Privacy policy - festivals

Privacy notice
PMI

Philip Morris Magyarország Kft. (hereinafter: the “Data Controller”) hereby provides the following information regarding the relevant circumstances of its data processing activities carried out at festivals, on-site activations, and similar events (hereinafter collectively: the “Festival” or “Festivals”).

I. GENERAL SECTION

Purpose and Scope of this Privacy Notice	This Privacy Notice contains the relevant circumstances relating to the data processing activities described in Section II. For matters not regulated in this detailed Privacy Notice, the provisions of the PMI Consumer Privacy Notice shall apply.
Data Controller	Philip Morris Magyarország Kft. Address: 1085 Budapest, Kálvin tér 12. Phone: +36 80 888 222 Email: PMHU.GDPR@pmi.com
Rights of the Data Subject	The data subject shall be entitled to exercise the following rights: Right to Withdraw Consent Where processing is based on consent (Article 6(1)(a) GDPR), the data subject may withdraw such consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Right of Access The data subject has the right to obtain confirmation as to whether personal data concerning them are being processed, and, where that is the case, access to personal data and the following information: purposes of processing; categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject, and to object to such processing; the right to lodge a complaint with a supervisory authority; and where the data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed about the appropriate safeguards relating to the transfer. The controller shall provide the data subject with a copy of the personal data undergoing processing, provided that such data are available to the controller. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested by the data subject. Right to Rectification The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them. The data subject shall also have the right to request the completion of incomplete personal data, including by means of providing a supplementary statement. Right to Erasure (“Right to be Forgotten”) The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data must be erased for compliance with a legal obligation in The European Union or Member State law to which the controller is subject; or the personal data have been collected in relation to the offer of information society services. Where the controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data. Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, inter alia: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by The European Union or Member State law to which the controller is subject; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims. Right to restriction of processing The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or the data subject has objected to processing; in this case, the restriction shall apply for the period pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted pursuant to paragraph (1), such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the The European Union or of a Member State. The controller shall inform the data subject, at whose request the restriction of processing has been implemented, before the restriction of processing is lifted. Notification obligation related to the rectification or erasure of personal data, or restriction of processing The controller shall communicate any rectification, erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject, upon request, about those recipients. Right to data portability The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent or on a contract; and b) the processing is carried out by automated means. When exercising the right to data portability pursuant to paragraph (1), the data subject shall have the right to request that the personal data be transmitted directly from one controller to another, where technically feasible. The exercise of the right referred to in paragraph (1) shall be without prejudice to the rules relating to the right to erasure. The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to in paragraph (1) shall not adversely affect the rights and freedoms of others. Right to object The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data based on legitimate interests. In such a case, the controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims. Where personal data are processed for direct for business acquisition purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such purposes. Where the data subject objects to processing for direct for business acquisition purposes, the personal data shall no longer be processed for such purposes. In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise the right to object by automated means using technical specifications. In order to submit a request related to the exercise of data subject rights, we recommend that you click on the following link and download the relevant form: https://hu.iqos.com/documents/hu/Elektronikus_nyomtatvany_erintetti_joggyakorlas.pdf which, once completed, should be sent to the following email address: PMHU.GDPR@pmi.com. The protection of your personal data is very important to us; therefore, if you have any concerns regarding the protection of your data, please contact us via one of the following channels so that we can resolve the issue as quickly as possible: Telephone: +36 80 888 222 E-mail: PMHU.GDPR@pmi.com The data subject has the right to lodge a complaint with a supervisory authority (Hungarian National Authority for Data Protection and Freedom of Information, 1055 Budapest, Falk Miksa utca 9–11, https://naih.hu, phone: +36 (1) 391-1400, postal address: 1363 Budapest, P.O. Box 9, e-mail: ugyfelszolgalat@naih.hu). If the data subject is a foreign national, they may also lodge a complaint with the supervisory authority in their place of residence. In case of a violation of their rights, the data subject may bring proceedings before a court. The court shall act with priority in such cases. Jurisdiction over data protection cases lies with the tribunal (regional court), and the action may also be brought, at the data subject's choice, before the tribunal of their place of residence or habitual residence. The Controller informs the data subject that any person who has suffered material or non-material damage as a result of a breach of legislation is entitled to compensation from the Controller in accordance with the rules of civil law. Before lodging a complaint with a supervisory authority or turning to the courts, and in order to facilitate consultation and the quickest possible resolution of the issue, we kindly ask you to contact our Company, preferably using the email address indicated in the “Controller” section of this notice.

