In every country except Hungary:

In Hungary:

Availability: Weekdays from 9 a.m. to 5 p.m.

Users outside Hungary enter into a contractual relationship with Cooltix GmbH. Users in Hungary enter into a contractual relationship with Cooltix Kft.

1. The Provider as data controller undertakes the obligation that every data processing related to its activity complies with the requirements set forth in this policy and the applicable law.

2. The information regarding the data processing of the Provider is permanently available at the footer of the Cooltix web page.

3. The Provider is entitled to unilaterally amend the Privacy Policy. In case of the amendment of the Privacy Policy, the Provider notifies the User via the disclosure of the changes on the Cooltix page at least eight (8) days prior to the changes entering into force. User, by the continued use of the service after the changes entering into force, accepts the amended Privacy Policy.

4. The Provider is committed to protecting the User’s personal data and considers the respect of its clients’ right to informational self-determination of high importance. The Provider manages the personal data confidentially by employing all of the required security measures in information technology and data administration.

5. The Provider data processing principles are in line with the General Data Protection Regulation (GDPR).

6. The Provider processes personal data indispensable for the use of its services, with the consent of the data subjects and exclusively bound to purpose.

7. The Company undertakes the obligation to disclose, in the clear and obvious notice before collecting, recording, and processing any personal data of its users, to inform them about the method, purpose, and principles of data collection. In addition to all this, in every case where the data collection, processing, and recording are not mandatory by law, the Company draws the attention of the User to the voluntary being of disclosure of information. In case of mandatory disclosure of information, it is necessary to indicate the legislation requiring data processing. The data subject is to be informed about the purpose of the data processing and about who will be handling and processing the personal data.

8. In every case where the Company intends to use the personal data disclosed for any purpose other than the purpose of the original data collection, it informs the User and acquires its preliminary and express consent, and provides an opportunity for denying the use.

9. The Provider, during the collection, recording, and processing of data, adheres in all cases to the limitations defined in legislation and informs the data subject about its activity according to the user’s needs in electronic mail. The Company commits itself to not apply any sanction against any user who denies the non-mandatory disclosure of information

1. Personal Data can be processed if the data subject gives consent or it is required by law or - with legal authorization in the scope defined in it - by decree of the local government for a purpose based on public interest. The legal basis of the data processing is the voluntary consent of the data subject, according to the GDPR on the Right of Informational Self-Determination and on Freedom of Information, on certain issues of electronic commerce services and information society services.

2. For the statement of a minor person incapable of acting or with limited capability, the consent of this person’s legal representative is required except for those parts of service where the declaration is addressed to a registration occurring en masse and does not require special consideration. For the validity of the legal declaration, including the consent of the minor data subject aged 16 or more, the agreement or the later consent of the legal representative is not required.

3. If the personal data was collected with the consent of the data subject, the data controller, in the absence of otherwise required by law, the data collected may be processed

a) for the purpose of complying with the related legal obligation, or

b) for the purpose of appropriation of a legitimate interest of a third person of the appropriation of this interest is proportional to the limitation of the right related to the personal data protection

without further consent and after the revocation of the data subject’s consent.

1. Personal data may only be processed for a certain purpose in order to exercise a right or comply with an obligation. The data processing must comply with the purpose of the data processing in every stage, and the collection and processing of the data must be fair and legal. Only such personal data may be processed, which is indispensable for the fulfillment of the purpose of data processing and suitable to achieve the purpose. The personal data may only be processed to the extent and for the duration required for the realization of the purpose. The data processing of the services of the Provider is based on voluntary consent; however, in certain cases, the processing, storage, and transmission of a range of the data provided are made obligatory by legislation. The Provider does not use the personal data for any purpose other than designated.

2. Online webshop service (purchase of admission ticket, voucher, book, media, parking ticket, etc.)

The data processing takes place on the basis of the User’s voluntary declaration based on proper notice, which is required to use the webshop service running on the webpage. The User provides the declaration upon using the service. The declaration contains the User’s express consent to use his/her personal data provided during the use of the page. The legal basis of the data processing is the voluntary consent of the data subject according to the Right of Informational Self-Determination and Freedom of Information.

