| Details of the Controller: | |
|---|---|
| Name: | BlockChange Kft. |
| Company registration number: | 01-09-963064 |
| Registered office, postal address: | H-1051 Budapest, Szent István tér 3 |
| Court of registration: | Court of Registration of the Budapest-Capital Regional Court |
| E-mail address: | info@blockchange.hu |
| Central telephone number: | +36 70 478 0722 |
| Website: | www.blockchange.hu |
| Details of the Data Protection Officer: | |
| Name: | Judit Dávid |
| E-mail address: | adatvedelem@blockchange.hu |
| Telephone number: | +36 70 380 7397 |
1. Purpose of the Notice
The purpose of this Privacy and Data Processing Notice (hereinafter: “Notice”) is to inform you (as a customer or prospective customer of the Controller, hereinafter: “Data Subject”) – prior to the start of any processing activity by BlockChange Kft. (hereinafter: “Controller”) – about why and for what purpose the Controller uses your data, and what rights you have and how you can exercise these rights.
The Controller considers the rules, provisions and obligations set out in this Notice to be legally binding and applies these in the course of its operations, and declares that the data protection rules and procedures described and applied herein comply with applicable national (in particular Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (Privacy Act)) and European Union (in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)) legal regulations on data protection.
2. Principles of processing
Personal data shall be
– processed lawfully, fairly and in a transparent manner in relation to the Data Subject (“lawfulness, fairness and transparency”);
– collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
– adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
– accurate and, where necessary, kept up to date (“accuracy”);
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
– processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
– The Controller is responsible for, and must be able to demonstrate compliance with, the above principles (“accountability”).
3. Purpose and legal basis of processing
3.1. Purpose of processing
The Controller processes personal data provided by Data Subjects or made available to it in any way (including in documents submitted by the Data Subject to the Controller and in any other form) in accordance with the legal regulations on trade secrets and data protection and solely for the following purposes:
a) Sale of virtual currencies (“Service”);
b) Customer service activities, communication;
c) Carrying out customer identification operations related to the prevention of money laundering and terrorist financing;
d) Preventing abuse and crime, and cooperating with the authorities in detecting and investigating these;
e) Customer convenience;
f) Complaints handling;
g) Communication with the purpose for marketing and advertising;
h) Improving the quality of service, providing personalised offers, obtaining socio-demographic data about the users sending the data.
3.2. Legal basis for processing
Processing of personal data
a) for the purposes set out in Sections 3.1(a) and (b), the legal basis is the performance of the contract (to which the Data Subject is one party and the Controller is the other party, Article 6(1)(b) of the GDPR),
b) for the purposes set out in Sections 3.1(c) and (d), the legal basis is compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR). The legal obligation of the Controller is provided for by Sections 15 and 16 (customer due diligence and enhanced customer due diligence obligations) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: “AML Act”). The legal basis for processing is established by Section 65(1) of the AML Act,
c) for the purposes set out in Section 3.1(f), the legal basis is compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR). The legal obligation of the Controller is set out in Section 17/A(5) of Act CLV of 1997 on Consumer Protection.
d) for the purposes set out in Sections 3.1(e)(g) and (h), the legal basis is consent granted by the Data Subject (Article 6(1)(a) of the GDPR).
If the Data Subject fails to provide the data processed on the above legal basis, with the exception of Subsection (d), the Controller refuses to provide the service (fulfilment of the order by the Data Subject).
