Privacy Notice

Effective date: 1st July 2018.


1. What is the purpose of this Privacy Notice?

This Notice was prepared for you by us, Barion Payment Inc. (hereinafter referred to as Service Provider or Barion), to summarise what we do with your personal data during the services we provide. Before you use our services, we would like you to know and clearly understand what happens to your data provided to us, what decisions you may make, and what rights you have in this connection.

We do not only do this because we are obliged by Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as Privacy Act) but also because we honestly believe that you being informed and able to make decisions is good for both you and us.

This Notice applies to all areas of services provided by Barion, including data processing on the www.barion.com website, in the secure.barion.com web application and through the Barion mobile application.

Please read this Notice, and do not hesitate to contact us if you have any questions.

2. Who are we?

Barion Payment Inc., an electronic money institution supervised by the National Bank of Hungary. Our services are based on the innovative opportunities provided by electronic money:

  • you can pay to others through the internet, on your mobile: even to a merchant or to each other
  • as a merchant you can accept payments through the internet, on a mobile phone and in your shop
  • you can even do all this with your bank card, even if you do not have a Barion wallet
  • you can pay by Barion for parking as well
  • through the structure of our advertising division we interconnect merchants and customers, so we offer personalised advertisements to help you easily find what you are interested in or looking for.

We are driven by the following when we process your data:

  • We protect your data with the same degree of care as we do in the case of your money held by us.
  • We ensure complete transparency in relation to the processing of your data. We want you to know and understand what happens to your data.
  • Just like your money, we shall not forward your data to any party, except if you or the laws expressly allow us to do so.
  • We want both of us to be satisfied: you receive the service you want and we only use your data for this in a fair manner, and we shall be capable of providing this service for you so that it is commercially profitable and successful.

We process your personal data in our capacity as a data controller. This means that we define the purpose and means of processing your personal data on the basis and in the interest of those described above.

3. Whose data is processed?

The data of anybody who uses our service described in Section 2, i.e.:

  • who registers and has a Barion wallet
  • who does not register and does not have a Barion wallet but pays by bank card at merchants who accept bank card payment via Barion.

Therefore, this Notice applies to both our registered and non-registered customers.

Barion services shall not be used by children under the age of 16, and thus we do not process their data.

4. Do we process your data even if you do not have a Barion wallet, you did not register but pay by bank card?

Yes, we do, as described in Section 3. If you shop and pay by bank card at a merchant who accepts bank card payment through Barion, then you also use our service and are our customer in relation to such bank card payment. Of course, in this case we process much less of your data, since you have not registered with us: we only process your data related to the bank card payment as provided by you or the merchant.

What are these categories of data?

Data you directly provide us with:

  • Identification and contact data (e.g. e-mail)
  • Bank card details provided during bank card payment (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant so that we can perform the payment and the information related to it:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the bank card payment transaction:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Such data is processed for the same reasons and with the same references as the data of customers who have Barion wallets. You can read about these in Section 5.

There is one more purpose in your case: we offer you the convenience service of connecting the payment transactions to your Barion wallet if you register in the future. This is based on our legitimate interest about which you can find details in Section 6.b). You shall be entitled to object to this data processing, so we shall process your data for this purpose until your future registration or your objection.

5. For what purpose and under what legal basis do we process your data?

What does this purpose mean?

It specifies the activity or the purpose for the execution or, respectively, achievement of which we use your data during our services.

What does the legal basis mean?

The legal basis means on what ground the data protection regulations allow us to process your data in order to execute this purpose.

Generally, we process your data so that you can use the services described in Section 2 and we can provide you with those. This is still too general, so let us summarise for you on the basis of what specific purposes and legal bases we work within that.

In the event that your data is required for the contract and, within that, for the provision of a specific service, then you cannot use the given service without this data.

For example: Your e-mail address and a password are required for registration – without this, you cannot create a Barion account. If you want to park, you must give the registration number of the car and the parking zone, otherwise you cannot use the parking service.

In the event that the data processing is based on legal regulations, i.e. it is required for performing our legal obligation and you do not provide us with it, then you cannot use our service either. For example: if you are not identified in terms of money laundering due to the lack of data then we cannot provide you with the service.

