The aim of the present privacy notice is for the data processing of Kopaszi Gát Kft. and Property Market Kft. (hereinafter: Companies) will comply with the obligation to provide prior information and advise the data subjects of the principles of the processing and legal remedies.
When compiling this privacy notice, the Companies relied mainly on the following legislation:
- General Data Protection Regulation (EU) 679/2016 (“GDPR”)
- Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter as: “Info Act”),
- Act CVIII of 2001 on Electronic Commerce and on Information Society Services (hereinafter as: E-commerce Act),
- Act XLVIII of 2008 on Business Advertising Activity (hereinafter as: “Business Activity Act”),
- Act V of 2013 on the Civil Code (hereinafter as: “Civil Code”).
The present notice applies to the processing performed by the Companies in relation to dispatching newsletters and offers (“CRM Data Processing”) as well as to data processing performed during the visit of the website www.budapart.hu (“Webpage Data Processing”).
1. The Controller
1.1. The personal data will be jointly processed by Kopaszi Gát Kft. (company registration number: 01-09-270180, registered offices: 1117 Budapest, Kopaszi gát 5.), and Property Market Kft. (company registration number: 01-09-206694, registered offices: 1117 Budapest, Kopaszi gát 5.).
2. Principles of processing of personal data
2.1. Lawfulness, fairness and transparency: the Companies shall process the personal data only lawfully, fairly and in such a manner that it will be transparent and available for the clients.
2.2. Purpose limitation: the Companies shall process the data subjects’ personal data only for the purposes specified in Section 4 and in a manner that is compatible with said purposes.
2.3. Data minimisation: the Companies shall process only the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
2.4. Accuracy: the Companies shall take all reasonable actions to ensure that they process only accurate and up-to-date personal data and they shall erase any inaccurate data without delay.
2.5. Storage limitation: the Companies shall store the personal data only for a period that is absolutely necessary to attain the purposes set out in Section 4.
2.6. Integrity and confidentiality: the Companies shall process the personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Legal grounds for data processing
3.1. In compliance with Article 6 (1) of GDPR, the legal grounds for data processing shall be the consent of the data subject and the provisions of the Info Act. In the case of CRM Data Processing, we have also taken into consideration Section 6 (1) of the Business Activity Act, according to which the Companies may process the personal data of their clients only if said clients have granted their explicit consent thereto.
3.2. The Companies shall not make personal data public. However, the law may prescribe – with the explicit description of the personal data – the publication of personal data of public interest. In any other case the publication is subject to the consent of the data subject. In the case of any doubt, it shall be presumed that the data subject has refused to grant his or her consent.
3.3. Unless provided for otherwise by law, the Central Statistical Office shall be entitled to receive for statistical purposes personal data processed within the framework of mandatory processing in a form which permits the identification of the data subject, and process said data in accordance with the relevant legislation.
4. Purpose of the data processing
4.1. Purpose of the data processing in respect of CRM: searching for services on websites operated by the Companies, including, in particular, making offers and sending quotations, contacts and satisfying the data subjects’ demands to the greatest possible extent. The personal data to be provided for the use of such services are contained in paragraph 5.2 of the present Notice.
4.3. The Companies shall not use the personal data provided by the data subject for any purposes other than those specified herein. The personal data may be disclosed to third parties or authorities – unless stipulated otherwise by the relevant law – only by the prior written consent of the data subject.
4.4. The Companies shall not verify the personal data provided by the data subject. Liability for adequacy of the personal data shall fall solely on the data subject providing them. However, this shall not affect the Companies’ obligation to process only accurate personal data. When giving his or her e-mail address, the data subject shall also guarantee that the specific service will be solely utilized from the e-mail address provided by the data subject. With regard to said commitment, in the course of the use of the specific e-mail address, all liabilities shall fall solely on the person who registered the e-mail address.
5. The range of processed data
5.1. Webpage Data Processing:
For the performance and monitoring of the service and for the prevention of misuses, the Companies shall record the following personal data of visitors during visits to the website/webpage: time of visit, visitor’s IP address, the address of the visited website and the website previously visited, type of the user’s browser.