The purpose of data processing is the provision of a webshop service on the web page, the ordering and its service, the documenting of the purchase and payment, and the fulfillment of the accounting obligation. Furthermore, the purpose of data processing is the identification of the User as a ticket buyer, the completion of the service ordered, the possibility of the sending of the related notifications, the invoicing and the completion of the payment, the registration of the User and differentiating them from each other. Data processed: surname and first name, phone number, e-mail address, the password given during the preliminary registration, delivery address given upon requesting home delivery, the billing address given for the issuing of invoice, the number, date, and time of the transaction, the content of receipt, customer code, in case of VAT invoice the name, address, and tax number, other data requested by event organizer during purchase. Duration of data processing: 8 years

3. Registration

During the preliminary registration, with the provision of a password, the User will have the possibility to provide his/her data only one time instead of having to do so for each purchase. The data provided will be processed by the Provider until the User – by unsubscribing – prohibits the use of the data for this purpose. The data that can be provided upon the decision of the User, e-mail address, phone number, name, residence, dwelling, place and date of birth, the products and product category purchased by the User on the orders, the time of purchase, the payment used by the User, the total amount of the items purchased by the User.

4. Online season ticket purchase, renewal

The data processing takes place on the basis of the User’s voluntary declaration based on proper notice, which is required - in case of season ticket purchase - to use the ticket purchase service running on the webpage and for the delivery of further notifications relating to the season ticket. The User provides the declaration upon using the service. The declaration contains the User’s express consent to use his/her personal data provided during the use of the page. The legal basis of the data processing is the voluntary consent of the data subject according to the Right of Informational Self-Determination and Freedom of Information and the contents of the Act on Accounting.

The purpose of data processing is the provision of season ticket purchase and renewal service on the web page, the documentation of the purchase and payment, and the fulfillment of the accounting obligation. Furthermore, the purpose of data processing is the identification of the User as a ticket buyer, the completion of the service ordered, the possibility of the sending of the related notifications, the invoicing and the completion of the payment, the registration of the User and differentiating them from each other, the notification about the annual renewal options of the season ticket (via e-mail or postal letter), a reminder about the next season ticket performance (via e-mail or postal letter), in case of a free season ticket, notification in every two months about the programs and events of the performance venue (via e-mail) - to facilitate the choices of the User. Data processed: surname and first name, phone number, e-mail address, the password given during the preliminary registration, delivery address given upon requesting home delivery, the billing address given for the issuing of invoice, the number, date, and time of the transaction, the content of receipt, customer code, in case of VAT invoice the name, address, and tax number. Duration of data processing: 8 years

5. Electronic newsletter

If the User subscribes to the newsletter, the data controller may send a newsletter at a frequency according to its own decision (but a maximum of twice a week) except if the User requests the sending of the newsletter at a higher frequency. The data controller, if possible, tries to offer events for the readers of the newsletter tailored to the user’s interest estimated according to his/her residence and/or former purchases and other data provided. Upon subscription to the newsletter, the User consents that the data controller processes his/her personal data required for this.

Purpose of data processing: sending e-mail newsletters also containing advertisements for those interested. Legal basis of data processing: consent of data subject, Act of on Essential Conditions of and Certain Limitations to Business Advertising. Scope of data processed: name, e-mail address, residence, data listed on the registration, data on earlier purchases, data related to the interests of the User, provided by User.

Duration of data processing: until the revocation of consent The newsletter can be canceled by clicking on the Unsubscribe link at the bottom of the newsletter. The personal data will be deleted within ten business days from the receipt of the deletion request.

6. Cookie and location

The data controller, in order to provide tailored service, saves a small data packet (“cookie”) on the User’s computer. The purpose of the cookie is to provide working of the web page at the highest possible standard to improve user experience. Upon visiting the web page and using its certain functionality, the user gives consent to store the mentioned cookies on the User’s computer and to access them by the data controller. The User can set and prevent the cookie activities with the browser. However, be advised that in this latter case, without the use of cookies, the User may not be able to use all the services of the web page. More detailed information about the cookies is available upon clicking on

the “More information” button at the cookie notification appearing on the cooltix.com web page (Cooltix.com Privacy Policy).

