THE PROTECTION OF NATURAL PERSONS’ RIGHTS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
Why is this privacy notice made?
During its operation, the Data Controller handles personal data for several purposes, while respecting the rights of the data subjects and fulfilling legal obligations. The Data Controller also considers it important to present to the data subject the handling and the most important characteristics of the personal data that came to the controller’s knowledge during the data processing activities.
What is the legal basis of processing the data subjects’ personal data?
Personal data is only processed for a specific purpose and on an appropriate legal basis. These purposes and legal bases are presented individually, in relation to specific data processing.
What external assistance is used to process your personal data?
Personal data is mostly processed by the Data Controller at its own premises. However, there are operations for which the external help of a data processor is necessary. The data processor may change according to the characteristics of each data processing.
Who is processing your personal data?
The data subject may receive information about the data processors employed by the Data Controller and their contact details in section II of this privacy notice.
NAME OF THE DATA CONTROLLER
The issuer of this privacy notice and the Data Controller:
COMPANY NAME: PropertyCode Hungary Kft. (LTD.)
REGISTERED SEAT: 1214 Budapest, Erdősor utca 34. ground floor 2.
COMPANY REGISTRATION NUMBER: 01-09-974845
TAX NUMBER: 23714041-2-43
REPRESENTED BY: Attila Márk Tündik, Executive Manager
CONTACT: https://unitederasmushousing.com/ under “Contact”
NAME OF THE DATA PROCESSORS
Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Regulation 2016/679, Article 4(8)).
To use a data processor, prior consent from the data subject is not required, but he or she must be notified. Accordingly, the following information is provided:
COMPANY NAME: Google LLC
REGISTERED SEAT: Mountain View, California, USA
COMPANY NAME: Facebook, Inc.
REGISTERED SEAT: Menlo Park, California, USA
COMPANY NAME: Closte, LLC
REGISTERED SEAT: 1603 Capitol Ave. Suite 310 A546 Cheyenne, Wyoming 82001
Data processor for web development:
COMPANY NAME: Gábor Bánkuti Individual Entrepreneur
REGISTERED SEAT: 2800 Tatabánya, Panoráma utca 30.
REGISTRATION NUMBER: 54235003
TAX NUMBER: 55539252-1-31
Data processor performing invoicing:
COMPANY NAME: Kulcs-Soft Public Limited Company
REGISTERED SEAT: 1016 Budapest, Mészáros utca 13.
COMPANY REGISTRATION NUMBER: 01-10-045531
TAX NUMBER: 13812203-2-41
Data processor performing invoicing:
COMPANY NAME: Billingo Technologies Private Limited Company
REGISTERED SEAT: 1133 Budapest, Árbóc utca 6.
COMPANY REGISTRATION NUMBER: 01-10-140802
TAX NUMBER: 27926309-2-41
Data processor performing invoicing:
COMPANY NAME: Barion Payment Private Limited Company
REGISTERED SEAT: 1117 Budapest, Irinyi József utca 4-20. 2nd floor
COMPANY REGISTRATION NUMBER: 01-10-048552
TAX NUMBER: 25353192-2-43
Data processor performing invoicing:
COMPANY NAME: OTP Bank Public Limited Company
REGISTERED SEAT: 1051 Budapest, Nádor utca 16.
COMPANY REGISTRATION NUMBER: 01-10-041585
TAX NUMBER: 10537914-4-44
Data processor performing invoicing:
COMPANY NAME: Kereskedelmi és Hitelbank Private Limited Company
REGISTERED SEAT: 1095 Budapest, Lechner Ödön fasor 9.
COMPANY REGISTRATION NUMBER: 01-10-041043
TAX NUMBER: 10195664-4-44
Data Processor performing accounting and payroll tasks:
COMPANY NAME: Bergmann Könyvelő Iroda Pénzügyi Szolgáltató LLC.
REGISTERED SEAT: 1138 Budapest, Váci út 186.
COMPANY REGISTRATION NUMBER: 01-09-736645
TAX NUMBER: 13466022-4-41
LAWFULNESS OF PROCESSING
1. Data processing based on the data subject’s consent
1.1. Where the Company intends to carry out data processing based on consent, the data subject’s consent to the processing of his or her personal data shall be obtained by means of the data request form and information as set out in the Data Processing Policy.
1.2. Consent shall also be deemed to be given if the data subject ticks a box when viewing the Company’s website, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action which clearly indicates the data subject’s consent to the intended processing of his or her personal data in the relevant context. Silence, ticking a box or inaction therefore does not constitute consent. The continuation of a telephone call after having been duly informed shall constitute consent.
