Data Privacy Policy
(effective from 01.02.2025)
VEMOCO Telematics Ltd and its subsidiaries, VEMOCO Telematics LLC in the USA (EIN: 37-2108171)
and VEMOCO Telematics Canada Inc in Canada (Business Number: 710267154)
(hereinafter referred to together as the Data Controller), hereby publishes this Privacy Notice in
compliance with Regulation 2016/679 of the European Parliament and Council (GDPR), enabling
all Users to be informed about the purpose, scope, and methods of data processing carried out by
the Data Controller. This Notice is made available on the Data Controller's website at
www.vemoco.com at Data Privacy Policy (hereinafter referred to as the Website).
1. Data Controller Information
Data Controller: Vemoco Telematics Ltd (when providing services to its own direct clients,
otherwise acting as a Data Processor in indirect services)
Office: Hungary, 9027 Gyor, Budai ut 5/a
Email Address: info@vemoco.com
Registration number: 08-09-026452
VAT Nr: 24881151-2-08
2. Legal Basis, Purpose, Duration, Scope of Processed Data, and Authorized Parties for
Data Access
The Data Controller processes personal data based on the legal grounds, purposes, and durations
outlined below. Personal data processed by the Data Controller may also be accessed by Data
Processors to the extent necessary to achieve the specified data processing purposes.
The Data Controller processes data based on the following legal grounds:
Consent of the User: Without consent, data processing does not occur. Consent to the
Terms of Use of the General Terms and Conditions is given during the VEMOCO mobile
application registration process. The consent may be withdrawn at any time by deleting the
User in the User Profile menu in the VEMOCO mobile applications which terminates all
data processed for that User in the past and also disables any data processing capabilities
for the future, although the lawfulness of the data processing before withdrawal remains
unaffected. Certain legal obligations may apply to data processing performed under
consent, for which statutory obligations take precedence.
Contract Formation and Fulfillment: Providing data is a prerequisite for contract
formation from the User's side. Without data, the contract cannot be finalized. Following the
conclusion of the contract, statutory obligations may regulate further data processing.
Legal Obligation: The User is required to provide personal data; failure to do so may
prevent the Data Controller from fulfilling legal obligations, potentially affecting the legal
relationship with the User or resulting in the transfer of any adverse legal consequences to
the User.
The Data Controller informs Users that, in addition to legal obligations, data transfers to third
countries are conducted only if explicit consent has been given by the User or if it is necessary to
fulfill contractual obligations (e.g., employment contract, service contract, business contract). Data
transfers may be occasional or related to the establishment, performance, or enforcement of
contracts, or in connection with legal claims.
The Data Controller collects and processes Users' personal data, including location data, to provide
route tracking functionality. This data is used exclusively to enable and enhance the core features
of the app, such as recording and displaying user routes. The location data is securely stored and
not shared with third parties. Users have full control over location permissions, and the app will
only collect location data when explicitly allowed by the user in the mobile application. The list of
collected personal data and the data processing policy details are available in Section 5 of this
document.
Data Transfer to Government Bodies:
The Data Controller only shares the personal data of the User with government bodies in
exceptional cases, specifically when a legal or regulatory proceeding involving the User is initiated,
and the relevant authorities request the submission of documents or information containing
personal data, including electronically stored documents, after proving their legal authority to
request such data.
In the case of enforcing legal claims, the Data Controller may share data with the relevant
authorities, courts, prosecution offices, or the opposing party, limited to the scope required by the
nature of the proceeding.
The Data Controller also fulfills its obligations to provide data to legally authorized entities as
required by law.
Use of Cookies:
Vemoco Telematics LLC. does not use Google Adwords or Analytics services for its own purposes
on its website, www.vemoco.com.
Data Processing Details:
Name of Data Processing: Contact through the "Contact" menu on the www.vemoco.com
website, or via the webchat.
Data Controllers: Vemoco Telematics Ltd, 9027 Győr, Budai út 5/a, as the owner of
the website.
Purpose of Data Processing: To maintain contact and provide information upon the
request of the User.
Legal Basis for Data Processing: GDPR Article 6(1)(a), consent of the User.
Legitimate Interest: When acting on behalf of companies, other businesses, or
organizations, the rules governing the organization’s representatives and contact persons
apply to them as well.
Source of Data: The User.
