Effective date: 2026.05.01.
eXpons Informatika Korlátolt Felelősségű Társaság (registered office: 2724 Újlengyel, Nyári Pál utca 15., Hungary; company registration number: 13-09-237794; tax number: 32033841-2-13; statistical number: 32033841-6210-113-13; represented by: Mátyás Pető, sole authorised managing director; hereinafter: "Data Controller") acknowledges the content of this Privacy Notice as binding upon itself in its capacity as Data Controller in connection with the intermediary services it provides on the parkolow.hu website.
The Data Controller processes the personal data of the user who uses its intermediary services (hereinafter: "Data Subject") in relation to the intermediary services. The Data Controller undertakes to ensure that the processing of personal data related to the intermediary services provided on the website complies with applicable legislation and the requirements set out in this Privacy Notice. The Data Controller reserves the right to unilaterally amend this Privacy Notice. Accordingly, it is recommended that you regularly visit the parkolow.hu website in order to keep track of any changes.
The Data Controller informs the Data Subject that in respect of the parking services provided by the Data Controller's partners, it acts as a data processor and the relevant partner is the independent data controller; accordingly, the partner's own privacy notice governs those parking services in all cases.
Upon request, we will send the Data Subject a copy of the currently effective Privacy Notice.
By providing the relevant personal data and ticking the appropriate check-box, the Data Subject declares that they have read and expressly accepted the version of this Privacy Notice in force at the time of providing the data.
The requirements set out in this Privacy Notice are consistent with applicable data protection legislation:
eXpons Informatika Korlátolt Felelősségű Társaság
Registered office: 2724 Újlengyel, Nyári Pál utca 15., Hungary
Contact person: Mátyás Pető
Contact details through which the Data Subject may exercise the rights set out in this Privacy Notice:
Any information relating to an identified or identifiable natural person (hereinafter: data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them – either comprehensively or for specific operations.
A declaration by the data subject objecting to the processing of their personal data and requesting the cessation of processing or the deletion of the processed data.
The natural or legal person, or body without legal personality, who or which determines the purposes and means of the processing of personal data, makes and implements decisions regarding the processing (including the means used), or has such decisions implemented by a processor appointed by them.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Making data accessible to a specific third party.
Making data accessible to anyone.
Rendering data unrecognisable in such a way that its restoration is no longer possible.
The permanent or time-limited prevention of the transmission, access, disclosure, alteration, modification, destruction, deletion, connection or alignment and use of data.
The complete physical destruction of data or the data carrier containing it.
The performance of technical tasks related to data processing operations, regardless of the method and means used to carry out the operations or the place of application.
The natural or legal person, or body without legal personality, who or which processes personal data on behalf of the controller – including on the basis of a statutory authorisation.
A natural or legal person, or body without legal personality, other than the data subject, the controller or the processor.
A Member State of the European Union or any other state party to the Agreement on the European Economic Area, as well as any state whose nationals enjoy the same status as nationals of states party to the Agreement on the European Economic Area under an international treaty concluded between the European Community and its Member States and that state.
Any state that is not an EEA state.
Personal data must be:
The controller shall be responsible for, and be able to demonstrate, compliance with the above ("accountability"). The Data Controller does not collect personal data relating to minors.
Persons with access to the data:
The Data Controller undertakes a strict confidentiality obligation without time limitation in respect of the personal data it processes, and shall not disclose such data to third parties without the consent of the Data Subject.
Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
For enquiry, information or clarification purposes, the Data Subject may contact the Data Controller prior to the commencement of the service by telephone or email.
The legal basis for processing is the consent of the Data Subject (Article 6(1)(a) GDPR).
The Data Controller processes personal data until the Data Subject withdraws their consent. Consent may be withdrawn at any time by sending an email to the ... email address.
Where a service is provided, the purpose of processing is to enable the Data Controller to provide its intermediary service by making it possible to book the parking service selected by the Data Subject. Further details of the service can be found on the website and in the General Terms and Conditions.
