1
M.10810496.2
EXPRESS ONE PRIVACY POLICY
(“Privacy Notice”)
DATA RELATING TO THE CONTROLLER
Express One Hungary Korlátolt Felelősségű Társaság (hereinafter referred to as Express One”)
pays particular attention to the protection of personal data processed and managed in connection with
the use of its parcel services and to compliance with the applicable privacy legislation.
With this in mind, in this Privacy Notice, Express One aims to provide comprehensive, transparent and
concise information about its data processing activities.
This Privacy Policy forms Annex 7 to Express One's current General Terms and Conditions (“GTC”).
This Privacy Notice aims to provide data subjects with adequate information in accordance with
Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”). Access and
download the GTC at the following link: http://expressone.hu/public/ASZF_2018_05_04.pdf. Access
and download this Privacy Notice at:
https://expressone.hu/public/Express_One_Hungary_Kft_Adatkezelesi_tajekoztato.pdf.
Subject to changes in the underlying legal environment, Express One expressly reserves the right to
amend and/or repeal this Privacy Notice at any time without prior direct notice to the data subjects. In
the event of a modification to this Privacy Notice, Express One will publish a notice and an alert on its
website (http://www.expressone.hu) at least 15 days before the amendment(s) take effect.
The details of Express One are as follows:
Name of the controller:
Express One Hungary Korlátolt Felelősségű Társaság
Registered office:
H-1239 Budapest, Európa utca 12.
Company registration number:
01-09-980899
Tax identification number:
13947109-2-43
Website:
http://www.expressone.hu
Email address:
ugyfelszolgalat@expressone.hu
Fax:
(+36) 1 8 777 499
Postal address:
H-1239 Budapest, Európa utca 12.
Community tax ID number:
HU13947109
2
M.10810496.2
Should you have any questions or comments about Express One's data processing and/or this Privacy
Notice, or if you wish to exercise any of the data subject rights provided in this Privacy Notice, you are
entitled to notify Express One using the contact details set out in Clause 4(II) hereof.
I.
DETAILS OF THE PROCESSING ACTIVITY
EXPRESS ONE CARRIES OUT DATA PROCESSING ACTIVITIES IN RELATION TO THE
FOLLOWING ACTIVITIES:
A.
COURIER AND EXPRESS POSTAL SERVICES
Subject to Act CLIX of 2012 on Postal Services (hereinafter: “Postal Services Act”)
1)
Domestic and international delivery to contracted partners and occasional customers
(courier and express postal services) for delivery by courier
2)
Domestic delivery to contracted partners (courier and express postal services)for
delivery at parcel lockers
3)
EURODIS
4)
Other postal services not replacing the universal service
and shipping services subject to Act V of 2013 on the Civil Code
5)
(hereinafter: "Civil Code")
B.
OTHER DATA PROCESSING
1.
Damage management
2.
Claims management
3
M.10810496.2
A.
COURIER AND EXPRESS POSTAL SERVICES
1.
DOMESTIC DELIVERY FOR CONTRACTED AND AD HOC CUSTOMERS, DELIVERY BY
COURIER
1.1.
Description of the service
Domestic home delivery is a service provided to both natural person and corporate consignors,
whereby Express One delivers or attempts to deliver the consignment the consignor wishes to send
and hands over to Express One, to the consignee or person entitled to receive it, as specified by the
consignor, subject to the conditions set out in the GTC and as set out in the courier service contract
concluded between the parties for home delivery.
1.1.1.
For ad hoc consignors
In the event of contracts concluded by an ad hoc principal by filling in the consignment note, the order
form or by registering online (eBox).
For the purposes of this section, Express One is a controller.
Data
subject
Personal data
processed in
relation to the
data subject
and
their source
Purpose of data
processing
1
Natural
person
consignor
Collected by
Express One
from the data
subject: name;
address; billing
address; place of
birth;
date of birth;
mother's maiden
name; tax
identification
number;
telephone
number; fax
number; email
address
Preparation and
performance of the
postal services
contract, accounting,
verification and ex-
post control of the
performance,
provision of data to
the supervisory
authority, and liaising.
for contracts
concluded via
eBox:
Collected by
Express One
Drafting a contract
for the provision of
services relating to
the information
society,
1
Government Decree No. 335/2012. (XII. 4.) on the detailed rules for the provision of postal services and the postal service for
official documents, and on the general terms and conditions of postal service providers and on items excluded from or
conditionally deliverable by postal services (hereinafter: “Postal Services Decree”)
4
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
from the data
subject: natural
person’s
identification data
required for
identification;
address; date,
duration and
place of use of
the service;
personal data
technically
necessary for the
provision of the
service.
determination and
amendment of its
content, monitoring
its performance,
invoicing the fees
arising from it, and
liaising for the
purpose of pursuing
claims in relation to
it.
For contracts
concluded via
eBox:
Collected by
Express One
from the data
subject: email
address.
To confirm receipt of
the customer's order
to the customer by
electronic means
without delay, and to
conclude the
contract.
2
.
Natural
person
representing
the
contracting
party
Collected from
the natural
person
representing the
contracting party:
name; telephone
number; fax
number.
Preparation for and
performance of the
contract to be
concluded with the
contracting party
and for the postal
services contract,
settlement of
accounts with,
certification and
post-contractual
control of
performance,
reporting data to the
supervisory
authority, and
liaison.
2 Act CVIII of 2001 on Specific Issues Related to Electronic Commerce and on Information Society Services (hereinafter: “E-
Commerce Act”)
5
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
for contracts
concluded via
eBox:
Collected by
Express One
from the natural
person
representing the
contracting party:
natural person’s
data required for
identification;
address; date,
duration and
place of use of
the service;
personal data
technically
necessary for the
provision of the
service.
