Section 5 of this Notice details the right to object which is applicable in the case of data processing operations performed based on legitimate interest.

1. What is the purpose of this Privacy Notice?

This Notice was prepared for you by us, Barion Payment Inc. (hereinafter referred to as Service Provider or Barion), to summarise what we do with your personal data during the services we provide. Before you use our services, we would like you to know and clearly understand what happens to your data provided to us, what decisions you may make, and what rights you have in this connection.

We do not only do this because we are obliged by Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as Privacy Act) but also because we honestly believe that you being informed and able to make decisions is good for both you and us.

This Notice applies to all areas of services provided by Barion, including data processing on the www.barion.com website, in the secure.barion.com web application and through the Barion mobile application. Furthermore, this Notice applies to users visiting the website of merchants who use Barion Smart Gateway.

Please read this Notice, and do not hesitate to contact us if you have any questions.

3. Who are we?

Barion Payment Inc, an electronic money institution supervised by the National Bank of Hungary. Our services are based on the innovative opportunities provided by electronic money:

• you can pay to others through the internet, on your mobile: even to a merchant or to each other
• as a merchant you can accept payments through the internet, on a mobile phone and in your shop
• you can even do all this with your bank card or bank transfer, even if you do not have a Barion Wallet
• you can pay by Barion for parking or purchase vignette as well
• through the structure of our advertising division we interconnect merchants and customers, so we offer personalised advertisements to help you easily find what you are interested in or looking for.

We are driven by the following when we process your data:

• We protect your data with the same degree of care as we do in the case of your money held by us.
• We ensure complete transparency in relation to the processing of your data. We want you to know and understand what happens to your data.
• Just like your money, we shall not forward your data to any party, except if you or the laws expressly allow us to do so.
• We want both of us to be satisfied: you receive the service you want and we only use your data for this in a fair manner, and we shall be capable of providing this service for you so that it is commercially profitable and successful.

We process your personal data in our capacity as a data controller. This means that we define the purpose and means of processing your personal data on the basis and in the interest of those described above.

2. Whose data is processed?

The data of anybody who uses our service described in Section 2 i.e.:

• who registers and has a Barion Wallet
• who does not register and does not have a Barion Wallet but pays by bank card or bank transfer at merchants who accept bank card payment via Barion.

The data of anybody who visits www.barion.com website or the website of merchants who use Barion Smart Gateway (hereinafter referred to as: Website visitor). We use cookies on these websites which is detailed in our Cookie Notice ( https://www.barion.com/de/informationen-zu-cookies/).

Therefore, this Notice applies to both our registered and non-registered customers, and website visitors.

Barion services shall not be used by children under the age of 16, and thus we do not process their data.

4. Do we process your data even if you do not have a Barion Wallet, you did not register but pay by bank card or bank transfer?

Yes, we do, as described in Section 3. If you shop and pay by bank card at a merchant who accepts bank card payment or bank transfer through Barion, then you also use our service and are our customer in relation to such bank card payment or bank transfer. Of course, in this case we process much less of your data, since you have not registered with us: we only process your data related to the bank card payment or bank transfer as provided by you or the merchant.

What are these categories of data in general?Data you directly provide us with:

• Identification and contact data (e.g. email)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive from the merchant so that we can perform the payment and the information related to it:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the bank card or bank transfer payment transaction:

• Transaction data (e.g. payment transaction identifiers, date, content)

In general, such data are processed for the same purposes and based on the same legal basis as the data of customers who have Barion Wallets. You can read about these purposes and legal basis in Section 5. Naturally, those data processing purposes which relate to services exclusively for registered users do not apply to you. For certain purposes the above categories of data may be supplemented by further data categories also described in Section 5.

We want you to know that we provide our registered customers with the convenience service to connect their payment transactions performed before registration, as non-registered customers to their Barion Wallet after registration. This is based on our legitimate interest about which you can find details in Section 6.b). You may find detailed information on this service in Section 5.11.

5. For what purpose and under what legal basis do we process your data?

What does this purpose mean?It specifies the activity or the purpose for the implementation or, respectively, achievement of which we use your data during our services and operation.

What does the legal basis mean?The legal basis means on what ground the data protection regulations allow us to process your data in order to implement this purpose.