Scope of Users:
o Natural persons (individuals)
o Representatives acting on behalf of companies, other businesses, or organizations
on any legal basis.
Scope of Data Processed:
o Company name (for communication purposes)
o Number of vehicles (optional for communication)
o Contact person (optional for communication)
o Phone number (for communication)
o Email address (for communication)
o Subject of inquiry (necessary for preparing a quote)
o Any other data voluntarily provided by the User.
Data Transfer/Disclosure, Categories of Recipients: No data transfers occur.
Data Retention Period: Vemoco Telematics Ltd., as the Data Controller:
o The User has the right to withdraw their consent, but this does not affect the legality
of data processing carried out before the withdrawal. Withdrawal is done by the
User contacting Vemoco Telematics Ltd. again and requesting the deletion of their
data.
o In the case of a one-time inquiry that does not have legal effects, the personal data
will be deleted after providing the requested information. If further action is required,
data will be processed for the time specified in the notice, depending on the nature
of the inquiry.
o For individuals acting on behalf of companies, other businesses, or organizations,
data processing is carried out according to the rules applicable to the legal
relationship.
Method of Data Processing:
o Manual and electronic processing.
o Vemoco Telematics Ltd., as the owner of the website, provides an opportunity for
interested parties to ask questions related to its products directly. The User can
send a message to Vemoco Telematics Ltd. using the "Contact Us" module, where
they can initiate communication via email. Vemoco Telematics Ltd. will receive an
email notification of the inquiry, similar to the webchat function.
Location of Data Storage:
o In the email storage system of Vemoco Telematics Ltd.
Persons Authorized to Access the Data:
o The managing director of the Data Controller.
o Employees of the Data Controller with access rights.
Data Processing for Participation on the Facebook and LinkedIn Social Media Platform
Facebook, LinkedIn: Vemoco
Purpose of Data Processing:
The social media platform allows visitors (as Data Controllers) to view, like, follow the Data
Controller's page, news feed, or individual posts, comment on posts, and share them within the
system provided by the social media web portal. The system also enables the Users to initiate
contact and maintain communication with the Data Controller.
Legal Basis for Data Processing:
Participation on the page is voluntary and based on the User's own decision. All data processing
related to activities permitted by the social media platform and used by the User is based on
voluntary consent.
Consequence of Refusing Consent: The social media platform’s functions, including those
allowed by the Data Controller, cannot be utilized.
Voluntary consent is particularly indicated when the User clicks "like" on the Data Controller's feed,
giving the Data Controller permission to post news, business offers, articles, or other posts on the
User’s news feed.
The Data Controller informs Users that the social media platform allows them to receive
notifications via Messenger about the User's activities.
Source of Data:
The User.
Scope of Users:
Natural persons who follow, share, comment on, like, or interact with the Data Controller's
social media page, content, or news feed;
Employees involved in data processing;
Administrators of the web portal.
Scope of Data Processed:
Publicly available name or username used by the User on the social media platform;
Any image posted by the User on the social media platform that is publicly accessible;
The email address published by the User on the social media platform;
Voluntary actions taken by the User on the social media platform: liking, following, rating
the Data Controller's page, news feed, or individual posts, commenting on posts, and
sharing posts.
Data Transfer/Disclosure, Categories of Recipients:
No data transfer occurs.
Data Retention Period:
The voluntary consent for data processing can be withdrawn at any time. Withdrawal does not
affect the legality of data processing carried out prior to the withdrawal. Unsubscribing is done the
same way as subscribing, by using the "unlike" link. The User also has the option to stop following
or delete posts through editing. Upon the User’s request, the Data Controller will delete their data
and stop data processing.
The Data Controller reserves the right to delete any posts, data, or information shared on its own
news feed at any time, or keep them visible along with comments and likes.
The Data Controller publishes moderation rules in the "About" section of its social media page,
which outline the reasons for blocking a User or deleting their post, resulting in the cessation of
data processing. Data processing can also be terminated by the web portal administrators in
accordance with their published rules. Data processing ends if the Data Controller deletes its social
media page.
Method of Data Processing:
Manually and electronically.
Location of Data Storage:
Stored on the social media platform as the Data Processor.
Authorized Persons with Access to Data:
Visitors and administrators of the social media platform.
