Privacy Policy for Video Surveillance
(Regarding the Use of a Camera Surveillance System at Electric Vehicle Charging Stations)
- Purpose and Scope of this Privacy Notice
E.ON Drive Infrastructure Hungary Kft. (registered office: Alíz u. 1., H-1117 Budapest, Hungary; company registration number: 01-09-420322; email: office.hu@edri.com; website: https://www.edri.com/hu/; hereinafter referred to as the “Controller” or “EDRI”), acting as data controller, processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), the European Data Protection Board Guidelines 3/2019 (“Guidelines”), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Info Act”), Act V of 2013 on the Civil Code (“Civil Code”), and all other applicable laws and regulations. The Controller acknowledges this Privacy Notice (“Privacy Notice” or “Notice”) as binding upon itself.
Terms not otherwise defined herein shall have the meaning assigned to them under the GDPR, the Guidelines, the Info Act, and the Civil Code.
The Controller has decided to operate digital recording devices (“cameras” or “camera system”) for the monitoring of electric vehicle charging stations installed and operated by the Controller within the territory of Hungary, based on the purposes described in Section 4 of this Notice. Through the operation of the camera system, personal data of individuals entering the camera’s field of view may be recorded. For the purposes of this Notice, personal data means any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly).
If you enter the area of an electric vehicle charging station operated by the Controller, you become a data subject (“Data Subject”) under this Notice and may be recorded by the camera system as described above.
The Controller respects the Data Subject’s rights relating to the protection of personal data.
The purpose of this Privacy Notice is to comprehensively regulate the processing, storage, transfer, retention and deletion of recordings constituting personal data and created through the operation of the camera system installed at electric vehicle charging stations. It also sets out the Data Subject’s rights and available legal remedies relating to data protection.
The Controller undertakes to ensure compliance with data protection principles and information security requirements, to prevent unauthorized access to personal data and its unauthorized alteration, loss, or disclosure. The Controller processes only those personal data specified in this Notice, in the manner, for the purpose and for the duration defined herein, and only where a lawful basis under the GDPR exists. The Controller treats all personal data confidentially and implements technical measures to ensure the security of personal data.
This Privacy Notice constitutes information provided to Data Subjects. The current version of the Notice is available at: https://www.edri.com/hu-hu/privacy-policy-cctv
The Controller reserves the right to amend this Privacy Notice and to modify it in accordance with changes in European Union or Hungarian legislation.
- Identity and Contact Details of the Controller
The data controller is the legal entity that determines the purposes and means of the processing of personal data, either alone or jointly with others.
For the purposes of this Privacy Notice, the Controller is:
E.ON Drive Infrastructure Hungary Kft.
Registered office: Alíz u. 1., H-1117 Budapest, Hungary
Company registration number: 01-09-420322
Tax number: 32364998-2-43
Email: office.hu@edri.com
Website: https://www.edri.com/hu-hu/privacy-policy/
- Principles and Legal Basis of Data Processing
In processing personal data, the Controller observes the principles set out in Article 5 of the GDPR, including:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability
- Legal Basis and Purpose of Processing
The Controller operates a camera surveillance system at electric vehicle charging stations on the basis of Article 6(1)(f) GDPR, namely the Controller’s legitimate interest.
The Controller’s legitimate interest, which also constitutes the purpose of the processing, is to ensure through the monitoring of individuals’ movements and activities:
• the protection of valuable assets owned or used by the Controller;
• the prevention and detection of unlawful acts affecting such assets;
• the prompt detection of malfunctions affecting equipment installed at charging stations;
• the prevention and detection of unauthorized parking;
• the availability of evidence in administrative, judicial or other proceedings related to such incidents; and
• the protection of the personal safety and property of Data Subjects.
Following a legitimate interest assessment conducted in accordance with the Guidelines, the Controller concluded that its legitimate interest is real and existing, and that the intended property protection objectives cannot reasonably be achieved through less intrusive means.
- Categories of Personal Data Processed
Through the operation of the camera system, the Controller records the image and visible activities of individuals entering monitored areas. Information signs are displayed to inform individuals about the operation of the surveillance system.
The cameras operate continuously, 24 hours a day, monitoring the electric vehicle charging stations.
The monitored areas are under the possession and control of the Controller and are monitored in accordance with applicable legislation and legal practice.
- Location and Method of Processing
Video recordings created by the camera system are stored locally at the respective site in encrypted form.
