Vehicle users, website visitors, newsletter subscribers
Privacy policy
The purpose of this Privacy Notice is to provide transparent information on how Mercarius Fleet Management Limited Liability Company (hereinafter referred to as the “Data Controller” or the “Company”) processes the personal data of:
- users of vehicles leased under long-term rental arrangements,
- users visiting the Company’s websites (in particular, https://www.molmercarius.hu and https://mercarius.hu),
- and individuals subscribing to the Company’s newsletter.
This Privacy Notice covers, in particular, data processing activities related to vehicle use, the use of cookies on the Company’s websites, and the provision of the newsletter service.
The processing of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as Act C of 2003 on Electronic Communications of Hungary.Below, the Company outlines its data management practices.
1. DETAILS OF THE DATA CONTROLLER
Company Name: Mercarius Fleet Management Limited Liability Company
Registered Office: H-1142 Budapest, Komáromi út 36-38, Hungary
E-mail: info@molmercarius.hu
Website: https://www.molmercarius.hu/
Data Protection Officer (DPO):
- Name: András Lévai
- Telephone: +36 1 770 1000
2. CATEGORIES OF PERSONAL DATA PROCESSED
2.1. Data of vehicle users
In the course of providing long-term vehicle rental services, we process the following personal data relating to the actual user of the vehicle:
- Personal identifiers: name.
- Contact details: e-mail address, telephone number.
- Vehicle-related data: the registration number of the vehicle used by you, the lessee of the vehicle (the organization that has entered into a contractual relationship with us).
2.1. Data relating to website visitors (Cookies)
To provide a customized user experience, the Company’s website uses anonymous user identifiers, known as cookies.
The types of data processed through cookies include, in particular:
- IP address
- Website access path
- Date, time, and duration of browsing activity
- Performance measurement data related to the pages visited
Google Analytics cookies (e.g., _ga, _gat, _gid) collect information about how visitors use the website (such as browser usage, the number of new visitors, and similar statistics). The data is transmitted anonymously to Google Analytics servers to help us improve the operation and services of the website.
Marketing cookies (e.g., cookies provided by third-party service providers such as facebook.com, including fr, c_user, datr, sb, spin, wd, and xs) are used to track visitors’ activities across websites and to display relevant advertisements.
2.3. Data of newsletter subscribers
Visitors may subscribe to the Company’s newsletter service through the Company’s website.
Categories of personal data processed:
- Name (optional)
- E-mail address
3. PURPOSE, LEGAL BASIS AND RETENTION PERIOD OF DATA PROCESSING
| Activity / Purpose | Legal basis | Retention period |
|---|---|---|
| Communication related to vehicle operation (e.g. maintenance, repairs, tire replacement, booking and coordinating technical inspections, providing information on technical matters, developments and legal obligations, communication related to roadside assistance services (domestic and international assistance), coordination of vehicle return appointments, etc.) | Legitimate interest: Performance of the vehicle rental agreement concluded with your employer and ensuring the availability of the vehicle, including maintaining its technical condition and compliance with legal requirements as a legitimate financial interest. | 15 days following the termination of your use of the vehicle. |
| Claims and damage handling | Legitimate interest: Administration of claims relating to damage caused to or by the vehicle, including investigation and management of damages, determination of the extent of damage and liability, enforcement of compensation claims, defense against compensation claims, and prevention of future damages. | 5 years from the date of the damage event. |
| Handling official and legal matters (e.g. fines administration, Green Card insurance certificate, vehicle use authorizations) | Legitimate interest:Fulfilment of legal obligations related to vehicle use and cooperation with public authorities, including handling administrative procedures, payment of fines, issuing authorizations required for vehicle use, and providing a Green Card insurance certificate where necessary. | 2 years following the termination of vehicle use (aligned with the limitation periods applicable to traffic administrative fines and road toll claims). |
| Customer satisfaction surveys | Consent: Voluntary consent provided prior to the survey. Participation in the survey is possible without providing personal data. | 30 days after completion of the survey or until consent is withdrawn, whichever occurs first. |
| Direct marketing by e-mail
Examples include sending general marketing communications (advertisements), newsletters, other marketing content, or market research questionnaires related to the use of certain services through the MOL Move Loyalty Program. |
Legitimate interest:
The Data Controller has a legitimate economic interest in:
|
Until the end of the individual's eligibility to use the vehicle. |
| Newsletter service | Consent pursuant to Article 6(1)(a) GDPR, provided by the data subject through submitting their e-mail address in the designated section of the website. | Consent may be withdrawn at any time, free of charge and without providing reasons. Upon withdrawal, the Company will cease sending newsletters and delete the subscriber’s personal data. |
Cookies used on the website
|
|
The data subject may prevent the placement of certain cookies through browser settings or request that the browser notify them whenever a website attempts to place a cookie. Detailed guidance on cookie settings can be found in the help pages of individual browsers (e.g. Chrome, Firefox, Edge, Internet Explorer). |
4. DATA TRANSFERS AND RECIPIENTS
The following partners may have access to the data for the purpose of performing their duties:
- Service partners and tire service providers: For carrying out repairs and seasonal tire changes, where such services are provided by external providers, including the organization and recording of service and tire change appointments.
- Insurance companies: In connection with claims handling related to vehicles, for the purpose of clarifying issues arising during the claims settlement process.
- Mez&Mol Ltd. (registered office: 3531 Miskolc, Nagyváthy J. u. 36., legal representative: Anett Mezey-Molnár), for administrative and organizational tasks related to tire services for vehicles.
- Computer Mosaic Ltd. (registered office: 3531 Miskolc, Győri kapu 24/B., legal representative: József Venczel), developer of the tire inventory and logistics support software used for vehicle tire management, who may access the software database (and the personal data stored therein) for maintenance, troubleshooting, and development purposes.
