Privacy and Security
3. Service Provider is committed to protecting Customers’ privacy and considers it of paramount importance to respect Customers’ right of informational self determination. Service Provider treats personal data confidentially and uses industry standard efforts to safeguard the confidentiality of data.
• Act CXII of 2011 on the Right of Informational Self Determination and on Freedom of Information (hereinafter referred to as Privacy Act);
• Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services (E Commerce Act);
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Business Advertising Act).
5. Service Provider will only use personal information indispensable to provide the Services requested with the consent of those involved.
6. The Company undertakes that, before collecting, recording or managing any personal data of its Customers, it will publish clear and unambiguous statements that draw Customers' attention and inform them of the ways data is recorded, their purpose and principles. In addition, in cases when recording, including or handling any data is not made compulsory by some rule or regulation, Company will inform Customers that providing information is voluntary. If providing personal data is compulsory by law, the relevant rules and regulations must also be indicated. Those involved must also be informed of the purposes of data collection and by whom the data will be managed and used.
7. If the Company intends to use the provided personal data for any purpose other than that for which it was originally provided, Company must inform Customer and obtain Customer’s express, prior consent and make it possible for Customer to prohibit such use.
8. Service Provider will comply with all restrictions specified by the relevant rules and regulations when collecting, recording or managing any personal data and will provide information on its activities, if so required by any persons affected, by email. The Company undertakes that it shall not enforce any sanctions against Customers who refuse to disclose information if it is not compulsory.
III. Legal basis of data processing
1. Personal data may be processed when the data subject has given their consent or when processing is decreed by law or by a local authority’s bye-law, based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest. The legal basis of data processing, in accordance with paragraph 1a of Section 5 of Act CXII of 2011 on the Right of Informational Self Determination and on Freedom of Information (Privacy Act), is the voluntary consent of the data subject and those included in Section 13 of Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services.
2. Where personal data is recorded under the data subject’s consent, the controller shall – unless otherwise provided for by law – be able to process the data recorded where this is necessary:
a) for compliance with a legal obligation pertaining to the controller, or
b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data, without the data subject’s further consent, or after the data subject has withdrawn his consent.
IV. Purpose of data processing, scope of processed data, time limit of data processing and those entitled to access data
1. Data processing of Service Provider’s Services is based on voluntary consent but in certain cases the processing, storing and transferring of a certain scope of data is compulsory by law. Service Provider shall not use personal data for purposes other than specified.
2. Purchasing Tickets and other products
Data processing is based on Customer’s voluntary consent which, in case of purchasing Tickets, is needed to use the website’s Ticket sales Service. The declaration contains the Customer's expressed consent for the use of their personal details provided during the use of the website. The legal basis of data processing, in accordance with paragraph 1a of Section 5 of Act CXII of 2011 on the Right of Informational Self Determination and on Freedom of Information (Privacy Act), is the voluntary consent of the data subject and those included in Paragraph 2 of Section 169 of Act C of 2000 on Accounting.
The purpose of data processing is to provide the Ticket sales Services at the website, such as orders, any relevant Services, documentation of shopping and payment and compliance with the requirements on accounting. Managed data: first and last name, phone number, email address, password entered at pre registration, if delivery is requested the specified delivery address, billing address, transaction number, transaction date and time, contents of receipt, customer number, InterTicket card number, in case of a VAT invoice: name, address and tax number. The time limit for the retention of data is 8 years.
If a password is chosen at pre registration, Customers need to provide their details only once and they can check their previous orders. Service Provider will manage the given details until the Customer prohibits such use by opting out. Data that may be provided the Customer: email address, phone number, name, place of residence, address, place and time of birth, product category used in Customer’s orders, date of purchase, payment methods used by Customer, amounts of purchases made by Customer.
5. Other data management
We provide information on data management not specified in this document at the time of the registration of such data. Please note that the court, prosecutor, investigating authority, offense authority, administrative authority, the data protection commissioner, as well as other bodies under the authorization of the legislation may request the manager of the data to provide information, provide and transfer data, and provide documents. Service Provider shall only disclose personal information to the authorities – if the authority has specified the exact purpose and the scope of data – to the extent necessary for the purposes of the request.
6. Data manager shall not check the provided personal information. The person providing the information will be solely responsible for the compliance of the provided information. When Customers provide their email address, they assume responsibility that only they will use the Service from this email address. In this respect the person who registers the email address will be responsible for every login used with the given email address. If Customer is not providing their own personal data, Customer has the duty to obtain consent from the affected person.
7. People in the employment of or in contractual relationship with Service Provider, as well as the employees of the courier company arranging the delivery of the products will be entitled to get to know the personal data.
V. Forwarding data
1. Service Provider will only transfer personal information to third parties in case of Customer’s prior and expressed consent. This does not apply to any mandatory transfers required by law.
2. By using the Service, Customer agrees to Service Provider forwarding the data to the organizer of the given Event so that the organizer is able to inform the Customer directly and without delay if the Event is cancelled or rescheduled, or of any important circumstances that may affect the viewer, and so that the Event organizer can refund or replace the Tickets directly.
3. The Company as Data controller is entitled to and must forward all personal data that is available and lawfully stored to the relevant authorities if so ordered by a law or an enforceable order of an authority. Data controller cannot be held responsible for such data forwarding or any resulting consequences.
VI. Security measures
1. With regard to processing and handling personal data Service Provider will act with the greatest possible diligence. Service Provider uses the reasonably achievable, most effective cutting edge tools and procedures in the field of security Services.