Data Processing for Requests for Proposals (RFP) and Offers
Purpose of Data Processing:
The User can request an offer for products or services related to the Data Controller's activities by
providing their data.
Legal Basis for Data Processing:
Article 6(1)(a) of the GDPR, the User's consent.
Source of Data:
The User.
Scope of Users:
All natural persons requesting an offer from the Data Controller.
Data Processed:
Name of the User (for identification);
Email address and phone number of the User (for communication);
Contents and conditions of the request for offer/offer (information necessary to provide an
offer);
Any other data, conditions, or requests deemed relevant by the User.
Data Transfer/Disclosure, Categories of Recipients:
In addition to the general rules, data may be shared with subcontractors on a case-by-case basis
for acquiring an offer, provided the User is informed beforehand.
Data Retention Period:
If the User does not respond to the offer within its validity period, the Data Controller will
retain the data until the offer's expiration.
If the User rejects the offer, the data will be retained until the end of the next business day
following the receipt of the rejection.
If the User accepts the offer, the data will be retained until the statute of limitations for rights
and obligations arising from the contractual relationship based on the offer.
Method of Data Processing:
Manually, on paper, and electronically.
Location of Data Storage:
At the Data Controller's branch office, in its archives, or in its IT systems.
Authorized Persons with Access to Data:
The Data Controller's executive;
Employees of the Data Controller with authorized access.
Data Processing for Orders
Purpose of Data Processing:
By providing their data, the User orders products or services related to the Data Controller's
activities.
Legal Basis for Data Processing:
Article 6(1)(b) of the GDPR, contract formation and execution.
Source of Data:
The User.
Scope of Users:
All natural persons who order any product or service from the Data Controller.
Data Processed:
Name of the User (for identification);
Email address and phone number of the User (for communication);
Selected service or product (contractual content);
Price, payment terms, and other requirements (contractual terms).
Data Transfer/Disclosure, Categories of Recipients:
In addition to general rules, data may be shared on a case-by-case basis with data processors for
the purpose of fulfilling the contract. The Data Controller informs the User of any subcontractors
involved.
Data Retention Period:
After the order is placed or sent, data retention aligns with the established contract's statute of
limitations (5 years) as per Articles 202 and 203 of the Tax Code.
Method of Data Processing:
Manually, on paper, and electronically.
Location of Data Storage:
At the Data Controller's branch office, in its archives, or in its IT systems.
Authorized Persons with Access to Data:
The Data Controller's executive;
Employees of the Data Controller with authorized access.
Data Processing for Appointment Booking
Purpose of Data Processing:
The User provides their data to arrange an in-person appointment with the Data Controller.
Legal Basis for Data Processing:
Article 6(1)(a) of the GDPR, the User's consent.
Source of Data:
The User.
Scope of Users:
All natural persons who request or receive an appointment from the Data Controller.
Purpose of Data Processing:
The User provides their data to schedule an in-person meeting with the Data Controller.
Legal Basis for Data Processing:
Article 6(1)(a) of the GDPR, the User's consent.
Source of Data:
The User.
Scope of Users:
All natural persons who request or receive an appointment from the Data Controller.
Data Processed:
Name of the User (for identification);
Names of participants (for identification);
Email address and phone number of the User (for communication);
Scheduled time of the meeting (for achieving the purpose);
Subject and location of the meeting (for achieving the purpose).
Data Transfer/Disclosure, Categories of Recipients:
In addition to the general rules, if a third party is also interested in attending the meeting, their
participation is possible only if the User is informed and consents to it. If accepted by the User, the
data will be shared with the third party.
Data Retention Period:
The User may withdraw consent at any time before the scheduled meeting. Withdrawal
does not affect the lawfulness of the data processing conducted before the withdrawal.
Until the purpose is fulfilled. If the meeting does not require further action or does not result
in any legal effect, the data of the User and any involved third party will be deleted after the
meeting time passes.
Method of Data Processing:
Manually, on paper, and electronically.
Location of Data Storage:
At the Data Controller's branch office, in its archives, or in its IT systems.
Authorized Persons with Access to Data:
The Data Controller's executive;
Employees of the Data Controller with authorized access.