You must know that we can process one certain piece of your data for several purposes and under several legal bases, for example: we process your e-mail address for the provision of services, for improving the services, but we also process it for fraud prevention purposes, customer complaint management and the provision of personalised advertisements. Thus, it may happen that our contract has already been terminated, you have terminated your Barion wallet, but we still process certain data of yours because it is necessary for other purposes.

5.1 For the preparation and provision of the service you wish to use:

What is this purpose?

Anything that happens during the preparation and performance of the agreement related to our service. This depends on whether you have registered or you pay without registration.

In case of registered customers:

For example registration, creating a Barion wallet, issuing e-money, withdrawal of e-money, e-money transactions, bank card payment, payment of parking, giving account information, creating an acceptor.

These include convenience services which are only available to you if you expressly request them after registration. Obviously, you can also request them to be stopped any time. This includes, for example, the storing of bank card numbers.

In case of non-registered customers:

Preparation and performance of payment by bank card.

What is our legal basis?

Preparation and performance of the contract.

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant so that we can perform the payment and the information related to it:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time).

5.2 Development and personalisation of our website and our services, development of new products, in order to improve and personalise the user experience:

What is this purpose?

We develop our services and products on the one hand to meet the expectations of our customers and the market, and to keep them competitive, while we make efforts to personalise them on the other hand so that they meet your personal expectations, interests and preferences. This applies to any channel through which you can reach us: website, application, customer service.

What is our legal basis?

Our legitimate interest as per Section 6.b).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.3 For the safety and integrity of your data and our services

What is this purpose?

Identification of customers, and the protection and integrity of the customer moneys and data we handle as well as that of the Barion system and Barion services. We aim to protect the money and personal data provided to us by you and our customers and prevent them from unauthorised access or theft. In order to do so, we take all necessary technical and other measures. And during this, we also process your data.

What is our legal basis?

Our legitimate interest as per Section 6.c).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.4 To provide personalised advertisements matching your interest

What is this purpose?

Through the structure of our advertising division we display personalised advertisements matching your interest. We do this so that you can see advertisements you are interested in or you are looking for, and thus we would like to make it easier for you to find the content that is relevant for you. This may take place in your Barion wallet or the application or on the websites of other third parties.

What is our legal basis?

Our legitimate interest as per Section 6.h).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Information provided by the device you use if you have accepted the use of cookies. You can find more information in the Cookie Notice.

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.5 Risk management and fraud prevention related to our services

What is this purpose?

In order to identify the risk of abuse of the operation of Barion and customer moneys we operate a risk management and fraud prevention monitoring system. We try to reduce financial losses arising from bank card abuse and other risks and to identify fraudsters. In other words, we protect everyone’s money: your money on your bank card or the money you have placed to us, and the money of our merchants as well as our own money.

What is our legal basis?

Our legitimate interest as per Section 6.d).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

By the use of cookies:

  • browser fingerprint

Data we receive from the fraud monitoring service provider:

  • Risk rating

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.6 For invoicing and accounting

What is this purpose?

On the basis of accounting, taxation and other regulations applicable to us we are obliged to issue invoices for our service fees, enter the invoices and receipts received and issued by us in the accounts, and meet the relevant accounting regulations. The invoices and documents constituting the basis of accounting may contain personal data.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

Data you directly provide us with:

  • E-mail address, invoicing data
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.7 For customer complaint management

What is this purpose?

As an electronic money issuer institution we are obliged to meet customer complaint management regulations. In addition to this, it is also in our interest that in case you have a complaint, we shall manage it as efficiently as possible, in a manner that is reassuring for you. You have the opportunity for this via e-mail, phone or personally. We shall record your call at the call centre.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

Data you directly provide us with in your complaint:

  • E-mail address and other personal identification data, if you provide them
  • Data provided by you in the customer complaint and required for the inspection of the customer complaint
  • Audio recording in case of customer complaint received on the phone

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.8 Management of chargeback claims in case of bank card payment/top up

What is this purpose?