Generally, we process your data so that you can use the services described in Section 2 and we can provide you with those. This is still too general, so let us summarise for you on the basis of what specific purposes and legal bases we work within that.

In the event that your data is required for the contract and, within that, for the provision of a specific service, then you cannot use the given service without this data.

For example: Your email address and a password is required for registration – without this, you cannot create a Barion account. If you want to park, you must give the registration number of the car and the parking zone, otherwise you cannot use the parking service.

In the event that the data processing is based on legal regulations, i.e. it is required for performing our legal obligation and you do not provide us with it, then you cannot use our service either. For example: if you are not identified in terms of money laundering due to the lack of data then we cannot provide you with the service.

You must know that we can process one certain piece of your data for several purposes and under several legal bases, for example: we process your email address for the provision of services, for improving the services, but we also process it for fraud prevention purposes, customer complaint management. Thus, it may happen that our contract has already been terminated, you have terminated your Barion Wallet, but we still process certain data of yours because it is necessary for other purposes.

When we refer to legitimate interest during data processing, you have the right to object to our data processing (Right to object). In the event, however, that we prove that our reasons for data processing are compelling reasons that override your interests and rights or are related to the establishment, exercise or defence of legal claims, then we shall be allowed to continue data processing.

5.1 The preparation and provision of the service you wish to use:

What is this purpose?

Anything that happens during the preparation and performance of the agreement related to our service. This depends on whether you have registered or you pay without registration.

For registered customers:

For example registration, creating a Barion Wallet, issuing e-money, withdrawal of e-money, e-money transactions, bank card payment, payment of parking, giving account information, creating a shop.

These include convenience services which are only available to you if you expressly request them after registration. Obviously, you can also request them to be stopped any time. This includes, for example, the storing of bank card numbers.

For not registered customers:

Preparation and performance of payment by bank card or bank transfer.

What is our legal basis?

Preparation and performance of the contract.

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive fromthe merchant so that we can perform the payment and the information related to it:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawinge-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

By the use of cookies:

• data collected with authentication and work session cookies (see Cookie Notice)

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data listed in Section 4 and data collected with authentication and work session cookies (see Cookie Notice).

5.2 Improvement of our website, our services and the user experience, development of new products:

What is this purpose?

We develop our services and products to meet the expectations of our customers and the market, and to keep them competitive. This applies to any channel through which you can reach us: website, application, customer service.

What is our legal basis?

Our legitimate interest under Section 6.b).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data listed in Section 4.

5.3 The safety and integrity of your data and our services

What is this purpose?

Identification of customers, and the protection and integrity of the customer moneys and data we handle as well as that of the Barion system and Barion services. We aim to protect the money and personal data provided to us by you and our customers and prevent them from unauthorised access or theft. In order to do so, we take all necessary technical and other measures. And during this, we also process your data.

What is our legal basis?

Our legitimate interest under Section 6.c).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

By the use of cookies:

• data collected with authentication and work session cookies (see Cookie Notice)

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data collected with authentication and work session cookies (see Cookie Notice) and data listed in Section 4, except for data provided during bank transfer payment and data necessary for the completion of bank transfer, as well as data created during payment transaction performed by bank transfer.

5.4 Risk management and fraud prevention related to our services

What is this purpose?

In order to identify the risk of abuse of the operation of Barion and customer moneys we operate a risk management and fraud prevention monitoring system. We try to reduce financial losses arising from bank card abuse and other risks and to identify fraudsters. In other words, we protect everyone’s money: your money on your bank card or the money you have placed to us, and the money of our merchants as well as our own money.

What is our legal basis?

Our legitimate interest under Section 6.d).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

By the use of cookies:

• your device’s fingerprint
• browsing and purchasing habits on the website:
• viewing of a website and its order within one visit
• viewing of one product site, selection of a product category, clicking on the details of a product
• clicking on a product, its selection, its placement to the shopping cart or removal therefrom
• entering the product’s name in the search engine, selection and modification of one characteristic of the product
• confirmation of the purchase
• launching of the selected payment method, payment process
• clicking on an offer, promotion within the website
• log-in as registered user or registration as new user, subscription to the newsletter
• registered data of the user in an encrypted form
• identifier of the Barion user and its identifier of the session spanning through the websites of merchants who use Barion Smart Gateway, and its timestamps
• Google Analytics user identifier and session identifier. Apart from the identifier, no other data comes into our possession.
• operating system and its language setting, type of browser
• public visitor IP-address seen on the visited website and its location

Data we receive from the fraud monitoring service provider:

• Risk rating

For not registered customers: Data collected with the use of cookies listed above in section 5.4 and risk rating received from the fraud monitoring service provider, as well as data listed in Section 4, except for data provided during bank transfer payment and data generated during payment transaction performed by bank transfer.

