Privacy

Edenred Magyarország Korlátolt Felelősségű Társaság [Edenred Hungary Limited] (head office/official mailing address: H–1134 Budapest, Váci út 45. , company registration number: 01-09-266926; electronic contact details: ugyfelszolgalat-hu@edenred.com and dpo.hungary@edenred.com; information related to data processing on the website: https://adatvedelem.edenred.hu/adatkezelesi-tajekoztato/; phone: +36 1 413 3333, represented by: Tamás Szendrő, hereinafter: Programme Manager) in accordance with the related legislative provisions specifying the protection of personal data1, informs the users of its services on the processing of data it applies.

1. Presentation of data processing

The Programme Manager provides services to legal and natural persons (hereinafter referred to as: “Client”), in the scope of which, PPS EU SA, a company registered in Belgium under the no. 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium; hereinafter referred to as: “Issuer”) and the Programme Manager provide to the natural persons specified by the Clients (hereinafter referred to as: “Card Holder”/”Data Subject”) a non-transferable microchip plastic card protected with a PIN code that can be used for paying the full or partial consideration for goods sold or services provided by the Participating Vendor.

The Issuer and the Programme Manager pays prompt attention on the protection of personal data, and for this reason it permanently takes due care to guarantee fair and transparent processing the essential requirement of which is to provide appropriate information on the processing of data. This Data Processing Policy provide information regarding, among others, the processing of personal data in the course of provision of the services of the Issuer and the Programme Manager and data processing for advertising purposes: the source and scope of acquiring the processed data, the legal basis, purpose and term of the data processing, the rights concerning and the options of choice between personal data, and it also includes all the contact details in which the Data Subject can get answers to his questions on the Issuer and the Programme Manager’s practice of data protection.

 

Summary of the processing of data related to the Programme Manager’s service provided to the Client
Data Controller The Programme Manager
The purposes of the processing Performance of the Services included in the Client GTC: administration related to production, crediting and use of the Card
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Data Subject’s surname; Data Subject’s forename; name on card (21 characters at most); date of birth; permanent residence (postal code, town, street, number); mailing address if other than residence (postal code, town, street, number); Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial no. of card; habitual residence in Hungary if Data Subject is a foreigner; workplace of the Data Subject; name, position, phone number and email address of the Client’s representative and contact person
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium).
purpose of data processing: management of card balances, authorisation of card transactions, online balance inquiries, issue and activation of Cards, crediting of e-money allocated for this purpose to the cards, providing access to data (e.g. transaction history, available balance), processing of transactions
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting Services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails concerning the Services (system messages, amendment of the GTC, update of the mobile application)

 

Summaries merely serve the purposes of convenience. Please read the complete information.

 

Summary of the processing of data concerning the Edenred Card Service provided by the Issuer to the Card Holder
Data Controller Issuer
The purposes of the processing The performance of the GTC concluded between the Issuer and the Card Holder[Article 6 (1) (b) of the GDPR]
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Data Subject’s surname; Data Subject’s forename; name on card (21 characters at most); date of birth; permanent residence (postal code, town, street, number); mailing address if other than residence (postal code, town, street, number); Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial no. of card; habitual residence in Hungary if Data Subject is a foreigner; account history; workplace of the Data Subject; Data Subject’s account number
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Card Service
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails concerning the Edenred Card Service (system messages, amendment of the GTC, update of the mobile application)

 

Summaries merely serve the purposes of convenience. Please read the complete information.

Summary of the processing of data by the Issuer concerning the Card Holders’ customer due diligence
Data Controller Issuer
The purposes of the processing Compliance with the obligation to perform customer due diligence and identification regarding the Card Holders
Legal grounds for data processing Compliance with legal obligation [GDPR Article 6 (1) c)] and Sections 7–11 of the AML
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s surname at birth; Data Subject’s forename at birth; Data Subject’s citizenship; Data Subject’s place and date of birth; maiden name of the Data Subject’s mother; Data Subject’s home address (postal code, town, street, number) or in the absence thereof, address of residence (postal code, town, street, number); type of Data Subject’s identification document; number of Data Subject’s identification document; Data Subject’s image; copy of the Data Subject’s documents
Term of data processing 8 years from the termination of the Edenred Card Service
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: assistance in performance of the customer due diligence and identification obligation.
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity

 

Summary of the processing of data related to the Programme Manager’s marketing and advertising activity
Data Controller The Programme Manager is the Data Controller in relation to the data processing related to the Programme Manager’s marketing and advertising activity.
The purposes of the processing Sending marketing and advertising messages to the Card Holder
Legal grounds for data processing The Data Subject’s consent [Article 6 (1) (b) of the GDPR and Section 6(1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities].
The consent may be withdrawn at any time.
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s email address; Data Subject’s mobile phone number
Term of data processing Until the consent is withdrawn
Processors Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for advertising purposes – sending of newsletters

 

 

