Data management policy

PREAMBULUM

The personal data of our owners (hereinafter: Company) and its customers is collected and treated confidentially in accordance with the laws and the requirements contained in this data protection policy (hereinafter: Policy). The Company ensures the security of the data it receives, establishes the procedural rules, and takes the technical, organizational, and security measures necessary to enforce the data protection provisions of the applicable laws.

The purpose of these Regulations is for the Company to inform its Customers in accordance with the law about the scope of their personal data managed by the Company, the purpose and method of data management and all other facts related to data management, as well as to ensure the enforcement of data protection principles and data security requirements, and prevents unauthorized access, alteration, unauthorized disclosure or use of Customer data.

I. GENERAL PROVISIONS

1.1. Legal foundations

The legal basis of the Regulation is the following legislation:

• Basic Law of Hungary, VI. article;;
• a Act V of 2013 on the Civil Code (new Civil Code);
• az CXII of 2011 on the right to information self-determination and freedom of information. law (Info law);
• a EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and the free flow of such data (GDPR – General Data Protection Regulation).

1.2. Interpretative provisions

personal data: any data that can be associated with any specific (identified or identifiable) natural person (hereinafter: data subject), the conclusion that can be drawn from the data regarding the data subject. During data processing, personal data will retain its quality as long as the relationship with the data subject can be restored. A person can be considered identifiable in particular if he can be identified – directly or indirectly – on the basis of a name, identification mark, or one or more factors characteristic of his physical, physiological, mental, economic, cultural or social identity;

customer: a natural or legal person, or an unincorporated business company who is interested in entering into a contract with the Company, as well as who is already in a contractual relationship with the Company;

contribution: the voluntary and firm declaration of the data subject's wishes, based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data – in full or covering certain operations;

protest: the statement of the data subject objecting to the processing of their personal data and requesting the termination of data processing or the deletion of processed data;

data manager: the natural or legal person or organization without legal personality who or which determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented by the data processor commissioned by it;

data management: regardless of the procedure used, any operation or set of operations performed on personal data, such as, for example, their collection, recording, recording, organization, storage, alteration, use, transmission, disclosure, alignment or connection, blocking, deletion and destruction of the data, as well as preventing its further use, so the taking of photographs, sound or images, as well as the recording of physical characteristics suitable for the identification of the person, are considered data processing;

data transfer: if the data is made available to a specific third party;

disclosure: if the data is made available to anyone;

data deletion: rendering the data unrecognizable in such a way that their recovery is no longer possible;

data destruction: complete physical destruction of the data or the data carrier containing it;

data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;

data processor: the natural or legal person who processes personal data based on the contract concluded with the data controller;

dataset: the totality of data managed in a registry system;

third person: a natural or legal person, or an organization without legal personality, which is or is not the same as the data subject, the data controller or the data processor;

portal: the Company's public website.

II. MANAGEMENT OF PERSONAL DATA

2.1. The legal basis and principles of data management

2.1.1. The Company is entitled to manage the Customer's personal data upon access by the Customer concerned.

2.1.2. Personal data may only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. All stages of data management must comply with this purpose.

2.1.3. Only such personal data can be processed that is essential for the realization of the purpose of data management, is suitable for achieving the purpose, and only to the extent and for the time necessary for the realization of the purpose.

2.1.4. The Customer must be informed – clearly and in detail – about all the facts related to the management of his data, in particular the purpose and legal basis of data management, the person entitled to data management and data processing, the duration of data management, and who can see the data. The information must also cover the Customer's rights and legal remedies related to data management. The Company fulfills this obligation by publishing these regulations.

2.1.5. The processed personal data must meet the following requirements:

• their admission and treatment must be fair and lawful;
• they must be accurate, complete and, if necessary, timely;
• the way they are stored must be suitable so that the Customer can be identified only for the time necessary for the purpose of storage.

