Privacy policy

  • I. INTRODUCTION:
  • II. ABOUT THE DATA PROCESSING

1. What is this Notice about? (scope of this Notice)

With this data protection notice (hereinafter: “Notice”) we provide information on which personal data of those who visit, register or purchase on the website: https://eventim-business.eventim.net/b2b-portal-hu/  we process, and about the purposes and methods of such data processing. Hereinafter, this website and all of its pages are collectively referred to as the "Websites" and any of them are referred to as the "Website".


2. What data does qualify as personal data? (definition of personal data)

Personal data means any information relating to an identified or identifiable individual (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

3. What does personal data processing mean? (definition of data processing)

Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

No automated decision-making is involved in the processing on behalf of Data Controller.

4. Who is the Data Controller? (contact details of the Data Controller)

The above Website is operated by CTS Eventim Hungary Kft  (seat: 1139 Budapest, Váci út 91/A 3.em..; Company reg nr. 01-09-877903; represented by Mr. Gyula Kovácska managing director and Mr. Christoph Klinger managing director – both independently; contact information: dataprotection@eventim.hu); this company determines the purpose and means of the processing of personal data and therefore, this company is the Data Controller of the personal data (hereinafter: “Data Controller”).

5. Is there any other company that processes personal data on behalf of the Data Controller? (data processors)

Yes, these companies are called data processors. This Notice lists the data processors involved in the data processing. 

6. Who is responsible for the accuracy and lawfulness of the personal data submitted to the Websites? (credibility of personal data)

The Data Controller does not check the personal data provided by the Data Subject, unless otherwise stated in this Notice; and the Data Subject is fully liable for the credibility of the personal data submitted by him or her. 
7. What is the legislation behind personal data protection? (legislative background)

The Data Controller especially took into consideration the following laws when creating this Notice: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act No. CXII. of 2011 on Information Self-Determination and Freedom of Information (“Info Act”), Act No. V. of 2013 on the Civil Code (the “Civil Code”), Act No. CVIII. of 2001 on E-commerce Services (“E-commerce Act”), Act No. XLVIII. of 2008 on Advertising Activity (“Advertising Act”).

 

 

II. 1. FOR THE WEBSITE VISITORS:

Cookies keep unique identifier of computers or device and profile information. Cookies are not capable of identifying the visitors of the Websites; however, they are capable of identifying and recognizing the device used by the visitor when visiting the Websites. These cookies may be placed on the computer or device used for visiting the Website by the visitors of the Website during visiting the Websites. 

1. What kind of cookies are used on the Website?

On the Websites permanent, tracking and cookies related to one work session are used. The permanent cookies enable that the Websites remember the visitor visiting the Website more times, his or her settings and preferences. Cookies related to one work session help the Website recognize the visitor of the Website at the time of the visit even if the visitor of the Websites moves from page to page; but these cookies expire when the visitor leaves the Website.
There are several types of cookies used on the Websites; we differentiate them based on their functions, as follows:

- Technical cookies:
Use of technical cookies enables proper display and operation of the Websites, among others the login to the Websites or managing the purchase of tickets, and they are necessary for the proper display of the Websites.

- Functional cookies:
Functional cookies enable tracking the browsing of the Websites and the preferences used during browsing; with the help of these, the Websites can remember among others to the registration data, the events checked by the visitor, the language preferences, etc.

- Analytical cookies:
Analytical cookies enable tracking the behaviour of visitors of the Websites and as a result, based on the use and exploitage of the Website by the visitors, making it possible to develop the Website and to provide an even better user experience and to display more useful content. The Website uses Google Analytics and Google Signals to analyse and optimise the use of the Website.

If the visitor of the Website does not want his or her data concerning the use of the Websites (including the IP address) to be collected and processed by cookies, and he or she wishes to disable them, he or she may download and install the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu.