Data to be recorded technically during the operation of the system: the personal data of the computer of the user logging in which are generated when using the service and which are recorded as an automatic result of technical processes. Upon login and log out, the system shall automatically log the personal data to be recoded automatically without any additional statement or action of the data subject. The system shall not connect the data in the log file to any other personal data. The data shall be accessed solely by the data controller.
5.2. CRM Data Processing:
Personal data to be recorded during the registration process: user name, password, password reminder, e-mail address, country, address, telephone number, consent on receiving newsletters, date of registration, number of logins, time of the last login, login IP address, services used by the data subject on the webpage/website and the data of such services.
The Companies shall record personal data in the electronic system serving the systematization and operation of customer relationship management (“CRM system”). Apart from the above-mentioned data, the CRM system shall store the activity of the customer, the contact, its content and time. If the data subject intends to enter into contract regarding the services provided by the Company, additional data shall also be transferred into the CRM system: banking data, personal identification data of the data subject (tax number, identification card number, mother’s name, place and date of birth), data of the selected real property, specifications, design and construction data.
Insofar as the persons showing interest enter into contract in relation to the selected apartments, the Companies shall continue to store their personal data so as to inform them of additional business offers and to maintain the contacts with their existing clients. Upon granting consent, clients shall agree that the Companies may process their personal data even after the execution of the contract on the purchase of the apartment.
6. Duration of the data processing
6.1. The electronic mail addresses (e-mail addresses) processed by the Companies mainly serve for the purpose of communication. In the case of change to the services provided by the Companies, the Companies shall send the information related to said changes via e-mail. The Companies shall use the mailing addresses for sending advertisements as follows: in certain cases the Companies shall dispatch them to stakeholders by electronic means in compliance with legislation.
6.2. The Companies, or in the case of a hyperlink to an external server, the external provider of the hyperlink shall place or identify small packages (so-called cookies) on the computer of the user. When the browser returns a previously saved cookie, the service provider managing the cookie may connect the user’s data saved during his current visits with the previous data, yet only in respect to the service provider’s own content. The user shall be able to delete or block the application of cookies in his or her own browser. In most cases, cookies can be managed under the ‘privacy settings menu item in the menu tools/settings by clicking on ‘cookie’.
7. Duration of the data processing
7.1. In respect of CRM Data Processing, the Companies shall process the personal data for a period of 5 years subsequent to their disclosure. This rule shall not apply to cases where the continuation of processing or retention of the personal data is prescribed by law (e.g. financial or accounting rules in the case of performed services). Apart from this, the data subject may request the erasure of his or her personal data at any time. In case the individuals making enquiries conclude the purchase agreement for the apartment, the Companies shall process the data subjects’ personal data specified under paragraph 5.2. for an additional period of 5 years dating from the conclusion of the purchase agreement, excluding communication-related data (name, e-mail address, telephone number), as they shall continue to process said data until the apartment purchased in BudaPart Project is owned or used by the data subject.
7.2. Should the data subject request the erasure of their data or withdraw his or her consent of processing, the deadline for the erasure shall be 10 working days from the receipt of the withdrawal of the consent unless a longer period is prescribed for the processing or retention of personal data by law, in which case the personal data shall be erased on the day subsequent to the expiry of the time limit required by law.
7.3. The personal data recorded automatically or technically in the course of the operation of the system and webpage shall be stored in the system for a reasonable period for the assurance of the operation of the system, yet for no longer than 10 years. The Companies shall ensure that such automatically recorded data will not be linked to other personal data of the user, with the exception of cases specified by law as being mandatory. If the data subject has withdrawn their consent to the processing of their personal data, it shall be impossible to identify such individuals based on the technical data.
7.4. In the case of unlawful or misleading use of personal data, crimes committed or attacks against the system, the Companies shall be entitled to erase the personal data of the data subject simultaneously with the suspension of the registration, and at the same time, in the case of reasonable grounds of alleged criminal activities or civil law liability, the Companies may retain the data in question for the period of the proceedings to be conducted.
