Introduction
Dear New Client,
Flatco Real Estate Korlátolt Felelősségű Társaság (registered office: H-1097 Budapest, Nádasdy utca 15/B. fszt. 7.), as data controller (hereinafter jointly: Controller), accepts the provisions of this privacy notice (hereinafter: Notice) as binding on itself and states that its data processing complies with the provisions set out herein and in the relevant legislation.
The Controller stipulates that it is a business association registered in Hungary and as a main activity, it, on the one hand, leases real properties in its own possession or use, and on the other hand, mediates lease rights of properties owned by third parties.
The purpose of this Notice is to describe the principles and purposes of the data processing and other rights and obligations in line with the applicable laws that set out the purpose of the processing of your personal data, the duration and the methods of the processing and also your enforcement rights and remedies concerning the data processing.
The security and adequate processing of your personal data submitted to us is extremely important for us, therefore, please read this Notice carefully and attentively. Should you have any questions or remarks concerning this Notice, then please do not hesitate to contact us at any time before accepting the Notice at the e-mail address info@flatco.hu and our colleagues are ready to assist you.
Terms and definitions
Please find below a summary of the most important terms used in this Notice.
- Personal data: any information relating to the Data Subject, based on which the Data Subject may be identified or identifiable. The identifiable natural person means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, cultural or social identity of that natural person. The Controller collects personal data of the Data Subject highlighted in this Notice, each specified by different purposes of data processing.
- Data Subject: the natural person party to the lease contract with Controller or with third persons represented by the Controller.
- Data processing: any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use.
- Technical data processing: any activity conducted on personal data in connection with the data processing activities which are executed in the name of the Controller, regardless of the methods and tools applied for the purpose of executing the processes, and regardless of the place of processing, given that the activity is conducted on the data. In accordance with the above, processor means a natural or legal person, or an organisation not having legal personality, which, acting according to a mandate or instructions given by the controller, processes personal data.
- Áfatv.: Act CXXVII of 2007 on value-added tax.
- Supervising Authority: the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, address: 1055 Budapest, Falk Miksa u. 9-11.; e-mail: ugyfelszolgalat@naih.hu; Website: http://naih.hu; phone: +36 (1) 391-1400).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Commission on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- : Act CCII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
- Szt.: Act C of 2000 on accountancy.
- Pmt.: Act LIII of 2017 on the prevention and combatting of money laundering and financing of terrorism.
- Contract: Lease contract regarding the real properties offered to be leased by Controller, concluded by and between the Data Subject and the Controller or a third person.
Data of the Data Controller
- The Controller means a natural or legal person, administrative organ, agency or any other organisation which determines the purposes and means of processing personal data by itself or jointly with others.
This Chapter declares the contact data of the Controller and the representative of Controller.
Data of the Controller:
Company name: Flatco Real Estate Korlátolt Felelősségű Társaság
Seat and postal address: 1097 Budapest, Nádasdy utca 15/B. fszt. 7.
Company registry number: 01-09-981578 (registered by the Metropolitan Tribunal Court of Companies)
Represented by: Jacoby Márta managing director (mailing address: H-1097 Budapest, Nádasdy utca 15/B. fszt. 7.)
Tax number: 23855997-2-43
E-mail: info@flatco.hu
Phone: +361/919-3-261
The lessor in the lease contracts shall be data controller.
The following companies also pursue lessor activity, considering the present Notice as applicable and binding on them (therefore, the Controller means the companies below as well in this Notice, when concluding a contract with any of them):
Company name: Flatmosphere Korlátolt Felelősségű Társaság
Registered seat: 1095 Budapest, Mester utca 83/A. fszt. AÜ3.
Company registry number: 01-09-334162
Tax number: 26596631-2-43
Represented by: Jacoby Márta managing director (mailing address: 1095 Budapest, Mester utca 83/A. fszt. AÜ3.)
E-mail: info@flatco.hu
Company name: Karissa Korlátolt Felelősségű Társaság
Registered seat: 1095 Budapest, Mester utca 83/C. fszt. CÜ3.