For this analysis, we use Google Analytics 360, a web analysis service of Google Ireland Ltd. ("Google"), on our website. Google Analytics 360 uses cookies that enable an analysis of the use of our websites. The information generated by the cookie about the use of our websites is in general transferred via a server operated by us in Europe to Google Analytics 360 in the US and stored there. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. You can find out more here:            https://business.safety.google/adsprocessorterms/sccs/p2p-intra-group/ (https://business.safety.google/adsprocessorterms/sccs/p2p-intra-group/)

We shorten your IP address on the server we operate before it is transferred to a Google Analytics 360 server. An exception to this are websites that we operate under joint responsibility with our partners, there your information will be transferred to Google Analytics 360 after using IP anonymization on our websites. If you are in the European Union, this function shortens your IP address within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. On behalf of EVENTIM, Google Analytics 360 will use this information to evaluate the use of the websites, to compile reports on the website activities and to provide EVENTIM with further services associated with the use of the website and the Internet. For more information on the terms of use and data protection of Google Analytics 360, please visit:

https://support.google.com/analytics/answer/6004245 (https://support.google.com/analytics//answer/6004245)

Google Signals is session data from websites and apps that Google associates with users who are signed in to their Google Account and who have turned on Ads personalisation. The association of this data with these logged-in users is used to enable cross-device remarketing and the export of key cross-device events to Google Ads. Google Signals is a feature of Google Analytics that allows you to view demographic data and aggregated data on user interest and behaviour. Where you have given your consent to the use of cookies, Google will use other information you have provided to Google for other purposes to pass this information on to us anonymously. This may include, but is not limited to, associating such information with the site and/or app-type visit data collected by Google Analytics. The personal data is collected during the ticketing process and is also processed when you visit the website without registration. For more information about Google Signals, please visit support.google.com/analytics/answer/9445345

Google Optimize is used on our website to enhance the attractiveness, content and functionality of our website. By making new functions and content available to a percentage of our users and statistically evaluating changes in usage, we can regularly improve our offering. Cookies are used for these activities, which are linked to a pseudonymous ID. Google will use this information to evaluate your use of our website and to create reports on the optimization test and the associated website activities. The data protection regulations of Google Analytics 360 defined above apply.

You can prevent the collection of information by Google Optimize by preventing the storage of cookies through an appropriate setting in your browser software or by deactivating tracking in the Cookie Settings. Please note, however, that in this case you may not be able to use all the functions of this website to their full extent.

- Google Ads tracking cookies:
On the Websites, information is obtained with the help of Google tracking cookies about the fact that the Website visitor reached the Website after seeing any of our advertisements displayed in the Google system or after clicking on it. Based on the information obtained through tracking cookies, statistics can be made about Website visitors who view or click on our advertisements. Based on content viewed on the Websites, Google is able to display targeted advertisements on the websites of other partners of Google.

 

If you have finished a ticket purchase from us, a cookie is set by Google Ads, Google Analytics 360. If you enter corresponding search terms in Internet search engines after your purchase, individual recommendations for EVENTIM products and services can be displayed to you on the basis of your purchase with the help of this cookie (search engine marketing).

Your personal data is processed in the process We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you would like to object to the data processing by Google Ads, Google Analytics 360, please click on the following link: Cookie Settings In connection with the use of Google Ads, Google Analytics 360, your personal data is transferred to the US. This data transfer is based on EU standard contractual clauses. This ensures an adequate protection of your personal data.

 

For further details on data processing by Google Ads, please refer to the corresponding information on data protection: Google: https://policies.google.com/privacy?hl=de (https://policies.google.com/privacy?hl=de) Google Ads: https://policies.google.com/technologies/ads (https://policies.google.com/technologies/ads) Explanation of Google's use of third party data: https://policies.google.com/technologies

/partner-sites (https://policies.google.com/technologies/partner-sites) 


- Facebook remarketing cookies:
On the Websites we try to get in touch again with previous visitors of the Websites with the help of Facebook remarketing cookies, by showing them advertisement concerning our services. With the help of remarketing cookies, we try to reach those visitors with social media campaign, who have already visited the Websites at least once. More information on facebook cookies is available at: https://www.facebook.com/policies/cookies


- Third party cookies:
In connection with some functions on the Websites, third party services also appear (e.g. a link to the Facebook page of an artist), in particular regarding social media sites (e.g. Facebook, Google+ or Twitter), which may contain third party cookies. The regulation of the use of such third party cookies is not covered by the regulations of the Data Controller; in this regard please see the regulations of third parties. Point II.6. of this Notice explains the use of cookies on the Facebook page of the Data Controller.