For website visitors, regardless whether they are our customers or not: Data collected with the use of cookies listed above in Section 5.4.

You may find further information on cookies in the Cookie Notice (https://www.barion.com/de/informationen-zu-cookies/).

Automated decision-making:

We use data collected with the use of cookies for risk analysis and assessment for fraud prevention purposes, and such use is based on automated decision-making. As a result of this we consider certain payment transactions as suspected fraudulent transactions, the completion of which we refuse or make subject to additional conditions.

During automated decision-making the following logic is used:

During risk analysis we evaluate the risks of a given transaction with real-time scoring method. During scoring, certain characteristics and circumstances receive different scores whereby we also take into account fraud patterns. Based on the result of scoring, the transaction is classified as low, medium or high-risk transaction.

You have the following rights related to automated decision-making:

1. a) you may request not to be subject to such decision;
2. b) you may request intervention of a person with the appropriate competence and powers in order to supervise and eventually revise the decision-making;
3. c) you may express your opinion concerning decision-making based on automated data processing; and
4. d) you may lodge an objection against the decision with us.

You may do this here: https://www.barion.com/de/support/i-have-a-complaint/.

5.5 Invoicing and accounting

What is this purpose?

On the basis of accounting, taxation and other regulations applicable to us we are obliged to issue invoices for our service fees, enter the invoices and receipts received and issued by us in the accounts, and meet the relevant accounting regulations. The receipts and documents constituting the basis of accounting may contain personal data.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• email address;
• name, address.

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• transaction data;
• last 4 digits of the card used in the case of bank card payment/top up;
• amount of fees;
• Balance of the Barion account.

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you: email address, address, invoicing name and address, registration plate, parking zone, date and time, fee category of the e-vignette, amount of the fee for parking/purchase of vignette, identifier of the parking transaction.

For non-registered customers we do not perform services subject to a fee or services which may be subject to invoicing obligation.

5.6 Customer complaint management

What is this purpose?

As an electronic money institution we are obliged to meet customer complaint management regulations. In addition to this, it is also in our interest that in case you have a complaint, we shall manage it as efficiently as possible, in a manner that is reassuring for you. You have the opportunity for this via email, phone or personally. We shall record your call at the call center.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with in your complaint:

• Email address and other personal identification data, if you provide them (such as name)
• Data provided by you in the customer complaint and required for the inspection of the customer complaint
• Voice recording in case of customer complaint received on the phone

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers:

Data you directly provide us with in your complaint:

• Email address and other personal identification data, if you provide them (such as name)
• Data provided by you in the customer complaint and required for the inspection of the customer complaint
• Voice recording in case of customer complaint received on the phone

5.7 Processing of chargeback claims in the case of bank card payment/top up

What is this purpose?

In case of bank card payment the bank card companies and the issuing banks allow card owners to contest the legitimacy of the transaction performed with their bank card via his or her bank in the event that the merchant where the purchase took place did not perform the contract (e.g. did not ship the goods ordered). If the objection of the card holder is well founded and successful, he or she is entitled to the chargeback of the amount paid by bank card. At us, such an event may take place in the event of bank card payments at a merchant or bank card top up, in case of both registered and non-registered customers. In such case we obtain all the details of the purchase from the merchant which we forward to our acquirer. This way we can identify unfounded chargeback claims and avoid that our acquirer enforces the amount thereof against us and the merchant.

What is our legal basis?

Our legitimate interest under Section 6.f).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name) we receive from the merchant, and data listed in Section 4, except for data provided during bank transfer payment, data necessary for performance of bank transfer and data generated during payment transaction performed by bank transfer.

5.8 The prevention of money laundering and terrorist financing

What is this purpose?

