Dear New Client,
We are in business relationship with you because you communicated with one of the following companies: SomeDeal Kft. (seat: 1027 Budapest, Varsányi Irén utca 8. fszt.;), Immobilie Best Kft. (seat: 1184 Budapest, Aranyeső utca 8.), Szitu Kft. (seat: 1097 Budapest, Nádasdy utca 10. 5. em. 505.), Credit Consilium Kft. (seat: 2000 Szentendre, Kondor Béla utca 28. B. lház. II. em. 14.), Ingatlan-Galéria Kft. (seat: 1149 Budapest, Róna u. 109. 4. em. 9.), Bent Ray Marketing és Pénzügyi Tanácsadó Kft. (seat: 1138 Budapest, Meder utca 8. B épület 5. em. 2.), KIPEX Kft. (seat: 1037 Budapest, Bécsi út 52.) (one or more of these companies respectively or jointly: Sales company or Sales companies) as realtors concerning the purchase of real properties presented on the metrodom.hu website (hereinafter: Website) of Metrodom Kft. (seat: 1095 Budapest, Mester utca 83/C fszt. CÜ3.) or of the affiliated project companies that are offering the real properties for sale (hereinafter jointly: Metrodom).
The Sales company as data controller states that it is a legal entity established in Hungary and acts as a realtor concerning the sale of the real properties and concerning the business activity of Metrodom. MTDM Kft. as data controller states that it is a legal entity established in Hungary and acts as a contact point concerning the sale and purchase contracts concluded or to be concluded concerning the real properties offered by Metrodom (hereinafter: Contract), furthermore based on a separate legal relationship it acts as a data processor of Metrodom.
The legal relationship between You and the Data controllers comes into existence when You indicate your interest for the conclusion of the Contract for the first time (by submitting your personal data detailed in this Policy. During the contracting process you provide your voluntary, explicit and definite consent based on proper information for the processing of your personal data after you became familiar with this Policy.
By accepting this Policy, you consent to the processing of your personal data and you verify this by signing a separate declaration. Upon the acceptance of the Policy and thereafter, the Data controller requires certain personal data. The data processing activities and the legal ground are detailed in this policy for each contracting step, however, the Data controllers are entitled to process some of your personal data already prior to the acceptance of this Policy for the purposes of contracting at your request.
The purpose of this Policy is to describe the principles and purposes of the data processing and other rights and obligations in line with the applicable laws that set out the purpose of the processing of your personal data, the duration and the methods of the processing and also your enforcement rights and remedies concerning the data processing.
The security and adequate processing of your personal data submitted to us is extremely important for us, therefore please read this Policy carefully and attentively. Should you have any questions or remarks concerning this Policy, then please do not hesitate to contact us before accepting the Policy at the e-mail address firstname.lastname@example.org and our colleagues are ready to assist you.
Terms and definitions
Please find below a summary of the most important terms used in this Policy.
1. Application: The Metrodom Sales 3D application that is made available by the Data controllers only on personal request (at events, promotions, personal consultations) through which Data subjects are able to view virtually the floor plan and 3D model of the concerned real property.
2. Activities of the data processor: any activities on personal data concerning data processing actions that are carried out on behalf of the Data controller, irrespective of the method or tool used for the execution and irrespective of the location of the application provided that these activities are performed on personal data. Accordingly, data processors are such natural or legal persons, authorities, agency and other bodies that process personal data on behalf of data controller.
3. Data processing: any operation or set of operations on personal data, irrespective of the method, including especially collection, recording, organization, storage, alteration, use, query, transfer, publication, alignment or combination, blocking, erasure or deletion and the hindering of the further use of the data.
4. Áfatv.: Act no. CXXVII of 2007 on value-added tax.
5. Data subject: each and every identified or identifiable natural person who enters into business relationship with the Data controllers in the course of which the Data subject provides his/her personal data detailed in this Policy.
6. Website: www.metrodom.hu operated by the Data controller.
7. Data controllers: the data provided by the Data subject are processed by the Data controllers, i.e. only the controllers are entitled to make decisions and execute same concerning the personal data of the Data subjects. Furthermore Data controllers act as the data processors of Metrodom as recipient.
Data controllers qualify as joint data controllers based on the liability scheme detailed in this Policy. The Data controllers are subject to Pmt., taking into consideration that they carry out activities for the intermediation of the transfer of real properties.