 

  • Google tag manager:

The Website uses Google Tag Manager, a tag management application/service provided by Google Inc., which allows you to create, update and manage tags. Tags are small code elements on websites that are used, among other things, to measure traffic and visitor behavior, as well as to determine the impact of online advertising. With the help of Google Tag Manager, you can set the conditions under which the individual code elements are activated. This allows user interactions to be tracked and cookies can also be set and read.  Google Tag Manager does not manage data, but ensures the activation of tags that collect data, e.g. the users’  IP address is managed.  You can find more information about Google Tag Manager at the following link: https://support.google.com/tagmanager/answer/6102821?hl=hu

 

  • Stay 22

Eventim works with the Stay22 (Stay22 Technologies Inc., 917 Mont-Royal Ave E. Montreal QC H2J 1X3, Canada) third party service provider partner network and we use their hotel map plug-in on our website. The hotel card provided by Stay22 is embedded in our webshop. If you follow the included affiliate links and then take advantage of the offers, you may receive affiliate rewards from Stay22. In order to track whether you have taken advantage of the offers, the third party provider needs to know that you have followed the affiliate link used on our website. For the purposes of attribution of the affiliate links mentioned above, affiliate links may be accompanied by certain values that are part of the link or may be stored in some other way, such as a cookie. 

The scope of the data processed: These cookies can be turned off by disabling the setting of targeted cookies in the cookie settings.

Legal basis for processing: your explicit consent in accordance with Article 6. para (1) (a) of the GDPR.

For more information, please visit https://www.stay22.com/privacy  and for information about Stadia Maps Ltd. services, please visit https://stadiamaps.com/privacy/ 

 

 

II.1.1. Description and purpose of data processing With respect to functional, analytical, Google Ads, Facebook remarketing and third party cookies:

The Data Controller uses cookies collectively for identifying the Website visitors or users, administrating the “shopping cart”, tracking the way of browsing of the Websites by the visitors and their preferences, and to enhance Website user experience, as well as to provide content related services on the Websites and the services offered to be provided by the Data Controller on the Websites, as well as to contact the Data Subject with advertisement.

 

Legal basis of data processing Article 6(1)(a) of the GDPR  – consent.Personal data is processed based on the consent of the Website visitor, which can be given by clicking on the “Accept”-button of the pop-up window on the Website; by clicking on “Change Settings” the Website visitor is able to choose among the options on the Cookie settings/policies site.Data Subject agrees that we may contact him or her with our advertisement within the framework of Google Ads or Facebook remarketing campaign. In case of data processing based on consent, the Data Subject is entitled to withdraw his/her consent at any time. 

Scope of the processed data and their source The cookies carry the unique identification number of the computer or device used for visiting the Website (IP address), the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.

Possible consequences of not providing data: website content is not fully displayed.        

Period of data processing Personal data is processed until the end of visiting the Website or until the consent is withdrawn. Cookies placed on the computer or device of the Website visitor will stay there until the user of the computer or device deletes them. The data sent by us and linked to cookies will be automatically deleted by Google after 14 months. The maximum lifetime of Google Analytics cookies is 2 years. In case of Facebook remarketing cookies the period is 180 days.

Data processor and its processing activity Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5 Ireland), Facebook (Meta Ireland Platforms Limited, (székhely: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2) Írország, elérhetőség adatvédelmi kérdésekben: https://www.facebook.com/policy.php

 

II.1.2. Description and purpose of data processing technical cookies: To ensure and provide the content related services on the Website and the services offered to be provided by the Data Controller on the Website (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website).