1.3. Consent covers all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.
1.4. Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, such as the conclusion of a sales or service contract, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject which is in breach of the Regulation shall not be binding.
1.5. The Company shall not make the conclusion or performance of a contract conditional on the giving of consent to the processing of personal data which are not necessary for the performance of the contract.
1.6. The data subject may withdraw his/her consent at any time by sending an e-mail to the e-mail address indicated in Chapter I.
1.7. If the data subject withdraws his/her consent, the controller may no longer process his/her data. Where consent is withdrawn, the controller must ensure that the data are erased, unless another legal basis allows for the processing of those data (e.g. storage requirements or the need to perform a contract). Where processing has been carried out for more than one purpose, the controller may not use the personal data for the purpose for which the data subject has withdrawn consent.
2. Data processing based on performing legal obligations
2.1. In the case of data processing based on performing legal obligations, the scope of the data that can be processed, the purpose of the data processing, the duration of data storage and the recipients are governed by the provisions of the underlying legislation.
2.2. The processing of personal data for compliance with a legal obligation is based on the regulation, regardless of the consent of the data subject.
In this case, prior to the processing of the data, the data subject shall be informed that the data processing is obligatory and shall be clearly and in detail informed of all facts concerning the processing, in particular the purpose and legal basis of the data processing, the person authorized to handle and process the data, the duration of the data processing, whether the personal data of the data subject are processed by the Data Controller on the basis of the legal obligation applicable to him or her, and who can get access to the data. The information shall include the rights and remedies available to the data subject. In the case of mandatory data processing, the information may also take place with the publication of a reference to the legislative provisions which contain the foregoing information.
3. Data processing based on legitimate interests
3.1. The legitimate interests of the Company or a third party may provide a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. The reasonable expectations of the data subject based on his or her relationship with the controller should be taken into account, so that the processing of personal data for contact purposes, even for direct marketing purposes, may be considered to be based on legitimate interests.
3.2. The processing based on legitimate interests requires a balancing of interests test, in which the Company will always take into account the current circumstances and the situation of the controller and the data subjects. In the case of processing in the interest of the Company, the balancing of interests tests carried out separately have led to the following result: in the balancing of interests test, the Company has concluded, taking into account the conditions described for the processing in question, that the processing is justified subject to the appropriate safeguards, as set out in this Policy, without which the Company would not be able to operate competitively. In this light, the emotional impact on data subjects and the harm to their right to privacy can be considered proportionate.
4. Data processing for the protection of the vital interests of the data subject or other natural person
4.1. The protection of the vital interests of the data subject or of another natural person may also provide a legal basis for processing, given that the right to data protection is fundamental but not exclusive, and that the right to the protection of personal data is naturally overridden by the right to life in a life and death context.
5. Data processing based on contractual interests
5.1. Data processing may also be based on a contractual interest if it is necessary for the performance of a contract in which the data subject is a party or if it is requested by the data subject in order to prepare the contract.
6. Promoting the rights of the data subject
6.1. The Company is obliged to ensure the exercise of the rights of the data subject during all data processing.
INFORMATION ABOUT DATA PROCESSING BY THE COMPANY
Customer data: managing data of contracting partners, contacts – registering customers, suppliers
(1) The Company may process, on the legal basis of the performance of a contract, the following data of the natural person who has a contractual relationship with it, for the purposes of preparing, concluding, performing or terminating the contract or granting a contractual benefit (in summary, supporting economic processes in the common interest): name, name at birth, date of birth, mother’s name, address, tax identification number, tax number, entrepreneur’s or self-employed person’s identity card number, personal identity card number, address of registered office, address of premises, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, frequent buyer lists), medical fitness documents, certificate. This processing is also lawful if it is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: the Company’s employees performing customer service tasks, employees performing accounting, tax, business, invoicing tasks and data processors. The period of storage of personal data is 6 years after the termination of the contract in view of the long-term business relationship of the Company.
(2) The legal basis for the processing of the data of the natural person contracting party provided in the contract for accounting and taxation purposes is the fulfilment of a legal obligation, in this context the storage period is 8 years.
(3) The Company shall process the personal data of the natural person acting on behalf of the legal person contracting with it – the person signing the contract – provided in the contract, as well as his/her address, e-mail address and telephone number, online identification number for the purposes of contract preparation, contact, exercise of rights and obligations arising from the contract – in summary, support of economic processes arising in the common interest – for the legal title of contract performance. The storage period of these data is 6 years after the termination of the contract. In the case of processing based on legitimate interest, the data subject has the specific right to object to the processing.