Company registry number: 01-09-738516
Tax number: 13501099-2-43
Represented by: Nyárai Attila Zsolt managing director (mailing address: 1095 Budapest, Mester utca 83/C. fszt. CÜ3.)
E-mail: info@metrodom.hu
Company name: MTDM Korlátolt Felelősségű Társaság
Registered seat: 1095 Budapest, Mester utca 83/C. fszt. CÜ3.
Company registry number: 01-09-957503
Tax number: 23196627-2-43
Represented by: Kricsfalussy Tamás managing director (mailing address: 1095 Budapest, Mester utca 83/C. fszt. CÜ3.)
E-mail: mtdm.management@gmail.com / info@metrodom.hu
Company name: Flatco Ingatlanok 2020 Korlátolt Felelősségű Társaság
Registered seat: 1097 Budapest, Nádasdy utca 15/B. fszt. 7.
Company registry number: 01-09-375751
Tax number: 28828778-2-43
Represented by: Nyárai Attila Zsolt managing director (mailing address: 1097 Budapest, Nádasdy utca 15/B. fszt. 7.)
E-mail: info@flatco.hu
Contracting process
- The Controller means a natural or legal person, administrative organ, agency or any other organisation which determines the purposes and means of processing personal data by itself or jointly with others.
Data processing principles
Please find below a summary of the data processing principles that Controller undertakes to fully comply with throughout the duration of the data processing.
- Lawfulness, fairness and transparency: Regarding the data processing purposes, the Controller collects the personal data directly from the Data Subject. The processing of the Data Subject’s personal data takes place in a lawful and fair manner that is transparent for the Data Subject. Controller makes the Notice, as amended from time to time, available free of any charge or obligation, continuously, in such a way that it is accessible to the public. Controller does not process the personal data in any unlawful way or for purposes beyond this Notice and will always carry out the data processing activities in line with this Notice and the applicable laws.
- Purpose limitation: Controller may process the personal data only for the clear and lawful purposes detailed in the Notice. For the comprehensibility of the specific data processing purposes Controller provides information in this Notice about the purpose, duration and legal basis of the processing of the specific personal data. Controller implements these rules mandatorily.
- Storage limitation: Controller stores the personal data of the Data Subject in such a way that the data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This Notice determines, for each data processing purpose, the term after which the data shall be erased.
- Data minimisation: Controller intends to process only the most necessary and relevant personal data for the purpose of pursuing its activities. These are personal data that are indeed necessary for reaching the purpose of personal data processing.
- Accuracy: Controller intends to ensure that the personal data recorded to exercise rights arising from the Contract and to carry out duties are up-to-date and accurate, and Controller takes all reasonable steps for this purpose. The Data Subjects may contribute to the up-to-date nature of the data by reporting changes in the data or correcting the submitted data.
- Data security / integrity and confidentiality: Controller considers data security as being extremely important, therefore it takes all necessary, expected and state-of-the-art technical and organizational measures and steps. Controller stores the submitted personal data primarily electronically and also in hard copy where the recording took place on paper. In order to prevent or eliminate personal data breaches, the Controller:
- shall prevent unauthorized access to personal data and unauthorized data entry, modification, erasure by means of passwords and encryption procedures;
- shall store the personal data in hard copy and the computers processing data digitally in a closed room secured with an alarm;
- shall exclusively apply licensed software controlled from time to time in their internal computer systems;
- documents containing personal data processed digitally by Controller shall be available exclusively in a digital system with proper right of access;
- the Controller shall always provide virus protection of their digital systems;
- the Controller seeks to prevent, by means of backups, the loss of digitally processed documents containing personal data.
Data processing purposes and data processing process
In this chapter the data processing purposes and cases are described where the personal data of the Data Subject are processed in practice.
- Recording lessor’s inquiries
If an enquiry is submitted to the Controller concerning a flat with the intention of renting it, the Controller records it.
- Purpose of processing: continuous communication with the clients, keeping statistics and evaluation regarding the flat and the project.