Definitions used in this Data Processing Policy match the definitions included in the General Terms and Conditions regarding the ordering, delivery and utilization of Edenred Voucher Cards and the Card Holder GTC. For enhancing the interpretation of the Data Processing Policy, we repeat certain definitions in the following:
2.1.1. “Edenred Card“ or “Card” is a non-transferable microchip plastic card protected with a PIN code where the Electronic Money covered by the amount of money having been transferred by the Client in advance, in relation to the given card is recorded, and that can be used for paying the full or partial consideration for goods sold or services rendered by the Participating Vendor. The rules pertaining to the Card shall be implicitly applicable to the Additional Card.
2.1.2. “Edenred Card Service” means the complex service provided by the Issuer to the Card Holder under the Card Holder GTC concerning the placing on the market and use of Edenred Cards and the Card Holder GTC.
2.1.3. “Electronic money” means the amount embodied by the claim against the issuer of the electronic money that is stored electronically – including magnetic storing –, issued against the receipt of funds for the purpose of performing payment transactions provided in the Act on the Pursuit of the Business of Payment Services and, beyond the issuer of the electronic money, also accepted by other natural and legal persons, economic entities without legal personality and individual entrepreneurs. The electronic money qualifies as a non-cash means of payment.
2.1.4. “Authority” means the Hungarian National Authority for Data Protection and Freedom of Information or the Belgian Data Protection Authority (Autorité de la protection des données – Gegevensbeschermingsautoriteit, APD-GBA).
2.1.5. “Card Holder” is a natural person deemed by the Client eligible for using the Card to whom the Card is issued, and who undertakes to comply with the Card Holder GTC.
2.1.6. “Participating Vendor” or “Participating Business” is a natural or legal person accepting the Card from the Card Holders (or Additional Card Holders) in the case of the sale of products or the provision of services, and where the Programme Manager made accepting the Cards technically available, and who placed out the Mastercard or Edenred Acceptance Mark.
2.1.7. “Issuer” is PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium). PPS EU is operating under the supervision of the National Bank of Belgium, and has been authorised by the same to issue electronic money and provide payment services.
2.1.8. “Programme Manager”: Edenred Magyarország Kft. (registered office: H–1134 Budapest, Váci út 45.), the Issuer’s payment intermediary.
2.1.9. “Service” means the complex service provided by the Programme Manager to the Client in relation to the ordering, crediting, delivery and utilisation of the Card in accordance with these GTC.
2.1.10. “Client” is a natural or legal person providing the Edenred Card to the Card Holder.

Data Subjects include the employees (Card Holders) of the employer (Client) ordering the Services of the Programme Owner, and – in case of a respective order – the close relatives of the Card Holders as Additional Card Holders (hereinafter referred to as Data Subject)

4.1 The Programme Owner would acquire the the personal data of the Data Subject not directly from the Data Subject, but, in regard to the characteristics of the Service, from the Data Subject’s employer (Client), concurrently with the ordering by the employer of the card issued by the Programme Owner.

4.2 The Data Subject would activate the Card provided to him by his employer on the website https://myaccount.edenredkartya.hu/#/login, by creating a user account providing the e-mail address or the serial number of the card, or by entering his user account already created by providing his e-mail address and password. In activating/entering, the Data Subject shall not provide personal data regarding the Data Subject provided by the Data Subject’s employer to the Programme Owner, the electronic system applied by the Programme Owner would associate them with the Data Subject. The Data Subject would accept the GTC concerning the Card Holder (hereinafter referred to as: GTC) during the activation/entering, and in this context, he would get information on the data processing by learning the Data Processing Policy being an integral part of the GTC.

4.3 The main purpose of the Edenrend card Pro application is to enable the Card Holders to electronically register their Edenred Cards and to trace their personal expenses. The Data Subject would activate the Card provided to him by his employer in the Edenred card Pro application by creating a user account providing the e-mail address or the serial number of the card, or by entering his user account already created by providing his e-mail address and password. In activating/entering, the Data Subject shall not provide personal data regarding the Data Subject provided by the Data Subject’s employer to the Programme Owner, the electronic system applied by the Programme Owner would associate them with the Data Subject. The Data Subject would accept the GTC concerning the Card Holder during the activation/entering, and in this context, he would get information on the data processing by learning the Data Processing Policy being an integral part of the GTC.

5.1. Tthe legal basis to the data processing strictly essential for providing the Service is the conclusion and performance of the contract in the interest of the Data Subject based on the contract concluded by and between Programme Manager and the Client (Client GTC) regarding the cards ordered for the Data Subject [GDPR Article 6(1)(b)].
5.2. The legal basis of the data processing strictly necessary for the Issuer to perform its Edenred Card Service is the compliance with the Card Holder GTC concluded by and between Programme Manager and the Data Subject: activating the Card, assigning, crediting and using the e-money ordered to this effect to the Card, ensuring the access to data [e.g. account history, available balance], processing of transactions [Article 6(1)(b) of the GDPR]. Should the Data Subject not provide personal data required by the Issuer for providing the Edenred Card Service, the Data Subject will not be able to call upon the services provided by the Issuer and the Programme Manager. The Issuer acts as data controller with regard to the data processing in relation to the GTC concluded by and between the Issuer and the Data Subject.
5.3. The legal basis for data processing by the Issuer in connection with the customer due diligence and customer identification concerning the Card Holders is the compliance with legal obligations [Article 6(1)(c) of the GDPR, Sections 7–11 of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML)]. With respect to data processing connected with the customer due diligence and customer identification, the Issuer shall act as the data controller.
5.4. The legal basis for the Programme Manager for the data processing concerning the sending of advertisement is the Data Subject’s consent [Article 6 (1) (a) of the GDPR and Article 6 (1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities]. The Data Subject may provide his consent to receive advertisement on the Programme Manager’s website or in the Edenred mobile application.

6.1. Data processed for the purposes of complying with the Client GTC, term of the data processing

6.1.1. Programme Manager as data controller processes the following data in order to comply with the Client GTC, i.e. the provision of the Service to the Client:
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• date of birth
• permanent address (zip code, city, name and type of public area, house number)
• mailing address, if different from permanent address (zip code, city, name and type of public area, house number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• in case of foreign Data Subject, the place of residence in Hungary
• Data Subject’s workplace
• Name, position, phone number and email address of the Client’s representative and contact person

6.1.2. Personal data is processed by the Programme Manager as data controller in connection with manufacturing the Card and the administration in connection with crediting and usage of the Card.

6.1.3. The Programme Manager will process the Data Subject’s data until the period required to achieve the purpose of the Client GTC, i.e. for the total duration of the Service and 6 years following its termination (until the limitation period of the possible claims concerning the Service).