2.1.6. The data manager is obliged to plan and implement data management operations in such a way as to ensure the protection of the privacy of the Customers.

2.1.7. As part of the data manager's or activity's scope, the data processor is obliged to ensure the security of the data, and is also obliged to take the technical and organizational measures and establish the procedural rules that are necessary to enforce this law and other data and privacy protection rules.

2.1.8. The data must be protected with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.

2.1.9. The customer may object to the handling of his personal data, in which case the Company will terminate the data processing, including further data collection and transmission, and block the data, and notify all those to whom the personal data affected by the objection were notified of the objection and the measures taken based on it. forwarded earlier, and who are obliged to take measures to enforce the right to protest.

2.2. The purpose of the data management and the scope of the managed data

2.2.1. In the case of Customers interested in entering into a contract, the Customer's identification or in the case of customers entering into a contract, the Company manages the following data for the purpose of establishing and defining the content of the contract:

• Customer's name, address, place of residence or registered office, notification address, telephone number and e-mail address;
• In the case of a natural person, the Customer's birth name, mother's birth name, place and time of birth (bank account number in the case of payment by bank transfer);
• In the case of a non-natural person, the Customer's company registration number or other registration number, as well as its payment reference number;
• Time of phone calls and visits;
• The nature, location, accessibility, area of the property you are looking for, the type of activity you wish to perform on the property.

Based on the express consent or request of the Customer, the Company is entitled to process other personal data of the Customer that may facilitate contact.

2.3. Duration of data management

2.3.1 The Company manages or stores its Clients' data for 1 year after the termination of the legal relationship. If no legal relationship is established between the Company and the Customer, the data will be managed for one year after their creation or stored by the Company, the 2.3.2. with the exceptions contained in point If the Customer submits a written request to this effect, the processed data will be deleted and the data management will cease.

2.3.2 If the Company records a call to the Company's telephone customer service, a complaint, error report, or other request, it will keep the audio recording for 5 (five) years. The Company informs the Customer about this at the start of the telephone transaction.

2.4. Knowledgeability and transmission of data

2.4.1. The Company's employees and agents are entitled to access and manage the personal data available to the Company in accordance with their data protection and confidentiality obligations in accordance with these Regulations.

2.4.2. The Customer's personal data may be forwarded to the Company's registered real estate advertisers and companies belonging to the ownership circle.

2.4.3. At the request of the court, the prosecutor, the investigative authority, the state administrative authority, the data protection commissioner, the Company may release personal data to the authority. This can only be done if the requesting authority has specified the exact purpose of the data communication and the scope of the data. The Company discloses personal data only to the extent and to the extent that is absolutely necessary to fulfill the purpose of the request.

Customer data managed by the Company can be transferred:

• for those who carry out invoicing, claims management and customer information on the basis of the Company's mandate;
• for bodies authorized by law to settle legal disputes arising from invoicing and distribution issues;
• to the executor based on the provisions of § 47 of Act LIII of 1994 on judicial enforcement.

2.4.4. The personal data managed by the Company can be transferred if the conditions of data management are also met for each personal data in the case of data transfer.

2.4.5. Those who receive Customer data according to the above are subject to the same confidentiality and data protection obligations as the Company.

III. RULES RELATING TO ASSETS OPERATED BY THE COMPANY

3.1. Rules for the Portal

3.1.1. Access to certain parts of the Portal is subject to registration by the Company, during which the Company may acquire the user's personal data (name, phone number, e-mail address, etc.), but the provision of data on the Portal is voluntary in all cases.

3.1.2. The Company uses software that sends automatic electronic reply letters to customers who provide their e-mail address on the Portal in certain cases (e.g. a letter thanking you for registration).

