Ticket sales for the Men’s Team A home matches in Puskás Arena

Privacy Policy relating to ticket sales for the Hungarian Men's Team A (hereinafter referred to as "the Hungarian national team") home matches to be held in Puskás Arena

1. Data of data controllers, where can you find information relating to data processing?

1.1. Where can you find information relating to data processing?

The Hungarian Football Federation (MLSZ) and the InterTicket Kft. prepared this policy in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter: GDPR or Regulation) with the specific purpose of making data processing operations transparent in an easily understandable way.

According to the agreement between the InterTicket Kft. and MLSZ the InterTicket Kft. is entitled to sell tickets for the matches of the Hungarian national team commissioned by MLSZ. The ticket sales process and the essential elements of data processing were jointly defined by MLSZ and InterTicket Kft., the ticket sales process is carried out with the help of MLSZ, thus MLSZ is the organizer of the matches, so MLSZ and the InterTicket Kft. act as joint data controllers in ticket sales.

This policy contains the main information about the specific processing (legal ground, purpose of processing, scope, duration of the data processed, person of the data controller and your rights).

The policy is supplemented by the document “General information on data processing” made by MLSZ which explains how you can exercise your rights against MLSZ and the obligations of MLSZ concerning the security of personal data and the rules for the modification of the policy. The document “General information on data processing” is available here.

This policy does not cover the data processing of data related to the Football Card, the Fan Club, marketing activities of MLSZ and InterTicket Kft., the entrance, complaint handling, with camera surveillance, exclusion, withhold for which the following information contain specifications:

• Football card data processing information: https://adatvedelem.mlsz.hu/dokumentumtar/adatkezelesi-tajekoztatok/szurkolokra-vonatkozo-adatkezelesek/jegyertekesites-futballkartya-stadionbiztonsag-marketing- 
• Fan club data processing information: https://adatvedelem.mlsz.hu/dokumentumtar/adatkezelesi-tajekoztatok/szurkolokra-vonatkozo-adatkezelesek/szurkoloi-klub 
• Entrance data processing information: https://adatvedelem.mlsz.hu/dokumentumtar/adatkezelesi-tajekoztatok/szurkolokra-vonatkozo-adatkezelesek/beleptetes-merkozesre 
• Information on the handling of complaints and claims submitted to the MLSZ: https://adatvedelem.mlsz.hu/adatbejelento-urlap

kamerás megfigyeléssel kapcsolatos adatkezelési tájékoztató: https://adatvedelem.mlsz.hu/dokumentumtar/adatkezelesi-tajekoztatok/szurkolokra-vonatkozo-adatkezelesek/kamerarendszer

• data processing information on fan’s exclusion, withhold and investigate his/her complaint: https://adatvedelem.mlsz.hu/dokumentumtar/adatkezelesi-tajekoztatok/szurkolokra-vonatkozo-adatkezelesek/szurkolo-kizarasa-visszatartasa-panaszanak-kivizsgalasa

InterTicket Kft.'s data processing information on customer service is available here: https://www.jegy.hu/adatkezelesi-szabalyzat 

1.2. Data of data controllers

InterTicket Kft:

Name of the Service Provider:	InterTicket Kft.
Seat and mailing address:	1139 Budapest, Váci út 99.
Registry:	Capital Court, as Court of Registration
Company registration number:	01-09-736766
Tax number:	10384709-2-41
E-mail address:	jegy@jegy.hu
Website address:	www.jegy.hu
Call center:	+36-1-266-0000
Customer support email address:	jegy@jegy.hu
Telefax:	+36-1-485-0345
Phone number of data protection officer:	266-0000 / extension 327
Email address of data protection officer:	adatvedelmi.tisztviselo@interticket.hu

 

Hungarian Football Federation:

email address: mlsz@mlsz.hu

email address of data protection officer: adatvedelem@mlsz.hu

mailing address: 1386 Budapest 62. Pf. 906/1

seat: 1112 Budapest, Kánai út 2.D.

