Privacy Policy

Data Management Notice

 

 

TABLE OF CONTENTS

1     The purpose of this Data Protection Notice
2     Change management
3     General provisions
4     Legal background
5     Definitions
6     The data controller’s details
7     Data processors
8     Managed personal data types and related information
8.1         Cookies
8.2         Curriculum vitae information
8.3         Personal data used in sending newsletters
8.4         Personal data provided during communication or request for offer by phone / e-mail
8.5         Personal data associated with online fault reports
9     Data transfers
10 The rights of data subjects and their options for enforcing such rights
10.1    The right to transparent information
10.2    Right of access
10.3    Right to data portability
10.4    Right to rectification
10.5    Right to be forgotten
10.6    Right to object
10.7    Right to restriction of data management
10.8    Automated individual decision-making, including profiling
11 Recourse to the courts
12 Procedures by the Authority
13 Miscellaneous provisions

 

 

  

1     The purpose of this Data Protection Notice

The purpose of this Data Protection Notice is to define the principles and rules applied by CD Hungary Ingatlanhasznosító, Forgalmazó és Szolgáltató Zrt. (hereinafter: CDH) in the course of its management of personal data other than the personal data of its employees in order to ensure compliance with the principles of data protection and the requirements for data security.

2     Change management

The data protection principles applicable to data management by CDH will be available at all times at the link http://cdhungary.com/adatvedelem.

CDH maintains the right to amend this Notice at any time.

3     General provisions

CDH manages personal data in accordance with the following principles:

  • CDH manages personal data confidentially, in compliance with the prevailing legislative provisions; it ensures their security and takes all the necessary administrative, logical and physical security and organisational measures and implements all the procedural rules that are necessary for complying with the applicable provisions in effective legislation.
  • In the course of its data management, CDH maintains secrecy: it protects the information so that only authorised parties can access it; it maintains integrity: it protects the accuracy and completeness of the information and the processing method; it maintains availability: it ensures that authorised users can access the required information whenever necessary and that the relevant means are available to enable them to do so.
  • As the controller of the data, CDH commits to ensuring that all data management associated with its activities shall comply with the provisions in this Data Protection Notice and the applicable effective legislation.

4     Legal background

CDH must comply with the legislative provisions applicable to the management of personal data in all phases of data management. Data management by CDH is governed primarily by the provisions set out in the following legislation:

  • Act V of 2013 on the Civil Code (hereinafter: Civil Code);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the management of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act).

 

 

5     Definitions

  • data subject: Any specific natural person identified or – directly or indirectly – identifiable by personal data.
  • personal data: Any data relating to a data subject – in particular the data subject’s name, identifier and one or more pieces of information on the data subject’s physical, physiological, mental, economic, cultural or social identity, and conclusions derived from such data regarding the data subject.
  • consent: The freely given and definite declaration of the data subject’s wish, which is based on proper information and represents the data subject’s unambiguous agreement to the management of their personal data in general or as applicable to specific transactions.
  • objection: The data subject’s declaration contesting the management of their personal data and requesting the termination of data management and the erasure of the data managed.
  • data management: Regardless of the procedure employed, data management is defined as an operation or set of operations performed with the personal data, such as collection, capture, recording, organisation, storage, changing, use, transfer, disclosure, alignment or combination, blocking, erasing and destroying, and preventing the further use of the data, taking photos, audio or video recordings, and recording physical features identifying the person (e.g. fingerprint, palm print, DNA sample, iris scan).
  • data processing: The performance of technical tasks associated with the data management operations, regardless of the method or device used in performing the operations or the location of their use, provided that the technical task concerns the data.
  • data transfer: Making the data available to a specific third person.
  • public disclosure: Making the data available to anyone in the wider public.
  • data controller: A natural person, legal entity or non-incorporated organisation that defines the purposes of the management of the personal data on its own or jointly with others, adopts and implements the decisions regarding data management (including the devices to be used) or arranges for the same to be implemented by a data processor contracted by it.
  • data processor: A natural person, legal entity or non-incorporated organisation that processes data on contract (including contracts entered into pursuant to a provision of law).
  • erasure of data: Making data unrecognisable in such a way that their recovery is no longer possible.
  • set of personal data: The entirety of data managed in a single set of records.
  • third party: Any natural person, legal entity or non-incorporated organisation other than the data subject, the data controller and the data processor.

 

 

 

6     The data controller’s details

  • Data controller’s company name: CD Hungary Ingatlanhasznosító, Forgalmazó és Szolgáltató Zrt.
  • Data controller’s registered seat: 1023 Budapest, Vérhalom u. 12-16.
  • Data controller’s postal address: 1023 Budapest, Vérhalom u. 12-16.
  • Company registration number: 01 10 044768
  • Tax number: 12856956-2-41
  • Contact: Edit Hrabina
  • Data controller’s phone number: +36-1 325-71-77
  • E-mail: cdhungary@cdhungary.com

7     Data processors

  • Data processor’s company name: Versanus Informatikai és Szolgáltató Kft.
  • Data processor’s registered seat: 1023 Budapest, Bécsi út 3-5- 5.em. 56
  • Company registration number: 01 09 738703
  • Tax number: 13504786-2-41

 

 

8     Managed personal data types and related information

 

8.1         Cookies

The service provider places anonymous user identifiers (cookies) on the data subject’s computer. A cookie does not, by itself, enable the identification of the data subject in any way; it serves the sole purpose of recognising the data subject’s computer. When this solution is used, it is not necessary to supply a name, e-mail address or any other personal information, because the user does not release any personal data to the service provider and data is exchanged only between the computers.

