Privacy

On behalf of PPS EU SA, Edenred Magyarország Korlátolt Felelősségű Társaság [Edenred Hungary Limited] (head office/official mailing address: H–1134 Budapest, Váci út 45. , company registration number: 01-09-266926; electronic contact details: ugyfelszolgalat-hu@edenred.com and dpo.hungary@edenred.com; information related to data processing on the website: https://adatvedelem.edenred.hu/adatkezelesi-tajekoztato/; phone: +36 1 413 3333, represented by: Tamás Szendrő, hereinafter: Programme Owner) in accordance with the related legislative provisions specifying the protection of personal data1, hereby informs the data subjects on the applied data processing activities.

PPS EU SA (a company registered in Belgium under the number 0712.775.202, having its address under 1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium, hereinafter: Issuer) provides services to legal and natural persons (hereinafter: Client) and natural persons (hereinafter: Card Holder/Data Subject) , under the scope of which service provision the Issuer.
The Issuer and the Programme Owner pays prompt attention on the protection of personal data, and for this reason it permanently takes due care to guarantee fair and transparent processing the essential requirement of which is to provide appropriate information on the processing of data. This Data Processing Policy provide information regarding, among others, the processing of personal data in the course of provision of the services of the Issuer and the Programme Owner and data processing for advertising purposes: the source and scope of acquiring the processed data, the legal basis, purpose and term of the data processing, the rights concerning and the options of choice between personal data, and it also includes all the contact details in which the Data Subject can get answers to his questions on the Issuer and the Programme Owner’s practice of data protection.

 

Summary of the data processing activities related to the Issuer’s Service provided to the Client
Data Controller Issuer
The purposes of the processing Performance of the services included in the Client contract: management of card crediting
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Name, position and contact details (phone number, email address) of the contact person;
Data processing prior to the conclusion of a Limited-Purpose Payment Account contract: surname, given name, date of birth, email address;
Data processed during card crediting: surname, given name, date of birth, card serial number, sub-account;
Data request: card serial number, name indicated on the card, surname, given name, date of birth, expiry date of the card, card type, status
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the service provided to the Client
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting Services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails related to the service

 

Summaries merely seve the purposes of convenience. Please read the complete information.

Summary of the Issuer’s processing of data concerning the Edenred Ticket Restaurant SZÉP Card Service provided to the Card Holder
Data Controller Issuer
The purposes of the processing Performance of the Edenred Ticket Restaurant SZÉP Card Services included in the Card Holder contract
Legal grounds for data processing The performance of the Contract concluded between the Issuer and the Card Holder [Article 6 (1) (b) of the GDPR]
Scope of the processed data Data Subject’s surname; Data Subject’s given name; Data Subject’s surname at birth; Data Subject’s given name at birth; name on card (max. 21 characters); date of birth; place of birth; mother’s maiden name; Data Subject’s citizenship; postal address or, in the absence thereof, place of residence (postcode, city/town, street name and number); type of the Data Subject’s ID document; number of the Data Subject’s ID document; expiry date of the Data Subject’s ID document; copies of the Data Subject’s documents; Data Subject’s image, PEP status;
Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial number of the card; transaction details; transaction history; Data Subject’s workplace; Data Subject’s bank account number
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Ticket Restaurant SZÉP Card Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Ticket Restaurant SZÉP Card Service
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails related to the Edenred Ticket Restaurant SZÉP Card Service

 

Summaries merely serve the purposes of convenience. Please read the complete information.

 

Summary of the processing of data related to the Programme Owner’s marketing and advertising activity
Data Controller The Programme Owner
The purposes of the processing Sending marketing and advertising messages to the Card Holder
Legal grounds for data processing The Data Subject’s consent [Article 6 (1) (b) of the GDPR and Section 6(1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities].
The consent may be withdrawn at any time.
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s email address; Data Subject’s mobile phone number
Term of data processing Until the consent is withdrawn
Processors Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for advertising purposes – sending of newsletters

 

Summaries merely serve the purposes of convenience. Please read the complete information.

Definitions used in this Data Processing Policy match the definitions included in the Card Holder and Employer Client GTC related to Edenred Ticket Restaurant SZÉP Card. For enhancing the interpretation of the Data Processing Policy, below we repeat certain definitions:
2.1.1. Card or Edenred Ticket Restaurant SZÉP Card: a plastic cash substitute, which:
• enables the Card Holder to submit payment orders exclusively against the SZÉP Card benefits credited to the payment account,
• is readable with an electronic terminal at the Participating Vendor, and enables the submission of payment orders via the terminal.