Data Processing for Work Completion Confirmation/Work Sheet
Purpose of Data Processing:
To confirm that the work has been completed, protecting the interests of both the client and the
service provider. It helps the service provider defend against future client objections and allows the
client to demonstrate the legitimacy of costs to tax authorities. Issuing a signed work completion
confirmation/work sheet by both parties is a condition for invoicing after service delivery.
Legal Basis for Data Processing:
Article 6(1)(b) of the GDPR, contract performance.
Source of Data:
The User, i.e., the client and service provider, or documents and forms provided by the User.
Scope of Users:
Natural persons who confirm the contract performance or natural persons acting on behalf of legal
entities in the fulfillment process.
Data Processed:
Work Completion Confirmation:
Name, title, and signature of the client and service provider (for identification);
Location and time of performance (contractual condition);
Subject of performance, contract or order number (contractual condition);
Statement of acceptance of performance (contractual condition);
In case of subcontracted services, possibly the name of the subcontractor involved
(contractual condition).
Work Sheet:
Name, company name, contact name, and phone number of the client, client’s signature
(for identification and communication);
Name and signature of the service provider (for identification);
Location and time of performance (contractual condition);
Vehicle details: registration number, type, year of manufacture (contractual condition);
Equipment details: SIM, ICC, device type, IMEI (for identification).
Data Transfer/Disclosure, Categories of Recipients:
No data transfer occurs.
Data Retention Period:
As the work completion confirmation is a prerequisite for invoicing, it is retained for 8 years
following invoice issuance, or 5 years in the case of KATA (small taxpayer) invoices.
Method of Data Processing:
Manually, on paper, and electronically.
Location of Data Storage:
At the Data Controller's branch office, in its archives, or in its IT systems.
Authorized Persons with Access to Data:
The Data Controller's executive;
Employees of the Data Controller with authorized access.
Data Processing for Invoices and Delivery Notes
Purpose of Data Processing:
To fulfill legal obligations.
Legal Basis for Data Processing:
Article 6(1)(c) of the GDPR, compliance with a legal obligation of the Data Controller.
Source of Data:
Natural persons involved in issuing and receiving invoices or contracting parties.
Scope of Users:
Natural persons who are contracting parties.
Data Processed:
a) For bank transfer invoices (electronic or printed):
Name of the invoice issuer;
Signature of the person authorized to issue the invoice;
Registered address/home address;
Bank account number;
Tax number, community tax number;
Name of the buyer;
Registered address/home address;
Bank account number;
Tax number, community tax number.
b) For cash payment invoices (electronic or printed):
Name of the invoice issuer;
Signature of the person authorized to issue the invoice;
Registered address/home address;
Tax number, community tax number;
Name of the buyer;
Registered address/home address;
Tax number, community tax number.
c) For delivery notes (electronic or printed):
Name of the delivery note issuer, postal code, address, bank account, phone number, fax,
PO box, warehouse name, tax number, community tax number;
Name of the buyer, address, bank account number, tax number, community tax number;
Order number, date, administrator, delivery route number;
Name of the receiver, postal code, address;
Reception notes, signature of issuer, acknowledgment of receipt (stamp), signature.
Data Transfer/Disclosure, Categories of Recipients:
No data transfer occurs.
Data Retention Period:
Invoices are retained for 8 years following their issuance.
Method of Data Processing:
Manually, on paper (invoice booklet, printed forms), or electronically through automated systems,
with online data submission obligations for invoices and delivery notes.
Location of Data Storage:
At the Data Controller's branch office, in its archives, or in its IT systems.
Authorized Persons with Access to Data:
The Data Controller's executive;
Employees of the Data Controller with authorized access.
Data processing name: Handling of business cards, phone numbers, email addresses (for
individuals not acting as representatives of companies)
Purpose of data processing: Identifying the User, maintaining contact.
Legal basis for data processing: GDPR Article 6(1)(a), the User’s consent.
Source of the data: The User.
Users: Users who voluntarily provide their data.
Scope of the processed data:
a) Business card
User's name;
Registered office, residence of the natural person User;
User's position;
User's phone number;
User's email address.
b) Phone number
User's name;
User's phone number;
Profile picture provided by the User.
c) Email address
User's name;
User's position;
User's email address;
Profile picture provided by the User.
Data transfer/data disclosure, categories of recipients: No data transfer occurs.