- Legal basis of processing: the legitimate interests of the Controller [Article 6 (1) f) GDPR].
- Processed data: name, phone number, e-mail address, preferred type of real property, location, planned date of the move.
- Data subject: the inquiring person with the interest of renting a flat.
- Duration of processing: 2 years.
- Database concerning contracting steps and performing contracts:
If the data subject intends to conclude a lease contract with the Controller, the Controller requests the personal data necessary to conclude the contract and sends them to the contributing law firm for the purpose of preparing the contract.
- Purpose of processing: preparation of contracts.
- Legal basis of processing: processing is necessary for the performance of the contract prior to entering the contract [Article 6 (1) b) GDPR].
- Processed data: name, mother’s name, place and date of birth, address, tax number, bank account number, ID card number.
- Data Subject: the party with the intention of concluding a lease contract.
- Duration of processing: if the contract is not concluded, the personal data shall not be processed by the Controller any longer.
If the data subject as lessee and the Controller conclude the lease contract, the Controller may process the personal data of the data subject under the terms and conditions below:
- Purpose of processing: performing a contract.
- Legal basis of processing: processing is necessary for the performance of the contract [Article 6 (1) b) GDPR].
- Processed data: name, mother’s name, place and date of birth, address, tax number, bank account number, ID card number, signature.
- Data subject: lessee.
- Duration of processing: 8 years in accordance with Szt.
The Controller has the right to request certain certifications from the lessee as a precondition of the conclusion of the Contract:
- a) Income certificate: in order to certify the financial stability of the lessee.
- b) Certificate on school attendance / certificate of enrolment: in case of student lessees.
- c) Certificate on employment: in case of worker’s discounts.
In case a), the purpose of the processing is the performance of the obligations stemming from the concluded Contract, and to minimise damage to the financial interests of the Controller. In case b), the purpose is to preserve as potential lessors the persons who do not belong to categories a) or c), i.e. unemployed persons or persons without regular income, as these persons are supposedly dependants or receive student scholarships; consequently, the obligations based on the concluded Contract are secured and the damage to the financial interests of the Controller may be kept at a minimum level. In case c), the Controller might provide discounts for the employees of certain companies (worker’s discount). In order to apply for the worker’s discount, it is necessary for the data subject to certify that he/she works at the company entitled to the discount.
The legal basis of the processing are the legitimate interests of the Controller based on Article 6 paragraph (1) point f) GDPR. The Controller has conducted a test of compatibility in connection with the processing of data based on these legitimate interests in a separate document.
The Controller only requests that the certificate be presented; it does not copy or keep the certificate.
- Customer due diligence:
If the Controller carries out an activity related to the mediation by way of business of the lease rights of a third person’s real property and as a result it possesses personal data, the Customer due diligence of the Data Subject according to § 7 of the Pmt. means further data processing activity in certain cases.
- Purpose of processing: to conduct customer due diligence.
- Legal basis of processing: compliance with legal obligations based on chapter 4 Pmt. [Article 6 (1) c) GDPR].
- Data subject: lessee.
- Duration of processing: 8 years in accordance with Pmt.
Controller processes the following personal data pursuant to Section 7 Pmt.: given name and surname; birth name; place and date of birth; name of mother; address (or temporary residence in lack thereof); nationality; type and number of identification document (Section 7 paragraph (2) point a) Pmt.).
Further to the above, the Controller shall verify the identity within the framework of the Customer due diligence legal obligation and in this regard the Company shall request the following documents [Section 7 paragraph (3) Pmt.]:
- in the case of a Hungarian citizen the official card proving identity and the official card proving the home address,
- in the case of a foreign citizen the passport or the identity card, provided that it authorises the person to reside in Hungary, the document proving the right of residence or the document authorising residence, official card proving Hungarian address (if the address/temporary residence is in Hungary).
The Company produces a copy of the document with the exception of the side of the official card proving address which proves the personal number.
In accordance with Section 9/A. paragraph (1) Pmt., the data subject shall declare whether he/she is a politically exposed person or a relative of a politically exposed person or closely connected with a politically exposed person.