The details of the Data controllers:
A) On one hand one of the following data controllers regarding the Sales company:
if your realtor is Viktor Nyárondi:
Seat and mailing address: 1027 Budapest, Varsányi Irén utca 8. fszt.
Company registry number: 01-09-186613
Tax number: 24865511-2-41
if your realtor is Szilvia Lipták:
Immobilie Best Kft.
Seat and mailing address: 1184 Budapest, Aranyeső u. 8.
Company registry number: 01-09-204455
Tax number: 25180013-2-43
if your realtor is Barbara Sziráki:
Seat and mailing address: 1097 Budapest, Nádasdy utca 10. 5. em. 505.
Company registry number: 01-09-278228
Tax number: 12694004-2-43
if your realtor is Tibor Kaiser:
Credit Consilium Kft.
Seat and mailing address: 2000 Szentendre, Kondor Béla utca 28. B. lház. II. em. 14.
Company registry number: 01-09-208214
Tax number: 25319958-2-41
if your realtor is Zsuzsa Tukovits:
Seat and mailing address: 1149 Budapest, Róna u. 109. 4. em. 9.
Company registry number: 01-09-734387
Tax number: 13422840-2-42
if your realtor is Sándor Konrád:
Bent Ray Marketing és Pénzügyi Tanácsadó Kft.
Seat and mailing address: 1138 Budapest, Meder utca 8. B épület 5. em. 2.
Company registry number: 01-09-194774
Tax number: 14173769-2-41
Phone: 06-30- 942-0864
if your realtor is Zoltán Plagány:
Seat and mailing address: 1037 Budapest, Bécsi út 52.
Company registry number: 01-09-936805
Tax number: 22635277-2-41
B) On the other hand:
Seat and mailing address: 1095 Budapest, Mester utca 83/C Cü3.
Company registry number: 01-09-957503 (registered by the Court of Registry of the Regional Court of Budapest-Capital)
Tax number: 23196627-2-43
8. Supervising authority: the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; e-mail: email@example.com; Website: http://naih.hu; phone: +36 (1) 391-1400).
9. Inytv.: Act no. CXLI of 1997 on the real estate registry.
10. Pmt.: Act no. LIII of 2017 on the prevention and combatting of money laundering and financing of terrorism.
11. Grt.: Act no. XLVIII of 2008 on the basic conditions and certain limitations of advertising.
12. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Commission on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
13. Personal data: personal data submitted by the Data subject. It includes data that relates to the Data subject, furthermore the conclusion that can be drawn regarding the Data subject based on the data. Information requested during the communication between Data subject and the Data controllers qualify as personal data.
14. Szt.: Act no. C of 2000 on accountancy.
16. Shop premises: Any office of the Data controller open for the public for personal enquiries.
17. Contract: A sale and purchase contract concluded by the Data subject and one of Metrodom’s affiliated project companies regarding the real properties offered by Metrodom for sale (including sale and purchase pre-contracts, as well).
Joint data processing
19. Data controllers distributed their joint liability concerning the rights and obligations deriving from this Policy among themselves in their separate joint data controller agreement. The most important stipulations of this agreement are summarized in this chapter. This way the Data controllers have properly informed the Data subjects. By accepting this Policy the Data subject acknowledges and recognizes that the contents of the agreement between the Data controllers was made available to the Data subject.
20. The Data subject is entitled to exercise the rights deriving from the laws or from this Policy concerning the data processing in relation to any of the Data controllers and any of the Data controllers is entitled to exercise the rights set out in this Policy. An exception to the above is when some of the rights and obligations pertains specifically to one of the data controllers according to this Policy.
21. Data controllers state that they are jointly and severally entitled to exercise their rights and obliged to fulfil their obligations deriving from this Policy, unless otherwise stipulated in this Policy.