As an electronic money institution we are obliged to observe and meet regulations on the prevention of money laundering and terrorist financing. On the basis of this, in case of reaching certain value limits, we are obliged to identify you on the basis of your personal identification documents and we must continuously monitor your transactions, payments and withdrawals in Barion. In order to do so we also operate a monitoring system. If necessary, we are obliged to report suspicious transactions to the competent authorities.

What is our legal basis?

Our legal obligation

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your personal identification data required by law (e.g. name, place and date of birth, mother’s name, identification documents and copy thereof)
• Your identification and contact details given during registration or later (e.g. email, password, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive from the merchant so that we can perform the payment and the information related to it:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

Data generated during online customer identification:

• Video recording on online customer identification.

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data listed in Section 4.

5.9 TPreparation of statistics

What is this purpose?

Preparation of statistics about the use of our website, mobile application and services.

What is our legal basis?

Our legitimate interest under Section 6.g).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

By the use of cookies (if you have consented to the use of cookies):

• Usage of website and application

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data listed in Section 4. and the website and application usage information collected by the use of cookies (if you granted your consent to the use of cookies).

For website visitors, regardless whether they are our customers or not: information about the use of the website, provided that you granted your consented to the use of the cookie.

5.10 To enforce our rights and claims

What is this purpose?

Certain claims (e.g. for damages) may be raised against the other party even before a court of justice for a certain period of time even after our agreement has been terminated. This period is currently 5 years in Hungary. Therefore, if our agreement has been terminated, you or we may wish to enforce a claim on the basis of the agreement. These cases may include, for example, that you have a claim for damages because we did not carry out withdrawal properly and we transferred the money to a bank account other than what you specified. We can only inspect this or prove the opposite if the data is available.

What is our legal basis?

Our legitimate interest under Section 6.a).

What are the categories of data we use for this?

For registered customers:

Data you directly provide us with:

• Your identification and contact details given during the registration or later (e.g. email, password, home address, phone number).
• Data given during the issuance and withdrawal of e-money (e.g. bank account number)
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)
• Technical data (e.g. IP address)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)
• Data and documents constituting the basis of the purchase (e.g. shipping address, delivery note, customer name)

Data generated during the use of the Barion Wallet, the transactions, issuing or withdrawing e-money:

• Transaction data (e.g. payment transaction identifiers, date, content)

Special data in the case of Parking and purchase of Vignette:

data related to parking and purchase of vignette provided by you (registration plate, parking zone, date and time, fee category of the e-vignette, validity period of the e-vignette, invoicing data, if invoice is requested)

For not registered customers: Data listed in Section 4.

For website visitors, regardless whether they are our customers or not: in the case of data processing subject to consent data necessary for certifying consent (such as: period and date of cookie consent).

5.11 To personalise services provided by Barion and user experience

What is this purpose?

Currently, this is a convenience service provided for our registered customers: if a registered customer provides an email address during registration with which he or she launched transactions earlier as non-registered customer via Barion, such transactions will be listed under Barion Wallet information (History menu item). In this list data stored for other purposes related to prior transactions of the registered customer are indicated.

What is our legal basis?

Our legitimate interest under Section 6.b).

What are the categories of data we use for this?

Due to the nature of this purpose, this concerns exclusively registered customers:

Data you directly provide us with:

• Email address provided at the time of registration
• Bank card details in case of bank card payment and top up (e.g. card owner’s name, card number, expiry)
• Data provided during bank transfer payment (such as name of the service provider holding the payment account)

Data we receive from the merchant:

• Purchase data (e.g. amount of purchase, detailed shopping cart content, i.e. what you purchased)
• Data necessary for completion of bank transfer payment (such as phone number, email)

Data generated during the bank card or bank transfer payment transaction:

• Transaction data (e.g. payment transaction identifiers, date, content)

5.12 Marketing purpose: personalisation of ads, offers, examination of behavioural habits for this purpose

What is this purpose?

With these cookies we collect data on the visits of the website of Barion or the websites of merchants who use Barion Smart Gateway (third party websites): on what you clicked on, what products or services you were looking at or purchased, or when you interrupted the purchase.

We collect and analyze such data in order to model purchasing habits and create target groups and profiles, which enable personalisation of digital advertisements and offers. Our aim is to ensure that an ad or offer is displayed only to those who may be interested in it. These cookies allow you not to see irrelevant advertisements and offers, only the ones you are interested in or you are currently looking for.