If the User uses the service from a mobile device (e.g., smartphone), then upon downloading, the program asks for permission to use the location as data. With the User’s permission, the application can offer personally tailored searches that consider the actual location of the User. The location as data will not be recorded in the data controller’s system, and it enables only certain functions (more precise search, “around you” function, etc.) to be used during the actual transaction.

7. Statistical data

The data controller may use the data for statistical purposes. The use of the statistically aggregated data must not contain the name or any other data suitable for the identification of the User in any form.

8. The technically recorded data during the operation of the system

The technically recorded data during the operation of the system are the data of the User’s computer, which are generated during the use of the service and which are recorded as the automatic result of the technical processes. The data which are automatically recorded are logged without the separate declaration or activity of the User upon login or logout. These data - except in cases made obligatory by law - must not be connected to any other personal data. The data can only be accessed by the data controller. The purpose of the data automatically recorded in the provision of services available via the data controller’s internet sites, the display of tailored content and ads, preparation statistics, the technical development of the IT system, the protection of the User’s rights and the general analysis of the user habits. The data made available by the Users during the use of the service may be used by the data controller to create User groups and display targeted content and/or ads on the data controller’s web pages for the User groups.

The data technically recorded automatically during the operation of the system are being stored in the system for the duration justified by the provision of the system operation from the time of their generation. The Company provides that these automatically recorded data - except in cases made obligatory by law - must not be connected to any other personal data. If the User canceled his/her consent to the processing of his/her personal data or unsubscribed from the service, then following this, his/her person will not be identifiable from the technical data.

9. Recording of telephone conversations

Purpose of data processing: ticket purchase, program offers, quality improvement, documenting, and more effective handling of the user needs and problems. Legal basis of data management: consent of data subject. Scope of the data processed: telephone conversation of the customer and the Provider’s employee, the date and time of the conversation. Duration of data processing: 5 years

10. Web pages of the Provider

The HTML code of the portal contains links to and from third-party servers independent of Cooltix GmbH. The provider of these links, due to the direct connection to their servers, is capable of collecting users’ data.

Third-party provider assists in the independent measurement of the visit and other web analytics data of the website. Regarding the management of the measurement data, the data controller can provide detailed information and is available at:

11. Other data processing

Information on data processing not indicated in this notification is provided upon the recording of the data. We advise our visitors that the jury, the prosecutor, the investigating authority, the infraction authority, the administrative authority, the data protection officer, and, upon legal entitlement, other bodies for the purpose of information, data disclosure, transfer, and making documents available, may contact the data controller. The Provider - if the authority indicated the exact purpose and scope of the data - will provide personal data for the authorities only to the extent indispensable to fulfill the objective of the request.

12. The data controller does not inspect the personal data provided to it. For the appropriateness of the data provided, the person providing it is solely responsible. Any User, upon providing his/her e-mail address, takes the responsibility that from the e-mail address provided, the service is used exclusively by him/her. Regarding this responsibility, any liability concerning the logins from the e-mail address provided lies exclusively on the User having registered that e-mail address. If the User provides not his/her own personal data, then he/she is obliged to acquire the consent of the data subject.

13. Those entitled to know the personal data are colleagues in employment relationships or work contracts, the employees of the courier service collaborating in the delivery of the products (if delivery is requested by the user), and the data processors.

1. The Provider transfers data to third parties only upon the prior and informed consent of the User. This does not apply to the data transmission mandatory by law and to the transfers for the data processors indicated in this document.

2. With the use of the services, the User gives consent to the Provider to transfer the data for the partners below:

- For the organizer of the particular event for the purpose of direct and immediate notification about the cancellation, change of time of the event, or about any important circumstance concerning the visitor, and - in case of event cancellation - for the direct management of the redemption or exchange of the tickets.

