
Privacy

The protection of your personal data is of utmost importance to DESTRA Kft. and its partners. Any personally identifiable data required for the use of our website are collected and processed in accordance with the effective Hungarian and EU data protection requirements.

DATA PROCESSING NOTICE

Preamble

DESTRA Korlátolt Felelősségű Társaság processes your data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and with the relevant laws.

This Notice provides a brief overview of what types of data we use and in what ways, as well as your options for exercising your data protection rights.

Please refer to the GDPR for the detailed rules.

I. Data Controller

DESTRA Korlátolt Felelősségű Társaság (‘Data Controller’)

Registered seat: H-3795 Hangács, Rákóczi út 43., Hungary

Branch office: H-2040 Budaörs, Szabadság út 117. A. ép. 3. em., Hungary

Email: info@destra.hu

Phone: +36 70 233 2244

Website: www.destra.hu

II. Laws governing data processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’);
  • Act CXII of 2011 on informational self-determination and freedom of information (‘Freedom of Information Act’);
  • Act V of 2013 on the Civil Code (‘the Civil Code’);
  • Act LIII of 2017 on the prevention and combating of money laundering and terrorist financing (‘Money Laundering Act’) (for identification, reporting and registration-related data specified in the Act);
  • Act C of 2000 on Accounting, Section 169 (for the retention of receipts).

III. Definitions

  1. personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law;
  4. processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  5. recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law are not regarded as recipients; the processing of those data by those public authorities must be in compliance with the applicable data protection rules according to the purposes of the processing;
  6. third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  7. filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  8. personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  9. representative: a natural or legal person established in the European Union who, designated by the controller or processor in writing pursuant to GDPR Article 27, represents the controller or processor with regard to their respective obligations under the Regulation;
  10. enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  11. data asset inventory: a document for assessing the scope and nature of personal data processed by a controller;
  12. technical and organisational measures: rules of procedure established by the controller as appropriate in view of the nature, scope, circumstances and objectives of data processing and the risk of varying degrees of probability and severity posed to the rights and freedoms of natural persons, aimed at ensuring and demonstrating that personal data are processed in compliance with the GDPR. Such measures are revised and updated by the controller as necessary.

IV. Scope of persons affected by data processing and the legal basis of processing

Data processing covers any person who signs a rental contract and any person who is given the right to drive a rented vehicle (collectively referred to as ‘Customer’).

The legal bases for data processing are as follows:

  1. Consent by the data subject (the data subject has given consent to the processing of his or her personal data for one or more specific purposes, as per Article 6(1)(a) GDPR)
    In some cases the legal basis for data processing is consent by the data subject, which is given by contacting DESTRA Kft. to initiate the establishment of a legal relationship and to start the procedure for requesting our services. Consent is always given voluntarily, but failure to give consent may prevent the establishment of a legal relationship between the data subject and DESTRA Kft. Such processing includes sending newsletters, processing for marketing purposes, recording and collecting data on visitors’ site use patterns, and the use of anonymous user identifiers (cookies).
  2. Rental contracts between the Customer and DESTRA Kft. (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, as per Article 6(1)(b) GDPR)

If the Customer enters into a contract with DESTRA Kft., he or she provides, in the contract and in any accompanying documents, data that are required for the conclusion and performance of the contract. In this case, the ground for data processing is contractual performance.
If the Customer does not consent to the processing of any data requested by DESTRA Kft. or indicated in the contract, he or she may refuse to provide such data. If provision of such data is required by law or if the contract cannot be performed without such data, refusal to provide the data will prevent the conclusion of the contract.

  3. Based on a legal obligation (processing is necessary for compliance with a legal obligation to which the controller is subject, as per Article 6(1)(c) GDPR)

This includes compliance with invoicing, accounting or bookkeeping obligations (e.g. under the Act on Accounting).