2.1.2. Authority: means the Hungarian National Authority for Data Protection and Freedom of Information or the Belgian Data Protection Authority (Autorité de la protection des données – Gegevensbeschermingsautoriteit, APD-GBA).
2.1.3. Card Holder: the natural person who is entitled to use the Card based on the Framework Contract concluded with the Issuer.
2.1.4. Participating Vendor or Service Provider: the natural person, legal entity or other economic entity who/which is in a contractual legal relationship with the Issuer (payment service provider) as specified in Section 1(3) of the Decree and actually provides the services detailed in the same, with the exception of the service intermediary.
2.1.5. Issuer or Payment Service Provider: PPS EU SA, a company registered in Belgium under the number 0712.775.202, with its registered address at: 1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium. PPS EU is operating under the supervision of the National Bank of Belgium, and has been authorised by the same to issue electronic money and provide payment services. Issuer qualifies as a payment service provider who is authorised to issue the Card and engage in activities relating to the use of the same as provided in the Decree.
2.1.6. Programme Owner: Edenred’s Hungarian subsidiary, a company established in Hungary under the name: Edenred Magyarország Kft.; registered office: H–1134 Budapest, Váci út 45.), the Issuer’s payment intermediary.
2.1.7. Decree: Government Decree 76/2018 (20 April) on the rules of the issue and use of Széchenyi Recreational Cards.
• Service or Edenred Ticket Restaurant SZÉP Card Service: all services provided to the Card Holder by the Issuer.
2.1.8. Client or Employer: the Card Holder’s employer, who credits Széchenyi Recreation Card Benefit to the Card Holder’s payment account.

Data Subjects include employees of the legal and natural persons (Client) ordering the services of the Issuer and the Programme Owner.

The Issuer and Programme Owner obtain certain personal data of the Data Subject not directly from the Data Subject, but – having regard to the characteristics of the service – partly from the Client via data transfer. At the same time, however, the Issuer will, during the online contracting necessary for using the Card, request such personal data directly from the Data Subject that are essential for the establishment of the contract and the provision of the services related to the Card, while they are not required for the placement of the Order.

5.1. The legal basis to the data processing strictly necessary for providing the Service is the conclusion and performance of the contract in the interest of the Data Subject on the basis of the contract established by and between the Issuer and the Client in relation to the cards ordered for the Data Subject [GDPR Article 6(1)(b)].
5.2. The legal basis of the data processing strictly necessary for the Issuer to perform the Edenred Ticket Restaurant SZÉP Card Service provided to the Card Holder is the performance of the Edenred Ticket Restaurant SZÉP Card contract concluded by and between the Issuer and the Data Subject: manufacturing, activating, crediting and using the Card, ensuring access to data [e.g. transaction history, available balance], processing of transactions [Article 6(1)(b) of the GDPR]. Should the Data Subject fail to provide the personal data strictly necessary for the Issuer to provide the Edenred Ticket Restaurant SZÉP Card Service, the Data Subject will not be able to call upon the services provided by the Issuer and the Programme Owner. The Issuer acts as data controller with regard to the data processing related to the contract concluded by and between the Issuer and the Data Subject.
5.3. The legal basis for the Programme Owner for the data processing concerning the sending of advertisement is the Data Subject’s consent [Article 6 (1) (a) of the GDPR and Article 6 (1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities]. The Data Subject may provide his consent to receive advertisement on the Programme Owner’s website or in the Edenred mobile application.

6.1. Data processed for the purposes of complying with the Client GTC, term of the data processing

6.1.1. The Issuer as data controller processes the following data in order to comply with the Client GTC, i.e. to provide the service to the Client:
• name, position and contact details (phone number, email address) of the contact person
• data processing prior to the conclusion of a Limited-Purpose Payment Account contract: surname, given name, date of birth, email address
• data processed during card crediting: surname, given name, date of birth, card serial number, sub-account
• data request: card serial number, name indicated on the card, surname, given name, date of birth, expiry date of the card, card type, status

6.1.2. Personal data is processed by the Issuer as data controller in connection with the establishment of the Card Holder contract and the administration related to crediting and usage of the Card.

6.1.3. The Issuer will process the Data Subject’s data until the period required to achieve the purpose of the Client contract, i.e. for the total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the service).

6.2. Data processed for the purposes of complying with the Card Holder contract, term of the data processing

6.2.1. The Issuer processes the following data as data controller in order to comply with the Card Holder contract, i.e. to provide the Edenred Ticket Restaurant SZÉP Card Service to the Card Holder:
6.2.1.1. Data necessary for contracting
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• place and date of birth
• mother’s maiden name,
• postal address, or, in the absence thereof, address of residence (postcode, city/town, street name and number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• data of the transaction
• transaction history
• Data Subject’s workplace
• Data Subject’s bank account number

6.2.1.2. Data necessary for identifying the contracting party
• Data Subject’s surname and given name
• Type, number, expiry date and copy of the Data Subject’s ID documents
• PEP status
• Data Subject’s image
• Data Subject’s citizenship

6.2.2. The Issuer will process the data specified in Clause 6.2.1.1 until the period required to achieve the purpose of the Card Holder contract, i.e. for the total duration of the Edenred Ticket Restaurant SZÉP Card Service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Ticket Restaurant SZÉP Card Service), while the data specified in Clause 6.2.1.2 shall be processed for 30 days from activation.

6.3. Data processed for the purpose of marketing and advertising activity, term of the processing

6.3.1. During the data processing for advertisement purposes, the Programme Owner will send advertisements via phone (text message) or e-mails or push notifications (pop-up messages on mobile phones) to the Data Subject concerning the products of the Programme Owner, the Edenred Group and the Participating Vendors, and on the incidental campaigns, according to the Data Subject’s consent.

6.3.2. For this purpose it processes the following data:
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s email address
• Data Subject’s mobile phone number

6.3.3. The Programme Owner keeps record of the personal data of Data Subjects having made declaration of consent regarding the receipt of advertisements.