We only process such data if you granted expressly your consent. When you give us your consent, we start to process the data collected by necessary operational cookies for bank card fraud prevention purposes for this purpose as well. In lack of your consent we do not act in this way and we only use the data for bank card fraud prevention purposes.

We use these qualifications based on purchasing habits derived from the data or share them with our contractual media and advertising partners (https://docs.barion.com/Barion_Pixel). Therefore the placement of their cookies is also necessary, so your consent also covers the approval of the placement of these cookies.

What is our legal basis?

Your consent.

What are the categories of data we use for this?

We collect such data with the use of cookies in the case of website visitors who provided their consent, regardless whether they are our customers or not.

• Browsing and purchasing habits on the website:
• viewing of a website and its order within one visit
• viewing of one product site, selection of a product category, clicking on the details of a product
• clicking on a product, its selection, its placement to the shopping cart or removal therefrom
• entering the product’s name in the search engine, selection and modification of one characteristic of the product
• confirmation of the purchase
• launching of the selected payment method, payment process
• clicking on an offer, promotion within the website
• log-in as registered user or registration as new user, subscription to the newsletter
• registered data of the user in an encrypted form
• identifier of the Barion user and its identifier of the session spanning through the websites of merchants who use Barion Smart Gateway, and its timestamps
• Google Analytics user identifier and session identifier. Apart from the identifier, no other data comes into our possession.
• operating system and its language setting, type of browser
• public visitor IP-address seen on the visited website and its location
• cookie identifiers received from our contractual media and advertising partners: with the purpose of synchronising and matching different user identifiers of Barion and the partner’s system. You can find the list of these partners here: (https://docs.barion.com/Barion_Pixel)

You may find further information on cookies in the Cookie Notice (https://www.barion.com/de/informationen-zu-cookies/).

Profiling:

We use and analyse the above data collected with the use of cookies for profiling. It aims to allow personalisation of digital advertisements and offers. As a result of this, personalised advertisements and offers appear only to those users who may be interested in them. This allows that you only see advertisements and offers which may be interesting for you or which you are currently looking for.

During profiling the following logic is used:

Data collected with cookies describe the behaviour of certain users and/or groups from purchasing perspective. With the processing and analysing of such data we model purchasing habits, search for purchasing patterns and based on the above we create target groups and profiles which most likely comply with the current purchasing willingness and intent of the user in question, and may most likely lead to a sales transaction.

You have the following rights with regard to profiling:

1. a) you may ask not to be subject to the profiling (by withdrawing your consent);you may ask human interaction;
2. b) you may express your opinion with regard to profiling; and
3. c) you may lodge an objection with us against the profiling.

You may do this here: https://www.barion.com/de/informationen-zu-cookies/.

6. What is legitimate interest? What can you do in this case?

Legitimate interest was referred to in the previous section several times. When we process data with reference to legitimate interest, we take the following interests into consideration:

1. a) Enforcement of our rights and claims: Claims arising from any potential breach of contract shall lapse after 5 years under the relevant statute of limitations; that is, rights may be lawfully enforced – either by or against us – within five years of the termination of the contract concluded between us. Therefore, the data processed under the contract for the provision and performance of services shall be retained for 5 years following the termination of the contract concluded between us, in order to enforce such claims or to ensure lawful defence against such enforcement of claims.
2. b) Improvement of our services and the user experience, development of new products: The development and improvement of our services and the user experience is essential to maintain quality services, retain customers and gain new customers.
3. c) The safety and integrity of your data and our services: As an electronic money institution, we are obliged by not only the provisions of the GDPR but also by legal regulations and the regulations of the National Bank of Hungary (as the supervisory body) to take all necessary organisational, technical and other measures to securely retain the money of our customers and the data processed by us. In addition to this, it is a fundamental and major interest of our company as well as our customers to do all measures in order to protect your money and data from potential misuse or unauthorised use.
4. d) Risk management and fraud prevention related to our services: As and electronic money institution we are also obliged by legal regulations and the regulations of the National Bank of Hungary as the supervisory body to maintain a risk management and monitoring system to manage the risks related to our activity. In addition to this, it is a fundamental and major interest of our company as well as our customers to do all measures in order to protect your money from potential fraud and risks. In this, one of the most important means is risk analysis performed in relation to fraudulent activities.
5. e) Management of chargeback claims in case of bank card payment/top up: To allow us and the merchant to contest the chargeback claims enforced by the acquirer against us in a well-founded manner, the data and documents related to the transaction available to us and the merchant, certifying the contractual performance of the purchase and the order, shall be obtained. This way we and the merchant are able to lawfully act against unfounded chargeback claims.
6. f) Preparation of statistics: The development and improvement of our services and the user experience is essential to maintain quality services, retain customers and gain new customers. We need to prepare statistics for this about the use of our website, our mobile application and our services.
7. g) To personalise services provided by Barion and user experience: The convenience service provided for registered customers aims to enhance customer satisfaction by ensuring that after registration registered customers may access automatically and transparently data of previous transactions performed as non-registered customers. The personalisation of our services and the user experience, and thus ensuring customer satisfaction are essential to maintain quality services, retain customers and gain new customers.