2. Data controller shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects.
3. Controllers, and within their sphere of competence, data processors must implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of the Privacy Act and other regulations concerning confidentiality and security of data processing.
4. Service Provider will employ technical, structural and organizational measures to protect the security of data management that provide a level of security appropriate to the risks arising in connection with data management.
5. Both Service Provider's IT System and network are protected against computer assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as against computer viruses, cyber intrusions and attacks leading to denial of service. Service Provider uses server level and application level protection features to ensure security.
6. Electronic messages transmitted via the Internet are vulnerable to network threats irrespective of protocol (email, web, ftp, etc.) which may result in fraudulent activity or disclosure or modification of information. Service Provider shall take all reasonable precautions to protect from such threats. Service Provider shall monitor the Systems in order to record any security deviation and to provide proof in case of all security events. However, the Internet is commonly – therefore, also to the User – known to be not one hundred percent secure. Service Provider shall not be responsible for damages caused by inevitable attacks despite its best efforts.
VII. Rights of data subjects; enforcement; objecting to the processing of personal data; judicial remedy and compensation
1. Requests for changes in personal details or for deleting personal details can be sent from the registered email address or by post, via a written, fully conclusive private document expressing such request. Certain personal data can also be modified using the website’s personal profile page. Following the fulfilment of a request for the deletion or modification of personal data, the earlier (deleted) data can no longer be restored.
Users may request information on their personal data being processed. Data controller will only consider such a request sent by email valid if the request is sent from the User's registered email address. Upon the data subject’s request the data controller shall provide information concerning the data relating to User, including those processed by a data processor on its behalf or according to their notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and the conditions and effects of the data incident and measures taken with a view to eliminate them and – in case of data transfer – the legal basis and the recipients. Requests to provide information by email must be sent to firstname.lastname@example.org. Service Provider must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within no more than 30 days.
The information prescribed in Subsection (4) shall be provided free of charge for any category of data once a year. Additional information concerning the same category of data may be subject to a charge. Where any payment is made in connection with data that was processed unlawfully, or the request led to rectification, it shall be refunded.
The data controller may refuse to provide information to the data subject in the cases defined in the Privacy Act. Should a request for information be denied, the data controller should inform the data subject in writing as to the provision of this Act serving as grounds for refusal. Where information is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as Authority). Data controllers shall notify the Authority of refused requests once a year, by 31 January of the following year.
2. The data subject may request from the data controller the rectification of his personal data, and the deletion or blocking of his personal data, except for where processing is rendered mandatory.
3. With a view to verifying legitimacy of data transfer and for the information of the data subject, the data controller shall maintain a transmission log, showing the date and time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
4. Where personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the data controller shall rectify the personal data in question.
5. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.
6. If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing or, on the consent of the data subject, electronically within thirty days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.
7. Prior to data processing being initiated the data subject shall be informed whether his consent is required or processing is mandatory.
8. The data subject shall have the right to object to the processing of data relating to him:
a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
In the event of objection, the controller shall investigate the cause of objection within the shortest possible time within a 15 day time period, adopt a decision as to merits and notify the data subject in writing of its decision.
If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
If the data subject disagrees with the decision taken by the controller, or if the controller fails to meet the deadline, the data subject shall have the right under Section 22 of the Privacy Act to turn to court within 30 days of the date of delivery of the decision or from the last day of the time limit.
If data that are necessary to assert the data recipient’s rights are withheld owing to the data subject’s objection, the data recipient shall have the right under Section 22 of the Privacy Act to turn to court against the controller within 15 days from the date the decision is delivered in order to obtain the data. The controller is authorised to summon the data subject to court.
If the data controller fails to send notice, the data recipient shall have the right to request information from the controller concerning the circumstances of non disclosure, upon which the controller shall make available the information requested within 8 days of receipt of the data recipient’s request. Where information had been requested, the data recipient might bring an action against the controller within 15 days from the date of receipt of the information, or from the deadline prescribed therefor. The controller is authorised to summon the data subject to court.
The controller shall not delete the data of the data subject if law has prescribed processing. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the court has found the objection justified.
12. In the event of any infringement of his rights, the data subject, and in the cases referred to in Section 21 of the Privacy Act, the data recipient may bring court action against the controller. The court shall hear such cases in priority proceedings.
The burden of proof to show compliance with the law lies with the data controller. In the cases under Subsections (5) and (6) of Section 21 of the Privacy Act, the burden of proof concerning the lawfulness of transfer of data lies with the data recipient.
The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.
Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf.
When the court’s decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data processing Systems, to respect the data subject’s objection, or to disclose the data requested by the data recipient referred to in Section 21 of the Privacy Act.
If the court rejects the petition filed by the data recipient in the cases defined in Section 21 of the Privacy Act, the controller shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within the time limit referred to in Subsection (5) or (6) of Section 21 of the Privacy Act.
The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects under protection by the Privacy Act.
13. If the data controller causes damage to a data subject because of unlawful processing or by any breach of data security requirements, it shall pay for such damages. The data controller shall be liable for damages caused by the data processor. The controller shall be released from liability for damages and from paying restitution if it demonstrates that the damage or the violation of personal rights was brought about by reasons beyond its data processing activity. No compensation shall be paid and no restitution shall be demanded where the damage or the violation of rights was caused by intentional or serious negligent conduct on the part of the aggrieved party or the data subject.