Preparation a
contract for the
provision of services
relating to the
information society,
determination and
amendment of its
content, monitoring
its performance,
invoicing the fees
arising from it, and
liaising for the
purpose of pursuing
claims in relation to
it.
for contracts
concluded via
eBox:
Collected by
Express One
from the natural
person
representing the
contracting party:
email address
To confirm receipt of
the customer's order
to the customer by
electronic means
without delay, and to
conclude the
contract.
2
Act CVIII of 2001 on Specific Issues Related to Electronic Commerce and on Information Society Services (hereinafter: “E-
Commerce Act”)
6
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
3
Natural
person
consignee
Collected and
transmitted by
the consignor:
name, residential
address, delivery
address, place of
birth; date of
birth; mother's
maiden name;
tax identification
number; phone
number; fax
number; email
address
Preparation and
performance of the
postal services
contract, accounting,
verification and ex-
post control of the
performance,
provision of data to
the supervisory
authority, and liaising.
Collected and
transmitted by
the consignor (as
other data
controller): email
address
By dispatching a
questionnaire via
email to assert
Express One’s
legitimate interests
(quality assurance
and
monitoring/improvin
g the quality of its
services)
Possibly
collected from the
consignor or the
consignee:
different delivery
address and/or
date. It may also
include an email
address or phone
number other
than the one
previously
specified, as well
as the
information
provided by the
modifying party in
the comment
box.
Preparation
and performance of
the postal services
contract, settlement
of accounts with,
certification and ex-
post control of its
performance.
Collected from
the consignee:
signature,
personal
Number
and type of
identification
7
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
document for the
postal services
contract
fulfilment of the
related legal
obligations, proof of
performance of the
contract, and
compliance with
legal obligations.
Result of the
satisfaction
survey made with
the consignee
and the
waybill number.
By dispatching a
questionnaire via
email to assert
Express One’s
legitimate interests
(quality assurance
and
monitoring/improvin
g the quality of its
services).
4
Natural
person
representing
the consignee
(or other
person
entitled to
receive the
consignment)
Collected and
transmitted by
the sender or the
natural person
consignee: name,
residential
address, phone
number;
Preparation and
performance of the
postal services
contract, accounting,
verification and ex-
post control of the
performance,
provision of data to
the supervisory
authority, and liaising.
Collected and
transmitted by
the consignor (as
other data
controller): email
address
By dispatching a
questionnaire via
email to assert
Express One's
legitimate interests
(quality assurance
and
monitoring/improvin
g the quality of its
services).
3
Government Decree No. 335/2012. (XII. 4.) on the detailed rules for the provision of postal services and the postal service
for official documents, and on the general terms and conditions of postal service providers and on items excluded from or
conditionally deliverable by postal services (hereinafter: “Postal Services Decree”)
8
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
Possibly
collected from the
consignor or the
consignee:
different delivery
address and/or
date. It may also
include an email
address or phone
number other
than the one
previously
specified, as well
as the
information
provided by the
modifying party in
the comment
box.
Preparation
and performance of
the postal services
contract, settlement
of accounts with,
certification and ex-
post control of its
performance.
Collected from
the person
representing the
consignee:
signature;
number and type
of the document
that can be used
for personal
identification;
indicating the
relationship
between the
consignee and
the
representative or
the capacity of
the consignee.
Fulfilment
of the legal
obligation relating to
the contract for
postal services,
proof of fulfilment of
the contract, and
compliance with the
legal obligation.
9
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject
and their
source
Purpose of data
processing
Result
By dispatching
of the satisfaction
a questionnaire
survey
via email to assert
made with the
Express One's
natural person
legitimate interests
representing
(quality assurance
the consignee
and monitoring/
and the waybill
improving the
number.
quality of
its services)
.
.
5
Witness
Collected from
the witness:
his/her capacity;
name, age,
signature; data
relating to proof
of identity
Proof of delivery of a
registered
consignment to a
consignee who is
illiterate, does not
know Latin
characters or is
otherwise unable to
write, and proof of
the consignee's
eligibility.
6
Legal re-
presentative
or guardian
Collected from
the legal
representative:
data required for
personal
identification;
signature;
Collected from a
guardian: non-
appealable
official decision;
official identity
card or official
certificate,
signature
Proof of delivery of a
personal delivery
request to a natural
person who is
incapacitated or
subject to
guardianship that
excludes his or her
capacity to act.
10
M.10810496.2
1.1.2.
For a contracted partner consignor
For the purposes of this section, Express One is a controller.
Data
subject
Processed
personal data of
the data subject
and its source
Legal basis for data
processing
Purpose of data
processing
1
.
The
natural
person
representin
g the
contracted
partner
Collected from the
natural person
representing the
contracting party:
name; phone
number; and fax
number.
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
[legislation containing legal
obligations: Article 54(1) of
the Postal Services Act]
Preparation and
performance of the
contract concluded
with contractual
partners for postal
services, accounting,
verification and ex-
post control of the
performance, and
provision of data to
the supervisory
authority, and liaising.
2
.
Natural
person
consignee
Collected and
transmitted by the
contractual
partner: name,
residential address,
place of birth; date
of birth; mother's
maiden name; tax
identification
number; phone
number; fax
number; email
address
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
[legislation containing legal
obligations: Article 54(1) of
the Postal Services Act]
Preparation and
performance of the
postal services
contract, accounting,
verification and ex-
post control of the
performance,
provision of data to
the supervisory
authority, and liaising.
Collected and
transmitted by the
contractual
partner: email
address
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
By dispatching a
questionnaire via
email to assert
Express One's
legitimate interests
(quality assurance
and
monitoring/improving
the quality of its
services).