6.2. Data processed for the purposes of complying with the Card Holder GTC, term of the data processing

6.2.1. The Issuer processes the following data as data controller in order to comply with the Card Holder GTC i.e. the provision of his Edenred Card Service by the Issuer to the Card Holder:
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• date of birth
• permanent address (zip code, city, name and type of public area, house number)
• mailing address, if different from permanent address (zip code, city, name and type of public area, house number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• data of the transaction
• in case of foreign Data Subject, the place of residence in Hungary
• account history
• Data Subject’s workplace
• Data Subject’s bank account number

6.2.2. The Issuer will process the Data Subject’s data until the period required to achieve the purpose of the Card Holder GTC, i.e. for the total duration of the Service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Card Service).

6.3. Data processed for the purpose of customer due diligence and customer identification, and the term of data processing
6.3.1. The Issuer processes the following data for the purpose of complying with its legal obligations (customer due diligence and customer identification):
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s surname at birth
• Data Subject’s forename at birth
• Data Subject’s citizenship
• Data Subject’s place and date of birth
• Data Subject’s mother’s birth name
• Data Subject’s postal address (failing this, address of residence)
• Type of Data Subject’s identification document
• Number of Data Subject’s identification document
• Data Subject’s image
• Copy of the Data Subject’s documents
6.3.2. The Issuer will process the Data Subject’s data for the period required for the fulfilment of its relevant legal obligations, i.e. for the total duration of the Edenred Card Service and 8 years following its termination.

6.4. Data processed for the purpose of marketing and advertising activity, term of the processing

6.4.1. During the data processing for advertisement purposes, the Programme Manager will send advertisements via phone (text message) or e-mails or push notifications (pop-up messages on mobile phones) to the Data Subject concerning the products of the Programme Manager, the Edenred Group and the Participating Vendors, and on the incidental campaigns, according to the Data Subject’s consent.

6.4.2. For this purpose it processes the following data:
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s email address
• Data Subject’s mobile phone number

6.4.3. The Programme Manager keeps record of the personal data of Data Subjects having made declaration of consent regarding the receipt of advertisements.

6.4.4. For sending advertisement, the Programme Manager keeps on processing the personal data processed per the declaration of consent provided by the Data Subject until revocation. The Data Subject can give his declaration of consent by ticking the relevant checkbox on the Programme Manager’s website or the Edenred mobile application. The Data Subject may revoke his consent at any time via the unsubscribe link at the bottom of the marketing letter sent to the provided e-mail address.

The Issuer and the Programme Manager will transmit and disclose the Data Subject’s data to the members of the Edenred Group 1and its contractual partners2 (including natural persons) in the course and for the purpose of and to the extent required for providing the Service and the Edenred Card Service, in relation to the card use.

7.1. Data Processors belonging to the Issuer and the Programme Manager’s contractual partners employed for complying with the provision of the Service and the Edenred Card Service, and for performing the marketing / promotional activity:

• Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: assistance in performance of the customer due diligence and identification obligation, operation of systems and provision of support in relation to the provision of the Edenred Card Service
• PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium).
purpose of data processing: management of card balances, authorisation of card transactions, online balance inquiries, issue and activation of Cards, crediting of e-money allocated for this purpose to the cards, providing access to data (e.g. transaction history, available balance), processing of transactions
• Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
• Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
• Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
• Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
• The Rocket Science Group LLC d/b/a MailChimp (head office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for marketing purposes – sending of newsletters, sending of information e-mails concerning the Edenred Card Service (system messages, amendment of the GTC, update of the Edenred Mobile application)

The Rocket Science Group LLC d / b / a MailChimp provides adequate safeguards for the transfer of personal data by applying general data protection clauses pursuant to Article 46 (2) (c) of the GDPR.

9.1. The Issuer and the Programme Manager shall delete the Data Subject’s data upon the expiry of the data handling period.

9.2. The Issuer and the Programme Manager will ensure the security of the processed data and takes any measure against unauthorised access, modification, forwarding, disclosure, erasure or destruction, accidental destruction and deterioration, and inaccessibility due to the change of the technology applied, as well as in order to ensure an adequate protection of the Data Subjects’ personal data per the legislation.

9.3. The Issuer and the Programme Manager processes the Data Subject’s data automatically and manually in a computer database applying the measures necessary for maintaining the data security requirements, and it has arranged to have the processing of the Data Subject’s data within a closed system protected by password in any event and saved in a hard disk, and that these systems would be used by those authorised to know the data exclusively in relation to the provision of the service, in a strictly necessary extent.

9.4. Those authorised to know the personal data are the Issuer and the Programme Manager (the Issuer and the Programme Manager’s employees employed in a post that manage matters concerning the card use), the members of the Edenred Group, and the contractual partners of the Issuer and the Programme Manager.

9.5. The Issuer and the Programme Manager ensures to provide complete information about the data protection rules to those authorised to access the data. As a guarantee to data security, the senior executives and employees of the Issuer and the Programme Manager are bound by obligation of confidence and legal liability concerning the personal data learned in this regard.

10.1. At the Data Subject’s request, the Issuer and/or Programme Manager shall provide information on [Article 15 (1) of the GDPR; right to information]:
• which personal data of the Data Subject are processed
• the purposes of the processing
• the categories of recipients to whom the personal data are transferred
• the term of processing
• the Data Subject’s rights and remedies

10.2. Before initiating the procedures regulated in this section, the Data Subject is entitled to call upon the Issuer and/or the Programme Manager with his claim (to be submitted electronically) in order to eliminate his anxieties concerning the data processing and to restore legality. The Issuer and/or the Programme Manager shall examine the claim within a month, makes a decision on whether it is well-founded and informs the Data Subject electronically in writing. If the Issuer and/or the Programme Manager ascertains the grounds for the Data Subject’s claim, restores the legality of data processing or ends the data processing, including further data recording and data transmission. In this case, the Issuer and/or the Programme Manager may no longer process the Data Subject’s personal data unless the Issuer and/or the Programme Manager demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. The Issuer and/or the Programme Manager will communicate the claim and the relevant actions taken, to those to whom he transmitted the data concerned by the claim.