8. Individuals with access to the personal data, data transfer and processing
8.1. The personal data may be obtained primarily by the Companies or the colleagues thereof who are responsible for operating the CRM system the delivery of the services advertised by the Company yet without publishing said data.
8.2. The Companies may hire a data processor (system operator) for the operating of the IT system, performance of the service and settlement of accounts. The Companies guarantee that the data processors shall ensure the lawful and secure processing of the personal data and enable the data subjects to exercise the rights provided by law. The Companies shall employ the services of the following processors:
- Veronika Braun, independent entrepreneur (registered offices: 1038 Budapest, Zsírai Miklós utca 11. /18., registration number: 51419097), who shall perform advisory and marketing activities for the Companies.
- CCG Art Kiadói Private Limited Company (registered offices: 1118 Budapest, Menedékes u. 1. F2 2/8; company registration number: 01-09-360183), which shall perform advisory and marketing activities for the Companies.
- Zsuzsa Kriston-Katona, independent entrepreneur (registered offices: 2089 Telki, Árnyas utca 38; tax number: 64532617-1-33), who shall perform advisory and marketing activities for the Companies.
- Macette Plc. (registered offices: 2100 Gödöllő, Ibolya u 56; tax number: 14694488-2-13), who shall provide virtual infrastructure service for the Companies.
8.3. During the performance of the processing activity, other processors may be hired according to the instructions of the Controller. The processor may not make pivotal decisions related to the processing and shall process the obtained personal data only according to the orders of the Controller; they shall not perform data processing for their own purposes, and shall store and retain the personal data according to the instructions of the Controller.
8.4. The Companies may provide third parties with access to the personal data of the data subject in certain cases, including official requests by courts or police, legal proceedings due to substantiated grounds of the violation of copyrights, property- or other rights, violation of the Companies’ interests, threatening the provision of their services, enforcement of the Companies’ claims, etc.
8.5. As joint Controllers, the Companies are entitled and required to transfer any available personal data duly stored by them to the competent authorities if the data must be rendered in order to comply with laws or official requests (e.g. demands, resolutions, rulings, etc.). The Companies shall not be held liable for such data transfer or consequences arising therefrom. In such cases, the Companies shall check without exception whether the request has been received from the court or authority, and they shall transfer them in a secure manner, precluding data leakage.
8.6. In case the data subjects intend to conclude the contract for the services offered by the Companies, the Companies may transfer the data subjects’ personal data required to the conclusion of the contract for the companies involved in the BudaPart Project. The Companies shall specifically notify the data subjects of the exact recipients and circumstances of the transfer.
8.7. The Companies shall promptly notify the data subject in all cases when they intend to use the data for purposes deviating from that of the data collection, obtaining the prior, explicit consent of the data subject and enabling the data subject to forbid the use of said data.
8.8. The Companies shall adhere to the restriction without exception during the collection, recording and processing of the personal data and shall inform the data subject of their activities via e-mail.
8.9. The Companies’ system may collect data on the data subject’s activities, which cannot be linked by the users to the data generated when using other web pages or services.
9. Security of personal data
9.1. The Companies shall plan and carry out the processing operations in such a way that it will ensure the protection of the data subject’s privacy during the application of the GDPR and other relevant laws.
9.2. The Companies shall provide for the security of the personal data, and shall take all technical and organizational measures and develop procedural rules which are required for the enforcement of the GDPR and other relevant laws.
9.3. The Companies shall protect the personal data by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that the data stored cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
10. The users’ rights in relation to their personal data processed by the controller:
10.1. The data subject may request from the Companies (a) information when their personal data is being processed, b) the rectification of their personal data, and (c) erasure or blocking of their personal data, with the exception of mandatory processing.
10.2. At the data subject’s request, the data Controller shall provide information concerning the data related to them, including those processed by a data processor hired by the data Controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and its activities related to data processing, futhermore - if the personal data of the data subject is made available to others - the legal basis and the recipients.
10.3. The Companies shall provide said information in writing, in easily intelligible form within the shortest possible time, yet no later than within 25 days of the receipt of the request.