Data processing period: Users have the right to withdraw their consent at any time. Upon
withdrawal, all provided data will be fully deleted, and business cards will be destroyed. The
data controller reserves the right to terminate the processing of data that are no longer
relevant at any time without further notice.
Method of data processing: Manually, on paper and/or electronically.
Location of data storage: At the data controller’s branch office in the archive, in the IT
system.
Individuals entitled to access the data:
The managing director of the data controller;
Employees of the data controller with authorized access rights.
Data processing name: Data processing for individuals acting in any capacity as representatives
of companies or other organizations
Purpose of data processing: Handling the personal data of representatives, contacts, or
individuals fulfilling other tasks as designated by legal entities, partners, or other organizations for
the conclusion and fulfillment of contracts.
Legal basis for data processing: GDPR Article 6(1)(f), the data controller's legitimate interest
legal entity.
Users: Natural persons designated or delegated by partners or organizations with a particular
status.
Scope of the processed data:
User's name;
User's position;
User's email address;
User's phone number.
Data transfer/data disclosure, categories of recipients: No data transfer occurs.
Data processing period: Users acting as representatives of legal entities or contacts have
the right to object to data processing. In such cases, data processing will be terminated in
accordance with Article 21(1) of the GDPR, unless compelling legitimate grounds justify the
processing, or if the personal data are required for the establishment or defense of legal
claims.
Method of data processing: Manually, on paper and/or electronically.
In accordance with GDPR Article 21(4), Users will be informed at the latest during the first
contact.
Location of data storage: At the data controller’s branch office in the archive, in the IT
system.
Individuals entitled to access the data:
The managing director of the data controller;
Employees of the data controller with authorized access rights.
Legitimate interest test for balancing interests: When processing the data of contact
persons designated by contracting partners or individual entrepreneurs, the data controller
ensures that the necessity of processing for the specified purpose is proportionate to the
restriction of the rights of the Users. This makes the data processing acceptable to the
Users, who are not subject to any disproportionate harm, and in fact, the data processing
also serves the proper performance of their professional duties.
Data processing name: Data processing for marketing-based communications
Purpose of data processing: Expanding the circle of business partners.
Legal basis for data processing: GDPR Article 6(1)(f), the legitimate interest of the data
controller.
Source of the data:
Legally purchased databases;
Companies, organizations.
Users: Natural persons, sole proprietors, and representatives of legal entities targeted by
marketing communications.
Scope of the processed data:
Name and contact details of the sole proprietors contacted;
In the case of legal entities, the name and contact details of the managing director or
contact person.
Data transfer/data disclosure, categories of recipients: No data transfer occurs.
Data processing period: Following the marketing approach, personal data are processed
according to the rules applicable to business partners if a contract is established. If no
business relationship is established, the data controller deletes all personal data of the
contacted company.
Method of data processing: Manually, on paper, electronically.
Location of data storage: At the data controller’s branch office in the archive, in the IT
system.
Individuals entitled to access the data:
The managing director of the data controller;
Employees of the data controller with authorized access rights.
Legitimate interest test for balancing interests: Contained in the Data Processing and
Data Protection Regulation.
The detailed rules regarding further data processing by the Data Controller are contained in the
Data Processing and Data Protection Regulation.
3. A) Data Processors
The Data Controller hereby informs the Users that certain tasks related to its activities are not
carried out within its own organization, but instead, it engages a separate legal entity Data
Processor for the performance of these outsourced activities. In this case, the Data Processor
performs the data processing on behalf of the Data Controller.
The Data Processor may only perform precisely defined data processing operations according to
the contract concluded for data processing. The limitations of the Data Processor include: it does
not make substantive decisions about the purpose and means of data processing, it may not make
copies, it may not transfer data to third parties (except when explicitly stipulated in its contract), it
may not compare the data received with any database, etc.
Purpose of Data Processing: The Data Controller's storage of corporate electronic
communications and email accounts.
Name and Address of the Data Processor: T-Systems Hungary Ltd., 1097 Budapest, Könyves
Kálmán krt. 36.
Scope of Data Processed:
Email address,
Names associated with the email address,
Profile pictures associated with the email address,
Personal data contained in the email itself.
Method of Data Processing: Automated, electronic.
Data Security Guarantees: The data protection and privacy regulations of T-Systems
Hungary Ltd. and its IT regulations.
Purpose of Data Processing: The Data Controller's storage of digitized corporate documents and
electronic documents.