22. The purpose of the Data controllers is to summarize the steps of the contracting process in this chapter. The specific legal grounds for the data processing activities may vary from step to step as follows.
a) The contracting process commences upon the enquiry of the Data subject. The enquiry may take place on the phone, in e-mail or by booking an appointment through the “Interested” link on the Website. In their reply the Data controllers bring the attention of the Data subject to the fact that certain personal data (name, e-mail address, phone number) are recorded to ensure their availability in the database as the Data subject initiated the contact with the Data controllers towards the conclusion of the Contract.
b) The second step of the contracting process is that the Data controllers contact the Data subject at one of his/her contact details for further discussion, if the Data subject requested this.
c) Prior to the conclusion of the Contract the Data controllers require the Data subject to submit a form containing the personal data detailed in this Policy for the purpose of contracting and for the carrying out of the customer due diligence measures regulated in § 6 of Pmt. with a view to the established legal relationship.
23. Data controllers state that during steps a-b) of the above process certain personal data (name, e-mail, phone number) are processed in relation to the Data subject. The legal ground of this data processing is the Data subject’s request that takes place prior to the conclusion of the Contract and that is necessary for further steps in line with Article 6(1) Item b) GDPR.
24. Data controllers enable the Data subject already prior to the contracting process to become familiar with this Policy. For this purpose Data controllers undertake to publish this Policy, as amended from time to time, on the Website.
Data processing principles
Please find below a summary of the data processing principles that Data controllers undertake to fully comply with throughout the duration of the data processing.
25. Lawfulness, fairness and transparency: Regarding the data processing purposes, the Data controllers collect the personal data directly from the Data subject. The processing of the Data subject’s personal data takes place in a lawful and fair manner that is transparent for the Data subject. Data controllers make the Policy, as amended from time to time, (and the earlier versions) available free of any charge or obligation, continuously, in such way that it is accessible for the public (downloadable in PDF format) on the Website and in the Shop premises for review. Data controllers do not process the personal data in any unlawful way or for purposes beyond this policy and they will carry out the data processing activities always in line with this policy and the applicable laws.
26. Purpose limitation: Data controllers process the personal data only for the clear and lawful purposes detailed in the Policy. Processing of the submitted personal data for other purposes require that Data controllers comprehensively inform the Data subject about this in advance (primarily through e-mail). For the comprehensibility of the specific data processing purposes Data controllers provide information in this policy about the purpose, duration and legal ground of the processing of the specific personal data. Data controllers implement these rules mandatorily.
27. Storage limitation: Data controllers provide the storage of the personal data of the Data subject in such way that enable the identification of the data subjects only for the period of time necessary for the fulfilment of the purposes of the processing. Pursuant to Article 6(1) Item a) GDPR the personal data processed on the basis of the explicit and voluntary consent of the Data subject will be kept by the Data controllers until the revocation of the consent by the Data subject or until his/her request for deletion.
Data controllers are obliged to keep the collected personal data pursuant to § 7 of Pmt. for a period of 8 years from the termination of the business relationship detailed in § 1(1) Item f) Pmt. between the Data subject and the Data controller in line with § 56(1) Pmt. All other personal data beyond the scope of § 7 Pmt., the processing of which takes place for a different purpose, may be retained by Data controllers for the following periods of time determined specifically for each data processing purpose.
a) Regarding Data controllers, business relationship shall mean the legal relationship between the Data controllers and the Data subject for the services professionally provided by the Data controller (namely activities concerning real property transactions as detailed in § 1(1) Item f) Pmt.).
b) Data controllers may have to retain the personal data in line with § 28(1) Pmt. at the request of the tax authority, the financial supervising authority, the investigating authority, the prosecutor’s office or of the courts for the period set out in the request but up to 10 years at the most (§ 58(1) Pmt.).
The 8-year retention period may only be extended at the request of the authorities if the data or document is necessary for a pending or a future proceeding of the authority. After the final completion of this proceeding of the authority or after the frustration of the planned proceeding, Data controllers are to delete the personal data from their records (§ 58(2)-(3) Pmt.).
If no Contract was concluded between the Data subject and the Data controller during the steps of the chapter „Contracting process”, then the Data controller processes the submitted personal data for a period of 2 years from the first date of contact.
28. Data minimisation: Data controllers intend to restrict the scope of data to the most relevant and crucial personal data concerning each data processing purpose. These are personal data that are necessary for the specific data processing purposes as follows. Data controllers will act in line with this policy if more data is requested from the Data subject than detailed in this Policy.