6.3.4. For sending advertisement, the Programme Owner keeps on processing the personal data processed per the declaration of consent provided by the Data Subject until revocation. The Data Subject can give his declaration of consent by ticking the relevant checkbox on the Programme Owner’s website or the Edenred mobile application. The Data Subject may revoke his consent at any time via the unsubscribe link at the bottom of the marketing letter sent to the provided e-mail address.

The Issuer will transmit and disclose the Data Subject’s data to the members of the Edenred Group1 and its contractual partners2 (including natural persons) in the course and for the purpose of and to the extent required for providing the Edenred Ticket Restaurant SZÉP Card Service, in relation to the card use.

7.1. Data Processors belonging to the Issuer’s and Programme Owner’s contractual partners employed for complying with the provision of the Edenred Ticket Restaurant SZÉP Card Service and for performing the marketing and promotional activity:

• Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Ticket Restaurant SZÉP Card Service
• Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
• Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
• Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
• Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
• The Rocket Science Group LLC d/b/a MailChimp (head office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for marketing purposes – sending of newsletters, sending of information e-mails concerning the Edenred Ticket Restaurant SZÉP Card Service

The Rocket Science Group LLC d/b/a MailChimp provides appropriate safeguards for the transfer of personal data by applying standard data protection clauses specified in Article 46(2)(c) of the GDPR.

9.1. The Issuer and the Programme Owner shall delete the Data Subject’s data upon the expiry of the data handling period.

9.2. The Issuer and the Programme Owner will ensure the security of the processed data and takes any measure against unauthorised access, modification, forwarding, disclosure, erasure or destruction, accidental destruction and deterioration, and inaccessibility due to the change of the technology applied, as well as in order to ensure an adequate protection of the Data Subjects’ personal data per the legislation.

9.3. The Issuer and the Programme Owner processes the Data Subject’s data automatically and manually in a computer database applying the measures necessary for maintaining the data security requirements, and it has arranged to have the processing of the Data Subject’s data within a closed system protected by password in any event and saved in a hard disk, and that these systems would be

¹The members of the Edenred Group are listed on the www.edenred.hu website, as modified from time to time.
²In the course of providing the service, Edenred and the Issuer shall be entitled to unilaterally employ other data processors at any time. The list of data processors is available at the www.edenredkartya.hu, under the menu item “Data Processing Policy”

used by those authorised to know the data exclusively in relation to the provision of the service, in a strictly necessary extent.

9.4. Those authorised to know the personal data are the Issuer and the Programme Owner (the Issuer and the Programme Owner’s employees employed in a post that manage matters concerning the card use), the members of the Edenred Group, and the contractual partners of the Issuer and the Programme Owner.

9.5. The Issuer and the Programme Owner ensures to provide complete information about the data protection rules to those authorised to access the data. As a guarantee to data security, the senior executives and employees of the Issuer and the Programme Owner are bound by obligation of confidence and legal liability concerning the personal data learned in this regard.

10.1. At the Data Subject’s request, the Issuer and/or Programme Owner shall provide information on [Article 15 (1) of the GDPR; right to information]:
• which personal data of the Data Subject are processed
• the purposes of the processing
• the categories of recipients to whom the personal data are transferred
• the term of processing
• the Data Subject’s rights and remedies

10.2. Before initiating the procedures regulated in this section, the Data Subject is entitled to call upon the Issuer and/or the Programme Owner with his claim (to be submitted electronically) in order to eliminate his anxieties concerning the data processing and to restore legality. The Issuer and/or the Programme Owner shall examine the claim within a month, makes a decision on whether it is well-founded and informs the Data Subject electronically in writing. If the Issuer and/or the Programme Owner ascertains the grounds for the Data Subject’s claim, restores the legality of data processing or ends the data processing, including further data recording and data transmission. In this case, the Issuer and/or the Programme Owner may no longer process the Data Subject’s personal data unless the Issuer and/or the Programme Owner demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. The Issuer and/or the Programme Owner will communicate the claim and the relevant actions taken, to those to whom he transmitted the data concerned by the claim.

10.3. At the Data Subject’s request, the Issuer and/or the Programme Owner will make available the duplicate copy of the personal data in a commonly used electronic format or any other format chosen by the Data Subject. [Article 15 (3) of the GDPR; right of access, right to be provided copies].
10.4. At the Data Subject’s request, his personal data will be modified, rectified. The Issuer and/or the Programme Owner we also provides possibility to rectify the personal data via the user profile [Article 16 of the GDPR; right of rectification]. The exercise of the Data Subject’s rights to access and the rectification of his personal data, the Data Subject may call upon the Issuer and/or the Programme Owner in an e-mail sent to the addresses adatkezeles-hu@edenred.com or dpo.hungary@edenred.com.
10.5. At the Data Subject’s request, the Issuer and/or the Programme Owner will erase the Data Subject’s personal data. The Issuer and/or the Programme Owner may refuse to comply with the request due to reasons included in Article 17 (3) of the GDPR, e.g. in the case when personal data are required for proposing or vindicating a legal claim, or for the compliance with the obligation per the law of the Union or a member state to be applied to the Issuer and/or the Programme Owner, or out of public interest or for exercising the right of freedom of expression and information. [Article 17 of the GDPR; right of erasure].