In case of bank card payment the bank card companies and the issuing banks allow card owners to contest the legitimacy of the transaction performed with their bank card in the event that the merchant where the purchase took place did not perform the contract (e.g. did not ship the goods ordered). At us, such an event may take place in the event of bank card payments at a merchant or bank card top up, in case of both registered and non-registered customers. In such case we obtain all the details of the purchase from the merchant which we forward to our acquirer. This way we can identify unfounded chargeback claims and avoid that our acquirer enforces the amount thereof against us and the merchant.

What is our legal basis?

Our legitimate interest as per Section 6.f).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data related to payment (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
  • Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.9 For the prevention of money laundering and terrorist financing

What is this purpose?

As an electronic money institution we are obliged to observe and meet regulations on the prevention of money laundering and terrorist financing. On the basis of this, in case of reaching certain value limits, we are obliged to identify you on the basis of your personal identification documents and we must continuously monitor your transactions, payments and withdrawals in Barion. In order to do so we also operate a monitoring system.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

Data you directly provide us with:

  • Your personal identification data required by law (e.g. name, place and date of birth, mother’s name, identification documents and copy thereof)
  • Your identification and contact details given during registration or later (e.g. e-mail, password, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant so that we can perform the payment and the information related to it:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.10 Preparation of statistics

What is this purpose?

Preparation of statistics about the use of our website, mobile application and services.

What is our legal basis?

Our legitimate interest as per Section 6.g).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.11 To enforce our rights and claims

What is this purpose?

Certain claims (e.g. for damages) may be raised against the other party even before a court of justice for a certain period of time even after our agreement has been terminated. This period is currently 5 years in Hungary. Therefore, if our agreement has been terminated, you or we may wish to enforce a claim on the basis of the agreement. These cases may include, for example, that you have a claim for damages because we did not execute withdrawal properly and we transferred the money to a bank account other than what you specified. We can only inspect this or prove the opposite if the data is available.

What is our legal basis?

Our legitimate interest as per Section 6.a).

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data related to payment (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
  • Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

5.12 For direct marketing and sending newsletters:

What is this purpose?

We shall directly contact you in order to promote products and services offered by Barion, or to promote products and services offered by third parties, or with personalised offers via e-mail, messages sent to your Barion account, mail or phone. We shall send you newsletters for the same purpose. We shall do all these if you have given your consent.

What is our legal basis?

Your consent.

What are the categories of data we use for this?

Data you directly provide us with:

  • Your identification and contact details given during the registration or later (e.g. e-mail, password, home address, identification document numbers, phone number).
  • Data given during the issuance and withdrawal of e-money (e.g. bank account number)
  • Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
  • Technical data (e.g. IP address)

Data we receive from the merchant:

  • Purchase data related to payment (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
  • Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name)

Data generated during the use of the Barion wallet, the transactions, issuing or withdrawing e-money:

  • Transaction data (e.g. payment transaction identifiers, date, content)

Special rules of parking:

  • data provided by you in relation to parking (e.g. registration number, parking zone, time)

6. What is legitimate interest? What can you do in this case?

Legitimate interest was referred to in the previous section several times. When we process data with reference to legitimate interest, we take the following interests into consideration:

  a) Enforcement of our rights and claims: Claims arising from any potential breach of contract shall lapse after 5 years under the relevant statute of limitations; that is, rights may be lawfully enforced – either by or against us – within five years of the termination of the contract concluded between us. Therefore, the data processed under the contract for the provision and performance of services shall be retained for 5 years following the termination of the contract concluded between us, in order to enforce such claims or to ensure lawful defence against such enforcement of claims.
  b) Development and personalisation of our services, development of new products, the improvement and personalisation of user experience: The development and improvement of our services and the user experience is essential to maintain quality services, retain customers and gain new customers.
  c) The safety and integrity of your data and our services: As an electronic money institution, we are obliged not only by the provisions of the GDPR but also by legal regulations and the regulations of the National Bank of Hungary (as the supervisory body) to take all necessary organisational, technical and other measures to securely retain the money of our customers and the data processed by us. In addition to this, it is the fundamental and major interest of our company as well as our customers to take all measures in order to protect your money and data from potential misuse or unauthorised use.
  d) Risk management and fraud prevention related to our services: As an electronic money institution we are also obliged by legal regulations and the regulations of the National Bank of Hungary as the supervisory body to maintain a risk management and monitoring system to manage the risks related to our activity. In addition to this, it is the fundamental and major interest of our company as well as our customers to take all measures in order to protect your money from potential fraud and risks.
  e) Registration of customers withdrawing consent or objecting to data processing: In order to be able to fulfil your request and not to address you with data processing activities which you have banned (e.g. direct marketing, personalised advertisements), this needs to be recorded.
  f) Management of chargeback claims in case of bank card payment/top up: To allow us and the merchant to contest the chargeback claims enforced by the acquirer against us in a well founded manner, the data and documents related to the transaction available to us and the merchant, certifying the contractual performance of the purchase and the order, shall be obtained. This way we and the merchant are able to lawfully act against unfounded chargeback claims.
  g) Preparation of statistics: The development and improvement of our services and the user experience is essential to maintain quality services, retain customers and gain new customers. We need to prepare statistics for this about the use of our website, our mobile application and our services.