10.3. At the Data Subject’s request, the Issuer and/or the Programme Manager will make available the duplicate copy of the personal data in a commonly used electronic format or any other format chosen by the Data Subject. [Article 15 (3) of the GDPR; right of access, right to be provided copies].
10.4. At the Data Subject’s request, his personal data will be modified, rectified. The Issuer and/or the Programme Manager we also provides possibility to rectify the personal data via the user profile [Article 16 of the GDPR; right of rectification]. The exercise of the Data Subject’s rights to access and the rectification of his personal data, the Data Subject may call upon the Issuer and/or the Programme Manager in an e-mail sent to the addresses adatkezeles-hu@edenred.com or dpo.hungary@edenred.com.
10.5. At the Data Subject’s request, the Issuer and/or the Programme Manager will erase the Data Subject’s personal data. The Issuer and/or the Programme Manager may refuse to comply with the request due to reasons included in Article 17 (3) of the GDPR, e.g. in the case when personal data are required for proposing or vindicating a legal claim, or for the compliance with the obligation per the law of the Union or a member state to be applied to the Issuer and/or the Programme Manager, or out of public interest or for exercising the right of freedom of expression and information. [Article 17 of the GDPR; right of erasure].

10.6. The Data Subject may cancel his declaration of consent to the communication of advertisements may be cancelled at any time without restriction and justification, free of charge, and he may also make a claim regarding the prohibition of receiving advertisements. In this case, the Issuer and the Programme Manager immediately erases the Data Subject’s name and any personal data from the records and will no longer send any advertisement to the Data Subject. This can be achieved by filling a notice of withdrawal either on the post, by sending a letter to the Programme Manager’s head office, or electronically by sending an email to adatkezeles-hu@edenred.com or dpo.hungary@edenred.com, and on the Programme Manager’s website, or in the Edenred mobile application [right of withdrawing the consent]. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10.7. The Data Subject is entitled to request the restriction (blocking) of processing personal data
• should he contest the accuracy of the personal data, he may request the blocking of the data until the Issuer and/or the Programme Manager checks the accuracy of the personal data;
• if processing is unlawful and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
• the Issuer and/or the Programme Manager no longer needs the personal data, but it is required by the Data Subject for the establishment, exercise or defence of legal claims [Article 18 of the GDPR; right to restriction of processing (blocking)].
The Issuer and/or the Programme Manager fulfils the blocking request by storing the personal data separately from the other personal data. Thus for example, in the case of electronic files, it saves them on an external data carrier, or transfers personal data stored on paper in a separate folder. With the exception of storage, the Issuer and/or the Programme Manager will only process such personal data with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Issuer and/or the Programme Manager shall advise the Data Subject in advance about the release of the restriction of processing.

10.8. The Data Subject is entitled to receive his or her personal data in a structured, commonly used and machine-readable format, and has the right to transmit these data to another controller. In addition, at a relevant explicit request, the Issuer and/or the Programme Manager ensures the direct transmission the Data Subject’s data to a Processor specified by the Data Subject. [Article 20 (1) and (2) of the GDPR; right to data portability].

10.9. The Issuer and/or the Programme Manager will inform the Data Subject on the actions taken within one month from receiving the Data Subject’s request. The Issuer and/or the Programme Manager shall inform You within one month from receipt of the request about the reasons of the refusal and about the opportunity of lodging a complaint with the Authority and seeking a judicial remedy.

10.10. The exercise of this right is free of charge. In certain cases the Issuer and/or the Programme Manager may charge a fee based on administrative costs, or refuse to take action on the basis of the application, if the Data Subject requests a copy of his or her data, or if the Data Subject’s application is clearly ungrounded or – especially on account of its repeated nature – exaggerated.

10.11. The Issuer and/or the Programme Manager retains the right to request further information necessary for the confirmation of the Data Subject’s identity, should it have doubts about the identity of the person who submitted the request. Such a case is when the Data Subject exercises his right of requesting a duplicated copy, in which case it is reasonable from the Issuer and/or the Programme Manager to check if the request has come from the authorised person.

10.12. If the Data Subject thinks that the Issuer and/or the Programme Manager offended his right to the protection of personal data, or should the Issuer and/or the Programme Manager perform illegal data processing, the Data Subject may initiate the procedure of the Authority.

10.12.1. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
• postal address: H–1530 Budapest, P.O. box: 5.
• email: ugyfelszolgalat@naih.hu
• telephone number: +36 (1) 391 1400
• website address: www.naih.hu
10.12.2. Contact details of the Belgian Data Protection Authority:
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
• postal address: Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles – Brussels, Belgium
• email: contact@apd-gba.be
• telephone number: +32 2 274 48 00
• website address: https://www.autoriteprotectiondonnees.be/
10.13. Should the Data Subject consider that the Issuer and/or the Programme Manager offended his right to the protection of personal data, he may initiate a legal hearing and may demand the reimbursement of the damage caused to the Data Subject by the illegal processing of his data or by violating the data security, or, in case of the violation of a personality right, the payment of a restitution. In the event of a judicial enforcement, the Data Subject may start the action at the court of his or her residence or habitation.

11.1. Should the Programme Manager modify the GTC with an influence on the Data Processing Policy, it shall place an appropriate announcement on the website and shall send the modified policy to the e-mail address provided by the Data Subject so that the Data Subject may study it.

11.2. Where the Issuer and/or the Programme Manager intends to further process the personal data for a purpose other than that for which the personal data were obtained, it will provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.

11.3. The Issuer and/or the Programme Manager shall inform the data subject at the latest on the first occasion of disclosing the data also to other recipient(s).