10.6. The Data Subject may cancel his declaration of consent to the communication of advertisements may be cancelled at any time without restriction and justification, free of charge, and he may also make a claim regarding the prohibition of receiving advertisements. In this case, the Issuer and the Programme Owner immediately erases the Data Subject’s name and any personal data from the records and will no longer send any advertisement to the Data Subject. This can be achieved by filling a notice of withdrawal either on the post, by sending a letter to the Programme Owner’s head office, or electronically by sending an email to adatkezeles-hu@edenred.com or dpo.hungary@edenred.com, and on the Programme Owner’s website, or in the Edenred mobile application [right of withdrawing the consent]. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10.7. The Data Subject is entitled to request the restriction (blocking) of processing personal data
• should he contest the accuracy of the personal data, he may request the blocking of the data until the Issuer and/or the Programme Owner checks the accuracy of the personal data;
• if processing is unlawful and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
• the Issuer and/or the Programme Owner no longer needs the personal data, but it is required by the Data Subject for the establishment, exercise or defence of legal claims [Article 18 of the GDPR; right to restriction of processing (blocking)].
The Issuer and/or the Programme Owner fulfils the blocking request by storing the personal data separately from the other personal data. Thus for example, in the case of electronic files, it saves them on an external data carrier, or transfers personal data stored on paper in a separate folder. With the exception of storage, the Issuer and/or the Programme Owner will only process such personal data with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Issuer and/or the Programme Owner shall advise the Data Subject in advance about the release of the restriction of processing.

10.8. The Data Subject is entitled to receive his or her personal data in a structured, commonly used and machine-readable format, and has the right to transmit these data to another controller. In addition, at a relevant explicit request, the Issuer and/or the Programme Owner ensures the direct transmission the Data Subject’s data to a Processor specified by the Data Subject. [Article 20 (1) and (2) of the GDPR; right to data portability].

10.9. The Issuer and/or the Programme Owner will inform the Data Subject on the actions taken within one month from receiving the Data Subject’s request. The Issuer and/or the Programme Owner shall inform You within one month from receipt of the request about the reasons of the refusal and about the opportunity of lodging a complaint with the Authority and seeking a judicial remedy.

10.10. The exercise of this right is free of charge. In certain cases the Issuer and/or the Programme Owner may charge a fee based on administrative costs, or refuse to take action on the basis of the application, if the Data Subject requests a copy of his or her data, or if the Data Subject’s application is clearly ungrounded or – especially on account of its repeated nature – exaggerated.

10.11. The Issuer and/or the Programme Owner retains the right to request further information necessary for the confirmation of the Data Subject’s identity, should it have doubts about the identity of the person who submitted the request. Such a case is when the Data Subject exercises his right of requesting a duplicated copy, in which case it is reasonable from the Issuer and/or the Programme Owner to check if the request has come from the authorised person.

10.12. If the Data Subject thinks that the Issuer and/or the Programme Owner offended his right to the protection of personal data, or should the Issuer and/or the Programme Owner perform illegal data processing, the Data Subject may initiate the procedure of the Authority.

10.12.1. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
• postal address: H–1363 Budapest, P.O. box: 9.
• email: ugyfelszolgalat@naih.hu
• telephone number: +36 (1) 391 1400
• website address: www.naih.hu.
10.12.2. Contact details of the Belgian Data Protection Authority:
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
• postal address: Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles – Brussels, Belgium
• email: contact@apd-gba.be
• telephone number: +32 2 274 48 00
• website address: https://www.autoriteprotectiondonnees.be/
10.13. Should the Data Subject consider that the Issuer and/or the Programme Owner offended his right to the protection of personal data, he may initiate a legal hearing and may demand the reimbursement of the damage caused to the Data Subject by the illegal processing of his data or by violating the data security, or, in case of the violation of a personality right, the payment of a restitution. In the event of a judicial enforcement, the Data Subject may start the action at the court of his or her residence or habitation.

11.1. If the Issuer modifies the GTC and such modification affects the Data Processing Policy, the Issuer shall place a notice on the website www.edenred.hu to enable the Data Subject familiarize himself or herself with the modification.

11.2. Where the Issuer and/or the Programme Owner intends to further process the personal data for a purpose other than that for which the personal data were obtained, it will provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.

11.3. The Issuer and/or the Programme Owner shall inform the data subject at the latest on the first occasion of disclosing the data also to other recipient(s).

Effective from: 26 January 2022

Data Processing Policy

On behalf of PPS EU SA, Edenred Magyarország Korlátolt Felelősségű Társaság [Edenred Hungary Limited] (head office/official mailing address: H–1134 Budapest, Váci út 45. , company registration number: 01-09-266926; electronic contact details: ugyfelszolgalat-hu@edenred.com and dpo.hungary@edenred.com; information related to data processing on the website: https://adatvedelem.edenred.hu/adatkezelesi-tajekoztato/; phone: +36 1 413 3333, represented by: Tamás Szendrő, hereinafter: Programme Owner) in accordance with the related legislative provisions specifying the protection of personal data1, hereby informs the data subjects on the applied data processing activities.