29. Accuracy: Data controller intend to ensure that the personal data recorded concerning the data processing purposes are up-to-date and accurate and Data controllers take all reasonable steps for this purpose. This purpose is necessary because of the following: e.g. the Data subject will not receive a newsletter sent to a non-existing e-mail address so there is no point sending the newsletter. The Data subjects can contribute to the up-to-date nature of the data by reporting changes in the data or correcting the submitted data.
30. Data security principle: Data controllers consider data security as being extremely important, therefore they take all necessary, expected and state-of-the-art technical and organizational measures and steps. Data controllers store the submitted personal data primarily electronically and also in hard copy where the recording took place on paper. In order to prevent or remedy data breaches, the Data controllers:
a) prevent unauthorized access to the personal data and the unauthorized entry of data, data modification and erasure;
b) ensure that data in the database (registry) of Data controllers should not be able to be combined or to be assigned to the Data subject;
c) ensure the data recovery in the case of an incidental loss of data;
d) if data are recorded on paper documents, then the data shall be stored in such places closed to the public where unauthorized persons cannot access the data.
Data processing purposes and data processing process
In this chapter the data processing purposes and cases are described where the personal data of the Data subject are actually processed in practice. Data controllers act jointly with joint and severe liability concerning the following data processing activities with common infrastructure, unless otherwise contained in this Policy.
31. Database concerning contracting steps and contracting: The Data subject can initiate the contracting steps in accordance with the steps detailed in the chapter „Contracting process” and the Contract will be concluded as detailed therein. As long as the Contract is not concluded between the Data subject and the Data controllers regarding steps a-b) detailed in chapter „Contracting process”, the Data controllers process the following personal data for communication purposes: name, e-mail address, phone number.
The purpose of this data processing on one hand is the communication with the Data subject for the contracting, the sending of the requested offers and the registration of the Data subject who already requested an offer in the database, so that the Data subjects can be assigned to the competent Sales company.
The legal ground of the data processing is Article 6(1) Item b) GDPR, i.e. the steps towards contracting at the request of the Data subject. If no Contract is concluded within 2 years from the submission of the personal data of the Data subject, then the Data controllers stop processing the personal data for this data processing purpose.
Data controllers act jointly concerning the above data processing prior to the conclusion of the Contract.
If the Contract is entered into by Data subject as buyer and Metrodom as seller, then the Data controllers as the data processors of Metrodom process the personal data on one hand for the preparation of the Contract and for the fulfilment of the full-scope management and data storage obligations after the conclusion of the Contract, based on the legal ground of the legal obligation or the fulfilment of the Contract. Data controllers process the personal data submitted by the Data subjects during the contracting for the preparation, execution of the sale and purchase contracts concluded between Metrodom and the Data subject and for additional formal activities (e.g. report of warranty claims) for the purpose of database creation by Data controllers.
The legal ground of this data processing is Article 6(1) Item b) GDPR (contracting) on one hand and on the other hand Article 6(1) Item c) GDPR - legal obligation, with a view that according to § 32(1) Inytv. the Contract and the request concerning changes in the land registry must contain the following personal data: personal particulars of the Data subject (name, birth name, maiden name of mother, place and date of birth, home address, tax identification number, ID card/passport number, personal number), data of the real property (municipality name, lot number), nationality.
For the purposes of the fulfilment of the Contract, Data controllers may process further pieces of information depending on the requests and services ordered by the Data subject that might be the following: bank account number; notification address; e-mail address, name of statutory representatives, information and conclusions from the concluded Contract, workplace, data of another real property sold within 1-3 years, e-mail address, phone number, notification address.
The legal ground of the processing of these personal data is the fulfilment of the Contract (Article 6(1) Item b) GDPR.
Furthermore, Data controllers process the name and home address of the Data subject according to Article 6(1) Item c) GDPR, based on a legal obligation for invoicing purposes concerning the transaction that is prescribed by § 169 Item e) Áfatv.
The retention period of these personal data shall be 8 years pursuant to § 169 (1) and (2).
MTDM Management Kft. acts as a data processor of Metrodom concerning this data processing after the contracting.