(4) The Company shall process the name, address, telephone number, e-mail address, online identifier of the natural person – not a signatory – designated as a contact person in a contract concluded with it for the purpose of maintaining contact and exercising rights and obligations arising from the contract – in summary, to support economic processes in the common interest – for the performance of the contract, taking into account that the contact person is in an employment relationship with the contracting party, so that this processing does not adversely affect the rights of the data subject. The Contracting Party declares that it has informed the contact person concerned of the processing relating to his capacity as contact person. The storage period of this data shall be 6 years after the contact has been established.
(5) With regard to all data subjects, the recipients of personal data are: the Company’s senior management, employees performing customer service tasks, contact persons, the Company’s data processors, in particular employees performing accounting, tax and business processing tasks, and data processors.
(6) Personal data may be transferred for data processing to the accounting office appointed by the Company for taxation and accounting purposes, to the Hungarian Postal Service or the appointed courier service for postal delivery, to the Company’s security agent for asset protection purposes, to the Company’s data processors.
(7) The processing shall be considered lawful if it is necessary in the context of a contract or the intention to conclude a contract (Preamble 44), or if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b)). Thus, personal data collected in the context of contractual offers may also be processed for the purposes of the performance of a contract as described in this point. When making or receiving an offer, the Company is obliged to inform the offeror or the offeree of the offer.
(8) The data processing clauses and information to be applied in the contracts to be concluded by the Company are set out in Annex 5 to these Rules. It is the duty and obligation of the Company’s employees to ensure that these data processing clauses are included in the text of the contract.
Sending messages, registering on the Company’s website
(1) A natural person who sends a message on the website can give his or her consent to the processing of his or her personal data by ticking the relevant box. It is prohibited to tick the box in advance.
(2) The scope of the personal data that may be processed: name (surname, first name), nationality, address, telephone number, e-mail address, university, bank account details of the natural person
(3) Purpose of the processing of personal data: request for information or offer.
(4) The legal basis for the processing is the consent of the data subject.
(5) The recipients or categories of recipients of personal data: employees of the Company performing tasks related to customer service and marketing activities, and the Company’s data processors, in particular the IT and marketing service provider of the Company.
(6) Duration of storage of personal data: 5 years or until the withdrawal of the data subject’s consent (request for erasure).
(7) The data subject acknowledges that the provision of data is not a prerequisite for the conclusion of a contract and is not obliged to provide his/her personal data. The possible consequence of not providing the data is the failure to provide information or to conclude a contract.
Data management in relation to social media (Facebook, Instagram)
(1) Our Company has only limited influence on the data processing of social media platform operators. In those places where we can influence and parameterize it, we will facilitate its data processing in a manner that is appropriate from a data protection point of view within the range of possibilities available to us. In most cases, however, we have no control over the operator’s activities, so we have no information about exactly what data is processed.
(2) The Controller manages its own page on Facebook. The data subject can subscribe to the news feeds published on the Facebook page’s message board by clicking on the “like” link on the pages. To be able to contact the Data Controller via Facebook, you must be logged in. For this purpose, Facebook also requests, stores and processes personal data. The Controller has no control over the type, scope and processing of these data and does not receive personal data from the Facebook operator. On Facebook pages, the Data Controller processes the personal data of followers on the basis of the voluntary consent of the followers, which is deemed to have been given by the fact that the person concerned likes, follows or comments on the page or posts. The data subject declares that he/she is over 16 years of age when requesting services on the Facebook page of the Controller. A person under the age of 16 requires the consent of his or her legal representative in order for his or her declaration of consent to the processing to be valid pursuant to Article 8(1) of the GDPR. The controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided is accurate.
(3) Purpose of processing: to provide current information and news concerning the Data Controller, advertising on social media, presentation and promotion of services. The Facebook page is used by the Data Controller for marketing purposes in order to inform interested parties about its services and to enable them to contact the Data Controller.
(4) Legal basis for processing: voluntary consent of the data subject (in accordance with Facebook and Instagram policies)
(5) Data subject: name of the data subject; data subjects: users of the social media platform
(6) Duration of data processing: the data subject can unsubscribe from the Facebook page of the Data Controller by clicking on the “dislike” or “do not like” button or delete unwanted content by using the settings on the message board. The active status of the service
(7) Recipients: the employees of the Data Controller performing tasks related to customer service and marketing, and the Company’s data processors, in particular the Company’s IT service provider.