- For the agent providing customer support, partner management, and marketing activities in countries

- For the providers providing the technical conditions of the billing, as data processors, which are the following: cooltix.at, operator: Cooltix GmbH,

- The tasks relating to sending e-mails to Users are done by the data controller itself and/or based on a contract made with the data controller as data processor.

- For the financial institutes participating in the purchase process and conducting the payment, the Provider transfers data required by the given financial institute for the payment process. The scope of the data is different for each financial institute. The personal data provided on the financial institution’s own data collection pages will not be known to the Provider.

If you choose to purchase with Simplepay, I acknowledge that my personal data is stored by the data manager of Cooltix Kft. (1084 Budapest, József utca 3. 3/27.) Stored in the user database of

https://cooltix.hu will be transferred to OTP Mobil Kft. (1143 Budapest, Hungária körút 17-19.) As a data processor. The range of data transmitted by the data controller is as follows: name, email address, billing address, and purchase ID. The nature and purpose of the data processing activity performed by the data processor can be viewed in the SimplePay Data Management Information at the following link:

http://simplepay.hu/vasarlo-aff

In case of Serbian purchase:

Prilikom unošenja podataka o platnoj kartici, poverljive informacija se prenose putem javne
mreže u zaštićenoj (kriptovanoj) formi upotrebom SSL protokola i PKI sistema, kao trenutno
najsavremenije kriptografske tehnologije.
Sigurnost podataka prilikom kupovine, garantuje procesor platnih kartica, Banca Intesa ad
Beograd, pa se tako kompletni proces naplate obavlja na stranicama banke. Niti jednog
trenutka podaci o platnoj kartici nisu dostupni našem sistemu.

- If the User makes a purchase using a special allowance providing discount (e.g., Supershop card), then the data controller transfers the buyer’s data required by the company to the company providing allowance. The User may request information about the data processing rules concerned directly at the company providing it. The data controller does the automated processing of the identifiers of such devices or other data only to the extent that is required by the provider company for the realization of the purchase and to provide discounts.

3. The Provider, as Data controller, is entitled and obliged to transmit any personal data available to and properly stored by it to the competent authorities, the transmission of which is obligatory by legislation or binding authority obligation. For such data transmission and the consequences resulting from it, the data controller cannot be held responsible.

1. In processing and storing personal data, the Provider proceeds with the maximum care possible. In the field of IT security, the Provider applies the most efficient, state-of-art devices and processes reasonably available.

2. The data controller must plan and execute the data processing operations to ensure the privacy of the data subjects.

3. The data processor and, in its scope of activities, the data controller must ensure the security of the data, and additionally must do the technical and organizational measures and establish those procedural rules which are required for the application of the Avtv and the other data protection secrecy rules.

4. The data are to be protected with the appropriate measures, particularly against unauthorized access, modification, transmission, disclosure, deletion, or destruction, and accidental destruction and damage, furthermore, against becoming inaccessible due to the changes in the applied technology.

5. For the protection of the data files processed electronically in various records, it must be ensured with an appropriate technical solution that - except if made possible by law - the data stored in the records be not directly connectable and assigned to the data subjects.

6. During the automated processing of the personal data, the data controller and the data processor ensures, with additional measures,

a) the prevention of unauthorized data entry;

b) the prevention of unauthorized use of the automatic data processing systems by unauthorized persons with data transmission equipment;

c) the inspectability and determinability that the personal data were or can be transmitted by data transmission equipment to which organizations;

d) the inspectability and determinability of which personal data were entered into the automatic data processing systems by whom and when;

e) the storability of the installed system after malfunction and

f) to ensure that a report is generated about the errors occurring during the automated processing.

7. The data controller and the data processor shall consider the actual level of technology when defining and applying the data security measures. From multiple possible data processing solutions, the one to be chosen is the one that provides the higher level of personal data protection, except if it poses disproportionate difficulties for the data controller.

