I’m a visual type... What happens with my personal data? (Infographics)
Anyone can become familiar with the various data management procedures by reading the data-management policy but assistance is also provided in the flow charts hereunder.
The red arrows denote the route of the personal data, the black arrows denote the flow of the data which, in itself, is not personal and from which information concerning the individual cannot be derived.
What role does the MLSZ have in relation to the central club-card and central ticket-sales system?
The MLSZ, as national football federation, ensures all the infrastructural conditions for the football competition system. In the interest of security at sporting events and in its competitions the MLSZ collaborated in the formation of the central club-card system and the central ticket-sales system.
The majority of clubs joined the central club-card system which was established with the collaboration of the MLSZ. Only Ferencvárosi TC (FTC) and Nagyerdei Stadion (DVSC) operate their own club-card system.
As coordinator, the MLSZ ensures the operation of the local club-card systems and ticket-sales systems, ensures the systems communicate with each other, and ensures professional service providers operate the IT background. With all of these arrangements a safe football experience can be achieved.
The MLSZ does not have access to the data of club-card holders, nor to the data of supporters purchasing tickets for club matches.
The MLSZ strictly manages the data of football-card users and those who purchase tickets for sporting events organised by the MLSZ.
On the basis of which laws does the data management take place?
The following laws regulate the significant circumstances of data management:
The Sports Act entitles the match organiser to manage the personal data related to club cards and related to name-specific tickets.
What is the aim of the data management?
On the basis of the stipulations of the Sports Act – in the instance of an entrance system being operated – only name-specific entry tickets or season tickets may be sold. The central club-card system has been developed in the interest of making ticket-purchasing easier. Personal data is managed by the data manager in the interest of the operation of the system, the performance of card requests, the fulfilment of these requests and the usage of club cards.
Above and beyond this personal data may also be used in order to maintain contact and to send offers, providing the given user has expressly consented.
The data may also be used in order to exclude persons from sporting events should they be subject to procedures, deriving from infringement of the law at such events, by the authorities.
Who manages my data?
The club from which the supporter requested the club card manages that person’s personal data. If the club card is requested through the MLSZ, it is known as a Football card; in this instance the MLSZ will manage the card holder’s data.
The Football card is for those who do not have ties to one particular club, or who mainly attend national team matches. With a Football card you can attend any match where the organiser has made the use of a club card compulsory but has also made the use of a neutral (neither home, nor away team) card possible.
The MLSZ’s and the clubs’ club card systems work separately from each other, and the data are stored in separate databases.
The manager of data related to tickets (or season tickets) is the match organiser.
The MLSZ does not have access to the personal data of club card owners (except for the Football cards), nor for personal data related to club-team events.
What personal data do they manage?
Ticket, season ticket and/or club card owners’ name, date and place of birth, their mother’s maiden name, and their address are managed.
In order to maintain contact – according to the instructions of the card holder – and/or for marketing purposes, the data manager handles the card holder’s:
From the perspective of operating the club card system (user identification, documenting their statements and ensuring the trouble-free operation of the system) the following data is indispensable:
Do they manage biometric data?
The systems established by the MLSZ or with its collaboration do not handle biometric data. We call biometric data those data which are connected to a person’s biological characteristics and which are suitable for identification purposes, for example, finger print, palm scan, face and iris pattern.
Which clubs are participating in the club card system?
The football clubs qualify as independent data managers.
The majority of clubs are part of the central club-card system established by the MLSZ:
Only Ferencvárosi TC (FTC) and DVSC (or rather the Nagyerdei Stadion) operate their own club card systems, but in the interest of making it easier for visiting supporters to purchase tickets, visiting supporters may also use the central ticket sales system:
Who will participate in managing my personal data as a data processor?
The below data processors (who strictly carry out technical tasks with the personal data) may come into contact with club card and ticket data:
The individual clubs may employ other data processors; the given club will provide information in relation to this in their data management policy.
What kind of data management takes place when purchasing a ticket?