32. Customer due diligence: The purpose of the data processing, in line with § 7 Pmt. is the customer due diligence. Data controllers process the following personal data for the fulfilment of their legal obligations upon the creation of the business relationship described in § 6(1) Pmt. pursuant to Article 6(1) Item c) GDPR as mandatory data processing.
a) Data controllers process the following personal data pursuant to § 7 Pmt.:
i. in the case of natural persons: given name and surname; birth name; place and date of birth; maiden name of mother; home address (or temporary residence in lack thereof); nationality; type and number of identification document; Hungarian place of residence in the case of foreign Data subjects (§ 7(2) Item a) Pmt.).
ii. in the case of legal persons: name; short name; seat; address of the Hungarian branch in the case of a foreign undertaking; company registry number for entities registered in the court registry, in the case of other entities the number of the founding decision (registration, establishment) or its registry number; main business activity; names and positions of the signatories; identification data of the delivery proxies (§ 7(2) Item b) Pmt.).
Data controllers retain the above data collected pursuant to § 7 Pmt. from the start of legal obligation for 8 years from the termination of the business relationship between the Data subject and Metrodom.
33. Client relations: The purpose of the Data controllers concerning the data processing for client relations is to ensure the following: data collection prior or after the contracting, necessary for the creation, preparation, fulfilment and execution of the Contract, notifications, administration and the communication (especially technical discussions, credit administration, administration concerning the authorities and public utility service providers) among the Data controllers or Recipients and the Data subject concerning the business relationship between the Data subject and the Data controllers, furthermore the fulfilment of certain legal obligations (especially guarantee obligations).
The scope of personal data processed for client communication: name; home address; notification address; e-mail address; phone number.
The processing of the above personal data is based on Article 6(1) Item b) GDPR for the exercising of rights and fulfilment of obligations deriving from the Contract. The retention period depends on the period of the statute of limitation of the respective contractual obligations.
Data controllers are entitled to carry out this kind of data processing jointly.
34. Application: The Data subject may use the Application during the personal meeting with the Sales company the Data subject contacted for contracting purposes, on the device operated by the Sales company. The Data subject can view the floor plan and rooms of the chosen real property virtually. If the Data subject so wishes, s/he can request the sending of the virtual floor plan by providing his/her e-mail address. In this case the Application sends the floor plan directly to the e-mail address.
The scope of personal data processed concerning this data processing purpose: e-mail address.
The legal ground of the data processing is Article 6(1) Item b) GDPR, namely the preparation of the contracting steps at the request of the Data subject.
The personal data will be processed by the Sales companies only for the above purpose.
35. Database processed for newsletter sending: The Data subject, pursuant to § 6 Grt. may consent in an explicit statement that the Data controllers contact the Data subject directly in electronic newsletters for advertising purposes and with a catalogue after the conclusion of the Contract. Data controllers may send newsletters only to those Data subjects who provided the additional consent. The specific consent may be given in person in the Shop premises or on the Website by clicking the checkbox.
The purpose of the Data controllers concerning the sending of the newsletter and the catalogue is to inform the Data subjects about Metrodom’s services and new investments and to promote these. The Data subject may revoke the specific consent at any time without restriction or reasoning, free of charge by sending an e-mail to firstname.lastname@example.org. After the receipt of the revocation, Data controllers are not entitled to send more newsletters. Personal data to be given concerning the newsletter as a specific data processing purpose: name; e-mail address; mailing address.
The Data subject provides a specific consent for data processing purpose, therefore the legal ground for this data processing is Article 6(1) Item a) GDPR and will last until the revocation of the consent.
Regarding this data processing purpose, only the Sales companies are entitled to carry out the processing among the Data controllers.
36. Data controllers may transfer the below detailed Personal data based on the consent of the Data subject concerning this Policy and only in the extent and for the persons detailed in this chapter. Data controllers keep a registry of the data transfers.
37. Data controllers are entitled to transfer Personal data to the project companies affiliated to Metrodom with which Data subject intends to conclude the Contract. The purpose of the data transfer is to enable the company affiliated to Metrodom as Recipient to receive the personal data that the Contract to be concluded with the Data subject should contain.
The scope of the personal data is as follows: name; birth name; maiden name of mother; place and date of birth; home address; personal identification number, nationality, ID card number; tax identification number; bank account number; notification address; e-mail address; communication with the contracting party and its representative, if any, information concerning the concluded Contract, workplace, information on other real property sold within 1-3 years.