8. The Provider chooses and operates the IT devices used for the personal data processing during the provision of service so that the data processed:

a) is accessible for those authorized (availability);

b) is ensured to be authentic and to be authenticated (authenticity of the data processing);

c) can be proved to be unchanged (data integrity);

d) is protected against unauthorized access (data confidentiality).

9. The Provider ensures the security of the data processing with such technical, organizational, and organizational measures, which provide a protection level adequate to the risks occurring in relation to the data processing.

10. The Provider, during data processing, preserves

a) secrecy: protects the information so that only those authorized may access it;

b) integrity: protects the accuracy and completeness of the information and the processing method;

c) availability: ensures that if the authorized user needs to, he/she can access the required information and the related devices be available.

11. The IT system and network of the Provider are protected both against computer-assisted fraud, spying, sabotage, vandalism, fire, and flood, and additionally against computer viruses, intrusion, and denial-of-service attacks. The Provider ensures the security with server-level and application-level protection measures.

12. Electronic messages, regardless of the protocol (e-mail, web, FTP, etc.), are vulnerable to network threats that may lead to unauthorized activity or the disclosure or modification of the information. For the protection against such threats, the Provider does all reasonable protective measures. It monitors the systems in order to record any security deviation and serve evidence in case of all security events. However, the internet is well known – and so known for the Users – to be not hundred percent secure. For the possible damages caused by unavoidable attacks occurring despite reasonable maximum care, the Provider is not responsible.

VII. Rights of data subjects and their application, objection against personal data processing, the judicial exercise of rights and compensation

1. The request for change in personal data and the deletion of personal data can be indicated by sending a written statement expressed in a private document providing full evidence from the registered e-mail address or via post. Additionally, certain personal details can also be modified by modification on the page containing the personal profile. Following the completion of a request for deletion or modification of personal data, the former (deleted) data cannot be restored any longer.

Users may request information about the processing of their personal data. Inquiry sent via e-mail is considered by the data controller to be authentic if it is sent from the registered e-mail address of the User. Upon the data subject’s request, the data controller provides information about the data processed by it or by the data processor entrusted by it, their source, the purpose, legal basis and duration of the data processing, the name and the address of the data processor and about its activities relating to the data processing, furthermore - in case of the transmission of the data subject’s personal data - the legal basis and the recipient of the transmission. The inquiry request is to be sent via e-mail to the address [email protected]. The Provider is to provide the information within the shortest possible time but in a maximum of 30 days from the receipt of the inquiry in a clear and understandable form, in writing, upon this request of the data subject.

The information described above is free of charge if the enquirer had not submitted an inquiry for the same range of data in the actual year. Otherwise, costs may be applied. The cost already paid must be reimbursed if the data was processed illegally or the request for information leads to a correction.

The information for the data subject can only be denied by the data controller in cases defined in Avtv. In case of the denial of information, the data controller informs the data subject in writing about which provision of this law resulted in the denial of information. In case of the denial of information, the data controller informs the data subject about the possibility of judicial remedy and contact with the National Authority for Data Protection and Freedom of Information (hereinafter: Authority). The data controller notifies the Authority about the rejected inquiries until 31st January of the year following the year concerned.

2. The data subject may request the correction of his/her personal data at the data controller and the deletion or blocking of his/her personal data except for the mandatory data processing.

3. The data controller, for the purpose of checking the legality of data transmission and for the purpose of informing the data subject, keeps a data transmission register that contains the time of transmission of the personal data processed by it, the legal basis, and the recipient of the transmission, the definition of the scope of personal data transmitted and other data specified in the legislation regulating the data processing.

4. If the personal data is incorrect and there is correct data available for the data controller, the data controller corrects the personal data. 5. Personal data must be deleted if

a) its processing is illegitimate;

b) the data subject requests it – according to the contents of Avtv;

c) it is defective or wrong – and this state is not legally remediable – provided that the deletion is not excluded by law;

d) the purpose of data processing is ceased or the duration determined by law for the storage of data is expired; e) it is ordered by jury or the Authority.

In the case of point d) of the paragraph above, the deletion obligation does not apply to such personal data, the medium of which is to be submitted to archives according to the legislation on the protection of archival material.