When we refer to legitimate interest during data processing, you have the right to object to our data processing (Right to object). In the event, however, that we prove that the above reasons for data processing are compelling reasons that override your interests and rights or are related to the establishment, exercise or defence of legal claims, then we shall be allowed to continue data processing. Our opinion is that cases (a) -(g) above belong to this scope.

7. How long is your data processed?

Your personal data shall be processed exclusively for the above purposes, and only for the time necessary for those purposes. After that, the data shall be securely deleted.

What does the necessary time mean?

The period of time depends on what purpose and legal basis your data is processed.

Generally, your data is processed in order to provide our services, thus we process your data provided to us until the performance thereof but no later than the termination of our contract. We can only deviate from this if the processing of your data is required for other purposes as well. What are these cases from the ones listed in Section 5:

• We shall fulfil legal obligations: in such case we comply with the provisions of the legal regulation:

Invoicing, accounting – 8 years following the termination of contract

Customer complaint management – 5 years

Prevention of money laundering and terrorist financing – 8 years following the termination of contract

• Processed on the basis of legitimate interest: In such case, we shall process your data as long as our legitimate interest exists and the data processing purpose is implemented on the basis of that. If you successfully object to data processing, then until your objection. For more detailed information, see Section 6.
• Processed on the basis of your consent:

You have the right to withdraw your consent any time. If you withdraw your consent, we shall delete your data.

We process data collected with cookies for the purposes of personalisation of advertisements and offers and examination of behavioural habits under Section 5.12 until withdrawal of your consent, but for no more than 5 years. The data processing term is different from the lifespan of the cookies which indicates only the period of data collection.

8. Who do we share your data with?

We shall only forward your data provided to us to any third party:

• if you have consented to it
• in order to perform the contract or if it is necessary for our legitimate interest
• if we are obliged to do so by law.

Our data processors

Our data processors are our contracted partners who cooperate with us in providing our services. It means that in these cases they act on behalf of us, following our decisions and we are still responsible for the data processing. They shall not use your data independently; if our contract with them is terminated, they shall ensure the deletion of the data. In each such case we shall take care that the given data processor shall implement proper technical and organisational measures to preserve the security of data. Such control mechanism is amongst others the restriction of access to the data and the infrastructure storing the data as well as the agreement concluded with them obliging them to observe the relevant legal regulations. Given that we work as a payment service provider, we shall also meet the strict requirements set forth by law and the National Bank of Hungary on outsourcing in the case of data processors.

You can find the current list of our data processor partners here (https://docs.barion.com/Contributing_Partners)

Other data transfer

Our banking partners:

Bank card payment and top up :

In case of payment and top up by bank card, your data shall be transferred to the acquirer in order to perform the contract.

In relation to chargeback claim management data is also transferred to them in accordance with the provisions of Section 5.8 for the protection of our legitimate interest and that of the merchant.

However, the acquirer shall not qualify as our data processor because it shall be entitled to dispose of the data independently in accordance with the provisions of the contracts concluded by the bank card owner with their own bank. Data processing by our acquirer partner as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Bank transfer payment and top up:

In case of payment and top up by bank transfer, your data shall be transferred to the payment service provider ensuring connection to the bank system and via this provider to the payment service providers holding your payment account in order to perform the contract.