Legal basis of data processing Article 6(1)(f) of the GDPR – legitimate interest. The legitimate interest: to ensure the provision of the service and to enable the Data Controller to filter the unlawful use or unlawful content from the Website.

Scope of the processed data and their source The cookies carry the unique identification number of the computer or device used for visiting the Website, the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.

Period of data processing Personal data is processed until the end of visiting the Website or until the objection.

 

2. How can you disable placing cookies on your computer or device?


Website visitors can disable placing cookies on their computer or device by adequate browser settings. Further, the visitors of the Website can choose on the “Cookie settings/policies” site of the Website whether the functional, analytical, tracking or third party cookies may be enabled in the course of browsing the Website. The changes can be amended anytime on the ”Cookie settings/policies” site.
However, it should be noted that disabling cookies on the computer or device may result that the user experience will be compromised; in such case, the visitor of the Website may not reach certain elements of the Website in the form as if the placing of cookies had been enabled.
When disabling functional cookies, the Website visitor does not allow among others that we send him or her reminders about the products placed in the shopping cart, or that the Websites remember his or her language preferences etc.
When disabling analytical cookies, the Website visitor does not allow among others that we analyse his or her activity on the Websites in order to display tailored content on the Website, or contact him or her with personalised offers at the contact points provided by him or her (if he or she provided such data, e.g. in the course of registration).
When disabling Google Ads tracking cookies, the Website visitor does not allow cookies to be placed on his computer in connection with advertisements, especially when clicking on advertisements.
When disabling third party cookies, the Website visitor does not allow that third parties, in particular social media sites (e.g. Facebook, Google+ or Twitter) place cookies on his or her computer or device used for visiting the Website.

 

Consent management

In order to obtain data protection-compliant consent for using cookies and services requiring consent on our website, we use the tool of the consent manager provider consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden, website: www.consentmanager.de.

The consent tool records, logs, and saves the website visitor's settings. To ensure that the selected settings can be clearly assigned to the respective website visitor, certain user information (including the IP address) is collected, transmitted, and stored by the consent tool.

For further information, please refer to the privacy policy of consentmanager AB: https://www.consentmanager.de/datenschutz/

Legal basis: Article 6 para. 1 point f of the GDPR (legitimate interest of the Data controller)

 

 


II. 2. FOR THOSE WHO SEND E-MAIL TO THE CORPORATE E-MAIL ADDRESS

 

II.2.1. Description and purpose of data processing Review and reply to unexpected messages sent to the corporate email address info@eventim.hu.       

Legal basis of data processing Article 6(1)(a) of the GDPR - voluntary consent of the data subject. The 

Scope of the processed data and their source Data Controller may receive e-mails, like spam messages, unexpected e-mails, or job applications at the corporate inbox; in which case the Data Controller controls personal data such as the sender’s e-mail address, name, other voluntarily provided personal data based on the voluntary consent of the person sending the e-mail. Possible consequences of not providing the data: it is not possible to contact with Data subject.

Period of data processing Depending on the content of the unsolicited e-mail, the data processing may last until the consent is withdrawn, or it will be erased without further delay (if the e-mail carries unlawful content or if it was sent in error).  

 

 

 

II. 3. PROCESSING OF CONTRACTUAL CONTACT DATA

Description and purpose of data processing The purpose of the data processing is to enable the Data Controller to contact and maintain direct contact with its partners, their employees, contact persons - i.e. the data Subject - in the course of its business activities. 

Legal basis of data processing Pursuant to Article 6 (1) (f) of the GDPR, the legal basis for processing is the legitimate interest of the Data Controller or third party.