Effective from: 1 November 2021

Data Processing Policy

Edenred Magyarország Korlátolt Felelősségű Társaság [Edenred Hungary Limited] (head office/official mailing address: H–1134 Budapest, Váci út 45. , company registration number: 01-09-266926; electronic contact details: ugyfelszolgalat-hu@edenred.com and dpo.hungary@edenred.com; information related to data processing on the website: https://adatvedelem.edenred.hu/adatkezelesi-tajekoztato/; phone: +36 1 413 3333, represented by: Tamás Szendrő, hereinafter: Programme Manager) in accordance with the related legislative provisions specifying the protection of personal data1, informs the users of its services on the processing of data it applies.

I. Presentation of data processing

1. Presentation of data processing

The Programme Manager provides services to legal and natural persons (hereinafter referred to as: “Client”), in the scope of which, PPS EU SA, a company registered in Belgium under the no. 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium; hereinafter referred to as: “Issuer”) and the Programme Manager provide to the natural persons specified by the Clients (hereinafter referred to as: “Card Holder”/”Data Subject”) a non-transferable microchip plastic card protected with a PIN code that can be used for paying the full or partial consideration for goods sold or services provided by the Participating Vendor.

The Issuer and the Programme Manager pays prompt attention on the protection of personal data, and for this reason it permanently takes due care to guarantee fair and transparent processing the essential requirement of which is to provide appropriate information on the processing of data. This Data Processing Policy provide information regarding, among others, the processing of personal data in the course of provision of the services of the Issuer and the Programme Manager and data processing for advertising purposes: the source and scope of acquiring the processed data, the legal basis, purpose and term of the data processing, the rights concerning and the options of choice between personal data, and it also includes all the contact details in which the Data Subject can get answers to his questions on the Issuer and the Programme Manager’s practice of data protection.

 

Summary of the processing of data related to the Programme Manager’s service provided to the Client
Data Controller The Programme Manager
The purposes of the processing Performance of the Services included in the Client GTC: administration related to production, crediting and use of the Card
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Data Subject’s surname; Data Subject’s forename; name on card (21 characters at most); date of birth; permanent residence (postal code, town, street, number); mailing address if other than residence (postal code, town, street, number); Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial no. of card; habitual residence in Hungary if Data Subject is a foreigner; workplace of the Data Subject; name, position, phone number and email address of the Client’s representative and contact person
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium).
purpose of data processing: management of card balances, authorisation of card transactions, online balance inquiries, issue and activation of Cards, crediting of e-money allocated for this purpose to the cards, providing access to data (e.g. transaction history, available balance), processing of transactions
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting Services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails concerning the Services (system messages, amendment of the GTC, update of the mobile application)

 

Summaries merely serve the purposes of convenience. Please read the complete information.

 

Summary of the processing of data concerning the Edenred Card Service provided by the Issuer to the Card Holder
Data Controller Issuer
The purposes of the processing The performance of the GTC concluded between the Issuer and the Card Holder[Article 6 (1) (b) of the GDPR]
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Data Subject’s surname; Data Subject’s forename; name on card (21 characters at most); date of birth; permanent residence (postal code, town, street, number); mailing address if other than residence (postal code, town, street, number); Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial no. of card; habitual residence in Hungary if Data Subject is a foreigner; account history; workplace of the Data Subject; Data Subject’s account number
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Card Service
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails concerning the Edenred Card Service (system messages, amendment of the GTC, update of the mobile application)

 

Summaries merely serve the purposes of convenience. Please read the complete information.

Summary of the processing of data by the Issuer concerning the Card Holders’ customer due diligence
Data Controller Issuer
The purposes of the processing Compliance with the obligation to perform customer due diligence and identification regarding the Card Holders
Legal grounds for data processing Compliance with legal obligation [GDPR Article 6 (1) c)] and Sections 7–11 of the AML
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s surname at birth; Data Subject’s forename at birth; Data Subject’s citizenship; Data Subject’s place and date of birth; maiden name of the Data Subject’s mother; Data Subject’s home address (postal code, town, street, number) or in the absence thereof, address of residence (postal code, town, street, number); type of Data Subject’s identification document; number of Data Subject’s identification document; Data Subject’s image; copy of the Data Subject’s documents
Term of data processing 8 years from the termination of the Edenred Card Service
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: assistance in performance of the customer due diligence and identification obligation.
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity

 

Summary of the processing of data related to the Programme Manager’s marketing and advertising activity
Data Controller The Programme Manager is the Data Controller in relation to the data processing related to the Programme Manager’s marketing and advertising activity.
The purposes of the processing Sending marketing and advertising messages to the Card Holder
Legal grounds for data processing The Data Subject’s consent [Article 6 (1) (b) of the GDPR and Section 6(1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities].
The consent may be withdrawn at any time.
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s email address; Data Subject’s mobile phone number
Term of data processing Until the consent is withdrawn
Processors Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for advertising purposes – sending of newsletters

 

 

