MagyarEnglish
• What's On
• Prices
• House Rules
• Payment Information
• Privacy Policy
• Contact
• Imprint
• Imprint

Data Controller

Budapest Film Zrt.
Registered office: 1082 Budapest, Corvin köz 1
Company registration number: 10906110-2-42
VAT number:

Purpose and Scope of this Policy

The Data Controller processes and stores personal data obtained during the operation of the website for purposes defined by law and for a specified period.

The purpose of this policy is to define the lawful order of data processing carried out by the Data Controller in connection with the operation of its website, and to ensure the enforcement of the website visitors' right to informational self-determination.

The aim of this policy is to ensure, through the application and operation of the provisions contained herein, that the Data Controller's activities comply in practice with data protection legislation, guarantee the enforcement of fundamental rights related to the protection of personal data as defined in data processing, and ensure compliance with data security requirements.

Definitions

Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data transfer: Making data accessible to a specified third party.

Disclosure: Making data accessible to anyone.

Data erasure: Rendering data unrecognisable in such a way that its restoration is no longer possible.

Filing system: Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data subject: Any identified or identifiable natural person to whom the personal data relates.

Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

E-mail (electronic mail): Its name refers to the method of writing and transmission, which is carried out entirely electronically via computer networks.

Internet: A global network of computer networks that interconnects governmental, military, commercial, business, educational, research and other institutions, as well as individual users.

Website, web page, homepage: An electronic interface suitable for display and communication of information, typically located on servers connected to the Internet. These sites or pages have unique addresses (links) which can be entered into a browser application to navigate to the specific page. Website technology allows for forward and backward navigation between content elements and links.

Cookie: A program component used to create convenience functions for websites. There are two basic types: one stored on the user's own machine, and the other, a session cookie, stored on the server side. From a data processing perspective, the handling of session cookies needs to be regulated. Websites must inform and obtain declarations from visitors regarding the use of cookies.

Electronic newsletter: An electronic letter, typically automatically generated and sent by a dedicated application to the email addresses of individuals subscribed to a mailing list, for transactional, advertising, or other campaign-related information purposes.

Storage of Personal Data in Connection with Website Operation

Hosting and server provider:

Data Center Solutions Kft.
Registered office: 3300 Eger, Kodály Zoltán utca 6.
Web: https://domainwebtarhely.hu

The hosting and server provider performs data storage but is not authorised to process it.

The Data Controller declares that it has taken appropriate security measures to protect personal data against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and against becoming inaccessible due to changes in the technology used.

Information on the Use of Cookies

What is a cookie?

The Data Controller uses so-called cookies when you visit the website. A cookie is a small piece of data (a text file containing letters and numbers) that our website sends to your browser to save certain settings, facilitate the use of our website, and help us collect some relevant, statistical information about our visitors. Cookies do not contain personal information and are not capable of identifying individual users. Cookies often contain a unique identifier – a secret, randomly generated string of numbers – which is stored on your device. Some cookies expire after you close the website, while others are stored on your computer for a longer period.

Legal background and legal basis for cookies:

The background for data processing is provided by the General Data Protection Regulation (GDPR), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act), and Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services. The legal basis for processing session cookies is Article 6(1)(f) of the GDPR, and for other cookies, Article 6(1)(a) of the GDPR, or, in accordance with Section 5(1)(a) of the Info Act, your consent.

Main characteristics of cookies used by the website:

Session cookie: These cookies are temporarily activated while browsing is in progress. That is, from the moment the user opens the browser window until the moment they close it. As soon as the browser is closed, all session cookies are deleted. We do not store personal data in session cookies.

The site uses the following cookies necessary for its operation:

ba_test: We use this cookie in conjunction with the payment window. The cookie is necessary for secure transactions on the website.

ba_vid, ba_vid#: We use this cookie in conjunction with the payment window. The cookie is necessary for secure transactions on the website.

ba_sid, ba_sid#: We use this cookie in conjunction with the payment window. The cookie is necessary for secure transactions on the website.

a.gif: We use this cookie in conjunction with the payment window. The cookie is necessary for secure transactions on the website.

CookieConsent: Stores the user's cookie consent state for the current domain. Validity: 365 days.