When we refer to legitimate interest during data processing, you shall be entitled to object to our data processing. In the event, however, that we prove that the above reasons for data processing are compelling reasons that override your interests and rights or are related to the establishment, exercise or defence of legal claims, then we shall be allowed to continue data processing. In our opinion the above cases (a) to g)) belong to this scope.

  h) Providing personalised advertisements matching your interest: Through the structure of our advertising division we display personalised advertisements matching your interest. We ensure the profitable operation of our advertisement division through this, and we can provide our other services at low prices or free of charge to you and our customers.

In this case you also shall be entitled to object to data processing and we shall not process your data any longer for this purpose. We shall display advertisements in your Barion wallet or the application or on the websites of other third parties also after this, but not in a personalised manner matching your interest.

7. How long is your data processed?

Your personal data shall be processed exclusively for the above purposes, and only for the time necessary for those purposes. After that, the data shall be securely deleted.

What does the necessary time mean?

The period of time depends on what purpose and legal basis your data is processed.

Generally, your data is processed in order to provide our services, thus we process your data provided to us until the performance thereof but no later than the termination of our contract. We can only deviate from this if the processing of your data is required for other purposes as well. What are these cases from the ones listed in Section 5:

  • We shall fulfil legal obligations: in such case we comply with the provisions of the legal regulation:
    Invoicing, accounting – 8 years following the termination of contract
    Customer complaint management – 5 years
    Prevention of money laundering and terrorist financing – 8 years following the termination of contract
  • Processed on the basis of legitimate interest: In such case, we shall process your data as long as our legitimate interest exists and the data processing purpose is executed on the basis of that. If you successfully object to data processing, then until your objection. For more detailed information, see Section 6.
  • Processed on the basis of your consent: You shall be entitled to withdraw your consent any time. If you withdraw your consent, we shall delete your data.

8. Who do we share your data with?

We shall only forward your data provided to us to any third party:

  • if you have consented to it
  • in order to perform the contract or if it is necessary for our legitimate interest
  • if we are obliged to do so by law.

Our data processors

Our data processors are our contracted partners who cooperate with us in providing our services. It means that in these cases they act on behalf of us, following our decisions and we are still responsible for the data processing. They shall not use your data independently; if our contract with them is terminated, they shall ensure the deletion of the data. In each such case we shall take care that the given data processor shall execute proper technical and organisational measures to preserve the security of data. Such control mechanism is amongst others the restriction of access to the data and the infrastructure storing the data as well as the agreement concluded with them obliging them to observe the relevant legal regulations. Given that we work as a payment service provider, we shall also meet the strict requirements set forth by law and the National Bank of Hungary on outsourcing in the case of data processors.