Name and Address of the Data Processor: T-Systems Hungary Ltd., 1097 Budapest, Könyves
Kálmán krt. 36.
Scope of Data Processed: Personal data appearing in documentation related to the Data
Controller’s data processing activities.
Method of Data Processing: Automated, electronic.
Data Security Guarantees: The data protection and privacy regulations of T-Systems Hungary
Ltd. and its IT regulations.
Purpose of Data Processing: Backup of the data held on the Data Controller's server.
Name and Address of the Data Processor: T-Systems Hungary Ltd., 1097 Budapest, Könyves
Kálmán krt. 36.
Scope of Personal Data Processed: Software used during the Data Controller’s data processing
activities, and the personal data managed by them.
Method of Data Processing: Automated, electronic.
Data Security Guarantees: The data protection and privacy regulations of T-Systems Hungary
Ltd. and its IT regulations.
Purpose of Data Processing: Transfer of payroll and fulfillment of financial obligations.
Name and Address of the Data Processor: MKB Bank Plc., 1056 Budapest, Váci utca 38.
Categories of Data Processed:
Name of account holder (identification)
Bank account number (identification, transfer)
Communication (identification)
Amount (identification)
Method of Data Processing: Manually, on paper, electronically.
Data Security Guarantees: The data protection notice of Budapest Bank Plc.:
https://www.mkb.hu/adatvedelmi-iranyelvek
Purpose of Data Processing: Electronic accounting program
Name and Address of the Data Processor: KBOSS.hu Ltd., 1031 Budapest, Záhony utca 7.
Categories of Data Processed: Personal data related to customer orders, delivery notes,
inventory records, cash registers, incoming invoice records, bank documents, double-entry
bookkeeping, balance sheets, income statements, and quotes.
Method of Data Processing: Manually, on paper, electronically.
Data Security Guarantees: The data protection notice of KBoss.hu Ltd.:
https://www.szamlazz.hu/adatvedelem/
Purpose of Data Processing: Legal representation
Name and Address of the Data Processor: Winkler, Barna and Partners Law Firm, 1012
Budapest, Logodi u. 30.
Categories of Data Processed: Personal data contained in supplier and customer contracts.
Method of Data Processing: Manually, on paper, electronically.
Data Security Guarantees: The data protection notice of Winkler, Barna and Partners Law Firm:
https://wblaw.hu/adatkezeles
4. Profiling
The Data Controller does not perform automated decision-making, including profiling.
5. Data Processing
VEMOCO Telematics Ltd., in connection with its services provided directly to its partners (i.e., to
Users/clients in a contractual relationship with it), acts as a Data Controller, as it handles the
personal data of the Users/clients. During this activity, it defines the purpose and means of data
processing. In cases where VEMOCO Telematics Ltd. provides services indirectly to other third-
party Users/clients through its contracted partners, VEMOCO Telematics Ltd. qualifies only as a
Data Processor concerning these Users/clients. In this case, the contracted partners of VEMOCO
Telematics Ltd. and the Users/clients in contractual relationships with them act as Data Controllers,
determining the purposes and means of processing personal data.
VEMOCO Telematics Ltd. commits to and provides adequate guarantees for compliance with the
requirements set forth in the GDPR and to implement the necessary technical and organizational
measures to protect the rights of the Users during the data processing activities it undertakes as a
Data Processor.