PHPSESSID: Preserves user session state across page requests.

Statistics cookie: Google Analytics cookie: Google Analytics is Google's analytics tool that helps website and app owners to get a more accurate picture of their visitors' activities. The service may use cookies to collect information and report on website usage statistics without individually identifying visitors to Google. The main cookies used by Google Analytics are ‘__ga’, ‘_gat’, ‘_gid’. In addition to reporting on website usage statistics, Google Analytics – along with some of the advertising cookies described above – can also be used to display more relevant ads in Google products (such as Google Search) and across the web. (Data processor: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.)

You can delete cookies placed by the website from your device at any time using your internet browser. You can find detailed information on deleting and managing cookies in your browser's help section. You can also block cookies using your browser or request notification each time your browser receives a new cookie. Blocking cookies may technically prevent you from using the website.

If you do not accept the use of cookies, certain functions will not be available to you. You can find more information on deleting cookies at the following links:

• For Google Chrome internet browser users: further information;
• For Mozilla Firefox internet browser users: further information;
• For Safari internet browser users: further information;
• For Microsoft Edge internet browser users: further information.

Purpose, Method, and Duration of Data Processing

Data processing is based on the voluntary, explicit consent of users of the content found on the https://biff.bpfilm.hu/ website, whereby the data provided during their visit and use of the website is used, serving the continuous relationship between the user availing of the website's services and the Data Controller, as well as public opinion research.

The purpose of data processing is to ensure the provision of services available on the https://biff.bpfilm.hu/ website, operate an information interface, compile statistics, and handle enquiries received through the website.

The storage of visitor statistics serves exclusively statistical purposes.

The Data Controller does not use personal data for purposes other than those specified. The processing of data provided in this way is based on the user's voluntary consent.

Data Processed When Using the Contact Form

The contact forms on the website allow users to send messages and request quotes from the Data Controller. Personal data provided during the enquiry will be used by the Data Controller solely for contacting you and will not be passed on.

Purpose of data processing: To send a reply to the enquiry (e.g., in the case of a price quote).

Legal basis for data processing: In the case of sending a reply, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (GDPR Article 6(1)(b))

Scope of data processed: The following personal data is stored when contacting via the website: name, email address, phone number.

Duration of data processing: The Data Controller processes your personal data for different periods depending on the nature of the contact. In the case of providing a price quote, the data is retained after providing the necessary information for the duration of the offer's validity period according to Section 6:64 of the Civil Code (Ptk.), unless a legitimate claim can be asserted regarding the subject of the ad hoc contact, in which case it may be retained for a maximum of 5 years for evidentiary purposes.

Ticket Purchase

Tickets can be purchased via the website. Purchases can be made by reservation, in which case payment is made upon collection of the ticket, or by advance payment. The data processing information related to online payments is provided in a separate document on the website.

Purpose of data processing: Ticket sales.

Legal basis for data processing: In the case of online ticket purchases, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (GDPR Article 6(1)(b))

Scope of data processed: Name, email address.

Duration of data processing: In the case of ticket reservations, the storage of personal data ceases upon collection of the tickets. In the case of online payments, payment data is stored for 8 years in accordance with accounting regulations.

Miscellaneous Provisions

Only the Data Controller is authorised to access the data you provide.

The Data Controller does not verify the data provided by the user; the user is solely responsible for its accuracy and adequacy.

The Data Controller treats all data and facts relating to users confidentially and uses them exclusively for the development of its services and for its own research and statistical purposes. The publication of reports prepared from these may only take place in a form that is not suitable for the individual identification of users.

The website's data processing is carried out in accordance with the legal provisions in force at all times and the data protection rules set out in this policy; it uses them exclusively in the course of its activities and does not transfer them to any other natural or private person under any legal title without the user's consent. Exceptions are data disclosures based on legal obligations and the use of data in a statistically aggregated form, which does not contain the user's name or any data suitable for their identification.

If the Data Controller wishes to use the provided data for purposes other than those described in this Privacy Policy, it will duly inform the user at the provided e-mail address and obtain their prior, explicit consent, or provide the user with the opportunity to prohibit the different use of the data.