2. Introduction of processing cases and the categories of data processed

Ticket sales are implemented through the following data processing process:

1. Purchasing tickets online or at cashier with a club card or giving personal data
2. Checking in the Sports Safety and Security Database - Sportrendészeti Nyilvántartás (Hungarian acronym: SRNY as hereinafter) in case of name-based ticket sales
3. Checking Fan Club membership, applying discounts
4. Issue of a ticket
5. Ticket Exchange
6. Transmission of the ticket barcode to the Puskás Arena entrance system
7. Transfer of reporting data to MLSZ
8. Providing customer support

Information on each data processing is available below.

2.1. Purchasing tickets [data processing according to point a)-c)]

The process, purpose and person of the data processing

Customers can buy tickets for the matches of the Hungarian national team in Puskás Arena at the cashier or online.

Tickets can be purchased in person through InterTicket's national ticket office network. The contact details of the ticket offices are available on the Jegy.hu website.

2.1.1. Purchasing tickets at cashiers

If customers would like to buy tickets at the cashier and if the ticket sale is by name, they have to provide three mandatory data shall provide (name, date and place of birth) which have to be recorded in the ticket sales system of InterTicket Kft. Optionally, the mother’s maiden name may also be recorded.

Tickets may be purchased for third persons as well. Data processing for these purchases is the same as in the case of tickets purchased for the customer’s own use.

As a general rule, ticket purchases are not subject to verification of personal identity. At the same time, MLSZ as the organizer may decide to require ticket buyers to present their Club card, Football card (hereinafter jointly referred to as club cards) or personal identity card upon ticket purchases. 

Club cards issued by club teams are also accepted for ticket purchases for matches organized by MLSZ.

InterTicket Kft. processing the data provided in connection with the purchase of tickets, which is doing commission sales commissioned by the MLSZ. The contractual and settlement relationship is thus established between the customer and the InterTicket Kft. The role of MLSZ in data processing is to may prescribe the sale of tickets by name, and to process the data provided due to adherence to security and admission requirements as explained below.

The InterTicket Kft. issues the invoice of the purchase to the customer, for which InterTicket processes the customer's name and address.

The purpose of the sale of name-specific tickets and seasonal tickets data processing is to carry out the ticket sales in compliance with the stadium security requirements according to Article 72/B of Sports Act. 

Under the act referred to earlier, data can be used for criminal or infringement proceedings crimes for minor offence committed at the venue of the sporting event or while approaching or leaving the venue of the sporting event, and for exclusion from the participation in sporting events.

Under paragraphs (3) and (4) of Article 72 of the Sports Act, processing of personal data concerning ticket sales is obligatory when the entrance system is used; however, the use of a club card is only mandatory if so required by the sport organisation or MLSZ for the given match.

Before the ticket purchase InterTicket Kft. will check the Fan Club membership discounts due to the existence and validates discount for ticket sales by name.

If personal identification is required:

• customers shall present their club card or personal identity card for the purchase (when purchasing tickets for a third person, the customer must present the club card or personal identity card of the personal ticket holder),
• when a ticket is purchased using a club card number (or barcode), the name, birth place and date (also mother’s name if it was provided when redeem the card) required for the purchase can be loaded using the club card register, or
• if the club card number is not available, the cashier shall record the data required for the ticket purchase in the system based on the provided personal identity card or club card.

If the ticket purchase does not require the presence and presentation of a fan card, the cashier will record the ticket information based on the information provided by the customer and issue a ticket based thereon but may require a club card or proof of identity.

However, when personal tickets are sold, it must be borne in mind that identity check is carried out upon entry into the stadium and if the customer made an error when providing the name of the ticket holder, the ticket holder will not be allowed in the match. 

Based on the customer or ticket holder data provided, the ticket sales system examines whether the person concerned is banned, disqualified or excluded from matches (namely, the system queries the Sports Safety and Security Database - SRNY).

If there is a match on the basis of personal data provided in advance, the customer may provide his mother’s name even if he did not provide it first. Then the system performs an additional check. This option does not apply to the customer when purchasing with a club card or Football card.

Persons included in the SRNY database are not allowed to purchase tickets for the matches and no match tickets can be purchased for such persons for a particular match and/or venue.

If the system reply is affirmative (in case of banned/disqualified or excluded status) the personal data of the purchaser or the would-be ticket holder will not be stored in the ticket system, but the data of the person concerned will be available in SRNY log, as even the purchase attempt qualifies as a minor offence.