1. Presentation of data processing

PPS EU SA (a company registered in Belgium under the number 0712.775.202, having its address under 1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium, hereinafter: Issuer) provides services to legal and natural persons (hereinafter: Client) and natural persons (hereinafter: Card Holder/Data Subject) , under the scope of which service provision the Issuer.
The Issuer and the Programme Owner pays prompt attention on the protection of personal data, and for this reason it permanently takes due care to guarantee fair and transparent processing the essential requirement of which is to provide appropriate information on the processing of data. This Data Processing Policy provide information regarding, among others, the processing of personal data in the course of provision of the services of the Issuer and the Programme Owner and data processing for advertising purposes: the source and scope of acquiring the processed data, the legal basis, purpose and term of the data processing, the rights concerning and the options of choice between personal data, and it also includes all the contact details in which the Data Subject can get answers to his questions on the Issuer and the Programme Owner’s practice of data protection.

 

Summary of the data processing activities related to the Issuer’s Service provided to the Client
Data Controller Issuer
The purposes of the processing Performance of the services included in the Client contract: management of card crediting
Legal grounds for data processing Conclusion and performance of a contract in the interest of the Data Subject [Article 6 (1) (b) of GDPR].
Scope of the processed data Name, position and contact details (phone number, email address) of the contact person;
Data processing prior to the conclusion of a Limited-Purpose Payment Account contract: surname, given name, date of birth, email address;
Data processed during card crediting: surname, given name, date of birth, card serial number, sub-account;
Data request: card serial number, name indicated on the card, surname, given name, date of birth, expiry date of the card, card type, status
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the service provided to the Client
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting Services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails related to the service

 

Summaries merely seve the purposes of convenience. Please read the complete information.

Summary of the Issuer’s processing of data concerning the Edenred Ticket Restaurant SZÉP Card Service provided to the Card Holder
Data Controller Issuer
The purposes of the processing Performance of the Edenred Ticket Restaurant SZÉP Card Services included in the Card Holder contract
Legal grounds for data processing The performance of the Contract concluded between the Issuer and the Card Holder [Article 6 (1) (b) of the GDPR]
Scope of the processed data Data Subject’s surname; Data Subject’s given name; Data Subject’s surname at birth; Data Subject’s given name at birth; name on card (max. 21 characters); date of birth; place of birth; mother’s maiden name; Data Subject’s citizenship; postal address or, in the absence thereof, place of residence (postcode, city/town, street name and number); type of the Data Subject’s ID document; number of the Data Subject’s ID document; expiry date of the Data Subject’s ID document; copies of the Data Subject’s documents; Data Subject’s image, PEP status;
Data Subject’s email address; Data Subject’s mobile phone number; amount to be credited; serial number of the card; transaction details; transaction history; Data Subject’s workplace; Data Subject’s bank account number
Term of data processing Total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Ticket Restaurant SZÉP Card Service)
Processors Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Ticket Restaurant SZÉP Card Service
Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: sending of information e-mails related to the Edenred Ticket Restaurant SZÉP Card Service

 

Summaries merely serve the purposes of convenience. Please read the complete information.

 

Summary of the processing of data related to the Programme Owner’s marketing and advertising activity
Data Controller The Programme Owner
The purposes of the processing Sending marketing and advertising messages to the Card Holder
Legal grounds for data processing The Data Subject’s consent [Article 6 (1) (b) of the GDPR and Section 6(1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities].
The consent may be withdrawn at any time.
Scope of the processed data Data Subject’s surname; Data Subject’s forename; Data Subject’s email address; Data Subject’s mobile phone number
Term of data processing Until the consent is withdrawn
Processors Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for advertising purposes – sending of newsletters

 

Summaries merely serve the purposes of convenience. Please read the complete information.

2. Definitions

Definitions used in this Data Processing Policy match the definitions included in the Card Holder and Employer Client GTC related to Edenred Ticket Restaurant SZÉP Card. For enhancing the interpretation of the Data Processing Policy, below we repeat certain definitions:
2.1.1. Card or Edenred Ticket Restaurant SZÉP Card: a plastic cash substitute, which:
• enables the Card Holder to submit payment orders exclusively against the SZÉP Card benefits credited to the payment account,
• is readable with an electronic terminal at the Participating Vendor, and enables the submission of payment orders via the terminal.

2.1.2. Authority: means the Hungarian National Authority for Data Protection and Freedom of Information or the Belgian Data Protection Authority (Autorité de la protection des données – Gegevensbeschermingsautoriteit, APD-GBA).
2.1.3. Card Holder: the natural person who is entitled to use the Card based on the Framework Contract concluded with the Issuer.
2.1.4. Participating Vendor or Service Provider: the natural person, legal entity or other economic entity who/which is in a contractual legal relationship with the Issuer (payment service provider) as specified in Section 1(3) of the Decree and actually provides the services detailed in the same, with the exception of the service intermediary.
2.1.5. Issuer or Payment Service Provider: PPS EU SA, a company registered in Belgium under the number 0712.775.202, with its registered address at: 1160 Brussels, boulevard du Souverain 165 boîte 9, Belgium. PPS EU is operating under the supervision of the National Bank of Belgium, and has been authorised by the same to issue electronic money and provide payment services. Issuer qualifies as a payment service provider who is authorised to issue the Card and engage in activities relating to the use of the same as provided in the Decree.
2.1.6. Programme Owner: Edenred’s Hungarian subsidiary, a company established in Hungary under the name: Edenred Magyarország Kft.; registered office: H–1134 Budapest, Váci út 45.), the Issuer’s payment intermediary.
2.1.7. Decree: Government Decree 76/2018 (20 April) on the rules of the issue and use of Széchenyi Recreational Cards.
• Service or Edenred Ticket Restaurant SZÉP Card Service: all services provided to the Card Holder by the Issuer.
2.1.8. Client or Employer: the Card Holder’s employer, who credits Széchenyi Recreation Card Benefit to the Card Holder’s payment account.