38. Data controllers are entitled to transfer the Personal data during the contracting process in which the Data subject is involved, to the credit institute chosen for the financing of the purchase price to ensure the smooth arrangement of the fulfilment of the Contract by the Data subject with the inclusion of the bank or other external resources. This includes especially the data transfers necessary for credit administration, for the requesting of the Home Founding Allowance for Families (CSOK) and for other banking services.
Data controllers may transfer the following personal data concerning the data transfer detailed in this paragraph to third persons: name; birth name; maiden name of mother; place and date of birth; home address; personal identification number; ID card number; tax identification number; bank account number; notification address; e-mail address; the real property chosen by the Data subject.
39. Data controllers are entitled to transfer the personal data of the Data subject detailed in this paragraph to the third persons that are entitled to manage the condominium house in which the Data subject purchases the real property pursuant to the Contract.
With this data transfer the Data controllers hand over the list of residents to the person managing the house that contains the following personal data of the Data subject: name; home address; real property purchased with the Contract; e-mail contact, notification address.
40. Data controllers are entitled to transfer the following personal data for the arrangement of the legal tasks concerning the preparation and execution of the Contract to the Szabó, Kocsis and Partner Law Firm (seat: 1095 Budapest, Mester utca 83/A. IX. em. 4. a.) representing both parties in the transaction: name; birth name; maiden name of mother; place and date of birth; home address; personal identification number; ID card number; tax identification number; bank account number; notification address; e-mail address; the real property chosen by the Data subject; communication with the contracting party and their representative, if any concerning the Contract, phone.
41. Data controllers are entitled to transfer the personal data of the Data subject detailed in this paragraph to the Sales companies detailed in Section 2 of this Policy that do not qualify as data controllers in respect to the Data subject in the given legal relationship. The purpose of this data transfer is to enable the Sales companies detailed in this paragraph to view the database of the clients of the Data controller that acted as a sale company concerning a Contract when using the joint database.
The scope of transferred personal data if no Contract is concluded: name, phone number, e-mail.
The scope of transferred personal data after the conclusion of the Contract: name; birth name; maiden name of mother; place and date of birth; home address; personal identification number, nationality, ID card number; tax identification number; bank account number; passport number; notification address; e-mail address; information and conclusions from the concluded Contract, workplace, information on other real property sold within 1-3 years.
42. Data controllers are entitled to transfer the personal data detailed in this paragraph to the Metrodom Kivitelező Kft. and to Metrodom Építő Kft. carrying out the realization of the real property sold by Metrodom, to COPM Kft. that is responsible for technical consultation for the purposes of the fulfilment of the Contract, including the arrangement of the technical consultations, reporting of guarantee claims, performance of additional work and the enforcement of guarantee rights, furthermore the delivery process of the real property to the Data subject as buyer.
The scope of transferred Personal data: name; e-mail; phone; mailing address; bank account number; address of the real property purchased from Metrodom with the Contract.
43. Any of the Data controllers is entitled to make these data transfers detailed in this chapter.
Camera surveillance in the Shop premises
44. Data controllers record video for the protection of the persons and assets of the Data subjects and for the protection of the Shop premises by applying a surveillance camera system. The recording as a data processing purpose is justified by the legitimate interests of the Data controller and of the Data subjects concerning the protection of the persons and assets. The ground for the application of the surveillance system is to ensure the protection of the assets in the Shop premises, the valuables of the Data subjects, the monitoring of the real property for asset protection purposes and for the security of the persons in the Shop premises. For these security purposes the Data controller placed warning signs in prominent places, at the entrance of the Shop and also inside the Shop premises in the concerned rooms about the camera recording. The cameras are set in such angles that only such persons are recorded with whom the Data controller has a relevant business relationship regarding its services (including persons requesting offers or interested in a transaction). Thanks to the signs, the Data subjects can expect in which areas video recordings are made and can be familiar with the purposes. Data controller provides the rights and guarantees detailed in the chapter “right enforcement and remedies” concerning this data processing for the Data subjects.
The camera recordings are stored for the period set out by Szvtv. and the recordings may be used only in the case of events threatening the security of persons or assets, in the extent necessary for the proceedings of the authorities or courts. Otherwise the recordings will be deleted after the expiry of the period detailed in Szvtv. Data controller stores the recordings only for the duration detailed in Szvtv. and only in digital format and then the recordings are deleted. The cameras may record only such areas that are in line with the given security purpose and the camera recording shall not breach human dignity. No cameras are installed in the bathrooms and no hidden cameras are used. Data controller does not transfer the recordings to third persons (except for cases regulated in the laws).