However, these payment service providers shall not qualify as our data processors because they shall be entitled to dispose of the data independently in accordance with the instructions of the contracts concluded by the payment service provider holding your payment account and you. Data processing by the payment service providers as data controllers shall be governed by their own privacy notices and data protection regulations, for which Barion shall not take responsibility.

Withdrawal :

The withdrawal of e-money shall take place via bank transfer. Thus, in order to perform the contract, we transfer your data provided in the withdrawal order to our bank holding our escrow account to allow it to perform the bank transfer. However, it shall not qualify as our data processor because it shall be entitled to dispose of the data independently. Data processing by the bank holding our escrow account as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Parking and purchase of Vignette

Mobile parking and purchase of vignettes are provided as public services by Nemzeti Mobilfizetési Zrt. (National Mobile Payment Plc.) as an integrator under the relevant laws. The parking and vignette purchasing opportunity is offered to you by Barion as their reseller. When you park with Barion or purchase vignettes with Barion, we shall transfer your data related to parking and the purchase of vignettes to Nemzeti Mobilfizetési Zrt. in order to perform the contract. However, it shall not qualify as our data processor because it shall be entitled to dispose of the data independently. The processing of data by Nemzeti Mobilfizetési Zrt. as a data controller shall be governed by its own privacy notice and data protection regulations, for which Barion shall not take responsibility.

Media and advertising partners:

In accordance with Section 5.12 we transfer qualifications based on purchasing habits derived from data to our media and advertising partners in order to ensure that they display personalised advertisements and offers relevant to you. You can find the list of our partners here (https://docs.barion.com/Barion_Pixel).

Experts required for prudent operation:

We are obliged by law to employ an auditor and an internal auditor. These experts also ensure that our activity complies with legal regulations. We may transfer personal data to them in order to allow them to perform their work. However, the auditor and the internal auditor shall not qualify as our data processors because they shall be entitled to dispose of the data independently on the basis of the legal regulations and professional provision applicable to them.

Attorney at law required for the enforcement of rights and the performance of liabilities:

In some cases, we need legal expertise and consultancy during the operation of Barion for which we use an external attorney at law. Most frequent cases: we must inspect a customer complaint, we enforce a claim, or there is a legal dispute between us. We may transfer personal data to them in order to allow them to perform their work. However, the attorney at law shall not qualify as our data processor because they shall be entitled to dispose of the data independently on the basis of the legal regulations and professional provisions applicable to them.

Legal obligation

We may transfer your data to third parties if we are obliged by law to do so. We are obliged by law to perform such data transfer to the National Bank of Hungary, police investigation bodies and other authorities, as well as to our escrow account holding bank in order to prevent money laundering and terrorist financing; and we may check your personal data in the personal data and address register.

9. How do we protect your data?

Your personal data is processed by the same software which processes your money and bank card details, therefore your data is as safe as your money.

Since the protection of personal data is of key importance, together with our server supply partner we have developed a security system which protects your data not only from the pirates of the internet (hackers) but also from the employees of Barion itself, from terror attacks and natural disasters. So, for example, encryption is used so that none of the employees of Barion alone can access the secret key which allows for the decryption of card data.

Our team with 22 years of experience in operation developed a thoroughly documented and regulated information technology system in compliance with the regulations of the National Bank of Hungary, meeting the COBIT standard.

In addition to this, since we also process bank card data, our company complies with PCI DSS (Payment Card Industry Data Security Standards). The PCI DSS has been developed by Visa, MasterCard, Amex, JCB and Discover, and every stakeholder on the bank card market follows this standard today. In compliance with the standard, we do not store the secret code on the back of the card (CVC).

Some examples of the safety measures:

• Two persons are required at the same time to access the server. Not even the chief executive officer or the technical director of the company alone has access to the server storing confidential information, in particular card data, so the data cannot be obtained from our employees by blackmail or threat.
• Not even the developers have access to the live servers
• Card data is stored in an encrypted database, not recorded elsewhere, not even entered into logs
• Each key pressed as well as the screen is recorded during the access to the servers therefore we can monitor our colleagues at all times
• Our servers are protected by a firewall and other protection software
• Our networks and servers are protected by anti-virus software
• We use 2048 bit HTTPS encryption

10. What rights do you have and what decisions can you make?

You have several data protection rights so that you can learn what happens to your data and you can influence that.