Our data processor partners:

  • The secure servers of Barion are operated by Sense/Net Inc. with 22 years of experience, and they also take part in customer service tasks.
    Address of data processor: H-1117 Budapest, Infopark sétány 1. I. épület 5. emelet 5, Hungary
  • Bank card fraud prevention is performed by SEON Technologies Ltd.
    Address of data processor: H-1136 Budapest, Pannónia utca 32, Hungary
  • The customer service call centre is operated by Minerva-Soft Development and Services Limited Liability Company.
    Address of data processor: H-3900 Szerencs, Lipták út 1/a, Hungary
  • In-Voice Control Limited Liability Company cooperates with us in performing our accounting tasks.
    Address of data processor: H-1046 Budapest, Leiningen Károly utca 16/B, Hungary
  • KBOSS.hu Commercial and Services Limited Liability Company (widely known name: szamlazz.hu) cooperates with us in issuing e-invoices for mobile parking.
    Address of data processor: H-1031 Budapest, Záhony utca 7, Hungary

Other data transfer

Our banking partners:

Bank card payment and top up

In case of payment and top up by bank card, your data shall be transferred to the acquirer in order to perform the contract.

In relation to chargeback claim management, data is also transferred to them in accordance with the provisions of Section 5.8 for the protection of our legitimate interest and that of the merchant.

However, the acquirer shall not qualify as our data processor because it shall be entitled to dispose of the data independently in accordance with the provisions of the contracts concluded by the bank card owner with their own bank. Data processing by our acquirer partner as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Withdrawal:

The withdrawal of e-money shall take place via bank transfer. Thus, in order to perform the contract, we transfer your data provided in the withdrawal order to our bank holding our escrow account to allow it to perform the bank transfer. However, it shall not qualify as our data processor because it shall be entitled to dispose of the data independently. Data processing by the bank holding our escrow account as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Parking:

Mobile parking is provided as a public service by National Mobile Payment Plc. as an integrator under the relevant laws. The parking opportunity is offered to you by us as their reseller. When you park with Barion, we shall transfer your data related to parking to National Mobile Payment Plc. in order to perform the contract. However, it shall not qualify as our data processor because it shall be entitled to dispose of the data independently. The processing of data by National Mobile Payment Plc. as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Experts required for prudent operation:

We are obliged by law to employ an auditor and an internal auditor. These experts also ensure that our activity complies with legal regulations. We may transfer personal data to them in order to allow them to perform their work. However, the auditor and the internal auditor shall not qualify as our data processors because they shall be entitled to dispose of the data independently on the basis of the legal regulations and professional provision applicable to them.

Attorney at law required for the enforcement of rights and the performance of liabilities:

In some cases we need legal expertise and consultancy during the operation of Barion for which we use an external attorney at law. Most frequent cases: we must inspect a customer complaint, we enforce a claim, or there is a legal dispute between us. We may transfer personal data to them in order to allow them to perform their work. However, the attorney at law shall not qualify as our data processor because they shall be entitled to dispose of the data independently on the basis of the legal regulations and professional provision applicable to them.

Legal obligation

We may transfer your data to third parties if we are obliged by law to do so. We are obliged by law to perform such data transfer to the National Bank of Hungary, police investigation bodies and other authorities, as well as to our escrow account holding bank in order to prevent money laundering and terrorist financing; and we may check your personal data in the personal data and address register.

9. How do we protect your data?

Your personal data is processed by the same software which processes your money and bank card details, therefore your data is as safe as your money.

Since the protection of personal data is of key importance, together with our server supply partner we have developed a security system which protects your data not only from the pirates of the internet (hackers) but also from the employees of Barion itself, from terror attacks and natural disasters. For example, encryption is used in such a way that no employee of Barion can alone access the secret key which allows for the decryption of card data.

Our team with 22 years of experience in operation developed a thoroughly documented and regulated information technology system in compliance with the regulations of the National Bank of Hungary, meeting the COBIT standard.

In addition to this, since we also process bank card data, our company complies with PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS has been developed by Visa, MasterCard, Amex, JCB and Discover, and every stakeholder on the bank card market follows this standard today. In compliance with the standard, we do not store the secret code on the back of the card (CVC).

Some examples of the safety measures:

  • Two persons are required simultaneously to access the server. Not even the chief executive officer or the technical director of the company alone has access to the server storing confidential information, in particular card data, so the data cannot be obtained from our employees by blackmail or threat.
  • Fingerprint admission system to the room of the system developers
  • Not even the developers have access to the live servers
  • Card data is stored in an encrypted database, not recorded elsewhere, not even entered into logs
  • Each key pressed, as well as the screen, is recorded during access to the servers, therefore we can monitor our colleagues at all times
  • Our servers are protected by a firewall and other protection software
  • Our networks and servers are protected by anti-virus software
  • We use 2048-bit HTTPS encryption

10. What rights do you have and what decisions can you make?

You have several data protection rights so that you can learn what happens to your data and you can influence that.