3.1.3. The Company uses Google tools for traffic measurement (e.g. Google Analytics, Google Webmaster Tools, Google Adwords) in order to analyze user registrations and page visits on the Portal. Through these, certain data and IP addresses of the computers of users visiting the Portal are logged in order to record the users' visits. The Company uses this data exclusively to prepare statistics, for example to determine which part of the Portal is visited by users and how much time they spend there. The Company does not associate IP addresses with any other data on the basis of which the user can be personally identified, however, in certain cases these addresses and log files are considered personal data. When certain parts of the Portal are downloaded, as well as when the user accesses the advertising servers available from the Portal – including the marketing advertisements published by the Company under the heading "sponsored links" using Google Adwords in the Google system – the Company collects small, possibly personal installs data files (cookie) containing data on the user's computer for the purpose of recording data, identifying the user and facilitating further visits.

3.1.4. The user can set the browser used to access the Internet to receive a notification if the Company wants to place a cookie on their computer and can prohibit the sending of cookies at any time. At the same time, if cookies are not accepted, some pages will not work perfectly, or the user may not be authorized to access certain data.

3.1.5. By viewing the Portal, the user and the Company establish a relationship with each other via a telecommunications device, the information is provided on an open network (Internet). This requires compliance with increased control and security requirements on the part of the Company. Accordingly, the Company strives to ensure that its service is considered secure from a technical point of view, according to the data protection legislation in force. The same applies to the service provider that makes the Portal available, who is obliged to treat the personal data and other information in their possession as a business secret. The Company disclaims all responsibility for the information published on the Internet by the user using the Portal.

3.1.6. If the Company becomes aware that during registration the user provides other personal data in violation of the rights of a third party or the laws; uses publicly available or unlawfully obtained personal or non-personal data on the Portal in a manner that violates the rights of third parties or the law; or otherwise violated these data protection rules, or caused damage while using the Portal, the Company will take the necessary legal measures to hold the person responsible for the above behaviors legally responsible. In such cases, the Company will provide all possible assistance to the acting authorities in order to establish the identity of the person violating the law and hold them accountable.

IV. RIGHTS OF CUSTOMERS AND THEIR ENFORCEMENT

4.1. The Customer's rights that can be requested from the Company

• information on the management of personal data,
• correcting personal data,
• limiting the scope of processed data,
• deletion or blocking of personal data – with the exception of mandatory data management –,
• transfer of processed data.

4.2. Provision of information

4.2.1 At the Customer's request, the Company provides information on the data it manages, or processed by the processor commissioned by it, the purpose of the data processing, the legal basis, the duration, the name, address (headquarters) of the data processor and its activities related to the data processing, as well as who receives it and for what purpose or have received the data, as well as whether the Customer's data is being processed and, if so, which data is being processed.

4.2.2 The Company maintains a data transfer register for the purpose of checking the legality of the data transfer and informing the Customer, which includes the date of transfer of the personal data managed by it, the legal basis and recipient of the data transfer, the definition of the scope of the transferred personal data, as well as other data specified in the law that prescribes data management. The duration of the record of data transfer – and the obligation to provide information based on it – may be limited by the legislation governing data management. In the case of personal data, the limitation period cannot be shorter than five years.

4.2.3 The data controller is obliged to provide the information in writing in an understandable form as soon as possible, but no later than 30 days after the submission of the request.

4.2.4 The data controller is obliged to inform the Customer of the reason for the refusal to provide information. In case of refusal to provide information, the Company informs the Customer of the possibility of a judicial remedy, as well as the possibility of turning to the National Data Protection and Freedom of Information Authority (hereinafter: Authority).

4.3. Right to rectification

Personal data that do not correspond to reality must be corrected by the data controller.

4.4. Right to deletion

Personal data must be deleted if

• handling is illegal;
• the Customer requests;
• is incomplete or incorrect – and this state cannot be legally corrected – provided that deletion is not precluded by law;
• the purpose of data management has ceased, or the statutory period for data storage has expired;
• it was ordered by the court or the Authority.