If the ticket buyer or would-be ticket holder is not found in the SRNY database, the personal data of the buyer necessary for ticket purchase (name, place and date of birth, optionally the mother’s name) will be stored in the central ticketing system’s database.

Personal tickets will bear the name and date of birth of the beneficiary.

2.1.2. Online ticket purchases

Data required for purchasing tickets:

• for personal tickets: name, place and date of birth and, optionally, mother’s maiden name;
• for purchases linked to club cards: card number and PIN number.

Online purchases are executed in a web-based system operated by InterTicket Kft. The scope of personal data processed and the ticket purchasing process are the same as with purchases at the cashier.

In case customer data are provided using a club card, the card number must be entered into the system (along with the PIN code upon web shop purchases) and the IT system will retrieve the customer’s personal data required for ticket purchases based on the entered number.

If payment is by card, the customer will enter the data requested by the bank on their proprietary platform. In this respect, InterTicket Kft. does not have access to card data and does not carry out any data processing transactions.

Duration of processing

Data processed for ticket sales will be deleted from the ticketing system three business days - unless the competent authority requires the MLSZ as the organizer to retain the data for an additional period of up to 30 days - after the match, and personal data will be deleted in accordance with legal requirements.

The invoices are kept by InterTicket Kft. as an accounting document for 8 years.

Legal ground of processing

The legal ground of processing is the legal obligation under point c) of paragraph (1) of Article 6 of the Regulation; since the organiser may apply a security entry and control system (hereinafter: entry system) at its discretion or if so required by the National Police Command, for the individual identification of the participants under paragraph (1) of Article 72 of Sports Act, an entrance system is applied for sporting events with particular security risk and sporting events with high security risk in respect of football.

Under paragraph (2) of the same section, if an entry system is applied, the organiser or a person selling tickets on behalf of the organizer can only sell personal tickets or season tickets.

Under paragraph (4) of the same section, when selling ticket and seasonal tickets and during the entry, the organiser or the ticket sellers acting on behalf of the organiser is entitled to establish the spectator’s identity on the basis of an identity document.

Under paragraph (5) of the same section, if an entry system is applied, the organiser or the ticket sellers acting on behalf of the organiser may compare the identity of the spectator with the data of the SRNY database when selling tickets or season tickets.

The issue and keeping of the invoice is a legal obligation under Article 6 (1) (c) of the Regulation, the issue the invoice under section 159 (1) of Act CXXVI of 2007 on Value Added Tax, and the custody under section 169 (2) of Act C of 2000 on Accounting.

The legal basis for the performance of the contract pursuant to Article 6 (1) (b) of the Regulation also appears behind the processing of ticket purchase data, since without processing the data provided for the purchase of tickets, InterTicket Kft. cannot sell the ticket to the customer. 

2.2. Ticket exchange

The process, purpose and person of the data processing

If the customer has bought a personal ticket and would like to hand it over a third person, he/she has the opportunity within the ticket exchange. 

InterTicket Kft. shall exchange the tickets at the request of the customer. 

In connection with the ticket exchange, the new ticket holder shall also be subject to the data processing procedures specified in the ticket purchase process, except that InterTicket Kft. shall not issue an invoice to the new ticket holder.

Duration of processing

The storage of the new ticket purchaser's personal data is governed by the provisions of the ticket purchase.

Legal ground of processing

The legal ground of processing for the exchange of tickets pursuant to Article 6 (1) (b) of the Regulation is the performance of a contract with a former ticket holder which includes the possibility of exchanging tickets. for the exchange of tickets pursuant to Article 6 (1) (b) of the Regulation is the performance of a contract with a former ticket holder which includes the possibility of exchanging tickets.

2.3. Forwarding of the ticket barcode to the Puskás Arena entrance system

The process, purpose and person of the data processing

It is the responsibility of InterTicket Kft. to forward the barcode of the ticket purchased to the Puskás Arena entrance system. The barcode itself does not contain any personal information, however, together with other data, InterTicket Kft. and MLSZ can identify who the customer of the bar code ticket is (in the case of a registered ticket sale).