4. Scope and source of the data processed
The Controller collects/may collect the following personal data for the above purposes:
4.1. During the service provided by the cryptocurrency ATM operated by the Controller
4.1.1. For transaction(s) with an aggregate value of less than HUF 300,000:
– Mobile phone number (legal basis: performance of the contract)
4.1.2. For transaction(s) with an aggregate value of HUF 300,000 or more:
– Mobile phone number (legal basis: performance of the contract)
– A copy of both sides of the ID card, or the photo-page of the passport, or the photo-page of the card-format driver’s licence and a copy of the address side of the address card (legal basis: compliance with a legal obligation to which the Controller is subject):
● Facial image on ID card, passport, or card-format driver’s licence
● Number of ID card, passport, or card-format driver’s licence
● Family name and given name
● Place and date of birth
● Nationality
● Mother’s maiden name
● Gender
● Address
– Facial image captured during the transaction (legal basis: compliance with a legal obligation to which the Controller is subject)
– Identifier of the e-wallet (crypto wallet) used for the transaction (legal basis: performance of the contract)
In the case of a politically exposed person (in addition to the above – legal basis: compliance with a legal obligation to which the Controller is subject):
– Politically exposed person status,
– Source of funds.
If the customer is a resident or a national of a high-risk third country with strategic deficiencies (in addition to the above – legal basis: compliance with a legal obligation to which the Controller is subject):
– Source of funds
– Purpose of transaction.
For the purpose specified in Section 3.1.(e), a unique identification code generated from the fingerprint of the Data Subject on the basis of their consent. The fingerprint pattern cannot be generated from the identification code, it can only be used for identification purposes.
4.2. In the course of the services available on the website and application operated by the Controller
– E-mail address, password (legal basis: performance of the contract)
– Mobile phone number (legal basis: performance of the contract)
– Unique customer identifier generated in the service provider’s system (legal basis: performance of the contract)
– A copy of both sides of the ID card, or the photo-page of the passport, or the photo-page of the card-format driver’s licence and a copy of the address side of the address card (legal basis: compliance with a legal obligation to which the Controller is subject):
● Facial image on ID card, passport, or card-format driver’s licence
● Number of ID card, passport, or card-format driver’s licence
● Family name and given name (if different, name at birth as well)
● Mother’s maiden name
● Place and date of birth:
● Nationality
● Address
– For non-Hungarian citizens, in the absence of an address card, a copy of a utility bill less than 3 months old (legal basis: compliance with a legal obligation to which the Controller is subject):
● Address
– A real-time self-portrait taken by the customer, showing the date the picture was taken on and the customer’s identity document (legal basis: compliance with a legal obligation to which the Controller is subject)
– Bank account number (legal basis: performance of the contract)
4.3. For the purpose specified in Section 3.1.(f), the name and address of the Customer pursuant to Section 17/A(5) of Act CLV of 1997 on Consumer Protection.
4.4. For the purpose specified in Section 3.1.(g), the e-mail address and mobile phone number of the Data Subject on the basis of the Data Subject’s consent.
4.5. For the purpose specified in Section 3.1.(h), the Data Subject’s consent – through the acceptance of cookies – to the collection of web statistics about the following Data Subject activities on the BlockChange website:
● which pages they have viewed
● which part of the website they have clicked on
● what language they have used the site in
● how many pages they have visited
The Controller is entitled to make the above-mentioned data available in an aggregated, anonymised and processed form to the following third parties in the course of using the following services: Google Analytics, AT Internet XitiAnalytics, Google Search, Google Tag Manager, Google Adwords
The Controller’s website collects aggregated data without identifying the individual for the purpose of measuring visits to the website and the viewing activity within the website.
The Controller’s servers automatically register (log) the IP address of users, the type of operating system and browser program used, the URL of the pages visited and the time of the visit at each access level of the Website. These data are processed by the Controller only in an aggregated, anonymised and processed form in order to correct potential errors on the Website, to improve its quality and for statistical purposes.
In all cases, the Controller obtains the data referred to in Sections 4.1-4.4 directly from the Data Subject.
The Controller obtains the data referred to in Section 4.5 by means of cookies.
5. Duration of processing
5.1. Pursuant to Sections 56 and 57 of the AML Act, the Controller processes the personal data for a period of eight years from the termination of the business relationship or the execution of the transaction order. In the case of an official request, the Controller shall retain the data for the period specified in the request, but for not more than ten years from the termination of the business relationship or the execution of the transaction order (Section 58(1) of the AML Act).