The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR).
Data will be deleted 5 years after the cessation of the relationship with the Data Subject, pursuant to Section 6:22 of the Civil Code.
In respect of the data listed in this section, a data transfer takes place to the parking service provider selected by the Data Subject upon confirmation of the booking by the Data Subject; the legal basis and purpose of such transfer is the performance of the intermediary service.
If the Data Subject has a complaint regarding the service, they may contact the Data Controller by email or telephone.
The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR).
Data will be deleted 5 years after the cessation of the relationship with the Data Subject, pursuant to Section 6:22 of the Civil Code.
The Data Controller engages the processors listed in the table below to perform the technical tasks related to its data processing operations. The rights and obligations of the processor in relation to the processing of personal data are determined by the Data Controller within the framework of the GDPR and the relevant legislation on data processing. The Data Controller is responsible for the lawfulness of the instructions it provides. The processor may not make substantive decisions regarding the processing; it may only process personal data in accordance with the Data Controller's instructions, may not process data for its own purposes, and must store and preserve personal data in accordance with the Data Controller's instructions.
| Name and contact details of the processor | Activity carried out during processing |
|---|---|
| ... (hosting provider) | Has access to all personal data processed by the Data Controller pursuant to this Privacy Notice. Its task is the storage of personal data processed by the Data Controller. |
The Data Controller handles the personal data provided by the Data Subject in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
The Data Controller takes all reasonably expected and necessary measures to ensure the security of data and provides appropriate protection against, in particular, unauthorised access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller ensures data security through appropriate technical measures (e.g. logical protection, in particular the encryption of passwords and communication channels) and organisational measures (physical protection).
The Data Controller does not transfer data to third countries and does not process personal data of minors.
The Data Controller maintains social media accounts, which are in all cases subject to the applicable terms of use and data processing rules of the relevant platform.
The data protection rights and remedies available to the Data Subject, together with the relevant provisions and limitations of the GDPR in this regard, are set out in detail in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 thereof). The most important provisions are summarised below.
The Data Subject has the right to obtain from us confirmation as to whether personal data concerning them are being processed. Where that is the case, the Data Subject has the right to access the personal data and the following information:
Where personal data are transferred to a third country, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer.
We will provide the Data Subject with a copy of the personal data undergoing processing. Where the Data Subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the Data Subject.
The Data Subject has the right to obtain from us without undue delay the rectification of inaccurate personal data concerning them. The Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(1) The Data Subject has the right to obtain from us the erasure of personal data concerning them without undue delay where one of the following grounds applies:
(2) Where we have made the personal data public and are obliged pursuant to paragraph (1) to erase the personal data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, inter alia:
(1) The Data Subject has the right to obtain from us restriction of processing where one of the following applies:
Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
We shall inform the Data Subject before the restriction of processing is lifted.
We shall communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, we shall inform the Data Subject of those recipients.
(1) The Data Subject has the right to receive the personal data concerning them which they have provided to us, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us, where:
In exercising the right to data portability pursuant to paragraph (1), the Data Subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on legitimate interests, including profiling. In that case we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the Data Subject may exercise the right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the Data Subject has the right to object, on grounds relating to their particular situation, to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The Data Subject may enforce their rights before a court under the GDPR and the Civil Code, and may also contact the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1055 Budapest, Falk Miksa utca 9–11., Hungary; telephone: +36 1 391 1400; email: [email protected]) in connection with any complaint arising from the Data Controller's data processing practices. The detailed rights and remedies available in connection with data processing are set out in Articles 77, 79 and 82 of the GDPR.
The Data Subject has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
The Data Subject has the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
The Data Subject has the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in non-compliance with the GDPR.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may also be brought before the courts of the Member State where the Data Subject has their habitual residence.
Before initiating any proceedings, it is advisable to send the complaint to the Data Controller first.