Possibly collected
from the consignor
or the consignee:
different delivery
address and/or
date. It may also
include
an e-mail
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Preparation and
performance of the
postal services
contract, settlement of
accounts with,
11
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
address or phone
number other than
the one previously
provided, and the
information
provided by the
amending party in
the comment box.
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
[legislation containing legal
obligations: Article 41(6) of
the Postal Services Act and
Article 9(3) of the Postal
Services Decree]
certification and ex-
post control of its
performance.
and Article 6(1)(a) and (f) of
the GDPR
(consent and legitimate
interest)
Collected from the
consignee:
signature, the type
and
number of the
document that can
be used for
personal
identification
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
Fulfilment of the legal
obligation relating to
the contract for postal
services, proof of
fulfilment of the
contract, and
compliance with the
legal obligation.
[legislation containing legal
obligations: Articles 41(10)
and 54(1) of the Postal
Services Act and Article
22(5)(a) of the Postal
Services Decree]
Result of the
satisfaction survey
made with the
consignee and the
waybill number.
Article 6(1)(a) of the GDPR
(the data subject’s consent)
By dispatching a
questionnaire via
email to assert
Express One's
legitimate interests
(quality assurance
and
monitoring/improving
the quality of its
services).
3
.
Natural
person
representin
g the
consignee
(or other
Collected and
transmitted by the
contractual partner
or the natural
person
consignee (as other
data controller):
name;
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Preparation and
performance of the
postal services
contract, settlement of
accounts with,
certification
and ex-post control
12
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
person
entitled to
receive the
consignmen
t)
residential address;
phone number;
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
of its performance,
provision of data to
the supervisory
authority,
and liaising.
[legislation containing legal
obligations: Article 54(1) of
the Postal Services Act]
Collected and
transmitted by the
contractual
partner: email
address
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
By dispatching a
questionnaire via
email to assert
Express One’s
legitimate interests
(quality assurance
and
monitoring/improving
the quality of its
services).
Possibly collected
from the consignor
or the consignee:
different delivery
address and/or
date. It may also
include an
email address or
phone number other
than the one
previously specified,
as well as the
information
provided by the
modifying party in
the comment box.
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
[legislation containing legal
obligations: Article 41(6) of
the Postal Services Act and
Article 9(3) of the Postal
Services Decree]
Preparation and
performance of the
postal services
contract, settlement of
accounts with,
certification and ex-
post control of its
performance.
and Article 6(1)(a) and (f) of
the GDPR
(consent and legitimate
interest)
Collected from the
person representing
the consignee:
signature; number
and type of the
document that can
be used for personal
identification;
indicating the
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
Fulfilment of the legal
obligation relating to
the contract for postal
services, proof of
fulfilment of the
contract, and
compliance with
13
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
relationship
between the
consignee and the
representative or
the capacity of the
consignee.
[legislation containing legal
obligations: Articles 41(10)
and 54(1) of the Postal
Services Act and Article
22(5)(a) of the Postal
Services Decree]
a legal obligation.
AND
[Article 6(1)(f) of the GDPR]
(required for asserting the
data controller’s legitimate
interests)
Result of
the satisfaction
survey made with
the natural person
representing the
consignee and the
waybill number.
Article 6(1)(a) of the GDPR
(the data subject’s consent)
By dispatching a
questionnaire via
email to assert
Express One's
legitimate interests
(quality assurance
and
monitoring/improving
the quality of its
services).
4
.
Witness
Collected from the
witness: his/her
capacity; name,
age, signature; data
relating to proof of
identity
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6(1)(c) of the GDPR
(required for the performance
of a legal obligation)
Proof of delivery of a
registered
consignment to an
consignee who is
illiterate, does not
know Latin characters
or is otherwise unable
to write, and proof of
the
consignee's eligibility.
[legislation containing legal
obligations: Article 26(1) of
the Postal Services
Decree]
5
.
Legal
representati
ve or
guardian
Collected from the
legal representative:
data required for
personal
identification;
signature;
Article 6(1)(b) of the GDPR
(processing is required for the
performance of the contract)
AND
Article 6 (1)(c) of the GDPR
Proof of delivery of a
personal
delivery request to a
natural person who is
incapacitated or
subject to
guardianship that
excludes
14
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
Collected from a
guardian: non-
appealable official
decision; official
identity card or
official certificate,
signature
(required for the performance
of a legal obligation)
[legislation containing legal
obligations: Article 26(2) of
the Postal Services Decree]
his or her capacity to
act.
15
M.10810496.2
2.
DOMESTIC DELIVERY TO CONTRACTED PARTNERS FOR DELIVERY TO A PARCEL
LOCKER
2.1 Description of the service
Parcel locker service is defined in Clause 7.1 of the GTC.
2.1.1 For a contracted partner consignor:
For the purposes of this section, Express One is a controller.
Data
subject
Personal data processed
in relation to the data
subject and their source
Legal basis for
data
processing
Purpose of data
processing
1
Natural person
representing
the contracted
partner
Collected from the natural
person representing the
contracted party: name;
phone number; fax number
and email address
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
Preparation and
performance of the
contract concluded with
contractual partners for
postal services,
accounting, verification
and ex-post control of
the performance, and
provision of data to the
supervisory authority,
and liaising.
[legislation
containing legal
obligations:
Article 54(1) of
the Postal
Services Act]
2
Natural person
consignee
Collected and transmitted
by the contracted partner
(as other data controller):
name, residential address,
delivery address, place of
birth; date of birth; mother's
maiden name; tax
identification number; phone
number; fax number; email
address
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
Preparation and
performance of the
postal services
contract, settlement of
accounts with,
certification and ex-post
control of its
performance,
provision of data
to the supervisory
authority, and liaising.