II. Definitions

Definitions used in this Data Processing Policy match the definitions included in the General Terms and Conditions regarding the ordering, delivery and utilization of Edenred Voucher Cards and the Card Holder GTC. For enhancing the interpretation of the Data Processing Policy, we repeat certain definitions in the following:
2.1.1. “Edenred Card“ or “Card” is a non-transferable microchip plastic card protected with a PIN code where the Electronic Money covered by the amount of money having been transferred by the Client in advance, in relation to the given card is recorded, and that can be used for paying the full or partial consideration for goods sold or services rendered by the Participating Vendor. The rules pertaining to the Card shall be implicitly applicable to the Additional Card.
2.1.2. “Edenred Card Service” means the complex service provided by the Issuer to the Card Holder under the Card Holder GTC concerning the placing on the market and use of Edenred Cards and the Card Holder GTC.
2.1.3. “Electronic money” means the amount embodied by the claim against the issuer of the electronic money that is stored electronically – including magnetic storing –, issued against the receipt of funds for the purpose of performing payment transactions provided in the Act on the Pursuit of the Business of Payment Services and, beyond the issuer of the electronic money, also accepted by other natural and legal persons, economic entities without legal personality and individual entrepreneurs. The electronic money qualifies as a non-cash means of payment.
2.1.4. “Authority” means the Hungarian National Authority for Data Protection and Freedom of Information or the Belgian Data Protection Authority (Autorité de la protection des données – Gegevensbeschermingsautoriteit, APD-GBA).
2.1.5. “Card Holder” is a natural person deemed by the Client eligible for using the Card to whom the Card is issued, and who undertakes to comply with the Card Holder GTC.
2.1.6. “Participating Vendor” or “Participating Business” is a natural or legal person accepting the Card from the Card Holders (or Additional Card Holders) in the case of the sale of products or the provision of services, and where the Programme Manager made accepting the Cards technically available, and who placed out the Mastercard or Edenred Acceptance Mark.
2.1.7. “Issuer” is PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium). PPS EU is operating under the supervision of the National Bank of Belgium, and has been authorised by the same to issue electronic money and provide payment services.
2.1.8. “Programme Manager”: Edenred Magyarország Kft. (registered office: H–1134 Budapest, Váci út 45.), the Issuer’s payment intermediary.
2.1.9. “Service” means the complex service provided by the Programme Manager to the Client in relation to the ordering, crediting, delivery and utilisation of the Card in accordance with these GTC.
2.1.10. “Client” is a natural or legal person providing the Edenred Card to the Card Holder.

III. Data Subject

Data Subjects include the employees (Card Holders) of the employer (Client) ordering the Services of the Programme Owner, and – in case of a respective order – the close relatives of the Card Holders as Additional Card Holders (hereinafter referred to as Data Subject)

IV. Sources of the acquisition of personal data by the Programme Owner

4.1 The Programme Owner would acquire the the personal data of the Data Subject not directly from the Data Subject, but, in regard to the characteristics of the Service, from the Data Subject’s employer (Client), concurrently with the ordering by the employer of the card issued by the Programme Owner.

4.2 The Data Subject would activate the Card provided to him by his employer on the website https://myaccount.edenredkartya.hu/#/login, by creating a user account providing the e-mail address or the serial number of the card, or by entering his user account already created by providing his e-mail address and password. In activating/entering, the Data Subject shall not provide personal data regarding the Data Subject provided by the Data Subject’s employer to the Programme Owner, the electronic system applied by the Programme Owner would associate them with the Data Subject. The Data Subject would accept the GTC concerning the Card Holder (hereinafter referred to as: GTC) during the activation/entering, and in this context, he would get information on the data processing by learning the Data Processing Policy being an integral part of the GTC.

4.3 The main purpose of the Edenrend card Pro application is to enable the Card Holders to electronically register their Edenred Cards and to trace their personal expenses. The Data Subject would activate the Card provided to him by his employer in the Edenred card Pro application by creating a user account providing the e-mail address or the serial number of the card, or by entering his user account already created by providing his e-mail address and password. In activating/entering, the Data Subject shall not provide personal data regarding the Data Subject provided by the Data Subject’s employer to the Programme Owner, the electronic system applied by the Programme Owner would associate them with the Data Subject. The Data Subject would accept the GTC concerning the Card Holder during the activation/entering, and in this context, he would get information on the data processing by learning the Data Processing Policy being an integral part of the GTC.

5.1. Tthe legal basis to the data processing strictly essential for providing the Service is the conclusion and performance of the contract in the interest of the Data Subject based on the contract concluded by and between Programme Manager and the Client (Client GTC) regarding the cards ordered for the Data Subject [GDPR Article 6(1)(b)].
5.2. The legal basis of the data processing strictly necessary for the Issuer to perform its Edenred Card Service is the compliance with the Card Holder GTC concluded by and between Programme Manager and the Data Subject: activating the Card, assigning, crediting and using the e-money ordered to this effect to the Card, ensuring the access to data [e.g. account history, available balance], processing of transactions [Article 6(1)(b) of the GDPR]. Should the Data Subject not provide personal data required by the Issuer for providing the Edenred Card Service, the Data Subject will not be able to call upon the services provided by the Issuer and the Programme Manager. The Issuer acts as data controller with regard to the data processing in relation to the GTC concluded by and between the Issuer and the Data Subject.
5.3. The legal basis for data processing by the Issuer in connection with the customer due diligence and customer identification concerning the Card Holders is the compliance with legal obligations [Article 6(1)(c) of the GDPR, Sections 7–11 of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML)]. With respect to data processing connected with the customer due diligence and customer identification, the Issuer shall act as the data controller.
5.4. The legal basis for the Programme Manager for the data processing concerning the sending of advertisement is the Data Subject’s consent [Article 6 (1) (a) of the GDPR and Article 6 (1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities]. The Data Subject may provide his consent to receive advertisement on the Programme Manager’s website or in the Edenred mobile application.

VI. The purpose of the data processing, the scope of data processed, the term of data processing

6.1. Data processed for the purposes of complying with the Client GTC, term of the data processing

6.1.1. Programme Manager as data controller processes the following data in order to comply with the Client GTC, i.e. the provision of the Service to the Client:
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• date of birth
• permanent address (zip code, city, name and type of public area, house number)
• mailing address, if different from permanent address (zip code, city, name and type of public area, house number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• in case of foreign Data Subject, the place of residence in Hungary
• Data Subject’s workplace
• Name, position, phone number and email address of the Client’s representative and contact person

6.1.2. Personal data is processed by the Programme Manager as data controller in connection with manufacturing the Card and the administration in connection with crediting and usage of the Card.

6.1.3. The Programme Manager will process the Data Subject’s data until the period required to achieve the purpose of the Client GTC, i.e. for the total duration of the Service and 6 years following its termination (until the limitation period of the possible claims concerning the Service).