Scope of the processed data and their source The Data Controller processes the data of the Data Subjects for the purposes of maintaining contact with the contracting partner. Scope of Data Subjects: name, position, e-mail address, telephone number. Source of the Data: the Data Subject or the Company's business partner, the contracting party. The Company presumes that its Clients and Business Partners have appropriate authorisation or consent from the Data Subject in relation to the provided data originating from the natural person or have given them information about the provision of their personal data.      

Period of data processing the period necessary for the purposes of processing, which may in some cases correspond to the term of a contractual relationship, but not longer than the period until the withdrawal of consent or the period for the exercise of any right of recourse (5 years from the performance of the contract (limitation period) 

 

II. 4. DATA PROCESSING IN RELATION TO THE EXERCISE OF DATA SUBJECT’S RIGHTS

Description and purpose of data processing The Data Controller keeps a record of the exercise of the data subject's rights in order to ensure the principle of accountability under the regulations of the GDPR, to keep a record of the exercise of the data subject's rights in relation to the processing of his or her personal data and to keep documents relating to the exercise of those rights, and to keep a record of the number of times the Data Subject has exercised his or her data subject rights.                                                 

Legal basis of data processing        Pursuant to the Article 6(1)(f) of the GDPR the Legitimate interest of the Controller. The Data Controller has a legitimate interest in being able to justify when and what action it has taken in relation to the Data Subject's requests and thereby complied with the provisions of the GDPR. The Data Controller can demonstrate compliance by keeping separate records in view of the potentially large number of Data Subject’s requests.                       

Scope of the processed data and their source The applicant's personal identification data, the content of the request, and the content of the data subject's exercise of rights record (name of the data subject as the person asserting the right, method and date of receipt of the application, subject of the application, time and method of taking measures restricting or denying the exercise of the data subject's right, as well as its legal and factual reasons, the fact that the data subject's right has been ensured, the date of fulfillment of the Data Subject's request).               

Period of data processing 5 years

 

 

II.5. DATA MANAGEMENT RELATED TO THE WHISTLEBLOWING REPORTING SYSTEM

Description and purpose of data processing We have created an online portal for reporting violation. The whistleblowing system allows you to contact us and report compliance and legal violations without fear of reprisals. Provided that this is legally permissible, violations can be reported without providing personal data. We process personal data to the extent that it is communicated to us to verify a report made through the reporting center and to investigate suspected compliance and violations. We may have additional questions. For this purpose, we communicate through this whistleblowing system. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. However, as part of the whistleblowing reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.

During anonymous communication with us, your IP address and current location are never stored. After submitting the report, the reporter will receive access data to the mailbox of the online portal so that he can continue to communicate with us in a protected manner. In order to achieve the stated purpose, it may also be necessary to transfer personal data to external bodies, such as law firms, criminal or competition authorities within or outside the European Union.

Legal basis of data processing point c) of Article 6 (1) of the GDPR

Scope of the processed data and their source: We process the data that the notifier provides us in connection with the notification.

In addition, we also process the data of the persons named by the person reporting the abuse during the reporting of violations (e.g. the name or position of the person who caused the violation, the name or position of the persons also affected by the violation, a description of the behavior or actions of the person concerned in relation to the reported violation of duty, which may contribute to the for their identification).

Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting abuse, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process whistleblower reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated.

The data controller of the whistleblowing system The whistleblowing online portal is operated by CTS EVENTIM AG &Co. We use it together with KGaA, Contrescarpe 75a, 28195 Bremen, Germany. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us and compliance@eventim.de . at address.

Data processor: Deloitte

 

II.6. DATA PROCESSING RELATED TO THE COMPLIANCE SYSTEM

Description and purpose of data processing EVENTIM Compliance operates an independent, impartial and confidential Compliance reporting system. Employees and third parties, including customers and suppliers, have the opportunity to report potential violations through confidential reporting channels and thus contribute to their clarification.

Legal basis of data processing point c) of Article 6 (1) of the GDPR

Scope of the processed data and their source: the data provided by the Notifier. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. However, as part of the abuse reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.

Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting Compliance case, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process Compliance reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated.