V. Scope of data processed

For natural persons signing a rental contract:

· name

· nationality

· place and date of birth

· mother’s name

· address or place of stay

· ID card type and number

· driving licence number

· email address

· telephone number

· credit card or bank card details (number, date of expiry, issuer)

· name of the bank managing the payment account associated with the bank card

· whether the deposit can be debited to the bank account

· data on previous traffic violations

For drivers:

· name

· nationality

· place and date of birth

· mother’s name

· address or place of stay

· ID card type and number

· driving licence number

· email address

· telephone number

· data on previous traffic violations

VI. The process of data registration and processing

Data registration is done primarily through www.destra.hu (‘the Website’): The Customer contacts the Data Controller via the Website, and provides his or her data using a dedicated interface. In such cases the data subject must accept this Notice and consent to data processing as described herein. The Notice can be found on the Website. Data subjects must declare that they consent to the processing of their data. Data registration from any other sources is performed by the Data Controller exclusively with the consent and knowledge of the data subject. Data processing by DESTRA Kft. is linked to rental activities, and therefore the process and the scope of data processed are as follows: Customers may contact the Data Processor via the Website, where they must provide the data necessary for entering into a rental contract. Data subjects must provide their personal details and any data relevant to the rental relationship, must accept the Data Processing Notice and must consent to the processing of such data as described therein.

VII. Principles of data processing

The Data Controller processes data lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).

  1. The Data Controller collects data for specified, explicit and legitimate purposes and does not process them further in a manner that is incompatible with those purposes (purpose limitation).
  2. Data processing by the Data Controller is adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (data minimisation). Accordingly, the Data Controller does not collect or store any data in excess of what is absolutely necessary for attaining the objective of data processing.
  3. Data processing by the Data Controller is accurate and up to date. The Data Controller takes every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
  4. The Data Controller keeps personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, subject to any storage obligations provided for in relevant legislation (storage limitation).
  5. The Data Controller ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
  6. The Data Controller is responsible for, and demonstrates compliance with, the principles described above (accountability). Accordingly, the Data Controller ensures that the rules described in this Notice are continuously complied with, that its data processing activities are continuously reviewed, and that its data processing procedures are modified or supplemented as necessary. The Data Controller draws up documentation to attest compliance with its legal obligations.

VIII. Duration of data processing

Data processed on the basis of voluntary consent are processed until such consent is revoked, but for no more than 5 years as provided for by Section 6:22 of the Civil Code.

Data processed on the basis of a contract are retained for 5 years as per Section 6:22 of the Civil Code.

Data processed on the basis of legal requirements are retained for the duration specified by law (Section 169 of the Act on Accounting), i.e. for 8 years.

IX. Data security

In line with its obligations under the Freedom of Information Act, the Data Controller makes every effort to ensure the security of Customers’ data, and takes any technical and organisational measures and establishes any rules of procedure necessary for compliance with the Freedom of Information Act and any other data protection and confidentiality rules. Data stored in the Data Controller’s database can only be accessed by staff specifically authorised to do so.

X. Customers’ rights and how they can be exercised

In accordance with the provisions of the GDPR, the Data Controller provides the following rights to its Customers.

  • Right to information

Data subjects have the right to information in the case of all legal bases of data processing. The Data Controller provides concise, transparent, comprehensible, readily accessible, clear and easily understandable information to data subjects. Information is provided in writing or in any other way, including electronically where appropriate.

  • Right of access

Data subjects have the right of access in the case of all legal bases of data processing. Data subjects have the right to obtain confirmation from the Data Controller as to whether their personal data are being processed and, where that is the case, to access their personal data as well as the following information:

  1. the purposes of data processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the Data Processor disclosed or intends to disclose their personal data;
  4. the planned duration of storing the personal data, where appropriate;
  5. the data subject’s right to request the Data Controller to rectify or, in the case of data processing based on certain legal bases, delete or limit the processing of their personal data, and the right to object to the processing of such personal data in the case of data processing based on certain legal bases;
  6. the right to submit complaints to the supervisory authority;
  7. where the data were collected from a person other than the data subject, all available information on the source of such data;
  8. whether there has been automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Data Controller makes copies of the personal data processed available to the data subject.