3. Data Subject

Data Subjects include employees of the legal and natural persons (Client) ordering the services of the Issuer and the Programme Owner.

4. Sources of the acquisition of personal data by the Issuer and the Programme Owner

The Issuer and Programme Owner obtain certain personal data of the Data Subject not directly from the Data Subject, but – having regard to the characteristics of the service – partly from the Client via data transfer. At the same time, however, the Issuer will, during the online contracting necessary for using the Card, request such personal data directly from the Data Subject that are essential for the establishment of the contract and the provision of the services related to the Card, while they are not required for the placement of the Order.

5.1. The legal basis to the data processing strictly necessary for providing the Service is the conclusion and performance of the contract in the interest of the Data Subject on the basis of the contract established by and between the Issuer and the Client in relation to the cards ordered for the Data Subject [GDPR Article 6(1)(b)].
5.2. The legal basis of the data processing strictly necessary for the Issuer to perform the Edenred Ticket Restaurant SZÉP Card Service provided to the Card Holder is the performance of the Edenred Ticket Restaurant SZÉP Card contract concluded by and between the Issuer and the Data Subject: manufacturing, activating, crediting and using the Card, ensuring access to data [e.g. transaction history, available balance], processing of transactions [Article 6(1)(b) of the GDPR]. Should the Data Subject fail to provide the personal data strictly necessary for the Issuer to provide the Edenred Ticket Restaurant SZÉP Card Service, the Data Subject will not be able to call upon the services provided by the Issuer and the Programme Owner. The Issuer acts as data controller with regard to the data processing related to the contract concluded by and between the Issuer and the Data Subject.
5.3. The legal basis for the Programme Owner for the data processing concerning the sending of advertisement is the Data Subject’s consent [Article 6 (1) (a) of the GDPR and Article 6 (1) of Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activities]. The Data Subject may provide his consent to receive advertisement on the Programme Owner’s website or in the Edenred mobile application.

6. The purpose of the data processing, the scope of data processed, the term of data processing

6.1. Data processed for the purposes of complying with the Client GTC, term of the data processing

6.1.1. The Issuer as data controller processes the following data in order to comply with the Client GTC, i.e. to provide the service to the Client:
• name, position and contact details (phone number, email address) of the contact person
• data processing prior to the conclusion of a Limited-Purpose Payment Account contract: surname, given name, date of birth, email address
• data processed during card crediting: surname, given name, date of birth, card serial number, sub-account
• data request: card serial number, name indicated on the card, surname, given name, date of birth, expiry date of the card, card type, status

6.1.2. Personal data is processed by the Issuer as data controller in connection with the establishment of the Card Holder contract and the administration related to crediting and usage of the Card.

6.1.3. The Issuer will process the Data Subject’s data until the period required to achieve the purpose of the Client contract, i.e. for the total duration of the service and 6 years following its termination (until the limitation period of the possible claims concerning the service).

6.2. Data processed for the purposes of complying with the Card Holder contract, term of the data processing

6.2.1. The Issuer processes the following data as data controller in order to comply with the Card Holder contract, i.e. to provide the Edenred Ticket Restaurant SZÉP Card Service to the Card Holder:
6.2.1.1. Data necessary for contracting
• Data Subject’s surname
• Data Subject’s forename
• name on card (21 characters at maximum)
• place and date of birth
• mother’s maiden name,
• postal address, or, in the absence thereof, address of residence (postcode, city/town, street name and number)
• Data Subject’s email address
• Data Subject’s mobile phone number
• amount to be credited
• card serial number
• data of the transaction
• transaction history
• Data Subject’s workplace
• Data Subject’s bank account number

6.2.1.2. Data necessary for identifying the contracting party
• Data Subject’s surname and given name
• Type, number, expiry date and copy of the Data Subject’s ID documents
• PEP status
• Data Subject’s image
• Data Subject’s citizenship

6.2.2. The Issuer will process the data specified in Clause 6.2.1.1 until the period required to achieve the purpose of the Card Holder contract, i.e. for the total duration of the Edenred Ticket Restaurant SZÉP Card Service and 6 years following its termination (until the limitation period of the possible claims concerning the Edenred Ticket Restaurant SZÉP Card Service), while the data specified in Clause 6.2.1.2 shall be processed for 30 days from activation.

6.3. Data processed for the purpose of marketing and advertising activity, term of the processing

6.3.1. During the data processing for advertisement purposes, the Programme Owner will send advertisements via phone (text message) or e-mails or push notifications (pop-up messages on mobile phones) to the Data Subject concerning the products of the Programme Owner, the Edenred Group and the Participating Vendors, and on the incidental campaigns, according to the Data Subject’s consent.

6.3.2. For this purpose it processes the following data:
• Data Subject’s surname
• Data Subject’s forename
• Data Subject’s email address
• Data Subject’s mobile phone number

6.3.3. The Programme Owner keeps record of the personal data of Data Subjects having made declaration of consent regarding the receipt of advertisements.