The legal ground for the camera recoding as a specific data processing action shall be the legitimate interest of the Data controller and of the Data subject with a view to the security of persons and assets [Article 6(1) Item f) GDPR]. The detailed rules and guarantees of data protection concerning the camera surveillance are described in a separate policy and Data controller controls such activities based on this separate policy.
Recording of technical information (cookies) on the Website
45. During the use of the Website, beyond the personal data of the Data subject, certain information concerning the computer of the Data subject (cookies) are recorded that are generated during the use of the Website and that are recorded upon the opening and closing of the Website (without a specific action or statement of the Data subject) (logging). The purpose of this is to create statistics concerning the visitor numbers and use of the Website and the development of the IT system of the Website. The Data controller does not combine the cookies with the personal data of the Data subject (unless prescribed by the laws) and only the Data controller may access same. The Data subjects can delete the cookies from their own computers anytime (through the appropriate menu items of the browser) or may set the browser (mostly through the “Help” function) to ban cookies. However, by banning cookies the Data subject acknowledges that the Website may not provide the same user experience.
Data protection officer
Data controllers appoint the Szabó, Kocsis and Partner Law Firm (address: 1095 Budapest, Mester utca 83/A. IX. em. 4. a.; e-mail: email@example.com; phone: 06-1-878-0802) as joint data protection officer (DPO) for ensuring the legality of their data processing practice. This task is performed on the basis of a DPO service contract.
The DPO’s tasks include:
a) supporting of Data controllers concerning their data processing-related tasks;
b) acting as a contact person between the Data controllers and the supervising authority;
c) providing professional advice, information concerning data subject rights.
Right enforcement and remedies
Please find below the rights of the Data subject that can be exercised in relation to the Data controllers. Data controllers are jointly and severally responsible for fulfilling the below detailed obligations, i.e. the Data subject may exercise his/her rights in relation to any of the data controllers, except when one specific data controller acts concerning a certain data processing activity.
46. Communication with the Data controller: The Data subject and the Data controllers can communicate via phone, e-mail or postal mail. Data controllers’ e-mail address for this purpose: firstname.lastname@example.org; mailing address: 1095 Budapest, Mester utca 83/C Cü3. The Data subject is entitled to request information from the Data controllers whether his/her personal data is processed and if yes, then the Data subject has a right to access the processed personal data in the following extent.
Concerning the access, the information relating to the data processing that is provided by the Data controllers include especially the following:
a) data processing purposes;
b) processed personal data;
c) recipients of the data transfer;
d) foreseeable duration of the data processing or if it is not possible to establish same, then the aspects for the determination of the retention period;
e) rights of the Data subject;
f) right to file a complaint with the Supervising authority;
g) source of the data collected by the Data controllers and legal ground of the processing.
Data controllers provide the requested information without undue delay but within one month from the receipt of the request at the latest. If necessary, with a view to the complexity and number of the requests, this deadline may be extended with an additional period of two months. Data controllers shall inform the Data subject on the deadline extension and the reasons for the delay within one month from the receipt of the request. Data controllers provide a copy of the personal data being the subject-matter of the data processing to the Data subject at his/her request. Data controllers may charge a reasonable administrative fee for further copies requested by the Data subject.
a) Data controllers deal with and answer the e-mail of the Data subject concerning the data processing only if it was sent from the e-mail address or other contact that the Data subject communicated to the Data controllers earlier (except when the Data subject makes reference to the change of his/her e-mail address or other contact information or if the person of the Data subject can be clearly identified).
b) If the Data controllers fail to take measures based on the request of the Data subject, then the Data subject shall be informed without undue delay but within one month from the receipt of the request at the latest on the reasons for the lack of measures and on the right of the Data subject to file a complaint with the Supervising authority or to file a lawsuit with the competent court.
47. Rectification: The Data subject is entitled to inform the Data controllers on the changes of his/her personal data (in e-mail or postal mail as detailed above). Data controllers register the change within 8 days from the receipt of the notification. If the Data subject fails to report any changes to his/her personal data without delay, then the Data subject shall be liable for the consequences of this omission. If the submitted personal data is false and the correct data is available to the Data controllers, then Data controllers amend the data automatically.