Forwarding the barcode is essential because otherwise the valid tickets will not be recognized by the access system. 

Duration of processing

The barcode loses the quality of personal data when InterTicket Kft. InterTicket Kft. and MLSZ delete the personal data related to it. Cancellation is governed by the rules of ticket purchase.  

Legal ground of processing

The legal ground of processing is the fulfilment of the contract between InterTicket Kft. and the customer according to Article 6 (1) (b) of the Regulation, as without data transfer, entry cannot be ensured in case of a match entry system.

2.4. Transfer of reporting data to MLSZ

The process, purpose and person of the data processing

In the framework of data processing, MLSZ, as the organizer of the matches of the Hungarian national team, acts as data controller. Within the framework of data processing, MLSZ receives the data provided for the purchase of tickets in the system provided by InterTicket Kft., supplemented with the exact seating data.

The purpose of data processing is to enable the MLSZ, as the organizer of the match, to perform its duties of entry and secure organization as required by the Sports Act. 

Additionally, MLSZ's processing of data is required by UEFA Safety and Security Regulations sections 16.01, 16.02 and 16.03, which require MLSZ to have the personal data of ticket holders. 

MLSZ can identify the ticket holder based on personal data associated with the seat, be able to provide information to the incoming health care personnel in case of a medical emergency, and committing an offense or a crime, or in the event of a violation of the rules of the course, the processing of the data is also necessary for the filing of an accusation or action.

Duration of processing

Data processed for ticket sales will be deleted from the ticketing system three business days - unless the competent authority requires the MLSZ as the organizer to retain the data for an additional period of up to 30 days - after the match, and personal data will be deleted in accordance with legal requirements.  

Legal ground of processing

The legal ground of processing is the legitimate interest under Article 6 (1) (f) of the Regulation to be able, as organizer of the match, to perform its duties relating to the safe conduct of the match and, if necessary, to have information to conduct the necessary legal proceedings.

3. Data recipients, categories of recipients

Data controllers will not transfer personal data they process to anyone else unless they are required to do so by the authorities or make an accusation. The InterTicket Kft. forwards the barcode of the ticket to the operator of the Puskás Arena, who enters the barcode into the entry system. 

The Puskás Arena is operated by the National Sports Centres. 

Seat: 1146 Budapest, Hermina út 49., 

Tax number: 15598158-2-42 the InterTicket Kft. 

 

Data of the hosting provider of InterTicket Kft.:

Name of the hosting provider:	T-Systems Adatpark
Hosting provider address:	1087 Budapest, Asztalos Sándor u. 13.

 

In the case of MLSZ:

• the data controller related to the processing of data subject applications is the operator of mlsz.hu, the RelativeGROUP Kft. (seat: 2000 Szentendre, Tölgy utca 12.).
• the storage and filing tasks of your records of MLSZ performed by the PRIV-DAT Dokumentum Archiváló és Tároló Kft. (seat: 1211 Budapest, Weiss Manfréd út 5-7.),
• the data contained in the report database is stored on a server operated by Nádor Rendszerház Kft., locally on a server in the server room of Invitech Zrt. (seat: 1152 Budapest, Telek utca 7-9.; registration number: 01-09-074755; mailing address: 1152 Budapest, Telek utca 7-9.; email address: info@nador.hu; website: www.nador.hu).

 

4. Source of personal data

The data is provided by the data subject (or on behalf of the ticket purchaser or the legal representative of the fan), and the result of the SRNY query comes from the police led SRNY. Informing the customer of the processing of his/her personal data is done by means of a notice posted in the cashier. Informing the online customer is done by presenting the information available on adatvedelem.mlsz.hu.

In instances when the customer purchases tickets for a third person, users are notified of the availability of data processing information on the tickets.

5. Your rights in relation to processing

5.1. Where and how can you exercise your rights?

The data subject is entitled to exercise the rights listed in this policy against the person designated as data controller. If the InterTicket Kft. or MLSZ receives a request from a data subject in which it is not acting as data controller, it shall forward the request to the data controller and informing the data subject.