II. SPECIFIC SECTION

Data Processing Activities at Festivals

1. QR Code Generation

Description of the purpose of data processing	The data subject is provided access to the PMI Customer Support Point (hereinafter: CSP) by means of a QR code issued to them, which is valid for the duration of the Festival. This QR code enables access to the CSP and the provision of services offered by the Controller and used by the data subject at the Festival (device personalization, device charging with or without a replacement device, fully anonymous CO measurement—where the CO value is measured by the data subject themselves and is not recorded by the Controller, thus known only to the data subject—hereinafter: services). The purpose of processing is to provide these services to entitled individuals, to keep records of the services provided, to record the points earned by the data subject as a result of using the services, and to provide gifts to data subjects who have accumulated a specified number of points.
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	Last name and first name Domestic mobile phone number Information on whether the data subject is an IQOS Club member Information on whether the data subject uses nicotine-containing products Type of nicotine-containing product used by the data subject QR code
Legal basis of the processing	The processing of personal data is based on Article 6(1)(b) of the GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is a party.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29.; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity besides the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	In the absence of providing the data required for generating the QR code, the data subject will not be able to access the CSP, will not be able to use the services, and will not be entitled to points or gifts based on the use of the services.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.

2. Access control

Description of the purpose of data processing	Ensuring access to the CSP area for the data subject by the Controller in cases where the data subject possesses a QR code generated for them by the Controller.
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	QR code
Legal basis of the processing	The processing of personal data is based on Article 6(1)(b) of the GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is a party.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity beyond the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	If the data subject does not provide the required personal data, they will not be able to access the CSP area.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.

3. Questionnaire

Description of the purpose of data processing	The Controller performs this data processing activity for the purpose of determining whether the data subject has information, or adequate information, about the existence of the CSP at the Festival venue, and about the services that are available to data subjects at that location.
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	QR code Responses provided by the data subject in the questionnaire
Legal basis of the processing	The processing of personal data is based on Article 6(1)(f) of the GDPR, i.e. the processing is necessary for the purposes of the legitimate interests pursued by the Controller. The Controller's legitimate interest is to ensure that data subjects have appropriate information about the CSP and the services available.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity beyond the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	If the data subject does not provide the referenced personal data, they will not be able to complete the questionnaire.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.

4. Points collection

Description of the purpose of data processing	The Controller records the number of points earned by the data subject in order to provide a gift to those data subjects who achieve the required number of points by completing the questionnaire and using the services.
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	QR code Information on whether the data subject has completed the questionnaire Services used by the data subject Number of points earned by the data subject through the use of the services
Legal basis of the processing	The processing of personal data is based on Article 6(1)(b) of the GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is a party.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity beyond the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	If the data subject does not provide the referenced personal data, they will not be able to collect points and, therefore, will not be entitled to receive a gift.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.

5. Services

Description of the purpose of data processing	The Controller performs these data processing activities for the purpose of providing the following services: device personalization (engraving, embossing, rhinestone decoration; hereinafter: Service 1) charging the device with or without providing a replacement device (hereinafter: Service 2)
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	Personal data processed within the framework of Service 1: full name of the data subject email address of the data subject mobile phone number of the data subject type of device codentify of the holder codentify of the charger information on whether the data subject requested a replacement device Personal data processed within the framework of Service 2: the data listed under points a–g in relation to Service 1 visible damages on the device number of the charging station
Legal basis of the processing	The processing of personal data is based on Article 6(1)(b) of the GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is a party.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29.; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity besides the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	If the data subject does not provide the referenced personal data, they will not be able to use the services.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.

6. Summary (reporting)

Description of the purpose of data processing	The Controller prepares an internal summary of the responses provided by the data subjects in the questionnaire and the number of such responses, as well as of the services used by the data subjects, for the purpose of monitoring the popularity of the services and communicating in a differentiated manner via newsletter with those data subjects who visited the CSP and those who did not.
Categories of data subjects	IQOS Club members participating in the Festival
Processed personal data	QR code Responses provided by the data subject in the questionnaire Services used by the data subject Information on whether the data subject visited the CSP
Legal basis of the processing	The processing of personal data is based on Article 6(1)(f) of the GDPR, i.e. the processing is necessary for the purposes of the legitimate interests pursued by the Controller. The Controller's legitimate interest is to assess which of its services were in highest demand among data subjects, thereby allowing it to anticipate which services are likely to be most in demand at future events, and to enable tailored communication with those data subjects who visited the CSP and those who did not.
Data transfers, data processing	The Controller uses the following data processor for the processing activities described in this document: COMPOFFICE-R Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1141 Budapest, Öv utca 29; hereinafter: Data Processor). The Data Processor operates the IT system related to the data processing activities. Personal data are not transferred to any other legal entity beyond the Data Processor specified above.
Data retention period	The processing of the data for this specific purpose shall take place exclusively during the duration of the Festival.
Nature of data provision	The provision of data is voluntary.
Consequences of failure to provide data	In the absence of data, the Controller will not be able to prepare the summary.
Who has access to the data	Authorized staff members of the Controller present at the Festival and authorized staff members of the Data Processor.
Automated decision-making based on the data	No automated decision-making takes place.