Users may set their browsers to prevent the placement of unique identifiers (cookies) on their computers. Users may block marketing cookies and other types of cookies in the pop-up window that appears when they visit a website.

The purpose of data management

The service provider manages cookies in order to learn more about the data subjects’ website usage habits, and thus to improve the quality of its services and to display customised pages and marketing (advertising) materials during their visits to the website.

The legal grounds for data management

The legal basis for the management of the data is the data subject’s freely given consent to the data management; when accessing the website, the data subject may determine in the pop-up window how the cookies should work.

The data managed

The personal data managed are the cookies used by Google Analytics, the cookies supporting the operation of the website and the marketing cookies.

Data subjects

All persons who come forward to establish contact and are data subjects in the data management process.

Data management duration

1 year from the time of the visit.

Revocability of consent

Consents may be revoked by e-mail or phone; nevertheless, the revocation of the consent will not detract from the legality of data management prior to the revocation of the consent.

Obligations if personal data are provided / Consequences if personal data are not provided

If the data subject does not consent to cookies, they will be able to browse the website ‘more slowly’.

 

 

 

8.2         Curriculum vitae information

In response to advertisements for jobs, CVs (résumés) may be sent to the points of contact (e-mail addresses) provided on the website / other platforms.

The purpose of data management

To fill the job advertised by the service provider and to enter into an employment contract.

The legal grounds for data management

The legal basis for the management of the data is the data subject’s freely given consent to the data management; by submitting the CV, the data subject freely gives their consent to the management of their data.

The data managed

The personal data managed are the data subject’s name, phone number, e-mail address, education and other information included in the CV.

Data subjects

Any person voluntarily applying for the job, whose data are managed

Data management duration

Data will be managed for the trial period of the hired employee but not longer than 6 months.

Revocability of consent

Consents may be revoked by e-mail or phone; nevertheless, the revocation of the consent will not detract from the legality of the data management prior to the revocation of the consent.

Obligations if personal data are provided / Consequences if personal data are not provided

The data subject has the obligation to provide the data as the recruitment process cannot start without them. If the data subject does not provide the personal data, the application will be automatically rejected.

 

8.3         Personal data used in sending newsletters

The purpose of data management

Contacting for marketing purposes, sending information regarding events

The legal grounds for data management

The legal basis for the management of the data is the data subject’s freely given consent

The data managed

The personal data provided when signing up for the newsletter (name, e-mail address)

Data subjects

All persons who come forward to establish contact and are the data subjects in the data management process

Data management duration

Until consent is revoked

Revocability of consent

Consents may be revoked at any time by sending an e-mail to hirlevel@cdhungary.com or clicking on the link in the newsletter.

Obligations if personal data are provided / Consequences if personal data are not provided

If the data subject withholds or revokes their consent to sending the newsletter, they will not receive the newsletter.

 

  

8.4         Personal data provided during communication or request for offer by phone / e-mail

 

The purpose of data management

Answering the questions of the data subjects, providing information, sending offers to the data subjects

The legal grounds for data management

The data subject’s freely given consent to data management; the capturing of the data is initiated by the data subject.

The data managed

The data subject’s name, phone number and personal e-mail address.

Data subjects

All persons who come forward to establish contact and are the data subjects in the data management process.

Data management duration

5 years

Revocability of consent

Consents may be revoked by e-mail or phone; nevertheless, the revocation of the consent will not detract from the legality of data management prior to the revocation of the consent.

Obligations if personal data are provided / Consequences if personal data are not provided

The data are provided on a voluntary basis.

 

8.5         Personal data associated with online fault reports

 

The purpose of data management

Serving the data subjects in a personalised manner and sending information to the data subjects upon their request

The legal grounds for data management

The legal basis for data management is the performance of the contract.

The data managed

User name, password

Data subjects

Person reporting the fault

Data management duration

5 years

Revocability of consent

The data subject’s consent is not the legal basis of the management of the data.

Obligations if personal data are provided / Consequences if personal data are not provided

If the data subject does not provide the personal data, online fault reporting will not be possible.

 

 

 

9     Data transfers

We have the right and the obligation to forward to the competent authorities any personal data available and stored by us in accordance with the regulations if we are forced to do so by law or a binding official order. The data controller shall not be held liable for such data transfers or its consequences.