[legislation
containing legal
16
M.10810496.2
Data
subject
Personal data processed
in relation to the data
subject and their source
Legal basis for
data
processing
Purpose of data
processing
obligations:
Article 54(1) of
the Postal
Services Act]
Collected and transmitted
by the contracted partner
(as other data controller):
email address
Article 6(1)(f) of
the GDPR
(Express One's
legitimate
interests).
By dispatching a
questionnaire via email
to assert Express One's
legitimate interests
(quality assurance and
monitoring/improving
the quality of its
services).
Collected from the
consignee: signature and
description, letter and
numerical code of the
document proving identity.
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
[legislation
containing legal
obligations: Article
54(1) of the Postal
Services Act and
Article 22(5)(a)
and (b) of
the Postal Services
Decree]
Fulfilment of the legal
obligation relating to the
contract for postal
services, proof of
fulfilment of the
contract, and
compliance with the
legal obligation.
Result of the satisfaction
survey made with the
consignee and the waybill
number.
Article 6(1)(a) of
the GDPR (the
data subject’s
consent(
By dispatching a
questionnaire via email
to assert Express One's
legitimate interests
(quality assurance and
monitoring/improving
the quality of its
services).
3
Natural person
Collected and transmitted
by the contracted partner
(as other
Article 6(1) (b) of
the GDPR
Preparation and
performance of
17
M.10810496.2
Data
subject
Personal data processed
in relation to the data
subject and their source
Legal basis for
data
processing
Purpose of data
processing
representing
the consignee
(or other
person entitled
to receive the
consignment)
data controller): name,
residential address and
phone number
(data processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
the postal services
contract, accounting,
verification and ex-post
control of the
performance, provision
of data
to the supervisory
authority, and liaising.
[legislation
containing legal
obligations:
Article 54(1) of the
Postal Services
Act]
Collected and transmitted
by the contracted partner
(as other data controller):
email address
Article 6(1)(f) of
the GDPR
(Express One's
legitimate
interests).
By dispatching a
questionnaire via email
to assert Express One's
legitimate interests
(quality assurance and
monitoring/improving
the quality of its
services).
Collected from the natural
person representing the
consignee: signature and
description, letter and
numerical code of the
document proving identity.
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
Fulfilment of the legal
obligation relating to the
contract for postal
services, proof of
fulfilment of the
contract, and
compliance with the
legal obligation.
[legislation
containing legal
obligations:
Articles 41(10) and
54(1) of the Postal
Services
18
M.10810496.2
Data
subject
Personal data processed
in relation to the data
subject and their source
Legal basis for
data
processing
Purpose of data
processing
Act and
Article 22(5)(a)
and (b) of the
Postal Services
Decree]
Result of the
Article 6 (1)(a)
By dispatching a
natural person
of the GDPR
questionnaire
the satisfaction survey
(the data subject’s
end date of validation
made with the natural
consent)
via email to assert
person representing the
Express One's legitimate
consignee and the waybill
number.
interests
(quality assurance
and monitoring/
improving the
quality of its
services).
4
Witness
Collected from the witness:
his/her capacity; name, age,
signature; data relating to
proof of identity
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
Proof of delivery of a
registered consignment
to an consignee who is
illiterate, does not know
Latin characters or is
otherwise unable to
write, and proof of the
consignee's eligibility.
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of a
legal obligation)
[legislation
containing legal
obligations: Article
26(1) of the Postal
Services
Decree]
5
Legal
representative
or guardian
Collected from the legal
representative: data
required for personal
identification; signature;
Collected from a guardian:
non-appealable official
decision; official identity
card or official certificate
and signature
Article 6(1)(b) of
the GDPR
(processing is
required for the
performance of the
contract)
AND
Article 6(1)(c) of
the GDPR
(required for the
performance of
Proof of delivery of a
personal delivery
request to a natural
person who is
incapacitated or subject
to guardianship that
excludes his or her
capacity to act.
19
M.10810496.2
Data
subject
Personal data processed
in relation to the data
subject and their source
Legal basis for
data
processing
Purpose of data
processing
a legal obligation)
[legislation
containing legal
obligations: Article
26(1) of the Postal
Services
Decree]
20
M.10810496.2
3.
DELIVERY ABROAD FOR CONTRACTED AND AD HOC CUSTOMERS, DELIVERY BY
COURIER ("EURODIS")
In the case of the provision of courier services across the borders of Hungary, Express One will
process the data indicated in Clause a, with the exception that, subject to limited exceptions, data
collected from the consignee or from a natural person representing the consignee will not be
processed.
4.
OTHER POSTAL SERVICES NOT REPLACING THE UNIVERSAL SERVICE
4.1 Description of the service
Other postal services that do not replace the universal service provided by Express One are defined
in Clauses 1.1 and 7.1 of the GTC.
4.1.1.
For ad hoc consignors
See: the applicable provisions set out in Clause 1.1.1.
4.1.2.
For a contracted partner consignor
See: the applicable provisions set out in Clause 1.1.2.
5.
SHIPPING SERVICE
5.1 Description of the service
Shipping service is a service provided exclusively to companies that are the contractual partners of
Express One, whereby Express One delivers or attempts to deliver the consignment dispatched and
handed over to Express One by the consignor company to the consignee (consignee) or the person
entitled to receive it, as specified by the consignor company, subject to the conditions set out in the
GTC and in the shipping contract concluded between the parties. Further provisions on shipping are
set out in Articles 6:257 to 6:271 of the Civil Code.
For the purposes of this section, Express One is a controller.
Data
subject
Processed
personal data of
the data subject
and its source
Legal basis for data
processing
Purpose of data
processing
1
Natural
person
representing
the
contracting
party
Collected from the
natural person
representing the
contracting party:
name; phone
number; fax number
and email address.
Article 6(1)(b) of the
GDPR (processing is
required for the
performance of the
contract)
AND
GDPR, Article 6(1) (f)
(required
Preparation and
performance of the
shipping services contract,
settlement of accounts
with, certification and ex-
post control of its
performance, liaising.
