09-677951, registered address: H-1146 Budapest, Hungária krt. 179-187);
• Ecovis Holding Kft. (company registration number: 01-09-874037, registered address: H-1036 Budapest, Bécsi út 52);
• Vitári Law Office (Budapest Bar Association registration no. 448, registered address: H-1089 Budapest, Gaál Mózes u. 5-7);
• E.R.T. Hungary Kft. (company registration number: 01-09-888186, registered address: H-1145 Budapest, Újvilág u. 50-52);
• Consequence Europe Magyarország Kft. (company registration number: 01-09-721680, registered address: H-1013 Budapest, Pauler utca 11);
• SOLVENTIS Követeléskezelő Kft. (company registration number: 07-09-019231, registered address: H-8000 Székesfehérvár, Milleniumi utca 11).

Yettel Hungary has a contractual relationship with a collection agency (Intrum Justitia Zrt. (registered address: H-1139 Budapest, Papp Károly u. 4-6, company registration number: 01-10-044857)) and, pursuant to the provisions of the Civil Code on the assignment of claims, it may transfer certain claims to it.

• Yettel Hungary uses the following third-party data processors to perform debt collection tasks:
  •    Vitári Law Office (Budapest Bar Association registration no. 448, registered address: H-1011 Budapest, Hunyadi János út 13. Ground Floor);
  Yettel Hungary has a contractual relationship with collection agency and, pursuant to the provisions of the Civil Code on the assignment of claims, it may transfer certain claims thereof on the following comopanies:
  •    Intrum Justitia Zrt. (registered seat: H-1139 Budapest, 1139 Budapest, Fiastyúk u. 4-8., company registration number: 01-10-044857),
  •    Faktor-Ring Pénzügyi és Tanácsadó Zrt. (registered seat: 1072 Budapest, Dob u. 56‒58, company registration number: 01-10-044036
  •    Agria Portfólió Zrt. (registered seat: 3300 Eger, II. Rákóczi Ferenc út 44. VII/52., company registration number: 10-10-020187).

• Name, address and company registration number of Serbian branch office: Yettel Common Operation Ogranak Beograd (address: Omladinskih brigade 90, 11070 Belgrade, company registration number: 29505365)
• Name, address and company registration number of Montenegro branch office: Yettel Common Operation Zrt. Dio stranog drustva Podgorica (address: Rimski trg 4, 81000 Podgorica, company registration number: 02952165).

We ensure the security of your personal data by implementing the following measures:
a.    When we process your data through other operators or data processors, we ensure at all times that the given operators and data processors apply the appropriate technical and organisational measures in order to ensure that the data are kept secure. Such control mechanisms include controlling access to the data and the infrastructure that houses the data, as well as the entry into agreements with the third party that sets out a requirement of compliance with the applicable laws. When developing our products and services, we are already paying attention to integrating and establishing appropriate data protection guarantees.
b.    When you use your telephone number or username and password to log in to your My Yettel account to use one of our services, we encrypt all data using a cryptographic protocol such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption. We also apply such cryptographic protocols on all web pages where we collect personal data. Purchases through such web pages can only be made using browsers that support TLS or SSL (e.g. Internet Explorer, Safari, Firefox or Chrome). This means that your personal data are protected during the transfer online;
c.    If you have a username and password that provide access to our services and you have been inactive for some time, you are automatically logged out of your account to ensure the safety of your data;
d.    When your telephone device connects to the Yettel network, communication between your device and the network is done through an encrypted channel, ensuring thereupon the confidentiality of communication. Yettel ensures the confidentiality of the communication content via organizational and technological measures within its own systems. If the applied service requires the co-operation with one of the co-service providers (for example mobile termination to another network), it happens based upon such a third party contract that ensures the compliance with the relevant legislations. 
e.    If needed, we use data protection impact analyses to gauge how a given activity would impact the safety of your personal data.

Right of access

You have the right to obtain from Yettel confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and information on the circumstances of data processing. The information requested may cover the following data: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed by Yettel, the envisaged period for which the personal data will be stored, or, if the personal data are not collected directly from you, any available information as to their source. 

Rectification

You have the right to obtain from Yettel without undue delay the rectification of inaccurate personal data, and to have incomplete personal data completed. 
Right to erasure (‘right to be forgotten’) 
You shall have the right to obtain from Yettel the erasure of personal data concerning you without undue delay where one of the following grounds applies: 
a)    the personal data are no longer necessary;
b)    the consent on which the processing is based is withdrawn and there is no other legal ground for processing;
c)    you object to the processing and there are no overriding legitimate grounds for processing;
d)    the personal data have been unlawfully processed by Yettel;
e)    the personal data have to be erased for compliance with a legal obligation.
Yettel shall not erase the data if data processing is required on one of the following grounds: (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation which requires processing by law; (iii) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

You have the right to obtain from Yettel the restriction of processing where one of the following applies:
a)    you contest the accuracy of the personal data, for a period enabling Yettel to verify the accuracy of the personal data;
b)    the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c)    Yettel no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
d)    you have objected to processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You shall be informed by Yettel before the restriction of processing is lifted. 

Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Yettel’s legitimate interests. In this event, Yettel shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims.

Right to data portability

If this does not adversely affect the rights and freedoms of others, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You also have the right to have Yettel directly transfer these data to another data controller, where
a)    the processing is based on your consent or is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; and
b)    the processing is carried out by automated means, i.e. personal data are processed in an IT system and are not paper-based.