  • Right of rectification

Data subjects have the right of rectification in the case of all legal bases of data processing. If requested by the data subject, the company will rectify any inaccurate personal data processed by it without undue delay. The data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  • Right to erasure (‘right to be forgotten’)

Data subjects do not automatically have the right to erasure (‘right to be forgotten’) in the case of all legal bases of data processing. The Data Controller will erase personal data without undue delay where any of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws the consent on which the processing is based (in the case of consent-based data processing), and there are no other legal grounds for data processing;
  3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing in the case of the legal bases for data processing referred to in points 17 and 18 (for data processing based on public authority or legitimate interest);
  4. the personal data have been processed unlawfully;
  5. the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the company is subject.

  • Right to restriction of processing

Customers have the right to restriction in the case of all legal bases of data processing. If requested by the data subject, the Data Controller will restrict data processing where any of the following applies:

  1. the accuracy of the personal data is contested by the data subject; in this case, processing will be restricted for a period enabling the Data Controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

Where processing has been restricted according to the previous point, such personal data may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The Data Controller informs all parties to whom the personal data have been transmitted about this obligation.

  • Right to object

Data subjects have the right to object in cases where the legal basis for data processing is public authority or legitimate interest. If the Data Controller receives an objection from the data subject, it may not continue to process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes. Where the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

  • Right to data portability

Data subjects have the right to data portability in cases where the legal basis for data processing is consent or a contract, provided that data processing is automated.

The Data Controller will ensure that the data subject receives the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format and that those data can be transmitted by the data subject to another controller.

  • Right to have recourse to the courts

If the Customer is of the opinion that the Data Controller has violated his or her right to the protection of personal data, the Customer may bring legal action against the Data Controller before a court for the violation of his or her rights. The court handles the case as a matter of urgency. The lawsuit is adjudicated by the competent regional court. The lawsuit may also be launched before the regional court with jurisdiction over the registered seat of the Data Controller or, at the data subject’s discretion, the place of residence or place of stay of the data subject. Persons who do not otherwise have legal capacity in lawsuits may still be party to the proceedings. The Data Controller must compensate any damages caused to others through the unlawful management of the data subject’s data or through any violation of the requirements of data security. If, through the unlawful processing of the data subject’s data or the violation of the requirements of data security, the Data Controller violates the data subject’s rights relating to personality, the data subject may claim a compensation for emotional distress from the Data Controller. The Data Controller will be exempt from liability for damages and from the obligation to pay a compensation for emotional distress if it can demonstrate that the damage or the violation of the data subject’s rights relating to personality was due to an unavoidable cause outside the scope of data processing. No compensation for damages or emotional distress will be paid if the damage, or the injury caused by the violation of the rights relating to personality, was caused intentionally or through gross negligence by the injured party or the data subject, respectively.

  • Right to have recourse to the authorities

Data subjects may lodge complaints and requests for information with the competent authority:

Name: Nemzeti Adatvédelmi és Információs Hatóság (National Authority for Data Protection and Freedom of Information)

Registered Seat: H-1125 Budapest Szilágyi Erzsébet fasor 22/c., Hungary
Postal address: H-1530 Budapest, Pf.: 5., Hungary
Email: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: http://naih.hu

XI. Use of cookies on the website and use of email addresses for marketing purposes

When you browse www.destra.hu, we may use cookies or similar technologies to identify your browser or device. A cookie is a small file that is placed on your computer when you visit a website. When you revisit the same website later, it will recognise your browser based on the cookie. Cookies can also be used to store user settings and other information. On other platforms, where cookies are either unavailable or cannot be used, other technologies are used with purposes similar to that of cookies; these include advertising IDs on Android mobile devices. You can set your browser settings to reject all cookies or to be notified when a cookie is being sent. Please note, however, that some site features or services may not work properly without cookies.

The Data Controller does not send email advertisements to the email address provided during registration unless the Customer has given express prior consent. Such consent can be revoked at any time without limitation and without specifying the reasons by clicking the link at the bottom of the advertising email.

The Data Controller reserves the right to update or modify this Data Protection Notice and publish the modified version on www.destra.hu at any time without prior notification. The Notice is available at www.destra.hu/adatvédelem

The Data Protection Notice is effective as of 25 May 2018.

DESTRA Kft.