5.2. The fingerprint identification code specified in Section 4.2 is processed until the Data Subject’s consent is withdrawn. After the withdrawal of consent, the identification code is erased and the Data Subject can no longer identify themselves with their fingerprint.
5.3. With regard to the data specified to in Section 4.3, pursuant to Section 17/A(7) of Act CLV of 1997 on Consumer Protection, the duration of processing is 5 (five) years.
6. Data processing and data transfer
6.1. Processing
The Controller uses a Data Processor in the course of processing:
Name: VARIANCE HODLING Kft.
Company registration number: 01-09-329921
Registered office: H-1118 Budapest, Rétköz utca 5
6.2. Data transfer
The Data Controller shall provide data to the court, the prosecutor, the authorities dealing with administrative offences, the administrative authority, the investigative authority or other bodies authorised by law in order to provide information, to communicate or transfer data or to make documents available. In this context, the provision of data is limited to what is strictly necessary to achieve the purpose of the authority which ordered the provision of data – provided that the authority has specified the exact scope of the data and the exact purpose. The Controller cannot be held liable for the performance of such transfers and the possible consequences thereof, and no claims may be made against it.
7. Rights of the Data Subject
The Data Subject can request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning them or to object to processing. Moreover, the Data Subject is entitled to the right to data portability and the right to judicial remedy, as well as the right to decide on automated decision-making, including profiling, in individual cases. The Controller does not currently employ automated decision-making and profiling.
7.1. Right of access by the Data Subject
The Data Subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
– the purposes of processing;
– the categories of personal data affected;
– the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
– planned time limit for the storage of personal data;
– the Data Subject’s right to rectification, erasure or restriction of processing and to object to processing;
– the right to lodge a complaint with a supervisory authority;
– where the personal data are not collected from the Data Subject, any available information as to their source;
– the existence of automated decision-making, including profiling, and comprehensible information about the logic applied, as well as the significance and the envisaged consequences of such processing for the Data Subject.
The Controller provides the Data Subject with 1 copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the Controller provides the information in a commonly used electronic form.
7.2. Right to rectification
The Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning them and, taking into account the purposes of processing, the Data Subject also has the right to have incomplete personal data completed.
7.3. Right to data deletion
The Data Subject has the right to obtain from the Controller the deletion of personal data concerning them without undue delay and the Controller shall erase personal data without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the Data Subject withdraws the consent on which the processing is based, and there is no other legal basis for processing;
– the Data Subject objects to the processing, and there are no overriding grounds for processing;
– the personal data have been unlawfully processed;
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
– the personal data have been collected in relation to the offer of information society services.
The erasure of data cannot be initiated if processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
– for reasons of public interest in the area of public health;
– for archiving, scientific or historical research or statistical purposes for reasons of public interest;
– for the establishment, exercise or defence of legal claims.
7.4. Right to restriction of processing
The Data Subject has the right to obtain from the Controller restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
– the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; or
– the Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or a Member State.
7.5. Right to data portability
The Data Subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Controller.
7.6. Right to object
The Data Subject has the right to object at any time, on grounds relating to their particular situation to the processing of personal data concerning them, including profiling based on the above-mentioned provisions. In such cases, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests and rights of the Data Subject or for the establishment, exercise or defence of legal claims.
7.7. Right to judicial remedy
Where Data Subject believes that the processing of their personal data by the Controller violates their rights under the effective privacy laws – in particular, the provisions of the GDPR –, they may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Website: http://naih.hu/
Address: H-1055 Budapest, Falk Miksa utca 9-11
Postal address: H-1363 Budapest, Pf.: 9
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The Data Subject is entitled to lodge a complaint with other supervisory authorities, in particular with those established in the Member State of their habitual residence, place of work or the location of the alleged infringement.
8. Miscellaneous provisions
The Notice enters into force on 1 April 2022 for an indefinite period.
Budapest, 16 March 2022
BlockChange Kft.
Judit Dávid
Managing Director
BlockChange Kft.
Bálint Kollár
Managing Director