- Client relations: The purpose of processing for client relations is to ensure, within the legal relationship established between the Controller and the Data Subject, the performance of data requests, notifications and administration and the maintenance of contact between the Controller and the Data Subject (in particular technical consultations, claims management, administration at the authorities and public utility services), before or after contracting, for the conclusion, preparation, performance and carrying out of the Contract.
- Legal basis of processing: legitimate interests of the Controller [Article 6 (1) f) GDPR].
- Processed data: name, e-mail address, phone number.
- Data subject: lessee.
- Duration of processing: until the contract is effective.
- Invoicing data:
Regarding the lease payment obligation deriving from the Contract, the Controller shall issue the accounting document in accordance with the stipulations of Section 165 Szt. and shall receive and pay invoices from other contractual legal relationships.
- Purpose of processing: performing payments in accordance with the contract.
- Legal basis of processing: necessary to comply with legal obligations [Article 6 (1) c) GDPR] – the compulsory content of the invoice is determined by Section 169 Áfatv.
- Processed data: in case of legal persons, a contact; in case of natural persons, name, address, tax number.
- Data subject: contracting party.
- Duration of processing: 8 years in accordance with Szt.
- Processing in connection with repairing defects
Throughout the term of the lease, defects might occur at the flat, which may be reported via e-mail or telephone by the lessee to the Controller. The Controller maintains a register of the reported defects and their treatment.
- Purpose of processing: repairing and recording defects.
- Legal basis of processing: the report of the lessee constitutes consent [Article 6 (1) a) GDPR], then the legitimate interests of the Controller justify further storage of the data.
- Processed data: name, e-mail address, phone number, address of the flat, information on defects.
- Data subject: lessee.
- Duration of processing: 1 year.
- Sending newsletters
The Controller sends newsletters to the data subjects each month.
- Purpose of processing: sending newsletters, providing information frequently about the newest discounts, events, news of the Controller.
- Legal basis of processing: consent of the subscriber / lessor [Article 6 (1) a) GDPR]
- Data processed: name, e-mail address.
- Data subject: subscriber of the newsletter / lessee.
- Duration of processing: until the withdrawal of the consent.
- Data Processor: the Controller is aided by Campaign Monitor Pty Ltd. in sending newsletters.
Data transfer
- The Controller may transfer personal data processed for the purposes mentioned above exclusively to the persons indicated in this chapter to the extent set out herein.
- If the Controller proceeds with the mediation of the lease right of a third-party owner’s real property, then the Controller is entitled to transfer the personal data used for keeping contact and processed related to the performance of the Contract to the owner of the relevant real property. The purpose of data transfer is for the owner as direct lessor to exercise its rights deriving from the Contract and to perform its obligations and maintain contact with the lessee.
- The Controller is entitled to transfer the personal data processed according to the Notice for the provision of the legal processes related to the preparation of the Contract and the performance thereof to the Szabó, Kocsis és Hunya Law Firm (registered office: H-1095 Budapest, Mester utca 83/A. IX. em. 4. a.) representing both parties in the transaction related to the Contract. Similarly, the Controller is entitled to hand over the Contract and the related accounting documents for performing the accounting processes to Karissa Kft. performing the accounting activity.
- In the case of leasing a real property built by one of the companies of the Metrodom Group, the Controller is entitled to transfer the personal data indicated in this section to the Metrodom Kivitelező Kft. carrying out the building works, and to Metrodom Építő Kft., to COPM Kft. providing technical consultation for the implementation and performance of the Contract in order to carry out the technical consultation regarding the Data Subject as buyer and to proceed with the defect notifications covered by the warranty.
- The invoices and contracts are recorded by the Controller in the SAP business coordination system, and this system is maintained by IFSZ Kft. (company registry number: 09-09-000696; registered seat: 4026 Debrecen, Péterfia u. 4. III. em. 313).
- The hosting service provider of the website flatco.hu is …………………….. Kft. (company registry number: ………………; registered seat: ………………………………….).