Given that the User's provision of data is voluntary and free from external influence, we may process their data until the User prohibits it in writing to the Data Controller's contact details, in which case the Data Controller will complete the deletion from the records within 48 hours.

The Data Controller does not assume responsibility for its previously deleted pages that have been archived by internet search engines and other services. The removal of these must be handled by the operator of the archiving site.

Information on Rights Related to Data Processing

Pursuant to Article 15 of the GDPR, the data subject may request access to personal data concerning him or her as follows:
The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

• (a) the purposes of the processing;
• (b) the categories of personal data concerned;
• (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• (e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• (f) the right to lodge a complaint with a supervisory authority;
• (g) where the personal data are not collected from the data subject, any available information as to their source;
• (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Pursuant to Article 16 of the GDPR, the data subject shall have the right to obtain from the Data Controller the rectification of personal data concerning him or her.
Upon the data subject's request, the Data Controller shall without undue delay rectify inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Pursuant to Article 17 of the GDPR, the data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her as follows:
The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• (b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
• (c) the data subject objects to the processing for reasons of public interest, exercise of official authority, or legitimate interests of the controller (or a third party), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
• (d) the personal data have been unlawfully processed;
• (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
• (f) the personal data have been collected in relation to the offer of information society services.

Where the Data Controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The Data Subject's right to erasure may be restricted only if one of the exceptions set out in the GDPR applies, i.e., the continued retention of personal data may be considered lawful if the above grounds exist:

• (a) for exercising the right of freedom of expression and information; or
• (b) for compliance with a legal obligation; or
• (c) for the performance of a task carried out in the public interest; or
• (d) for the exercise of official authority vested in the controller; or
• (e) for reasons of public interest in the area of public health;
• (f) for archiving purposes in the public interest; or
• (g) for scientific or historical research purposes or statistical purposes; or
• (h) for the establishment, exercise or defence of legal claims.

Pursuant to Article 18 of the GDPR, the data subject shall have the right to obtain from the Data Controller restriction of processing of personal data concerning him or her as follows:
The data subject shall have the right to obtain from the Data Controller restriction of processing where one of volunte applies:

• (a) the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
• (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• (c) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
• (d) the data subject has objected to processing for reasons of public interest, exercise of official authority, or legitimate interests of the controller (or a third party); pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.

Where processing has been restricted as above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the Data Controller before the restriction of processing is lifted.

Pursuant to Article 20 of the GDPR, the data subject shall have the right to data portability concerning him or her as follows:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

• (a) the processing is based on the Data Subject's consent, or on the performance of a contract to which the Data Subject is party
• (b) and the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right to data portability shall be without prejudice to the right to erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right to data portability shall not adversely affect the rights and freedoms of others.

Pursuant to Article 7(3) of the GDPR, the data subject shall have the right to withdraw his or her consent to the processing of his or her personal data at any time as follows:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be entitled to withdraw consent as easily as to give it.

Within five years following the death of the data subject, the rights to which the deceased was entitled during his or her lifetime, as defined by law, may be exercised by a person authorised by the data subject through an administrative provision, or a declaration made to the data controller in a public document or a private document of full probative force.

If the data subject has not made such a declaration, his or her close relative as defined in the Civil Code (Ptk.) shall be entitled to exercise certain rights to which the deceased was entitled during his or her lifetime, even in the absence of such a declaration.

Legal Remedies

If the Data Subject believes that the Data Controller has violated any legal provision regarding data processing, or has not fulfilled any of their requests, they may initiate proceedings with the National Authority for Data Protection and Freedom of Information to terminate the presumed unlawful data processing.

National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf.: 9.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Web: https://naih.hu

In the event of a violation of their rights, or if the Data Controller has not fulfilled any of their requests, the Data Subject may also turn to a court against the Data Controller. The court shall proceed in the case without delay. The adjudication of the case falls within the competence of the regional court. In this case, they are free to decide whether to file their claim with the regional court of their place of residence (permanent address) or their place of stay (temporary address).

Convenient and secure online payment is provided by Barion Payment Zrt.
Hungarian National Bank license number: H-EN-I-1064/2013.