The Controller may access the recordings exclusively through its own servers using an encrypted data connection, as described in Section 8(b) of this Notice.
- Retention Period
The Controller retains recordings for 30 days.
This retention period is considered necessary because incidents relevant to asset protection and property security, including equipment malfunctions or damage caused by vandalism, are often detected only after some time. Furthermore, the retention period ensures the availability of recordings for administrative, judicial or data subject claims procedures.
After the expiry of the retention period, recordings are automatically deleted.
The Controller further informs Data Subjects that where a Data Subject exercises the rights provided under Article 17 GDPR, the Controller may retain the relevant recordings for a shorter period, in accordance with applicable legal requirements.
- Data Processing
A processor is a natural or legal person that processes personal data on behalf of the Controller.
The following entity acts as a processor with respect to your personal data:
(a) E.ON Drive Infrastructure GmbH
Registered office: Alfredstrasse 81, 45128 Essen, Germany
Commercial Register: Essen Local Court, HRB 29338
The Controller engages E.ON Drive Infrastructure GmbH as processor for the operation of the electronic surveillance system. The processor also provides legal support and operates internal audit and compliance functions. In performing these central functions, the processor may access all personal data processed by the Controller.
The Controller may engage additional service providers and processors where necessary to achieve the purposes set out in Section 4.
Through contractual arrangements with its processors, the Controller ensures that all processors process personal data in compliance with applicable data protection laws, in particular the GDPR and this Privacy Notice, while maintaining the highest possible standards of data protection and information security.
Except where required by law, personal data are not transferred to third parties. Where legally required, data may be disclosed to competent authorities acting as independent controllers.
The identity of processors may change due to business decisions of the Controller.
In accordance with the principle of data minimization, the Controller transfers only such personal data as are strictly necessary for its operations, legal obligations, or the performance of contracts concluded with processors or third-party service providers.
The Controller does not transfer personal data to third countries.
- Data Security
The Controller takes all measures reasonably expected of it under the GDPR and the Hungarian Info Act to ensure the security of personal data. The Controller implements appropriate technical and organizational measures and establishes procedures necessary to enforce applicable data protection and confidentiality requirements.
Access to personal data stored in the Controller’s systems is restricted exclusively to authorized employees.
Taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the varying likelihood and severity of risks to individuals’ rights and freedoms, the Controller implements appropriate technical and organizational measures designed both to effectively implement data protection principles, including data minimization, and to ensure compliance with GDPR requirements.
To ensure system and data security, including protection against intentional or accidental interference, the Controller applies the following measures:
• protection of the entire camera surveillance infrastructure against physical tampering and theft;
• encryption of data;
• use of hardware- and software-based security solutions such as firewalls, antivirus systems and intrusion detection systems;
• detection of failures affecting components, software and connections;
• tools and procedures to restore system availability and accessibility in the event of a physical or technical incident.
- Data Subject Rights and Remedies
In accordance with Chapters III and Articles 12–21 GDPR, Data Subjects may:
• request information about the processing of their personal data;
• exercise their right of access;
• request rectification or erasure of personal data;
• request restriction of processing; and
• object to the processing of their personal data.
In the event of an alleged infringement of privacy rights or in circumstances provided for by the GDPR, Data Subjects may contact the Controller or lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: H-1363 Budapest, P.O. Box 9
Address: Falk Miksa utca 9–11, H-1055 Budapest, Hungary
Telephone: +36 (30) 683-5969; +36 (30) 549-6838; +36 (1) 391 1400
Website: https://www.naih.hu/
Email: ugyfelszolgalat@naih.hu
The Controller shall facilitate the exercise of Data Subject rights.
The Controller shall provide information on actions taken in response to a request under Articles 15–22 GDPR without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity and number of requests, this period may be extended by a further two months.
Where the Controller does not take action on a request, it shall inform the Data Subject without delay, and at the latest within one month of receipt, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
Where a request is manifestly unfounded or excessive, particularly because of its repetitive character, the Controller may either charge a reasonable fee reflecting administrative costs or refuse to act on the request.
The burden of demonstrating the manifestly unfounded or excessive nature of a request lies with the Controller.
Without prejudice to Article 11 GDPR, where the Controller has reasonable doubts concerning the identity of the individual making the request, it may request additional information necessary to confirm the identity of the Data Subject.
Budapest, 28 May 2026