Data processors related to website and newsletter operation, and administrative services:
- Provider of administrative software (newsletter management and operation of the business administration system)
- Provider of the business administration system support: BMA Informatics Ltd. (registered office: 1012 Budapest, Pálya u. 9. 3rd floor, tax number: 14944996-2-43)
- IT operations provider: Négypólus Technical and Commercial Ltd. (registered office: 1132 Budapest, Váci út 64/a, tax number: 10704217-2-41, company registration number: 01-09-927194)
- Hosting service provider: DAM Invisible Technology Plc. (registered office: 1118 Budapest, Budaörsi út 64., tax number: 27775969-2-43)
Authorities and other authorized bodies:
Courts, public prosecutors, investigative authorities, law enforcement authorities, administrative authorities, the Hungarian National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, and other bodies authorized by law may request information, disclosure of data, or access to documents from the Data Controller. In such cases, the Data Controller shall only disclose the minimum amount of data strictly necessary to fulfil the purpose of the request, provided that the exact purpose and scope of the requested data are specified.
5. YOUR RIGHTS
Your data protection rights and remedies, and their limitations, are set out in detail in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR).
You may request information about your data at any time, request rectification, erasure, or restriction of processing of your data, object to processing based on legitimate interest, and in certain cases you have the right to data portability. Below we summarize the most important provisions.
Right to information: Where the Data Controller processes personal data concerning you, it is obliged to provide you with information – even without your request – about the main characteristics of the processing, including the purpose, legal basis and duration of processing, the identity and contact details of the Data Controller and its representative, the recipients of the personal data (including, in the case of transfers to countries outside the European Economic Area, the indication of appropriate safeguards), the legitimate interests pursued in the case of processing based on legitimate interest, as well as your rights and remedies (including the right to lodge a complaint with a supervisory authority), if you do not already have this information.
Right of access: You have the right to obtain confirmation from the Data Controller as to whether personal data concerning you are being processed, and if so, to access such personal data and information relating to the processing, including the purposes of processing, the categories of personal data concerned, the recipients of the data, the (planned) storage period, your rights and remedies (including the right to lodge a complaint with a supervisory authority), and, where data are collected from you, information about their source. Upon your request, the Data Controller shall provide you with a copy of the personal data undergoing processing. For additional copies requested by you, the Data Controller may charge a reasonable fee based on administrative costs. The right to obtain a copy must not adversely affect the rights and freedoms of others. The Data Controller will inform you, upon request, about the availability, method, possible costs and other details of obtaining the copy.
Right to rectification: You have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure: You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay, and the Data Controller is obliged to erase such data without undue delay where certain conditions apply. In particular, the Data Controller must erase your personal data upon request if (i) the data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) you withdraw consent and there is no other legal basis for processing; or the data have been unlawfully processed; (iii) you object to processing and there are no overriding legitimate grounds; (iv) the data must be erased to comply with a legal obligation under EU or Member State law; or (v) the data were collected in connection with information society services.
If consent given for direct marketing or customer satisfaction surveys is withdrawn, you will no longer receive direct marketing messages from the Data Controller. Please note that withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Right to restriction of processing: You have the right to request that the Data Controller restrict processing where one of the following applies:
a) you contest the accuracy of the personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the data;
b) the processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use;
c) the Data Controller no longer needs the data, but you require them for legal claims; or
d) you have objected to processing, pending verification of overriding legitimate grounds.
Where processing is restricted, such personal data may be processed (except for storage) only with your consent, or for legal claims, or for the protection of others’ rights, or for important public interest reasons of the Union or a Member State.
You will be informed in advance if the restriction is lifted.
Right to data portability: You have the right to receive the personal data you have provided to the Data Controller in a structured, commonly used, machine-readable format and to transmit those data to another controller without hindrance, where:
a) processing is based on consent or on a contract to which you are a party; and
b) processing is carried out by automated means.
When exercising the right to data portability, you also have the right, where technically feasible, to request direct transmission of personal data between controllers. The right to data portability shall not prejudice the provisions on the right to erasure and shall not adversely affect the rights and freedoms of others.
Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data based on legitimate interests, including profiling where applicable. In such case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds which override your interests, rights and freedoms, or are necessary for legal claims.
Exercise of rights: The Data Controller shall inform you without undue delay, and in any event within one month of receipt of the request, of the actions taken in relation to your request concerning the rights listed above. Where necessary, taking into account the complexity and number of requests, this period may be extended by a further two months. The Data Controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the Data Controller does not take action on your request, it shall inform you without undue delay and at the latest within one month of receipt of the request of the reasons for not taking action, as well as of your right to lodge a complaint with the competent data protection supervisory authority (in Hungary: the National Authority for Data Protection and Freedom of Information – “NAIH”) and to seek judicial remedy. The contact details of the NAIH are: 1055 Budapest, Falk Miksa u. 9–11, mailing address: 1363 Budapest, P.O. Box 9, tel.: +36 1 391 1400, fax: +36 1 391 1410, e-mail: ugyfelszolgalat@naih.hu, website: http://naih.hu/.
Contact details of supervisory authorities within the EU: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
Without prejudice to any administrative or non-judicial remedies available to you, including the right to lodge a complaint with a supervisory authority, you have the right to an effective judicial remedy if you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data not complying with the GDPR. Proceedings against the Data Controller or its data processor shall be brought before the courts of the Member State where the Data Controller or the processor has an establishment. Such proceedings may also be brought before the courts of the Member State of your habitual residence. In Hungary, such cases fall within the jurisdiction of the regional courts. Information on courts and jurisdiction is available at: https://birosag.hu/.