10.4. The Companies may refuse to provide information to the data subject only in cases defined in the GDPR. When information is withheld, the Companies shall inform the data subject in writing as to the provisions of the GDPR serving as grounds for the refusal of their request. When information is withheld or no action is taken, the Companies shall inform the data subject of the possibilities for seeking legal remedy or lodging a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: “Authority”).
10.5. When personal data is deemed to be inaccurate, and the correct personal data is at the Company’s disposal, the data controllers shall rectify the personal data in question.
10.6. Personal data shall be erased if: (a) it is processed unlawfully; (b) when requested by the data subject; (c) the data is incomplete or inaccurate and cannot be lawfully rectified, provided that the erasure is not disallowed by statutory provisions; (d) the purpose of the processing no longer exists or the legal time limit for storage has expired; (e) when instructed by court order or the Authority.
10.7. Personal data shall be blocked instead of erased when requested by the data subject, or if there are reasonable grounds to believe that the erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose which prevented their erasure.
10.8. When data is rectified, blocked, marked or erased, the data subject to whom it pertains and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interests of the data subject in light of the purpose of processing.
10.9. If the Company refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing, or electronically with the data subject’s consent, within 25 days of receipt of the request. When rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking legal remedy or lodging a complaint with the Authority.
10.10. The data subject shall have the right to object to the processing of data relating to them.
10.11. In the event of an objection, the Companies shall investigate the cause of objection within the shortest possible time, yet no later than within 15 days, adopt a decision as to its merits and shall notify the data subject in writing of the decision.
10.12. If, according to the findings of the Companies, the data subject’s objection is justified, they shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, based on which said recipients shall also take measures regarding the enforcement of the objection.
10.13. Insofar as the data subject contests the decision taken by the Companies, or they fail to meet the above-mentioned deadline, the data subject shall have the right to take action in a court of law within 30 days of the date of delivery of the decision or from the last day of the time limit.
10.14. The data subject may withdraw his or her consent to the processing of the data in question at any time without limitation and object to the further processing by sending his or her relevant statement to the contact address specified in paragraph 12.3: to e-mail address email@example.com or to the postal address 1117 Budapest, Kopaszi gát 5; in such cases, the Companies shall erase the data within 10 working days of the receipt of the statement on the withdrawal of the consent.
11. Binding force and amendment of the privacy notice
11.1. The Companies undertake to act in the course of the processing of the personal data in accordance with the provisions of the present notice.
11.2. The Companies reserve the right to amend the prsent privacy notice at their sole discretion at any time.
11.3. Subsequent to the amendment hereto, the Companies shall inform the data subject by appropriate means (e.g. via newsletter, by displaying it on the website or by other means). Through the continued use of the service, the data subject shall acknowledge the amended privacy rules, and the Companies shall not be obliged to obtain additional consent.
11.4. Should the Companies amend the present notice in such a way that it affects the purpose and duration of the processing or the extent and type of the processed data, the Companies shall specifically request the data subject’s consent to the further processing.
12. Legal remedies
12.1. The Companies shall use their best efforts to process the personal data of the data subjects in compliance with the law and normative data protection principles. In the unforeseen case where the data subject believes certain problems have arisen in connection with the processing of their personal data, he or she may contact the Companies or their representatives by using the following contact information, should they have any questions or observations.
Property Market Kft.
firstname.lastname@example.org 1117 Budapest, Kopaszi gát 5.
Kopaszi Gát Kit.
1117 Budapest, Kopaszi gát 5.
12.2. All individuals shall have the right to notify the Authority and request an investigation alleging an infringement relating to his or her personal data or concerning the exercise of the rights of access to public information or information of public interest, or if there is imminent danger of such infringement:
the Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Registered offices: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest, Pf.: 5.
Telephone: 36 (1) 391-1400
Fax: 36 (1) 391-1410
12.3. The data subject may seek remedy for enforcement his or her rights under the GDPR or Civil Code, or lodge a complaint before the court in the case of the violation of his or her rights.
If the user has provided the personal data of any third party at the registration for the use of the service or caused any damage in the course of the use of the website/webpage, the Companies may file a claim for damages. In such cases, the Companies shall use their best efforts to assist the proceeding authorities to identify the offender.
Budapest, 27 June 2018