You may exercise your rights to InterTicket Kft. at the following contacts:

Complaint handling location and contact details:

1139 Budapest, Váci út 99. 6. emelet  +36-1-266-0000  jegy@jegy.hu  On workdays 10 am-4 pm

 

You may exercise your rights to MLSZ through the contact details listed in point 1, or the data subject may use the forms provided by the MLSZ, which you can access here.

5.2 The right to withdraw consent

You are entitled to withdraw your consent to processing at any time; in such case the data provided will be erased from our system. Please take into account that this right can only be exercised in the event of processing based on your consent.

5.3 Request for information and request for a copy (right of access)

You shall have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you are entitled:

• to gain access to the data processed (namely request a copy) and
• to be informed about the following:
• the purposes of the processing;
• the categories of your personal data processed;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed;
• the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you, and in case of a processing based on legitimate interest, you have the right to object to such processing;
• the right to lodge a complaint with the supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making (if any), including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

The purpose of the exercise of right may aim to assess and check the lawfulness of processing; therefore, in case of multiple requests for information, we may charge a reasonable fee for the fulfilment of the information requests.

We will provide you with an access to personal data in a form you ask which can be via email, by post or personal information.

5.4 Right to rectification

You shall have the right to obtain from us without delay the rectification of inaccurate personal data concerning you.

5.5 Right to restriction of processing

You shall have the right to obtain from us restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data (if there is no need for verification, we will not apply any restriction either);
• if the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead;
• we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; 
• you have objected to processing but it is based on our legitimate grounds (in this case, until the verification whether our legitimate grounds override yours, the processing must be restricted).

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

We will inform you about the lifting of restriction of processing in advance (at least 3 working days before the restriction of processing is lifted).

Please note that in some cases the restriction of processing might have other consequences and thus you might lose some benefits going with processing (e.g. purchasing tickets on the Internet, obtaining discounts for fans or even losing the right to enter the pitch as a player). We will inform you about these contingencies during the exercise of this right.

5.6 Right to erasure – right to be forgotten

You shall have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw your consent, and there is no other legal ground for the processing;
• you object to the processing based on legitimate interest, and there are no overriding legitimate grounds (namely legitimate interests) for the processing;
• the personal data have been unlawfully processed, and it has been established on the basis of the complaint;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.

If, for any legitimate ground, we have made your personal data public and we are obliged to erase them for any reason listed above, and by taking account of available technology and the cost of

implementation, we shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data (right to be forgotten). 

The erasure shall not apply to the extent that processing is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject (such case is, for example, the processing carried out during invoicing, since the storage of the invoice is required by law, or the compulsory registration of the sportsman, registration of the license);
• for the establishment, exercise or defence of legal claims (e.g. if we have a claim you have not fulfilled, or if the processing of a consumer complaint or a complaint against data processing is in progress).

5.7 Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on legitimate interest. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

5.8 Right to portability

If data processing is necessary for the performance of the contract or processing is based on your voluntary consent, you shall have the right to receive the data you provided for us in machine- understandable form which we will provide you in JSON or csv format; if it is technically feasible, you can ask to have the data transmitted in this form to another controller.

5.9 Remedies

If you think we have breached a legislative provision relating to the processing of personal data, or we have not executed your request for the termination of alleged unlawful processing of personal data, you may request an investigation procedure from the Hungarian National Authority for Data Protection and Freedom of Information (mailing address: 1363 Budapest, Pf.: 9., email: ugyfelszolgalat@naih.hu ). 

 

Furthermore, please note that you also have the right to bring a civil action in a court. 

 

6. Security of personal data

By using necessary access managing, internal organisational and technical solutions during the operation of IT systems, we ensure that unauthorised persons cannot take possession of your data, unauthorised persons cannot erase, save the data from the system or modify them. We also enforce the privacy and data security requirements against our processor.

We keep records of the personal data breaches; according to our procedure for managing breaches, if a breach under the Regulation happens, we will inform you (if possible) and the supervisory authority.

This Privacy Policy shall be valid from 28.07.2021.

Downloads

• guide_on_data_processing_for_ticket_sales_to_National_A_team_football_metches_in_Puskas_Arena_MLSZ_IT_20210728.pdf
• guide_on_data_processing_for_ticket_sales_to_National_A_team_football_metches_in_Puskas_Arena_MLSZ_IT_20191025.pdf

---