(8) The data subject acknowledges that the provision of data is not a prerequisite for the conclusion of a contract and is not obliged to provide his/her personal data. The possible consequence of not providing the data is the failure to inform the Data Controller about current news and services concerning the Data Controller.
Management of recruitment data, applications, CVs
(1) The personal data that may be processed include: the name, date and place of birth, mother’s name, address, qualifications, photograph, telephone number, e-mail address of the natural person, employer’s record of the applicant (if any).
(2) Purpose of the processing of personal data: application, assessment of the application, conclusion of an employment contract with the selected person. The data subject must be informed if the employer has not chosen him/her for the job in question.
(3) Legal basis for the processing: the data subject’s consent (deemed to have been given at the time of sending the application). The legal consequence of withdrawing consent is non-recruitment.
(4) Recipients or categories of recipients of personal data: managers and employees performing labour-related tasks who are entitled to exercise employer rights at the Company.
(5) Duration of storage of personal data: personal data of applicants who are not selected shall be deleted. The data of those who withdraw their application or candidature shall also be deleted.
Data processing for tax and accounting obligations
(1) The Company shall process the data of natural persons who have come into contact with it for the purposes of fulfilling a legal obligation, tax and accounting obligations (bookkeeping, taxation) as provided for by law. §-of the Act of 2000 on Accounting: name, address, designation of the person or organisation ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order, and, depending on the organisation, the signature of the controller; on stock movement vouchers and cash management vouchers: signature of the recipient and on counterfoils: signature of the payer, and under Act CXVII of 1995 on Personal Income Tax: tax identification number.
(2) Data processing related to the keeping of the driver’s logbook and the driver’s logbook (in relation to vehicles used by more than one holder): the Company processes the data specified by law (name of the driver, type of vehicle, registration number, date and purpose of the journey, route taken, name of the business partner visited) for the purposes of legal obligations, cost accounting, supporting documents, tax assessment and fuel saving. The relevant legislation is Act No. CXVII of 1995 (Tax Act), § 27/2/, Annex 3, item 6 and Annex 5, item 7.
(3) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.
(4) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security functions.
Payer data processing
(1) The Company shall process the personal data of the data subjects – employees, their family members, workers, recipients of other benefits – with whom it has a relationship as a paying agent (Act 2017:CL. on the Order of Taxation (Art.), § 7.31.) for the purposes of fulfilling its legal obligations, tax and contribution obligations (tax, advance tax, contributions, payroll, social security, pension administration). The scope of the data processed is defined in Article 50 of the Art., specifically highlighting: the natural person’s identification data (including previous name and title), gender, nationality, tax identification number, social security number. If the tax laws impose a legal consequence, the Company may process data relating to employees’ membership of health (Section 40 of the Social Security Act) and trade unions (Section 47(2) b) of the Social Security Act) for the purposes of meeting tax and contribution obligations (payroll accounting, social security administration).
(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payroll) tasks.
Processing of documents of lasting value under the Archives Act
(1) The Company shall, in the performance of its legal obligation, process documents of permanent value pursuant to Act LXVI of 1995 on public records, public archives and the protection of private archival material (Archives Act), in order to ensure that the permanent value of the Company’s archival material is preserved intact and in a usable condition for future generations. Duration of storage: until the transfer to the public archives.
(2) Recipients of the personal data: the head of the Company, employees of the Company who are responsible for the management and archiving of the records, employees of the public archives.
(2) Purpose of personal data processing: improvement in user’s internet experience, storage of personal adjustments
(3) Legal basis of data processing: the data subject’s freely given consent
(4) Categories of processed personal data: the Data Controller stores all analytical information without names or any other personal data
(5) Period for which the personal data are stored: the data subject can delete the cookies at any time on his or her computer or phone
INFORMATION ABOUT THE RIGHTS OF DATA SUBJECT
You can find further information about the rights of the data subject in the General Data Protection Regulation (https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:32016R0679):
- Information and access to personal data (Articles 13 and 14)
- Right of access by the data subject (Article 15)
- Right to rectification (Article 16)
- Right to erasure (‘right to be forgotten’ – Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right not to be subject to automated individual decision-making, including profiling (Article 22)
- Right to remedies (Articles 77-82)
Right to lodge a complaint with a supervisory authority:
(1) Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation. You can find further information about remedies under Article 77.
(2) Contact of the supervisory authority:
The National Authority for Data Protection and Freedom of Information
Registered seat: 1055 Budapest, Falk Miksa utca 9-11
Postal address: 1363 Budapest, Pf.: 9.
Phone number: +36 (1) 391-1400
E-mail address: [email protected]
PropertyCode Hungary LTD.