21
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
for asserting the legitimate
interests of Express One)
2
Natural
person
consignee
Collected and
transmitted by the
contractual partner
(as other data
controller): name,
residential address,
delivery address,
place of birth; date
of birth; mother's
maiden name; tax
identification
number; phone
number; fax number;
email address
Article 6(1)(b) of the
GDPR (processing is
required for the
performance of the
contract)
AND/OR
Article 6(1)(c) of the
GDPR (required for the
performance of a legal
obligation
AND)
Preparation and
performance of the
shipping services contract,
settlement of accounts
with, certification and ex-
post control of its
performance, liaising.
Article 6(1)(f) of the GDPR
(for asserting Express
One's legitimate
interests).
Collected and
transmitted by the
contractual
partner: email
address
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
By dispatching a
questionnaire via email to
assert Express One's
legitimate interests
(quality assurance and
monitoring/improving the
quality of its services).
Collected from the
consignee: signature
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
Required for asserting
Express One's legitimate
interests (proof
of contract performance).
Result of the
satisfaction survey
made with the
consignee and the
waybill number.
Article 6(1)(a) of the
GDPR (the data subject’s
consent)
By dispatching a
questionnaire via email to
assert Express One's
legitimate interests
(quality assurance and
monitoring/improving the
22
M.10810496.2
Data
subject
Personal data
processed in
relation to the
data subject and
their source
Legal basis for data
processing
Purpose of data
processing
quality of its services).
3
Natural
person
representing
the
consignee
Collected and
transmitted by the
contractual
partner: name and
phone number
Article 6(1)(b) of the
GDPR (processing is
required for the
performance of the
contract)
AND/OR
Preparation and
performance of the
shipping services contract,
settlement of accounts
with, certification and ex-
post control of its
performance and liaising.
Article 6(1)(f) of the GDPR
(for asserting Express
One's legitimate
interests).
Collected and
transmitted by the
contractual
partner: email
address
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
By dispatching a
questionnaire via email to
assert Express One's
legitimate interests
(quality assurance and
monitoring/improving the
quality of its services).
Collected from the
natural person
representing the
consignee: signature
Article 6(1)(f) of the GDPR
(Express One's legitimate
interests).
Required for asserting
Express One's legitimate
interests (proof
of contract performance).
Result of
the satisfaction
survey made with
the natural person
representing the
consignee and the
waybill number.
Article 6(1)(a) of the
GDPR (the data subject’s
consent)
By dispatching a
questionnaire via email to
assert Express One's
legitimate interests
(quality assurance and
monitoring/improving the
quality of its services).
6.
DATA PROCESSING RELATED TO OTHER ACTIVITIES
Where Express One also performs a processing activity not covered by this Privacy Notice, at the time
the personal data is obtained, Express One will provide the information required by the applicable
legislation.
23
M.10810496.2
7.
ADDITIONAL INFORMATION RELATING TO THE PROCESSING DESCRIBED IN
CLAUSES 1 TO 5
7.1.
Using a data processor
Express One uses/may use a subcontractor for the performance of courier service contracts, contracts
for delivery to parcel lockers and transport service contracts.
Where a subcontractor is used, personal data relating to the consignee and the person authorised to
receive the data will be transmitted to the subcontractor responsible for the territory in question on the
basis of the data processing arrangements between Express One and the subcontractor.
In relation to the performance of the contract, the subcontractor should collect the signatures of the
consignee or the person authorised to receive the consignment, and the witness, or the legal
representative, and transmit this personal data to Express One. In the event of delivery of a registered
consignment at a point of delivery in accordance with the Postal Act, in addition to the signature, the
subcontractor should also request the name, letter code and number of the document proving the
identity of the consignee or other authorised consignee.
In addition to the subcontractors involved in the performance of the contracts, Express One may also
transmit personal data to additional data processors (e.g. data processors providing accounting
services, etc.) to the extent necessary for the purpose of fulfilling its obligations under applicable
legislation. Such transmissions take place, inter alia, in the case of transfers to a data processor used
for the preparation and issue of EXO invoices for the services.
In addition to the above, in the event of services provided across the borders of Hungary, the data
necessary for the fulfilment of the service will be transmitted to Express One's contractual partners
(members of the EURODIS network).
7.2.
Data transmission
The authorised and competent authorities, bodies, etc. may contact Express One in accordance with
the applicable legislation and request it to transmit personal data processed by Express One. In such
a case, Express One is obliged to comply with the request of the requesting authority, body, etc. in
accordance with the law and to transmit the requested personal data requested to the authority, body,
etc. in accordance with and to the extent specified in the request. Otherwise, personal data will not be
transmitted.
As a postal service provider, Express One may forward the data related to the performance of the
postal service and those that come to its knowledge during the performance of the postal service to a
data manager or data processor in a third country exclusively for the purpose of the performance of
the postal service and the confirmation, financial settlement and ex post inspection of the
performance. [ Article 54 (4) of the Postal Services Act].
Express One does not otherwise transmit personal data to third countries or international
organisations.
7.3.
Retention period for personal data
The duration of the storage of personal data is determined taking into account the following criteria:
24
M.10810496.2
a)
Personal data relating to the sender and to the natural person acting on behalf of the
sender: documents containing personal data within the scope of Article 169 (2) of Act C of
2000 on Accounting (hereinafter: Accounting Act”) will be retained for 8 years from the date
of their creation.
If other legislation provides for a different retention period for Express One, the retention
period provided for by the legislation will apply.