48. Erasure: The Data subject is entitled to request the deletion of the personal data pertaining to the Data subject from the Data controllers without delay and the Data controllers are obliged to delete the personal data pertaining to the Data subject without delay, especially if one of the below reasons is given:
a) the personal data are not required anymore for the purpose for which they were collected or processed;
b) the Data subject has withdrawn the consent given for the data processing and the data processing does not have any other legal ground (the withdrawal does not have a retrospective effect on the lawfulness of the data processing);
c) the Data subject challenges the data processing based on legitimate interest;
d) the Data controllers processed the personal data unlawfully;
e) the personal data shall be deleted for the fulfilment of a legal obligation set out in the laws of the European Union or of a member state.
Even if one of the above circumstances is given, Data controllers are not obliged to delete the processed personal data if the data processing is required for one of the following:
a) exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the deletion is likely to render impossible or seriously impair the achievement of the objectives of that processing;
d) for the establishment, exercise or defence of legal claims.
49. Objection to the data processing: The Data subject is entitled to object the processing of his/her personal data in line with this Policy, based on a legitimate interest on grounds relating to his or her particular situation. The Data controllers shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
50. Right to restriction of the data processing: The Data subject shall have the right to obtain from the Data controllers restriction of processing where one of the following applies.
a) the accuracy of the personal data is contested by the Data subject, for a period enabling the Data controllers to verify the accuracy of the personal data;
b) the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Data controllers no longer need the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims;
d) the Data subject has objected to processing, pending the verification whether the legitimate grounds of the Data controllers override those of the Data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The Data subject who has obtained restriction of processing, shall be informed by the Data controllers before the restriction of processing is lifted.
51. Right to data portability: Regarding personal data processed on the basis of the consent of the Data subject or for the fulfilment of the Contract the Data subject shall have the right to receive the personal data concerning him/her, which s/he has provided to the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data controllers. This right may be exercised only concerning personal data that are processed on the legal grounds of consent or the fulfilment of a contract and pertain only to digital data.
52. Complaint to the Supervising authority: The Data subject is entitled to file a complaint with the Supervising authority with reference to the breach of laws concerning the processing of his/her personal data or if there is an imminent risk thereto. The investigation of the Supervising authority is free of charge and the expenses of the investigation are advanced and covered by the Supervising authority. No one should be subject to retaliation due to a complaint filed with the Supervising authority. The Supervising authority may disclose the person of the complainant if the investigation could not be carried out without this. If the complainant requests so, the Supervising authority is not entitled to disclose his/her person even if this leads to the frustration of the investigation.
53. Judicial route: the Data subject may turn to the courts against the Data controllers if his/her rights are breached. The lawsuit belongs to the competence of the regional courts. As a main rule the lawsuit shall be heard by the regional court with geographical jurisdiction over the case according to the seat of the data controller but the Data subject can also opt for the regional court with geographical jurisdiction based on his/her home address or temporary residence. The geographical jurisdiction of the courts can be checked on the court website with the search application “Court search” at www.birosag.hu . The regional court handle the matters with urgency.
54. Damages and non-pecuniary restitution: If, through the unlawful processing of the personal data of the Data subject or through breaching the data security requirements, the Data controllers:
a) cause damages to the Data subject or to third persons, then they shall be liable for the compensation (compensation of damages);
b) breach the personality rights of the Data subject, then the Data subject can claim non-pecuniary restitution from the Data controllers.
The Data controllers shall be set free from their liability for the compensation of damages and non-pecuniary restitution, if they prove that the damages or the breach of the personality rights of the Data subject was caused by an unavertable cause outside of the scope of the data processing. The damages are not to be compensated and no non-pecuniary restitution can be claimed if the breach resulting from the damages or the breach of personality rights resulted from the wilful or grossly negligent conduct of the Data subject (injured person).
55. In the case of a Data subject under 16 years of age, the submission of his/her personal data require the consent of his/her legal guardians (parents).
56. The Data controllers maintain the right to modify this Policy unilaterally at any time.
57. This Policy is governed by the Hungarian laws.
58. This Policy shall be in effect from 25 May 2018. You can find the Policy at https://metrodom.hu/en/privacy-policy.