The data controller of the online Compliance reporting portal We use the Compliance system together with the company is CTS Eventim Austria GmbH Compliance Mariahilferstraße 41-43, A-1060 Wien, Österreich. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us or at the following e-mail address compliance@eventim.at 

  • III. DATA PROCESSORS

The Data Controller may share (besides its own competent staff) the personal data with the below companies as data processors for the below purposes:

 

-Operation of software and IT framework 

CTS EVENTIM AG & Co. KgaA

- Hosting provider:
 Perftech d.o.o. : Baragova ulica 7E, 1000 Ljubljana, Slovenia


- Other data transfers:

In case of an exceptional authority request or request of other organizations, if authorized by the law, the Data Controller is obliged to provide information, communicate, transfer data or provide documentation, in particular, the Data Controller may make the personal data of the Data Subject accessible in case of an official request made by the court, the police; infringement of IP rights, property rights or other infringement of law or in case of reasonable suspicion of the above or in case of endangering or violating the Data Controller’s interests or the provision of its Services. In such cases the Data Controller transfers personal data to the requester – in the event it determined the exact purpose and scope of data – only to the extent necessary to achieve the purpose of the request.

- Data transfer to third countries
It may occur that the Data Controller transfers personal data to a service provider seating outside of the European Union, a so called “third country”. In case the personal data is transferred to a third country, the Data Controller guarantees that data transfer is only carried out to a country which is qualified as secure country by the European Commission. The Data Controller requires from all recipients of personal data to take appropriate security measures to protect personal data when transmitted to third countries, by applying the general data protection clause of Article 46 (2) of the GDPR.

- Web Analytics Measurements
Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland),  as an independent, external provider supports the independent measure of the frequency of visits and other web analytical data of the Websites. Detailed information on the data processing can be found at the following link: http://www.google.com/analytics. The Data Controller uses the data provided by Google Analytics solely for statistical purposes and to optimize the operation of the website.

IV. WHAT ARE YOUR RIGHTS RELATED TO THE DATA PROCESSING?

The detailed rights and remedies of the individuals – which include Employees and the people listed in Section 1 – are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Employer provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

In the course of Data processing, the Data Subject is entitled especially to the rights set out in this point.

  • Right to information and access
    • Right to rectification
    • Right to deletion
    • Right to restriction of data processing
    • Right to data portability
    • Right to object
    • Right to withdraw consent

Right to information and access
The Data Subject is entitled to receive information about the facts related to the data processing prior the start of the data processing.
The Data Subject is entitled to request information on his or her personal data and on the processing thereof. The Data Controller provides the opportunity to the Data Subject to receive information on the personal data processed and to receive copy or extract of the documents containing the personal data.
The Data Subject is entitled to receive information as to whom, for which purpose and in what scope his or her personal data processed by the Data Controller have been forwarded.
The Data Controller is obliged to provide information regarding the personal data and the processing thereof. The Data Controller is obliged to provide information in writing and in plain language without undue delay, but within one (1) month from the submission of the request at the latest. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month on the reasons of lack of taking measures, and inform the Data Subject on the possibility of the legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information.

Right to rectification
The Data Subject is entitled to request the rectification and correction of his or her personal data. Furthermore, having regard to the aim of the data processing, he or she is entitled to request the supplementation of the incomplete personal data. The Data Subjects are recommended to review their personal data from time to time in order for the optimal use of the services provided by the Data Controller and if necessary, to contact the Data Controller to clarify their data as described above.
Within five years of the death of the Data Subject the rights of access, rectification, restriction and deletion shall be exercised by the person authorized by the Data Subject in a public document or a private document with full probative value placed at the Data Controller or failing that, close relatives of the Data Subject shall exercise these rights.

Right to deletion
The Data Subject is entitled to request the deletion of his or her personal data:
a) for which the Data Controller does not have the consent or statutory authorization to control (right of objection),
b) that are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
c) regarding which the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing,
d) that have been unlawfully processed,
e) that have to be erased for compliance with a legal obligation.