5. Instead of deletion, the data controller blocks the personal data if the data subject requests so, or it can be assumed according to the information available, that the deletion may infringe on the legitimate interests of the data subject. The personal data blocked this way can only be processed while the data processing purpose excluding the deletion of personal data, exists.

6. The data controller marks the personal data processed if the data subject debates its correctness or accuracy but the incorrectness or inaccuracy of the debated personal data cannot be clearly determined.

7. It is required to notify the data subject and anyone to whom the data was transmitted for data processing about the correction, blocking, marking, and deletion. The notification may be omitted if it does not infringe on the legitimate interest of the data subject regarding the purpose of data processing.

8. If the data controller does not complete the request of the data subject for correction, blocking, or deletion, describe in writing, within 30 days from the receipt of the request, the factual and legal reasons for the denial of the request. In case of the denial of correction, deletion, or blocking, the data controller informs the data subject about the possibility of judicial remedy and contact with the Authority.

9. The data subject must be informed prior to the beginning of data processing whether the data processing is based on consent or it is mandatory.

10. The data subject must be informed clearly and in detail prior to the beginning of data processing about all facts related to the processing of his/her data, in particular about the purpose and legal basis of data processing, the person authorized for data processing, the duration of the data processing and whether the personal data of the data subject is processed by the data controller according to Avtv § 6. Paragraph (5) and about who may know the data. The information shall cover the data subject’s rights related to the data processing and the possible legal remedies. In the case of mandatory data processing, the notification may be done by the disclosure of the reference to the legal provisions containing the information according to the paragraph above.

11. The data subject may object to the processing of his/her personal data,

a) if the processing or transmission of personal data is required exclusively for the completion of legal obligation related to the data controller or for the application of the legitimate interest of the data controller, data importer, or third person, except in case of mandatory data processing;

b) if the use or transmission of the personal data is done for the purpose of direct marketing, public opinion survey, or scientific research; and

c) in other cases defined by law.

The data controller assesses the objection in the shortest possible time but maximum within 15 days from the receipt of the submittal of the request, make a decision regarding its justification and notifies the requester about its decision.

If the data controller determines the objection of the data subject to be justified, it will stop the data processing – including data collection and transmission –, blocks the data and sends notification about the objection and the actions done based on it to all to whom the data related to the objection had been transmitted and who are to act in order to apply the right to objection.

If the data subject disagrees with the decision made by the data controller or the data controller fails to act within the applicable deadline, the data subject – within 30 days from the notification about the decision or the last day of the deadline – may apply to court in a way as determined by applicable local law.

If the data importer cannot receive the data required for the application of its rights due to the objection of the data subject, then in order to acquire the data, it may apply to court – in a way as determined by applicable local law – against the data controller within 15 days from the notification. The data controller may involve the data subject in the suit.

If the data controller fails to notify, the data importer may request information from the data controller about the circumstances related to the failure of the data transmission, which information must be provided by the data controller within eight days following the delivery of the request of the data importer. In case of requesting information, the data importer may apply to court against the data controller within 15 days from the provision of information or at the latest from the deadline for it. The data controller may involve the data subject in the suit.

The data controller could not delete the data of the data subject if the data processing was ordered by law. However, the data cannot be transmitted to the data importer if the data controller agrees with the objection or if the court justifies the legality of the objection.

12. The data subject, in case of the infringement of his/her rights and in cases determined by applicable local law, the data importer may apply to court against the data controller. The court proceeds with priority in the case.

The fact whether the data processing complies with the legislation is to be proven by the data controller. In case, according to applicable local law, the data importer is to prove the legality of the data transmission to it.

The evaluation of the suit is in the competence of the general court. The suit – according to the choice of the data subject – may be commenced at the general court of the residence or dwelling of the data subject.

In the suit, one without legal capacity may also be a party. The Data Protection Authority may intervene in the suit for the court's success of the data subject.

If the court agrees with the request, it will oblige the data controller to provide information, the correction, blocking, and deletion of the data, the forfeiture of the decision made with automated data processing, the considering of the data subject’s right to objection and to the disclosure of the data requested by the data importer defined by applicable local law.