 

10 The rights of data subjects and their options for enforcing such rights

10.1    The right to transparent information

The right to appropriate and transparent information is a basic right of the data subjects, imposing an obligation on the data controller. The data controller must provide data subjects with succinct, transparent, comprehensible information on the circumstances of data management and the rights of data subjects, in an easily accessible, clear and easy-to-understand manner.

If information is requested from us, we will provide it without undue delay but in no more than 30 days.

10.2    Right of access

Data subjects shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, they shall have the right to access the personal data and the following information: the purposes of data management; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the planned duration of storing the personal data; the right to rectification, to erasure, to the restriction of data management and to objection; the right to lodge a complaint with a supervisory authority; information on the sources of data; the existence of automated decision-making, including profiling, and information on the logic involved as well as the significance of the data management and its envisaged consequences for the data subject. The data controller shall supply such information within a maximum of one month from the request being lodged.

10.3    Right to data portability

The data subject shall have the right to receive their personal data, which they had provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller.

10.4    Right to rectification

Data subjects shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.

10.5    Right to be forgotten

 

The data controller shall erase the data subject’s personal data without undue delay if any one of the following reasons applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent underlying the data management and there are no other legal grounds for the data management;
  • the data subject objects to the management of the data and there are no overriding legitimate grounds for the data management;
  • the personal data have been unlawfully managed;
  • the personal data have to be erased in order to comply with a legal obligation in EU or Member State law;
  • the personal data have been collected in relation to the offering of information society services.

If the managed data is necessary for exercising rights or in settlements with official bodies for instance, the data management may be continued on the grounds of compliance with a legal obligation or by virtue of a rightful interest.

In the case of erasure, the obligation to erase shall apply to the data processors involved as well.

10.6    Right to object

The data subject shall have the right to object at any time, for reasons relating to their particular situation, to the management of their personal data on the grounds of processing for the public interest or within the framework of exercising the official powers assigned to the data controller or on the grounds of the enforcement of the rightful interests of the data controller or a third party, including profiling based on the provisions referred to. In the event of such objection, the controller shall no longer manage the personal data unless the controller demonstrates compelling legitimate grounds for the data management which override the interests, rights and freedoms of the data subject or concern the establishment, exercise or defence of legal claims.

 

10.7    Right to restriction of data management

In the event of restriction, the personal data may only be stored and any other forms of data management shall require the consent of the data subject and serve the purpose of lodging a legal claim or serve the public interest. The data subject shall have the right to obtain from the controller a restriction of the management of the data where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;
  • the data management is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the data management, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to the data management; in such cases, the restriction shall apply to the period until it is verified whether the legitimate grounds of the controller override those of the data subject.

 

10.8     Automated individual decision-making, including profiling

CDH does not perform profiling.

11 Recourse to the courts

We inform our users that they may seek redress from the courts against the data controller if their rights as data subjects are breached. The court will conduct an expedited proceeding in the matter. Adjudicating in lawsuits is the competence of the regional courts. Lawsuits may be brought before the court competent in the locality of the data controller’s registered seat or, if preferred by the data subject, at a regional court competent in the locality of the data subject’s permanent or temporary place of residence. Persons who have no legal standing otherwise may also be a party to such lawsuit.

If the data controller causes damage to others through the unlawful management of the data subject’s data or the breaching of data security requirements, it shall compensate for such damage. If the data controller violates the data subject’s personality rights through the unlawful management of the data subject’s data or the breaching of data security requirements, the data subject may demand pain and suffering damages from the data controller. The data controller shall be relieved of the liability for the damage caused and from the obligation to pay pain and suffering damages if it can prove that the damage or the violation of the data subject’s personality rights was due to circumstances beyond its control and beyond the scope of its data management. Damage shall not be compensated and pain and suffering damages may not be demanded to the extent that the damage or the violation of the personal rights was attributable to wilful or seriously careless behaviour on the part of the aggrieved party or the data subject, respectively.

 

 

12 Procedures by the Authority

Data subjects may also lodge complaints with, and request information from, the Authority:

  • Name: National Authority for Data Protection and Freedom of Information
  • Registered seat: 1125 Budapest Szilágyi Erzsébet fasor 22/c.
  • Postal address: 1530 Budapest, Pf.: 5.
  • Correspondence address: 1530 Budapest, Pf.: 5.
  • Phone: +36 (1) 391-1400
  • Fax: +36 (1) 391-1410
  • E-mail: ugyfelszolgalat@naih.hu
  • Website: http://naih.hu

 

13 Miscellaneous provisions

Regarding data management not listed in this Data Protection Notice, we will provide the relevant information when collecting the data. We kindly inform our clients that the courts, the public prosecutor, the law enforcement agencies, the administrative offences authority, the public administration authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary and, pursuant to their relevant legislative authorisations, other bodies may contact the data controller with requests to disclose and reveal information and data and to supply documents.

CDH shall disclose to the authorities the personal data only in the amount and to the extent essential for achieving the purpose of the request and only if the authority has specified the exact purpose of the request and the range of data concerned.


23 May 2018