Where Express One's legitimate interest [Article 6(1)(f) of the GDPR] would require the
retention of personal data for a longer period, the personal data may be retained for as long
as the underlying legitimate interest allows.
b)
Personal data relating to the consignee and to the natural person representing the
consignee/person authorised to receive the data: Documents containing personal data
within the scope of Article 169 (2) of the Accounting Act will be retained for 8 years from the
date of their creation.
If other legislation provides for a different retention period for Express One, the retention
period provided for by the legislation will apply.
Where Express One's legitimate interest [Article 6(1)(f) of the GDPR] would require the
retention of personal data for a longer period, the personal data may be retained for as long as
the underlying legitimate interest allows.
Personal data relating to satisfaction surveys will be kept for a period justified by and in
accordance with EXO's legitimate interest. In the course of assessing this, it also takes into
account, among other things, the date of submitting the satisfaction survey and the time
required for processing it.
7.4.
Consequences of failure to provide data
The provision of the personal data listed for each processing is a prerequisite for the performance or
conclusion of the relevant contract. If the specified personal data are not provided, the contract will not
be concluded or will not be performed.
B. OTHER DATA PROCESSING
1.
DAMAGE MANAGEMENT
Express One will handle and adjudicate any claims for damages in accordance with applicable
legislation and the GTC.
For the purposes of this section, Express One is a controller.
25
M.10810496.2
Data subject
Personal data processed in
relation to the data subject
and their source
Legal basis
for data
processing
Purpose of data
processing
1
The consignor who
enforces the claim
Collected directly
from the data
subject: name;
residential address;
e-mail address;
phone number;
Based on the
logbook: name of
consignor, name of
consignee; place of
recording; waybill
number;
consignment
contents;
consignment status
information;
signature
Article 6(1)(c) of
the GDPR
(required for the
performance of
a legal
obligation)
Article 44-52 of
the Postal
Services Act
AND
Article 6(1)(f) of
the GDPR
(Express One's
legitimate
interests).
Asserting the rights
of Express
One and the person
entitled to
compensation,
fulfilling Express
One's obligations
based on law,
gathering evidence
that may be used in
a dispute
2
The consignee
claiming the damage
or the authorised
representative of
the consignee
Collected directly
from the data
subject: name;
residential address;
e-mail address;
phone number;
Based on the
logbook: name of
consignor, name of
consignee; place of
recording; waybill
number;
consignment
contents;
consignment status
information;
signature
Article 6(1)(c) of
the GDPR
(required for the
performance of
a legal
obligation)
Article 44-52 of
the Postal
Services Act
AND
Article 6(1)(f) of
the GDPR
(Express One's
legitimate
interests).
Asserting the rights
of Express
One and the person
entitled to
compensation,
fulfilling Express
One's obligations
based on law,
gathering evidence
that may be used in
a dispute
2.1.
Processor: the use of a data processor in relation to the data processing activities defined
in this point. For the purposes of this Clause, Express One's data processors are its
subcontractors contracted for the delivery of the consignment and recorded in the logbook
during the delivery of the consignment. For more information about them, see Clause 7.1.
2.2.
Data transmission: The authorised and competent authorities, bodies, etc. may contact
Express One in accordance with the applicable legislation and request it to transmit
personal data processed by Express One. In such a case, Express One is obliged to
comply with the request of the requesting authority, body, etc. in accordance with the law
and to transmit the requested personal data requested to the authority, body, etc. in
accordance with and to the extent specified in the request.
26
M.10810496.2
If the damage is also related to Express One's insurance contracts, the data relating to
the damage and its notification will be transmitted to the competent insurer acting as a
data controller.
Otherwise, the personal data will be transmitted to the competent authority or judicial
body in the course of any enforcement proceedings.
2.3.
Retention period for personal data: The retention period for damage reports and the
documents related to their processing is the period specified in the applicable legislation
or, if necessary to assert Express One's legitimate interest, the period justified by the
legitimate interest.
2.4.
Consequences of failure to provide data: Express One is unable to process a notice
made by an unidentified person.
2.
CLAIMS MANAGEMENT
Express One may process the following personal data in relation to claims arising from contracts with
Express One.
For the purposes of this section, Express One is a data controller.
Data subject
Processed
personal data of
the data subject
and its source
Legal basis for data
processing
Purpose of data
processing
The consignor
or consignee
Collected directly
from the data
subject or a third
person: name;
residential address;
e-mail address;
phone number;
Article 6(1)(f) of the
GDPR (Express One's
legitimate interests).
Collection of evidence
that may be used while
asserting the rights of
Express One and in a
dispute.
3.1.
Processor: the use of a data processor may be required in relation to the processing of
claims. In particular, the legal representative appointed by Express One in relation to the
case may be a data processor for the purpose of claims management.
3.2.
Data transmission: The authorised and competent authorities, bodies, etc. may contact
Express One in accordance with the applicable legislation and request it to transmit
personal data processed by Express One. In such a case, Express One is obliged to
comply with the request of the requesting authority, body, etc. in accordance with the law
and to transmit the requested personal data requested to the authority, body, etc. in
accordance with and to the extent specified in the request.
In other respects, personal data will be transmitted to the competent authorities, courts, bodies
and legal representative in the course of any legal proceedings.
3.3.
Retention period for personal data: The retention period for documents relating to the
management of a claim will be commensurate with the time required to
27
M.10810496.2
enforce Express One's legitimate interest, but will not normally exceed 5 years from the
date when the underlying contract terminates or the claim becomes due.
Consequences of failure to provide data: In the event that Express One does not receive any data
required for the processing of a claim, it will seek other lawful means to pursue its claims.
II.
ADDITIONAL PROVISIONS
1.
DATA SECURITY
Express One stores the personal data it processes as follows:
electronically stored personal data/documents are stored on Express One's IT systems.
the personal data/documents stored on paper are stored in areas owned by Express One or
by a company that is Express One's data processor and specifically provides document
storage services [company name: Iron Mountain Magyarország Kft.; registered office: H-1093
Budapest, Czuczor utca 10. IV. és V. emelet; company registration number: 01-09-364901].