As a Data Processor, VEMOCO Telematics Ltd:
Processes data according to the instructions of the Data Controller, in accordance with data
protection regulations and principles, and is required to consider the contractual obligations
of the Data Controller known to it as the Data Processor;
May not modify, delete, copy, or link the data transferred to it by the Data Controller with
other databases, nor use the data for purposes other than those outlined in the contract
underlying the data processing, nor disclose it to third parties, except to the extent explicitly
authorized by the Data Controller and necessary for data processing purposes;
Is not entitled to represent the Data Controller or make legal declarations on behalf of the
Data Controller, except if expressly authorized by an agreement or other document;
Declares that the Data Controller retains exclusive rights to determine the purpose and
method of processing the data provided to the Data Processor;
Is responsible for the security of the data and must take all necessary technical and
organizational measures to enforce data protection rules, including measures against
unauthorized access, alteration, transfer, disclosure, deletion, or destruction of data, as well
as preventing accidental destruction or damage and ensuring access in case of technical
changes;
Provides access to the data only to employees and contractual partners who need it for the
performance of data processing activities and ensures that those with access are informed
of the security requirements and confidentiality obligations. It also ensures that these
individuals undertake confidentiality obligations;
Commits to cooperating with the Data Controller to ensure that the Data Controller can
comply with its legal obligations. This cooperation specifically covers fulfilling requests
related to the Users' rights, such as access, deletion, or correction, within the legal
deadline;
Commits to modifying, supplementing, correcting, locking, or deleting the processed data
according to the Data Controller’s instructions;
Must immediately notify the Data Controller of any event or risk concerning the security of
the data, take appropriate measures, and fully cooperate with the Data Controller;
Commits to fully cooperating with the Data Controller during any audit, inspection, or
investigation concerning its systems, records, data, information, and procedures related to
data processing;
After the termination of the service that forms the basis of data processing, deletes
personal data that are not required to be stored or retained by this notice or by law.
The Company reserves the right to engage additional Data Processors for the data processing
activities defined in this section, with a modification of this notice, which the Users expressly
accept.
VEMOCO Telematics Ltd. hereby informs the Users that it acts as a Data Controller in the case of
the following activities when providing services directly to its customers.
Data Processing Name:
Telematics services provided within the Vemoco system.
Data Controller Name:
Vemoco Telematics Ltd.
Purpose of Data Processing:
Fulfillment of contracts related to telematics services provided by Vemoco Telematics Ltd.
Legality of Data Processing:
The legality of data processing and the recording of data management for the monitored vehicles,
i.e., the employees and the database installed in the system by the Data Controller, are the
responsibility of the Data Controller. The consequences of failure or improper use fall on the Data
Controller.
Users can exercise their rights related to data management and processing with the Data
Controller.
Data Source:
Devices involved in the service:
On-board units installed in vehicles (OBD device with GPS transmitter);
Applications installed on mobile devices.
Users:
All individuals who use the devices involved in the service;
Persons to be notified;
Administrators involved in data management and processing.
Data Processed:
"Tracking" module:
Vehicle license plate number;
Vehicle OBD identifier (terminal ID);
Driver's name;
Last known location and time;
Distance traveled in a month (km);
Monthly fuel consumption (l/100km);
Current mileage;
Road condition information (offline/standby/online);
"Trip log" and "Private use accounting" modules:
Vehicle license plate number;
Vehicle OBD identifier (terminal ID);
GPS coordinates of the vehicle equipped with the OBD unit;
Status information (offline/standby/online), theft and alarm function data;
Distance traveled;
Departure and arrival addresses;
Query start date;
Query end date;
Road type (Unknown, Private, Business, To work, To home);
Car make, year, model, type;
Distance traveled in km;
Driver;
Starting point;
Departure time (hours, minutes);
Starting km;
Arrival point;
Arrival time (hours, minutes);
Arrival km;
Distance traveled in km;
Waiting time (hours);
Fuel consumption data;
Driver's email address;
Geofence stays, time; waiting time (minutes).
"Reports" module:
Vehicle license plate number;
Vehicle OBD identifier (terminal ID);
GPS coordinates of the vehicle equipped with the OBU unit;
Vehicle speed, average speed;
Geofence boundary, alarm function data;
Fuel consumption data;
Driver's name;
Daily reports from any of the previously mentioned data for the entire vehicle fleet.
"Maintenance" module:
Odometer reading;
Maintenance data: dates, planned maintenance;
Detected vehicle faults.
"Device Manager" task management module:
Employee's name;
Username;
Last login date;
Locked?
Group;
Mobile phone number;
Email;
Address;
Preferred language;
Time zone;
Mobile device SIM ICC ID.
"Tracking" module:
Names of employees involved in the module;
Vehicle assigned to the employee;
Vehicle license plate number;
OBD terminal ID;
OBD GPS coordinates.
Data Transfer/Disclosure, Categories of Recipients:
No data transfer occurs.
Duration of Data Processing:
The Data Controller can delete the data at any time. Normally, data is stored for 3 years, unless
the vehicle owner or operator requests or an employee's data is personally deleted upon their
departure.