4.5. Right to protest

4.5.1. The Customer may object to the processing of his personal data,

• if the processing or transmission of personal data is necessary solely to fulfill a legal obligation relating to the Company or to enforce the legitimate interests of the Company, the data recipient or a third party, except in the case of mandatory data processing;
• if the personal data is used or transmitted for the purpose of direct business acquisition, public opinion polls or scientific research; as well as
• in other cases specified by law.

4.5.2. The Company examines the objection as soon as possible, but no later than 15 days after the submission of the application, makes a decision on its merits, and informs the applicant of its decision in writing.

4.5.3. If the Company determines that the Customer's protest is well-founded, it will terminate the data management and block the data, as well as notify all those to whom the personal data affected by the protest was previously forwarded, and who are obliged to take measures to enforce the right to protest, about the protest and the measures taken based on it. . If the Customer does not agree with the Company's decision, or if the Company misses the deadline, the Customer may apply to the court as specified in § 22 of the Info Act.

4.5.4. The Company may not delete the Customer's data if the data management is mandated by law. However, the data may not be forwarded to the data recipient if the Company has agreed to the objection or the court has determined that the objection is justified.

4.6. Data transfer right

Anyone can request to receive the data processed about them in a readable format (e.g. .doc, .pdf, etc.), and they are also entitled to forward this data to another data controller without the Company, as the original data controller, hindering this.

4.7. Court enforcement

• In the event of a violation of his rights, the Customer may apply to the court against the data controller. The court acts out of sequence in the case.
• The data controller is obliged to prove that the data management complies with the provisions of the law.
• The adjudication of the lawsuit falls within the jurisdiction of the court. According to the Customer's choice, the lawsuit can also be initiated before the court of the Customer's place of residence or residence. A person who otherwise does not have legal capacity can be a party to the lawsuit. The Authority may intervene in the lawsuit in order to win the case for the Customer.
• If the court approves the request, it obliges the data controller to provide information, correct, block, delete the data, annul the decision made by automated data processing, take into account the Customer's right to object, and release the requested data to the benefit of the data recipient.
• The court may order the publication of its verdict – by publishing the identification data of the data controller – if it is required by the interests of data protection and the rights of a larger number of Customers protected by this law.

4.8. Compensation and damages

• The data controller is obliged to compensate the damage caused to others by the illegal handling of the Customer's data or by violating the requirements of technical data protection. The data controller is also responsible for the damage caused by the data processor vis-à-vis the Customer. The data controller shall be released from responsibility for the damage and the obligation to pay damages if it proves that the damage was caused by an unavoidable cause outside the scope of data management.
• There is no need to compensate the damage and no damages can be claimed if it resulted from the intentional or grossly negligent behavior of the injured party.

ADDITIONAL PROVISIONS OF THE COMPANY RELATING TO DATA PROTECTION AND DATA SECURITY

• The Company's (employees, subcontractors and) agents are obliged to comply with data protection and confidentiality obligations in accordance with these Regulations.
• The Company does not allow third parties to access the data without the Customer's verbal permission. An exception to this is the obligation to provide data based on legislation.
• The Company protects the Customer's personal data against unauthorized access, alteration, disclosure, deletion, damage, or destruction.
• In order to achieve data security, the Company guarantees that unauthorized persons cannot physically access any element of the paper-based or IT system.
• In the event of detection of a violation of personal data, the Company is obliged to notify the National Media and Communications Authority immediately.
• The Customer is obliged to do everything that can be expected of him in order to choose his personal data in a way that does not give rise to misuse.

The data controller

• participates and provides assistance in making decisions related to data management, as well as in ensuring the rights of Customers;
• checks compliance with the provisions of the Info Act and other legislation on data management, as well as internal data protection and data security regulations and data security requirements;
• investigates the reports received, and calls the data controller or the data processor to terminate it if unauthorized data processing is detected;
• prepares the internal data protection register;
• ensures the education of data protection knowledge [Article 24 (2) of the Info Act].

The Company makes this Data Management Policy available in electronic form on the website www.propertydeveloper.eu.