In relation to the processing and storage of data, Express One and its data processor will implement
appropriate technical and organisational measures to ensure an adequate level of data security,
including:
saving data at appropriate intervals and tracking changes;
access to personal data (computer network) stored by Express One is restricted to authorised
persons for the sole purpose of the processing and to the limited extent related to their work;
placing the technical device(s) used for storing personal data in a locked room and physically
protecting it;
the minimisation of the export of data from protected areas;
sealed (delivered) shipment data is available for 45 days, then it is archived and only those
users can have access to it who need it for their work;
protecting the IT system with an authorisation system and hardware and software solutions
(including firewall, antivirus, etc.) that respect the principles set out in EXO's user policy.
2.
DATA SUBJECTS' RIGHTS IN RELATION TO DATA PROCESSING
I.
In relation to Express One’s processing of his or her personal data, the data subject is
entitled to:
28
M.10810496.2
a.
receive information from the controller [Articles 13 and 14 of the GDPR] (see Clause 2.1. of
this Privacy Notice);
b.
withdraw his or her consent (if applicable) [Article 7(3) of the GDPR] (see Clause 2.2 of this
Privacy Notice);
c.
have access to his or her personal data [Article 15 of the GDPR] (see Clause
2.3 of this Privacy Notice);
d.
request rectification of his or her personal data [Article 16 of the GDPR] (see Clause 2.4 of
this Privacy Notice);
e.
request the erasure of his or her personal data [Article 17 of the GDPR] (see Clause
2.5 of this Privacy Notice);
f.
request the restriction of the processing of his or her personal data [Article 18 of the
GDPR] (see Clause 2.6 of this Privacy Notice);
g.
exercise the right to data portability in relation to his or her personal data [Article 20 of the
GDPR] (see Clause 2.7 of this Privacy Notice);
h.
object to the processing of his or her personal data [Article 21 of the GDPR] (see Clause
2.8 of this Privacy Notice);
i.
complain to a supervisory authority about data processing [Article 77 of the GDPR] (see
Clause 2.9.1 of this Privacy Notice);
j.
seek judicial redress [Article 79 of the GDPR] (see Clause 2.9.2 of this Privacy Notice);
k.
claim damages [Article 82 of the GDPR] (see Clause 2.10 of this Privacy Notice).
II.
While exercising his or her rights, the data subject must provide Express One with
sufficient information to enable Express One to comply with its obligations set out in the
applicable legislation in relation to the exercise of the data subject's rights. In this context,
the data subject should specify, among other things, the right he or she wishes to exercise
and, depending on the right he or she wishes to exercise, any additional information
required for the exercise of that right (e.g. in the case of a request for rectification of his or
her data, the data to be rectified).
The contact details for receiving the data subject's requests under this point are as follows:
email address: adatvedelem@expressone.hu
Phone: +36-70-866 8733
Address: H-1239 Budapest, Európa utca 12.
postal address: H-1239 Budapest, Európa utca 12.
2.1
Right to information
29
M.10810496.2
The controller takes appropriate measures to provide the data subject with all the information referred
to in Articles 13 and 14 and all the information referred to in Articles 15 to 22 and Article 34 concerning
the processing of personal data in a concise, transparent, intelligible and easily accessible form, in
clear and plain language, in particular in the case of any information addressed to children. Such
information must be provided in writing or by other means, including electronic means, where
appropriate. Oral information may also be given at the request of the data subject, provided that the
identity of the data subject has been verified by other means.
2.2
Right to withdraw consent
If a processing operation is based on the data subject's consent, the data subject is entitled to
withdraw his or her consent at any time. However, the withdrawal of consent does not affect the
lawfulness of the processing performed prior to withdrawal, based on consent.
2.3
Right of access
The data subject has the right to obtain from Express One (as controller) confirmation as to whether or
not personal data concerning him or her are being processed, and, where that is the case, access to
the personal data and the information listed in Article 15(1) of the GDPR:
Where personal data are transferred to a third country or to an international organisation, the data
subject has the right to be informed of the appropriate safeguards relating to such transfer [Article
15(2) of the GDPR].
Express One provides the data subject with a copy of the personal data processed upon request. For
additional copies requested by the data subject, Express One may charge a reasonable fee based on
administrative costs. Where the data subject makes the request by electronic means, and unless
otherwise requested by the data subject, the information shall be provided in a commonly used
electronic form [Article 15(3) of the GDPR]. The right to obtain a copy may not adversely affect the
rights and freedoms of others [Article 15(4) of the GDPR].
2.4
Right to rectification
The data subject has the right to request Express One to rectify any inaccurate personal data
concerning him or her without undue delay. In addition, taking into account the purposes of the
processing, the data subject is entitled to have incomplete personal data completed, including by
means of providing a supplementary statement.
Express One communicates any rectification of personal data carried out in accordance with Article 16
to each consignee to whom the personal data have been disclosed, unless this proves impossible or
involves disproportionate effort. Express One informs the data subject about those consignees if the
data subject requests it.
2.5
Right to erasure
The data subject has the right to obtain from Express One the erasure of personal data concerning
him or her without undue delay. Express One, on the other hand, is obliged to erase personal data of
the data subject without undue delay if one of the following grounds applies:
30
M.10810496.2
a)
the personal data are no longer necessary for the purposes for which they were collected
or otherwise processed;
b)
the data subject withdraws his or her consent that forms the basis of processing according
to Article 6(1)(a) of the GDPR or Article 9(2)(a), and there is no other legal ground for
processing;
c)
the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there
are no overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2) of the GDPR;
d)
the personal data have been unlawfully processed;
e)
personal data must be erased in order to comply with a legal obligation applicable to the
data controller under Union or Member State law to which Express One is subject;
f)
the personal data has been collected in relation to the offer of information society services
referred to in Article 8(1) of the GDPR.