6.3.4. For sending advertisement, the Programme Owner keeps on processing the personal data processed per the declaration of consent provided by the Data Subject until revocation. The Data Subject can give his declaration of consent by ticking the relevant checkbox on the Programme Owner’s website or the Edenred mobile application. The Data Subject may revoke his consent at any time via the unsubscribe link at the bottom of the marketing letter sent to the provided e-mail address.

7. Data processing

The Issuer will transmit and disclose the Data Subject’s data to the members of the Edenred Group1 and its contractual partners2 (including natural persons) in the course and for the purpose of and to the extent required for providing the Edenred Ticket Restaurant SZÉP Card Service, in relation to the card use.

7.1. Data Processors belonging to the Issuer’s and Programme Owner’s contractual partners employed for complying with the provision of the Edenred Ticket Restaurant SZÉP Card Service and for performing the marketing and promotional activity:

• Edenred Magyarország Kft.: (registered office: H-1134 Budapest, Váci út 45.)
purpose of data processing: operation of systems and provision of support in relation to the provision of the Edenred Ticket Restaurant SZÉP Card Service
• Programming Pool Romania (registered office: Strada Transilvaniei 18A, Baia Mare, Romania)
purpose of data processing: supply of software supporting services related to the Card, IT support
• Idemia Hungary Kft. (registered office: Tó-Park, hrsz.: 3301/21., 2045 Törökbálint, Tópark utca)
purpose of data processing: manufacturing of cards
• Y-Collective Kft. (registered office: H–7628 Pécs, Arany János u. 24.)
purpose of data processing: extranet operation, processing of card orders, operation of website and Edenred Mobile Application; IT support activity
• Y-Shift Kft. (head office: H–7636 Pécs Neumann János utca 24., Hungary)
purpose of data processing: data processing for advertising purposes
• The Rocket Science Group LLC d/b/a MailChimp (head office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA)
purpose of data processing: data processing for marketing purposes – sending of newsletters, sending of information e-mails concerning the Edenred Ticket Restaurant SZÉP Card Service

8. Transmission of data to third countries

The Rocket Science Group LLC d/b/a MailChimp provides appropriate safeguards for the transfer of personal data by applying standard data protection clauses specified in Article 46(2)(c) of the GDPR.

9. Data security, parties entitled to obtain the data

9.1. The Issuer and the Programme Owner shall delete the Data Subject’s data upon the expiry of the data handling period.

9.2. The Issuer and the Programme Owner will ensure the security of the processed data and takes any measure against unauthorised access, modification, forwarding, disclosure, erasure or destruction, accidental destruction and deterioration, and inaccessibility due to the change of the technology applied, as well as in order to ensure an adequate protection of the Data Subjects’ personal data per the legislation.

9.3. The Issuer and the Programme Owner processes the Data Subject’s data automatically and manually in a computer database applying the measures necessary for maintaining the data security requirements, and it has arranged to have the processing of the Data Subject’s data within a closed system protected by password in any event and saved in a hard disk, and that these systems would be

¹The members of the Edenred Group are listed on the www.edenred.hu website, as modified from time to time.
²In the course of providing the service, Edenred and the Issuer shall be entitled to unilaterally employ other data processors at any time. The list of data processors is available at the www.edenredkartya.hu, under the menu item “Data Processing Policy”

used by those authorised to know the data exclusively in relation to the provision of the service, in a strictly necessary extent.

9.4. Those authorised to know the personal data are the Issuer and the Programme Owner (the Issuer and the Programme Owner’s employees employed in a post that manage matters concerning the card use), the members of the Edenred Group, and the contractual partners of the Issuer and the Programme Owner.

9.5. The Issuer and the Programme Owner ensures to provide complete information about the data protection rules to those authorised to access the data. As a guarantee to data security, the senior executives and employees of the Issuer and the Programme Owner are bound by obligation of confidence and legal liability concerning the personal data learned in this regard.

10. The Data Subject’s rights and remedies

10.1. At the Data Subject’s request, the Issuer and/or Programme Owner shall provide information on [Article 15 (1) of the GDPR; right to information]:
• which personal data of the Data Subject are processed
• the purposes of the processing
• the categories of recipients to whom the personal data are transferred
• the term of processing
• the Data Subject’s rights and remedies

10.2. Before initiating the procedures regulated in this section, the Data Subject is entitled to call upon the Issuer and/or the Programme Owner with his claim (to be submitted electronically) in order to eliminate his anxieties concerning the data processing and to restore legality. The Issuer and/or the Programme Owner shall examine the claim within a month, makes a decision on whether it is well-founded and informs the Data Subject electronically in writing. If the Issuer and/or the Programme Owner ascertains the grounds for the Data Subject’s claim, restores the legality of data processing or ends the data processing, including further data recording and data transmission. In this case, the Issuer and/or the Programme Owner may no longer process the Data Subject’s personal data unless the Issuer and/or the Programme Owner demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. The Issuer and/or the Programme Owner will communicate the claim and the relevant actions taken, to those to whom he transmitted the data concerned by the claim.