Right to access in relation to data processing:

You can request information through our contact points any time on how we process your personal data, in particular about the scope, purpose and duration of data processing, the source of the data and who we share such data with, as well as your data protection rights. Requesting such information is free of charge; however, in case of repeated requests regarding the same set of data, we shall be entitled to request reimbursement of costs.

Right to rectification of data:

In the event that the data processed by us are incorrect, you may request the rectification of your data.

Right to erasure:

You may request us to erase your data if

• the purpose of data processing terminated
• the data was processed on the basis of your consent, you have withdrawn your consent, and we have no other legal ground for the processing
• we processed your data on the basis of our legitimate interest and you successfully objected to it
• the data processing is unlawful
• erasure is prescribed by law
• it is related to internet services provided to children
• it was ordered by the court of justice or the National Authority for Data Protection and Freedom of Information

Right to restriction of data processing:

You may request us to restrict data processing if

• you contest the accuracy of the data
• the data processing is unlawful, but you oppose erasure
• the purpose of data processing has terminated but you need it for the exercise or defence of your legal claims
• you have objected to data processing, pending the verification whether our legitimate grounds override yours.

Right to withdraw consent:

In the event that data processing took place on the basis of your consent, you may withdraw your consent any time. Our data processing prior to your withdrawal remains lawful since your consent was valid at that time.

As mentioned above, we may process the same data for several purposes and on several legal grounds at the same time. If you withdraw your consent we shall not process your data for the purpose based on your consent. However, we may continue processing your data for other purposes (e.g. performing legal obligations or our legitimate interest).

Right to object:

When we refer to legitimate interest during data processing, you have the right to object to our data processing. In the event, however, that we prove that our reasons for data processing are compelling reasons that override your interests and rights or are related to the establishment, exercise or defence of legal claims, then we shall be allowed to continue data processing.

Right to data portability:

If we process your data because you have given your consent or because we need it to perform our contract and we perform automated data processing, you may request us to transfer the data processed by us to you. We shall not prevent that you transfer such data to any other data controller. Moreover, we shall transfer it to such data controller upon your request.

If you wish to learn more about your data protection rights, you can find the relevant detailed rules in Articles 15 - 21 of the GDPR.

11. How can you contact us?

Our official contact information:

Registered seat: H-1117 Budapest, Irinyi József utca 4-20. 2. emelet, Hungary

Court of registration: Company Registry Court of the Budapest-Capital Regional Court

Company registration number: Cg. 01-10-048552

VAT number: 25353192-2-43

Community VAT number: HU25353192

Number of licence of operation: H-EN-I-1064/2013

Electronic money institution identifier: 25353192

Represented by: Sándor Kiss, Chief Executive Officer, Chairman of the Board of Directors

If you have any questions or complaints regarding the processing of your data by us or our Privacy Notice, please contact our data protection officer at the following contact points:

Contact information of our data protection officer:

Márton Kövecses-Varga

Barion Payment Inc

Address: H-1117 Budapest, Irinyi József utca 4-20. 2. emelet, Hungary

Email: compliance@barion.com,

Phone: +36 1 464 7099

12. Where can you make a complaint?

First of all, contact us and our data protection officer at the contact points provided in Section 11.

We shall make efforts to reply to your complaint according to our best knowledge as soon as possible but within 1 month the latest. We may extend the term for reply by 2 months if necessary.

If you have made a complaint and you are not satisfied with our response, or we have refused your request or you believe that your data protection rights had been otherwise violated, you can submit your complaint or request to the following places:

• The National Data Protection Authority:
• Based on our registered seat: Nemzeti Adatvédelmi és Információszabadság Hatóság (National (Hungarian) Authority for Data Protection and Freedom of Information) (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, Hungary; phone: +36-1-391-1400; fax: +361-391-1410; email: a(href='mailto:ugyfelszolgalat@naih.hu') ugyfelszolgalat@naih.hu; web: a(href='http://www.naih.hu') www.naih.hu)
• Based on your permanent or temporary place of residence: Find your national data protection authority on http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
• The court of your permanent or temporary place of residence.