Express One is not obliged to erase personal data if the processing is necessary:
a)
for exercising the right of freedom of expression and information;
b)
for compliance with a legal obligation which requires processing by Union or
Member State law to which Express One is subject;
c)
in the public interest in the field of public health;
d)
for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes, in so far as the right to erasure is likely to render impossible or
seriously impair the achievement of the objectives of such processing; or
e)
for the establishment, exercise or defence of legal claims.
Express One communicates any erasure of personal data carried out in accordance with Article 17(1)
to each consignee to whom the personal data have been disclosed, unless this proves impossible or
involves disproportionate effort. Express One informs the data subject about those consignees if the
data subject requests it.
2.6
Right to the restriction of processing
If one of the following conditions is met, the data subject has the right to have Express One restrict the
processing:
a)
the data subject contests the accuracy of the personal data. In this case, the restriction
applies for the period of time required to allow the data controller to verify the accuracy of the
personal data;
b)
the processing is unlawful and the data subject opposes the erasure of the personal data and
requests the restriction of their use instead;
31
M.10810496.2
c)
Express One no longer needs the personal data for the purposes of the processing, but they
are required by the data subject for the establishment, exercise or defence of legal claims;
d)
the data subject has objected to the processing pursuant to Article 21(1) of the GDPR. In such
a case, the restriction applies for the period until it is established whether the legitimate
grounds of the controller prevail over the legitimate grounds of the data subject.
Where processing has been restricted as above, such personal data may, with the exception of
storage, only be processed with the data subject's consent or for the establishment, exercise or
defence of legal claims or for the protection of the rights of another natural or legal person or for
reasons of important public interest of the Union or of a Member State. Express One informs the data
subject (who has requested and has been granted restriction of processing) before lifting the
restriction of processing.
Express One communicates all restrictions of processing personal data carried out in accordance with
Article 18 to each consignee to whom the personal data have been disclosed, unless this proves
impossible or involves disproportionate effort. Express One informs the data subject about those
consignees if the data subject requests it.
2.7
Right to data portability
The data subject is entitled to receive the personal data concerning him or her, which he or she has
provided to a controller (e.g. Express One acting as controller), in a structured, commonly used and
machine-readable format and have the right to transmit those data to another controller without
hindrance from the controller to which the personal data have been provided (e.g. Express One acting
as controller), where:
a)
the processing is based on consent or a contract; and
b)
the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to this clause, the data subject is entitled to
request the direct transfer of personal data between controllers, where technically feasible.
The exercise of this right is without prejudice to the right to erasure [Article 17 of the GDPR] and may
not adversely affect the rights and freedoms of others.
32
M.10810496.2
2.9
Available legal remedies
Express One informs the data subject of the action it has taken regarding the request within 1 (one)
month of receipt of the requests detailed above.
If no action is taken, Express One informs the data subject without delay and at the latest within 1
(one) month of receipt of the request of the reasons for the lack of action and of the data subject's right
to (i) lodge a complaint with a supervisory authority and (ii) seek judicial remedy.
2.9.1
Right to complain
If a data subject considers that the processing of personal data relating to him or her infringes the
GDPR, he or she the right to lodge a complaint with a supervisory authority, in particular in the
Member State of his or her habitual residence, place of work or place of the alleged infringement.
In Hungary, the supervisory authority is:
Name
National Authority for Data Protection and Freedom of
Information
Postal address
H-1530 Budapest, POB: 5
Address
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C
Phone
(+36) 1 391-1400
Fax
(+36) 1 391-1410
The data subject is entitled to object at any time, on grounds relating to his or her particular
situation, to the processing of his or her personal data based on Article 6(1)(f) of the GDPR
(processing based on legitimate interests), including profiling based on that same provision.
In that case, Express One may no longer process the personal data, unless Express One
demonstrates compelling legitimate grounds for the processing which override the interests,
rights and freedoms of the data subject or for the establishment, exercise or defence of legal
claims.
Where personal data are processed for direct marketing purposes, the data subject is entitled
to object at any time to processing of personal data concerning him or her for such
marketing, which includes profiling to the extent that it is related to such direct marketing. In
such a case, the personal data may no longer be processed for such purposes.
2.8
Right to object
33
M.10810496.2
Email
ugyfelszolgalat@naih.hu
URL
http://naih.hu
34
M.10810496.2
2.9.2
Right to judicial redress
If in the data subject’s opinion his or her rights under the GDPR have been infringed as a result of the
processing of his or her personal data in a way that does not comply with the GDPR, the data subject
is entitled to take legal action.
In such a case, proceedings against Express One as data controller may be brought before the courts
of the Member State where Express One is established, i.e. Hungary, or, at the choice of the data
subject, before the courts of the Member State where the data subject has his or her habitual
residence.
2.10
Right to damages
If the data subject has suffered financial or non-financial loss as a result of a breach of the GDPR, he
or she is entitled to receive compensation from the data controller or data processor for the loss
suffered.
Each data controller involved in the processing shall be liable for any damage caused by processing in
breach of the GDPR.
A data processor is only liable for any damage caused by the processing if it has failed to comply with
the obligations expressly imposed on data processors by the GDPR or if it has disregarded or acted
contrary to lawful instructions from the data controller.
The data controller or data processor is exempt from liability for damages if he or she proves that it is
not in any way responsible for the event giving rise to the damage.
Where more than one controller or processor is involved in the same processing and their liability can
be established, each controller or processor is jointly and severally liable for the total damage.
For the jurisdiction of courts, see 2.9.2.