10.3. At the Data Subject’s request, the Issuer and/or the Programme Owner will make available the duplicate copy of the personal data in a commonly used electronic format or any other format chosen by the Data Subject. [Article 15 (3) of the GDPR; right of access, right to be provided copies].
10.4. At the Data Subject’s request, his personal data will be modified, rectified. The Issuer and/or the Programme Owner we also provides possibility to rectify the personal data via the user profile [Article 16 of the GDPR; right of rectification]. The exercise of the Data Subject’s rights to access and the rectification of his personal data, the Data Subject may call upon the Issuer and/or the Programme Owner in an e-mail sent to the addresses adatkezeles-hu@edenred.com or dpo.hungary@edenred.com.
10.5. At the Data Subject’s request, the Issuer and/or the Programme Owner will erase the Data Subject’s personal data. The Issuer and/or the Programme Owner may refuse to comply with the request due to reasons included in Article 17 (3) of the GDPR, e.g. in the case when personal data are required for proposing or vindicating a legal claim, or for the compliance with the obligation per the law of the Union or a member state to be applied to the Issuer and/or the Programme Owner, or out of public interest or for exercising the right of freedom of expression and information. [Article 17 of the GDPR; right of erasure].

10.6. The Data Subject may cancel his declaration of consent to the communication of advertisements may be cancelled at any time without restriction and justification, free of charge, and he may also make a claim regarding the prohibition of receiving advertisements. In this case, the Issuer and the Programme Owner immediately erases the Data Subject’s name and any personal data from the records and will no longer send any advertisement to the Data Subject. This can be achieved by filling a notice of withdrawal either on the post, by sending a letter to the Programme Owner’s head office, or electronically by sending an email to adatkezeles-hu@edenred.com or dpo.hungary@edenred.com, and on the Programme Owner’s website, or in the Edenred mobile application [right of withdrawing the consent]. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10.7. The Data Subject is entitled to request the restriction (blocking) of processing personal data
• should he contest the accuracy of the personal data, he may request the blocking of the data until the Issuer and/or the Programme Owner checks the accuracy of the personal data;
• if processing is unlawful and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
• the Issuer and/or the Programme Owner no longer needs the personal data, but it is required by the Data Subject for the establishment, exercise or defence of legal claims [Article 18 of the GDPR; right to restriction of processing (blocking)].
The Issuer and/or the Programme Owner fulfils the blocking request by storing the personal data separately from the other personal data. Thus for example, in the case of electronic files, it saves them on an external data carrier, or transfers personal data stored on paper in a separate folder. With the exception of storage, the Issuer and/or the Programme Owner will only process such personal data with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Issuer and/or the Programme Owner shall advise the Data Subject in advance about the release of the restriction of processing.

10.8. The Data Subject is entitled to receive his or her personal data in a structured, commonly used and machine-readable format, and has the right to transmit these data to another controller. In addition, at a relevant explicit request, the Issuer and/or the Programme Owner ensures the direct transmission the Data Subject’s data to a Processor specified by the Data Subject. [Article 20 (1) and (2) of the GDPR; right to data portability].

10.9. The Issuer and/or the Programme Owner will inform the Data Subject on the actions taken within one month from receiving the Data Subject’s request. The Issuer and/or the Programme Owner shall inform You within one month from receipt of the request about the reasons of the refusal and about the opportunity of lodging a complaint with the Authority and seeking a judicial remedy.

10.10. The exercise of this right is free of charge. In certain cases the Issuer and/or the Programme Owner may charge a fee based on administrative costs, or refuse to take action on the basis of the application, if the Data Subject requests a copy of his or her data, or if the Data Subject’s application is clearly ungrounded or – especially on account of its repeated nature – exaggerated.

10.11. The Issuer and/or the Programme Owner retains the right to request further information necessary for the confirmation of the Data Subject’s identity, should it have doubts about the identity of the person who submitted the request. Such a case is when the Data Subject exercises his right of requesting a duplicated copy, in which case it is reasonable from the Issuer and/or the Programme Owner to check if the request has come from the authorised person.

10.12. If the Data Subject thinks that the Issuer and/or the Programme Owner offended his right to the protection of personal data, or should the Issuer and/or the Programme Owner perform illegal data processing, the Data Subject may initiate the procedure of the Authority.

10.12.1. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
• postal address: H–1363 Budapest, P.O. box: 9.
• email: ugyfelszolgalat@naih.hu
• telephone number: +36 (1) 391 1400
• website address: www.naih.hu.
10.12.2. Contact details of the Belgian Data Protection Authority:
Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)
• postal address: Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles – Brussels, Belgium
• email: contact@apd-gba.be
• telephone number: +32 2 274 48 00
• website address: https://www.autoriteprotectiondonnees.be/
10.13. Should the Data Subject consider that the Issuer and/or the Programme Owner offended his right to the protection of personal data, he may initiate a legal hearing and may demand the reimbursement of the damage caused to the Data Subject by the illegal processing of his data or by violating the data security, or, in case of the violation of a personality right, the payment of a restitution. In the event of a judicial enforcement, the Data Subject may start the action at the court of his or her residence or habitation.

11. Miscellaneous provisions

11.1. If the Issuer modifies the GTC and such modification affects the Data Processing Policy, the Issuer shall place a notice on the website www.edenred.hu to enable the Data Subject familiarize himself or herself with the modification.

11.2. Where the Issuer and/or the Programme Owner intends to further process the personal data for a purpose other than that for which the personal data were obtained, it will provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.

11.3. The Issuer and/or the Programme Owner shall inform the data subject at the latest on the first occasion of disclosing the data also to other recipient(s).

Effective from: 26 January 2022