6.2. Data processed for the purposes of complying with the Card Holder GTC, term of the data processing

6.2.1. The Issuer processes the following data as data controller in order to comply with the Card Holder GTC i.e. the provision of his Edenred Card Service by the Issuer to the Card Holder:
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• date of birth
• permanent address (zip code, city, name and type of public area, house number)
• mailing address, if different from permanent address (zip code, city, name and type of public area, house number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• data of the transaction
• in case of foreign Data Subject, the place of residence in Hungary
• account history
• Data Subject’s workplace
• Data Subject’s bank account number

6.2.2. The Issuer will process the Data Subject’s data until the period required to achieve the purpose of the Card Holder GTC, i.e. for the total duration of the Service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Card Service).

6.3. Data processed for the purpose of customer due diligence and customer identification, and the term of data processing
6.3.1. The Issuer processes the following data for the purpose of complying with its legal obligations (customer due diligence and customer identification):
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s surname at birth
• Data Subject’s forename at birth
• Data Subject’s citizenship
• Data Subject’s place and date of birth
• Data Subject’s mother’s birth name
• Data Subject’s postal address (failing this, address of residence)
• Type of Data Subject’s identification document
• Number of Data Subject’s identification document
• Data Subject’s image
• Copy of the Data Subject’s documents
6.3.2. The Issuer will process the Data Subject’s data for the period required for the fulfilment of its relevant legal obligations, i.e. for the total duration of the Edenred Card Service and 8 years following its termination.

6.4. Data processed for the purpose of marketing and advertising activity, term of the processing

6.4.1. During the data processing for advertisement purposes, the Programme Manager will send advertisements via phone (text message) or e-mails or push notifications (pop-up messages on mobile phones) to the Data Subject concerning the products of the Programme Manager, the Edenred Group and the Participating Vendors, and on the incidental campaigns, according to the Data Subject’s consent.

6.4.2. For this purpose it processes the following data:
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s email address
• Data Subject’s mobile phone number

6.4.3. The Programme Manager keeps record of the personal data of Data Subjects having made declaration of consent regarding the receipt of advertisements.

6.4.4. For sending advertisement, the Programme Manager keeps on processing the personal data processed per the declaration of consent provided by the Data Subject until revocation. The Data Subject can give his declaration of consent by ticking the relevant checkbox on the Programme Manager’s website or the Edenred mobile application. The Data Subject may revoke his consent at any time via the unsubscribe link at the bottom of the marketing letter sent to the provided e-mail address.

VII. Data processing

The Issuer and the Programme Manager will transmit and disclose the Data Subject’s data to the members of the Edenred Group 1and its contractual partners2 (including natural persons) in the course and for the purpose of and to the extent required for providing the Service and the Edenred Card Service, in relation to the card use.

7.1. Data Processors belonging to the Issuer and the Programme Manager’s contractual partners employed for complying with the provision of the Service and the Edenred Card Service, and for performing the marketing / promotional activity:

• Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: assistance in performance of the customer due diligence and identification obligation, operation of systems and provision of support in relation to the provision of the Edenred Card Service
• PPS EU SA, a company registered in Belgium under the number 0712.775.202 (1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium).
purpose of data processing: management of card balances, authorisation of card transactions, online balance inquiries, issue and activation of Cards, crediting of e-money allocated for this purpose to the cards, providing access to data (e.g. transaction history, available balance), processing of transactions
• Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
• Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
• Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
• Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
• The Rocket Science Group LLC d/b/a MailChimp (head office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for marketing purposes – sending of newsletters, sending of information e-mails concerning the Edenred Card Service (system messages, amendment of the GTC, update of the Edenred Mobile application)

VIII. Data transfer to third country

The Rocket Science Group LLC d / b / a MailChimp provides adequate safeguards for the transfer of personal data by applying general data protection clauses pursuant to Article 46 (2) (c) of the GDPR.

IX. Data security, persons authorized to know the data

9.1. The Issuer and the Programme Manager shall delete the Data Subject’s data upon the expiry of the data handling period.

9.2. The Issuer and the Programme Manager will ensure the security of the processed data and takes any measure against unauthorised access, modification, forwarding, disclosure, erasure or destruction, accidental destruction and deterioration, and inaccessibility due to the change of the technology applied, as well as in order to ensure an adequate protection of the Data Subjects’ personal data per the legislation.

9.3. The Issuer and the Programme Manager processes the Data Subject’s data automatically and manually in a computer database applying the measures necessary for maintaining the data security requirements, and it has arranged to have the processing of the Data Subject’s data within a closed system protected by password in any event and saved in a hard disk, and that these systems would be used by those authorised to know the data exclusively in relation to the provision of the service, in a strictly necessary extent.

9.4. Those authorised to know the personal data are the Issuer and the Programme Manager (the Issuer and the Programme Manager’s employees employed in a post that manage matters concerning the card use), the members of the Edenred Group, and the contractual partners of the Issuer and the Programme Manager.

9.5. The Issuer and the Programme Manager ensures to provide complete information about the data protection rules to those authorised to access the data. As a guarantee to data security, the senior executives and employees of the Issuer and the Programme Manager are bound by obligation of confidence and legal liability concerning the personal data learned in this regard.

10.1. At the Data Subject’s request, the Issuer and/or Programme Manager shall provide information on [Article 15 (1) of the GDPR; right to information]:
• which personal data of the Data Subject are processed
• the purposes of the processing
• the categories of recipients to whom the personal data are transferred
• the term of processing
• the Data Subject’s rights and remedies

10.2. Before initiating the procedures regulated in this section, the Data Subject is entitled to call upon the Issuer and/or the Programme Manager with his claim (to be submitted electronically) in order to eliminate his anxieties concerning the data processing and to restore legality. The Issuer and/or the Programme Manager shall examine the claim within a month, makes a decision on whether it is well-founded and informs the Data Subject electronically in writing. If the Issuer and/or the Programme Manager ascertains the grounds for the Data Subject’s claim, restores the legality of data processing or ends the data processing, including further data recording and data transmission. In this case, the Issuer and/or the Programme Manager may no longer process the Data Subject’s personal data unless the Issuer and/or the Programme Manager demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. The Issuer and/or the Programme Manager will communicate the claim and the relevant actions taken, to those to whom he transmitted the data concerned by the claim.