- If any of Controllers have concluded a loan agreement with a bank, the bank may request the lease contracts concluded by the Controller for the purpose of verifying the compliance of these lease contracts with the loan agreement and the indexes and information in it.
- The Controller is entitled to transfer the personal data according to this Notice towards the authorities and courts in the case of their request or if an adversarial or non-adversarial proceeding is initiated between the parties.
Data protection officer
Controller appoints the Szabó, Kocsis and Hunya Law Firm (address: 1095 Budapest, Mester utca 83/A. IX. em. 4. a.; e-mail: iroda@szkiroda.hu; phone: 06-1-878-0802) as joint data protection officer (DPO) for ensuring the legality of their data processing practice. This task is performed on the basis of a DPO service contract.
The DPO’s tasks include:
- a) supporting the Controller concerning their data processing-related tasks;
- b) acting as a contact person between the Controller and the Supervising Authority;
- c) providing professional advice, information concerning data subject rights.
Right enforcement and remedies
Please find below the rights of the Data Subject that can be exercised in relation to the Controller.
- Communication with the Controller: The Data Subject and the Controller can communicate via phone, e-mail or postal mail. The Data Subject is entitled to request information from the Controller whether his/her personal data is processed and if yes, then the Data Subject has a right to access the processed personal data in the following extent.
Concerning the access, the information relating to the data processing that is provided by the Controller includes especially the following:
- the source of the processed personal data,
- the purpose and legal basis of the data processing,
- processed personal data,
- in the case of transferring the processed personal data the recipients of the data transfer, including recipients of third countries and international organisations,
- the retention period of the processed personal data, the aspects of the determination of this period,
- the rights of the data subject according to this law and the description of the method of their enforcement,
- in the case of profiling its fact and
- the circumstances of the occurrence of personal data breach arising in connection with the processing of the data subject’s personal data, their effects and the measures taken.
Controller provides the requested information without undue delay but within 1 month from the receipt of the request at the latest.
- Controller deals with and answers the e-mail of the Data Subject concerning the data processing only if it was sent from the e-mail address (except when the Data Subject makes reference to the change of his/her e-mail address or other contact information or if the person of the Data Subject can be clearly identified).
- The Controller shall inform the Data Subject about every measure taken in relation to the personal data without delay but within 1 month from taking the measure at the latest. If the Controller fails to take measures based on the request of the Data Subject, then the Data Subject shall be informed without undue delay but within 1 month from the receipt of the request at the latest on the reasons for the lack of measures and on the right of the Data Subject to file a complaint with the Supervising Authority or to file a lawsuit with the competent court.
- Rectification: The Data Subject is entitled to inform the Controller on the changes of his/her personal data (in e-mail or postal mail as detailed above). Controller registers the change within 8 days from the receipt of the notification. If the Data Subject fails to report any changes to his/her personal data without delay, then the Data Subject shall be liable for the consequences of this omission. If the submitted personal data is false and the correct data is available to the Controller, then Controller amends the data automatically.
- Erasure: The Data Subject is entitled to request the deletion of the personal data pertaining to the Data Subject from the Controller without delay and the Controller is obliged to delete the personal data pertaining to the Data Subject without delay, especially if one of the below reasons is given:
- the personal data are not required anymore for the purpose for which they were collected or processed;
- the Data Subject has withdrawn the consent given for the data processing and the data processing does not have any other legal basis (the withdrawal does not have a retrospective effect on the lawfulness of the data processing);
- the Data Subject challenges the data processing based on legitimate interest;
- the Controller processed the personal data unlawfully;
- the personal data shall be deleted for the fulfilment of a legal obligation set out in the laws of the European Union or of a member state.
Even if one of the above circumstances is given, Controller is not obliged to delete the processed personal data if the data processing is required for one of the following:
- exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the deletion is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
- Objection to the data processing: The Data Subject is entitled to object to the processing of his/her personal data in line with this Notice, based on a legitimate interest, on grounds relating to his or her particular situation. The Controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Right to restriction of the data processing: The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies.