If the court, in cases defined by applicable local law, rejects the data importer’s requests, the data controller is obliged to delete the data subject’s personal data within 3 days from the disclosure of the judgment. The data controller is to delete the data even if the data importer does not apply to the court within the deadline determined by applicable local law.

The court may order the public disclosure of its judgment – with the disclosure of the identification data of the data controller – if it is required by the interest of data protection and the rights of the higher number of data subjects protected by this law.

13. The data controller must compensate for all damage caused to others by the illegitimate processing of the data subject’s data or the breach of the data security requirements. Against the data subject, the data controller is also responsible for the damage caused by the data processor The data controller is relieved from the responsibility if it can prove that the damage is caused by an unavoidable reason outside of the scope of data processing. The damage needs not to be compensated for if it resulted from the intentional or grossly negligent conduct of the claimant.

Should you have any questions or observations, contact the colleague of the Provider at the e-mail address [email protected]. The User may exercise his/her right enforcement options at the court according to the data protection law and the Civil Code.

Attachment

Definitions applied in this Privacy Notification

data file: the aggregate of data processed in one register;

data controller: a natural or legal entity or entity without legal personality which, on its own or together with others, defines the purpose for data processing, makes and executes the decisions related to data processing (including the means used), or has them executed by a data processor entrusted by it; data controller:

a. Cooltix GmbH (registered office: Vorgartenstraße 204, 1020 Wien) and Cooltix Kft (registered office: 1084 Budapest, József utca 3. 3/27);

b. during the performances and events, the Event Organizer for whose event the User purchased the passes; the name and data of the event organizer are available on the cooltix.com page and on the pass.

data processing: regardless of the procedure applied, any operation or batch of operations done on the data, thus, in particular the collection, registering, recording, classification, storage, modification, use, query, transmission, public disclosure, coordination, or connection, blocking, deletion and destruction of the personal data, and the prevention of the further use of the data;

data processing: execution of technical tasks related to the data management operations regardless of the method and the means applied to execute the operations and the location of the application, provided that the technical task is executed on the data;

data processor: a natural or legal entity or entity without legal personality which, according to its contract made with the data controller – including the contracting according to the provision of legislation – performs the processing of data; data marking: the marking of the data with an identification mark for the purpose of its differentiation; data destruction: the total physical destruction of the medium containing the data; data transmission: the making of the data available for a specific third person; data deletion: making of the data unrecognizable in a way that their restoration is no longer possible; data blocking: marking of the data with an identification mark to limit its further processing for an indefinite or definite period; automated data file: series of data to be processed automatically;

EEA state: EU Member State and other State Parties in the Agreement on the European Economic Area, and the state whose citizen is granted the same legal status as those of State Parties in the Agreement on the European Economic Area based on the international contract between the European Union and its Member States and a non-State Party of the Agreement on the European Economic Area;

data subject: any definite natural person identified or – directly or indirectly – identifiable based on personal data;

User: a natural person who registers on the Provider’s home page or makes a purchase without registration;

machine processing: contains the following operations if those are performed in part or whole with automated devices: data storage, logic or arithmetic operations performed on the data, modification, deletion, retrieval, and distribution of data; third country: any country which is not EEA state;

third person: a natural or legal entity or entity without legal personality which is not identical to the data subject, data controller, or data processor;

consent: the voluntary and definite expression of the data subject’s will, which is based on appropriate information and with which the data subject gives his/her unambiguous approval for the – complete or covering some operations – processing of personal data relating to him/her; public disclosure: the making of the personal data available for anyone;

personal data: data which can be related to the data subject – in particular, the name, identification mark of the data subject, and one or more pieces of physical, physiological, mental, economic, cultural, or social knowledge characteristic to his/her identity-, and the conclusion relating to the data subjects that can be drawn from the data;

objection: the statement of the data subject with which he/she objects to the processing of his/her personal data and requests the termination of data processing or the deletion of the data processed.