All of the club card systems connect to the central ticket sales system. When purchasing tickets, club cards are checked; the system checks if the PIN code matches to the card number given and also checks the card’s validity. Following successful authentication the personal data registered in the club card systems goes to the organiser’s ticket sales system on the basis of the user’s consent.
A club card register ensures the communication between the individual club card systems, and among the ticket sales systems, club card systems and external systems. Club card register does not store personal data, but records card numbers, date of issue and date of rejection, as well as the club identifier.
The MLSZ does not have access to the club card holder’s personal data or to personal data related to club teams’ events. Without the express authorisation of the given person (without the card usage during ticket purchasing) individual clubs do not have access to the data of other clubs or the MLSZ; moreover, following the ticket purchase the visiting club cannot access the data of the visiting supporters.
Who has access to the personal data, if the tickets are purchased as follows?
For how long is my data stored?
Should the stipulations of the authorities and the organising club not deviate, the personal data is stored for three working days following the expiry of the entry ticket, season ticket or club card. Personal data is immediately deleted upon the redemption or expiry of the ticket/season ticket or club card.
The photo provided to the data manager for printing the club card is automatically deleted upon being printed.
If the person, who requested a card on the online pre-registration website does not collect the card within 30 days, personal data is deleted. In addition, the card is destroyed if it has been printed.
Data is stored in the website system log for 365 days.
Returned Football cards are destroyed within no more than 10 days following the request to delete them. In the case of consent-based data management the declaration of consent will be destroyed as soon as possible after the consent is revoked.
Who else has access to my data?
In the interest of ensuring that a banned person may not be able to purchase a ticket, the ticket system checks the personal data supplied in the manner described below against the Sport Safety and Security Database managed by the policy based on 73 (6) b of the Sports Act. The organiser of the match sends the ticket purchaser’s personal data in encrypted form by a hash algorithm (stripped of any personal characteristic) to the police. The police encrypt the data stored in their database using the same hash algorithm, and establish based upon the comparison of the sent and recorded data, whether the person purchasing the ticket is subject to any ban. The system sends back the answer to the organiser. The police do not acquire knowledge of personal data of persons not subject to any ban.
On the basis of 72/B. § Para (5) of the Sports Act within three working days following the expiry of the ticket, season ticket or club card it is possible to forward the given spectator’s name, date and place of birth, mother’s name and address – for use as evidence in a criminal- or legal procedure – to the investigating authority, prosecution or court.
In the interest of exclusion, the stewards are to give the recorded personal data to the organiser
The organiser shall forward the name, the place and date of birth of the person they have excluded, as well as the time period of the exclusion, the name of the sports venue and the scope of events which is covered in the exclusion to the Sport Safety and Security Database within three days.
Which data security measures are used to ensure my personal data is protected?
When purchasing tickets online you can only access personal data with the correct combination of the card number and PIN code. Club cards may also be used at ticket offices without the PIN code so long as the cards are physically present.
The club, as data manager, and possibly their data processers may have access to personal data, but each club only sees the data of supporters purchasing tickets for that club’s matches, or of their own club-card holders. The MLSZ only sees data of those holding a Football card or of those purchasing tickets for the MLSZ’s events.
The systems communicate with each other via encrypted VPN (virtual private network) channels, with certification based encryption.
The data is forwarded to the Police via the afore-mentioned method following the application of a hash algorithm.
How can I ask for my data to be deleted or corrected?
Should you wish your data to be deleted, corrected or blocked, request information on the management of your data, or object to the data management, do so – if possible, in writing – to your data manager, that is, the card-issuer, in the instance of ticket purchasing, at the organiser of the sporting event, or in the instance of purchasing a season ticket, the issuing club.
To whom can I turn if I object to my personal data to be handled?
Should you have a problem regarding the management of data related to the club card, please contact the card-issuing data manager or contact the central club-card Customer Service.
In the event of your rights being infringed you may take the data manager to court. The court shall prioritise the case.
Above and beyond this you may turn to the National Authority for Data Protection and Freedom of Information with your complaint:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information)
Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
Should you have any further questions, please contact MLSZ Customer Service.