10.3. At the Data Subject’s request, the Issuer and/or the Programme Manager will make available the duplicate copy of the personal data in a commonly used electronic format or any other format chosen by the Data Subject. [Article 15 (3) of the GDPR; right of access, right to be provided copies].
10.4. At the Data Subject’s request, his personal data will be modified, rectified. The Issuer and/or the Programme Manager we also provides possibility to rectify the personal data via the user profile [Article 16 of the GDPR; right of rectification]. The exercise of the Data Subject’s rights to access and the rectification of his personal data, the Data Subject may call upon the Issuer and/or the Programme Manager in an e-mail sent to the addresses adatkezeles-hu@edenred.com or dpo.hungary@edenred.com.
10.5. At the Data Subject’s request, the Issuer and/or the Programme Manager will erase the Data Subject’s personal data. The Issuer and/or the Programme Manager may refuse to comply with the request due to reasons included in Article 17 (3) of the GDPR, e.g. in the case when personal data are required for proposing or vindicating a legal claim, or for the compliance with the obligation per the law of the Union or a member state to be applied to the Issuer and/or the Programme Manager, or out of public interest or for exercising the right of freedom of expression and information. [Article 17 of the GDPR; right of erasure].

10.6. The Data Subject may cancel his declaration of consent to the communication of advertisements may be cancelled at any time without restriction and justification, free of charge, and he may also make a claim regarding the prohibition of receiving advertisements. In this case, the Issuer and the Programme Manager immediately erases the Data Subject’s name and any personal data from the records and will no longer send any advertisement to the Data Subject. This can be achieved by filling a notice of withdrawal either on the post, by sending a letter to the Programme Manager’s head office, or electronically by sending an email to adatkezeles-hu@edenred.com or dpo.hungary@edenred.com, and on the Programme Manager’s website, or in the Edenred mobile application [right of withdrawing the consent]. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10.7. The Data Subject is entitled to request the restriction (blocking) of processing personal data
• should he contest the accuracy of the personal data, he may request the blocking of the data until the Issuer and/or the Programme Manager checks the accuracy of the personal data;
• if processing is unlawful and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
• the Issuer and/or the Programme Manager no longer needs the personal data, but it is required by the Data Subject for the establishment, exercise or defence of legal claims [Article 18 of the GDPR; right to restriction of processing (blocking)].
The Issuer and/or the Programme Manager fulfils the blocking request by storing the personal data separately from the other personal data. Thus for example, in the case of electronic files, it saves them on an external data carrier, or transfers personal data stored on paper in a separate folder. With the exception of storage, the Issuer and/or the Programme Manager will only process such personal data with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Issuer and/or the Programme Manager shall advise the Data Subject in advance about the release of the restriction of processing.

10.8. The Data Subject is entitled to receive his or her personal data in a structured, commonly used and machine-readable format, and has the right to transmit these data to another controller. In addition, at a relevant explicit request, the Issuer and/or the Programme Manager ensures the direct transmission the Data Subject’s data to a Processor specified by the Data Subject. [Article 20 (1) and (2) of the GDPR; right to data portability].

10.9. The Issuer and/or the Programme Manager will inform the Data Subject on the actions taken within one month from receiving the Data Subject’s request. The Issuer and/or the Programme Manager shall inform You within one month from receipt of the request about the reasons of the refusal and about the opportunity of lodging a complaint with the Authority and seeking a judicial remedy.

10.10. The exercise of this right is free of charge. In certain cases the Issuer and/or the Programme Manager may charge a fee based on administrative costs, or refuse to take action on the basis of the application, if the Data Subject requests a copy of his or her data, or if the Data Subject’s application is clearly ungrounded or – especially on account of its repeated nature – exaggerated.

10.11. The Issuer and/or the Programme Manager retains the right to request further information necessary for the confirmation of the Data Subject’s identity, should it have doubts about the identity of the person who submitted the request. Such a case is when the Data Subject exercises his right of requesting a duplicated copy, in which case it is reasonable from the Issuer and/or the Programme Manager to check if the request has come from the authorised person.

10.12. If the Data Subject thinks that the Issuer and/or the Programme Manager offended his right to the protection of personal data, or should the Issuer and/or the Programme Manager perform illegal data processing, the Data Subject may initiate the procedure of the Authority.

10.12.1. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
• postal address: H–1530 Budapest, P.O. box: 5.
• email: ugyfelszolgalat@naih.hu
• telephone number: +36 (1) 391 1400
• website address: www.naih.hu
10.12.2. Contact details of the Belgian Data Protection Authority:
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
• postal address: Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles – Brussels, Belgium
• email: contact@apd-gba.be
• telephone number: +32 2 274 48 00
• website address: https://www.autoriteprotectiondonnees.be/
10.13. Should the Data Subject consider that the Issuer and/or the Programme Manager offended his right to the protection of personal data, he may initiate a legal hearing and may demand the reimbursement of the damage caused to the Data Subject by the illegal processing of his data or by violating the data security, or, in case of the violation of a personality right, the payment of a restitution. In the event of a judicial enforcement, the Data Subject may start the action at the court of his or her residence or habitation.

XI. Miscellaneous provisions

11.1. Should the Programme Manager modify the GTC with an influence on the Data Processing Policy, it shall place an appropriate announcement on the website and shall send the modified policy to the e-mail address provided by the Data Subject so that the Data Subject may study it.

11.2. Where the Issuer and/or the Programme Manager intends to further process the personal data for a purpose other than that for which the personal data were obtained, it will provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.

11.3. The Issuer and/or the Programme Manager shall inform the data subject at the latest on the first occasion of disclosing the data also to other recipient(s).

Effective from: 1 November 2021