Right to restriction of data processing
Instead of deletion, the Data Controller restricts the processing of personal data in the following cases:
a) upon the request of the Data Subject, when the Data Subject challenges the accuracy of the personal data; in such case the restriction lasts until the Data Controller verifies the accuracy of the personal data, or
b) when the Data processing is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction on the use of the personal data instead, or
c) when the Data Controller no longer needs the personal data for the purpose of data processing, but the Data Subject requires that for its legal interests, or
d) when the Data Subject has objected to data processing, but it is necessary to determine, whether the legal interests of the Data Controller override those of the Data Subject.

The Data Controller will communicate any rectification or deletion of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller informs the individual about those recipients if he/she so requests.

Right to data portability
The Data Subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and is entitled to transmit those data to another Data Controller.

Right to object
The Data Subject is entitled to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is necessary for reasons of public interest or for carrying out a task falling within the scope the Data Controller’s public powers or for enforcing the legal interests of the Data Controller or a third party. In case of objection, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to filing, enforcing or defence of legal claims.

Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such reason, which includes profiling if it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

The user may object to the data processing based on legitimate interests by sending an e-mail to the Data Controller at dataprotection@eventim.hu. Where the legal basis for the processing is the legitimate interest of the Controller, the Controller has carried out and may continue to carry out the balancing of interests test in accordance with the relevant provisions of the GDPR. The user has the right to view the legitimate interest assessment test prepared in relation to the processing based on legitimate interests, upon request, by sending an e-mail to the Data Controller at dataprotection@eventm.hu or by post.

Right to withdraw consent
The Data Subject may withdraw his or her consent without reasoning given to the data processing at any time. Withdrawal of consent does not affect the legitimacy of the data processing based on consent given prior to withdrawal.

  • V. HOW CAN YOU EXERCISE YOUR RIGHTS?

The Data Subject may submit his or her request for information, correction, deletion or locking to the following e-mail address: dataprotection@eventim.hu.
In case the Data Subject contacts the Data Controller with respect to this Notice, asks questions, makes comments, this information will be retained and used by the Data Controller for the purpose of providing adequate answer.
The Data Controller is obliged to provide information regarding the request for correction, locking or deletion in writing and in plain language without delay, but no later than within one (1) month from the submission of the request. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than one (1) month on the grounds of measures, and inform the Data Subject on the possibility of the legal remedy to turn to the court and the Hungarian National Authority for Data Protection and Freedom of Information.
The Data Controller informs the Data Subject and those to whom personal data has been forwarded for the purposes of data processing on the correction, locking and deletion. The information may be omitted if it does not infringe the rightful interest of the Data Subject taking into consideration the purpose of the data processing.

  • VI. HOW CAN YOU SEEK LEGAL REMEDY?

In case of any disagreement between the Data Subject and the Data Controller in connection with the data processing, it is advisable to contact the responsible personnel of the Data Controller before taking any legal actions.
In order to remedy the violation of his or her rights, the Data Subject is entitled to turn to the courts or to the Hungarian National Authority for Data Protection and Freedom of Information.
When the Data Subject turns to the court, he or she is entitled to initiate a litigation at the competent court within the geographical area in which the Data Subject resides or has his or her habitual residence, instead of the competent court based on the seat of the Data Controller.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Address: 1055 Budapest, Falk Miksa u. 9-11, Hungary
Postal address: 1363 Budapest, Pf.: 9.
Phone number: +36 (1) 391-1400
E-mail address: ugyfelszolgalat@naih.hu
Webpage: www.naih.hu

  • VII. HOW CAN WE UPDATE THIS NOTICE?

The Data Controller reserves the right to modify this Notice in the future at its discretion in particular in case of the change of law, or a change in the applicable data protection practice to ensure that the Notice provides relevant and adequate information about the collecting and processing of the personal data of the Data Subjects.

 

Dated: Budapest, 2025.08.05