Method of Data Processing:
The modules used by the Data Controller (OBD, GPS transmitter, applications) transmit the data
within the Vemoco system. The Vemoco system processes these data automatically, and the Data
Controller can access the data and perform further operations (within the scope defined in the
service). The Data Controller makes all decisions regarding the data in the Vemoco system, and
Vemoco Telematics Ltd., as the Data Processor, considers the return of the data to be immediate
after their submission or upload. Most of the devices (OBD, GPS transmitters, applications) are
installed by the clients themselves, unless the client requests otherwise.
Vemoco Telematics Ltd. Data Processors:
For the operation of the Vemoco system, additional Data Processors are used:
Server Hosting Service:
Name: T-Systems Hungary Ltd. - Data Park Budapest
Address: 1087 Budapest, Asztalos Sándor Street 13,
Stored Data: Entire Vemoco data set,
Operations: Rack cabinet service, Internet connection provision, power supply.
Email and Document Management, Calendar, Phone Contacts:
Name: Google LLC
Address: 1 Hacker Way, Menlo Park, California 94025
Phone: N/A
Email: N/A
Website: https://www.google.com
Stored Data: Website visit data, correspondence, individual contracts and offers, calendar
entries, phone contacts,
Operations: Email service, document management, calendar service, phone contact
synchronization between devices.
Online Map Service:
Name: Here Technologies B.V.
Address: Kennedyplein 222-226, 5611 ZT Eindhoven, Netherlands
Stored Data: None,
Operations: Reverse geocoding, provision of mandatory speed data.
Data Storage Location for Data Processed by Vemoco Telematics Ltd.:
On Vemoco Telematics Ltd.'s own server.
Individuals Authorized to Access the Data:
The Data Controller, Vemoco Telematics Ltd., and employees authorized for operations related to
data processing.
6. Rights of the User and Legal Remedies
Right to Information and Access to Personal Data
Right to Rectification
Right to Erasure ("Right to be Forgotten")
Right to Restrict Data Processing
Right to Data Portability
Right to Object
Right to Judicial Remedy
The User may turn to the court against the Data Controller if their rights are violated. The
court will act with priority in the case. The User may choose the competent court based on
their residence, outside the competence of the defendant.
Right to Lodge a Complaint with the Data Protection Authority
The User can file a complaint with the National Authority for Data Protection and Freedom
of Information:
o Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
o Mailing Address: 1530 Budapest, P.O. Box 5
o Phone: +36 1/391-1400
o Fax: +36 1/391-1410
o Email: ugyfelszolgalat@naih.hu
o Website: http://www.naih.hu
7. Data Security
The Data Controller ensures the protection of the Users' privacy throughout the entire process of
data management and processing. The detailed rules of data protection are provided by the IT
Policy. The Data Controller protects the data especially against unauthorized access, modification,
transfer, disclosure, deletion or destruction, as well as accidental destruction or damage, and the
loss of accessibility due to changes in the applied technology. The personal data provided during
data processing are stored in separate datasets by the Data Controller, distinct from other provided
data. The Data Controller transfers or communicates individual data or the entire dataset to third
parties only within the scope defined in the Data Processing and Data Protection Policy and takes
all measures to ensure that unauthorized persons do not gain access to them.
LEGAL DISCLAIMER
We inform the visitors of the website that the information published on the website aims to provide
general information, but it is not intended to cover the entire scope of the topic. Accordingly, these
do not constitute services in the fields of data protection, accounting, taxation, law, investment, or
any other professional service. This information should not be the sole basis for the business
decisions of website visitors, and they should consult a well-prepared professional advisor in the
relevant field.
The articles, documents, and information published on the website are for informational purposes
only and may contain errors, for which the website operator assumes no express or implied
responsibility. The Data Controller does not assume responsibility for any damages resulting from
the use of the website.
We explicitly draw the attention of website visitors to the fact that they use the articles, documents,
and information published on the website only at their own risk and assume full responsibility for
the consequences, including any potential losses or disadvantages.
The website operator excludes liability for all adverse consequences, whether direct, indirect,
incidental, consequential, punitive, administrative, or any other kind of damage, or other
disadvantages, arising from the use of the articles, documents, and information published on the
website, whether these consequences are contractual, legal, or civil.
The content of the Data Controller's website is protected by copyright, and any visual or textual
elements may only be used with the prior written consent of the Data Controller.