Right of access in relation to data processing:

You can request information through our contact points at any time on how we process your personal data, in particular about the scope, purpose and duration of data processing, the source of the data and who we share such data with, as well as your data protection rights. Requesting such information is free of charge; however, in case of repeated requests regarding the same set of data, we shall be entitled to charge the costs.

Right to rectification of data:

In the event that the data processed by us are incorrect, you may request the rectification of your data.

Right to erasure:

You may request us to erase your data if

  • the purpose of data processing has terminated
  • the data was processed on the basis of your consent, you have withdrawn your consent, and we have no other legal ground for the processing
  • we processed your data on the basis of our legitimate interest and you successfully objected to it
  • the data processing is unlawful
  • erasure is prescribed by law
  • it is related to internet services provided to children
  • it was ordered by the court of justice or the National (Hungarian) Authority for Data Protection and Freedom of Information

Right to restriction of data processing:

You may request us to restrict data processing if

  • you contest the accuracy of the data
  • the data processing is unlawful, but you oppose erasure
  • the purpose of data processing has terminated but you need it for the exercise or defence of your legal claims
  • you have objected to data processing, pending the verification whether our legitimate grounds override yours.

Right to withdraw consent:

In the event that data processing took place on the basis of your consent, you may withdraw your consent at any time. Our data processing prior to your withdrawal remains lawful since your consent was valid at that time.

As mentioned above, we may process the same data for several purposes and on several legal grounds simultaneously. If you withdraw your consent we shall not process your data for the purpose based on your consent. However, we may continue processing your data for other purposes (e.g. performing legal obligations or our legitimate interest).

Right to object:

When we refer to legitimate interest during data processing, you shall be entitled to object to our data processing. In the event, however, that we prove that our reasons for data processing are compelling reasons that override your interests and rights or are related to the establishment, exercise or defence of legal claims, then we shall be allowed to continue data processing.

Right to data portability:

If we process your data because you have given your consent or because we need it to perform our contract and we perform automated data processing, you may request us to transfer the data processed by us to you. We shall not prevent you from transferring such data to any other data controller. Moreover, we shall transfer it to such data controller upon your request.

If you wish to learn more about your data protection rights, you can find the relevant detailed rules in Articles 15 - 21 of the GDPR.

11. How can you contact us?

Our official contact information:

Registered seat: H-1117 Budapest, Infopark sétány 1. I. épület 5. emelet 5, Hungary

Court of registration: Company Registry Court of the Budapest-Capital Regional Court

Company registration number: 01-10-048552

VAT number: 25353192-2-43

Community VAT number: HU25353192

Number of licence of operation: H-EN-I-1064/2013

Electronic money institution identifier: 25353192

Represented by: Sándor Kiss, Chief Executive Officer, Chairman of the Board of Directors

If you have any questions or complaints regarding the processing of your data by us or our Privacy Notice, please contact our data protection officer at the following contact points:

Contact information of our data protection officer:

dr. Botond Noszlopi

Barion Payment Inc.

Address: H-1117 Budapest, Infopark sétány 1. I. épület 5. emelet 5, Hungary

E-mail: [email protected]

Phone: +36 1 464 70 99

12. Where can you make a complaint?

First of all, contact us and our data protection officer at the contact points provided in Section 11.

We shall make efforts to reply to your complaint according to our best knowledge as soon as possible but within 1 month at the latest. We may extend the term for reply by 2 months if necessary.

If you have made a complaint and you are not satisfied with our response, or we have refused your request, or you believe that your data protection rights have been otherwise violated, you can submit your complaint or request to the following places:

  • National (Hungarian) Authority for Data Protection and Freedom of Information
    (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, Hungary; phone: +36-1-391-1400; e-mail: [email protected])
  • The court of your permanent or temporary place of residence.