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The Data Subject who has obtained restriction of processing, shall be informed by the Controller before the restriction of processing is lifted.
- Right to data portability:
Based on the consent of the Data Subject, or with regards to the personal data processed with the purpose of performing the contract, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right may be exercised exclusively with regards to digitally processed personal data with the legal basis of consent or performance of contract.
- Complaint to the Supervising Authority: The Data Subject is entitled to file a complaint with the Supervising Authority with reference to the breach of laws concerning the processing of his/her personal data or if there is an imminent risk thereto. The investigation of the Supervising Authority is free of charge and the expenses of the investigation are advanced and covered by the Supervising Authority. No one should be subject to retaliation due to a complaint filed with the Supervising Authority. The Supervising Authority may disclose the person of the complainant if the investigation could not be carried out without this. The Data Subject may initiate the procedure of the Authority for the examination of the lawfulness of Controller’s measure if the Controller limits the enforcement of the Data Subject’s rights indicated above or if it refuses the Data Subject’s request for the enforcement of such rights; and it can initiate a procedure of the data protection authority if according to it, during the processing of its personal data, the Controller or the data processor commissioned by it or who proceeds on its request breaches the legal rules pertaining to the processing of the personal data.
- Judicial route: Data Subject may turn to the courts against the Controller if his/her rights are breached. The lawsuit belongs to the competence of the regional courts. As a main rule the lawsuit shall be heard by the regional court with geographical jurisdiction over the case according to the seat of the data controller but the Data Subject can also opt for the regional court with geographical jurisdiction based on his/her home address or temporary residence. The geographical jurisdiction of the courts can be checked on the court website with the search application “Court search” at birosag.hu. The regional courts handle the matters with urgency. During the procedure, the Controller or the concerned data processor shall prove that it has not breached the legislation pertaining to the processing of the personal data.
- Damages and non-pecuniary restitution: If, through the unlawful processing of the personal data of the Data Subject or through breaching the data security requirements, the Controller:
- causes damages to the Data Subject or to third persons, then they shall be liable for the compensation (compensation of damages);
- breaches the personality rights of the Data Subject, then the Data Subject can claim non-pecuniary restitution from the Controller.
The Controller shall be set free from their liability for the compensation of damages and non-pecuniary restitution, if they prove that the damages or the breach of the personality rights of the Data Subject was caused by an unavertable cause outside of the scope of the data processing. The damages are not to be compensated and no non-pecuniary restitution can be claimed if the breach resulting from the damages or the breach of personality rights resulted from the wilful or grossly negligent conduct of the Data Subject (injured person).
The Controller ensures data security and takes the necessary and appropriate technical and organisational measures. It ensures the confidentiality of personal data (e.g. access to the public, unauthorized access), integrity (alteration, modification, erasure), and availability (restorability).
The above requirement is performed in accordance with the below:
- it ensures – through means of hardware and software – that the tools used for processing (hereinafter: data processing system) may not be accessed by unauthorised persons;
- the electronic data shall be stored in closed computer systems protected by password;
- prevents unauthorized entry of personal data in the data processing system and the possibility of accessing, modifying, erasing the personal data stored in it, furthermore, prevents the use of data processing systems by means of data transmitting devices by unauthorized persons;
- ensures confidentiality of the data by means of inner policies and orders: the employees shall use the data in their possession exclusively for the purpose of the data processing and to the necessary extent in a manner that any other person, for whom it is not necessary to process data for their work, shall be excluded from accessing the data;
- transfers personal data exclusively when it has a legal basis to do so;
- processes personal data only for the necessary term;
- ensures protection against viruses; the physical protection of storage devices;
- frequently reviews the appropriateness of computer systems and – if necessary – develops it.
Miscellaneous stipulations
- In the case of a Data Subject under 16 years of age, the submission of his/her personal data requires the consent of his/her legal guardians (parents).
- The Controller maintains the right to modify this Notice unilaterally at any time.
- This Notice is governed by the Hungarian laws.