PRIVACY POLICY
Introduction
The purpose of this Privacy Policy (hereinafter referred to as Policy) is to provide information to people interested in, using or intending to use the activities and services of Shami Ingatlanforgalmazó és Építőipari Korlátolt Felelősségű Társaság (hereinafter referred to as Controller), such people being hereinafter referred to as Data Subject. The information is provided in accordance with the applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR). It covers the processing of their personal data relating to the real estate marketing activities of the Controller and the use of the website www.rubinresidence.hu, the purposes and legal basis of data processing, the identity and contact details of the Controller and processors, and basic information on the data processing.
The purpose of the Policy is also to inform the Data Subjects:
- about their rights in relation to data processing concerning them,
- about whom they can contact, and how, with their requests and questions concerning the data processing of their personal data, from whom they can obtain the requested information and how long it will take to obtain it,
- about whom they can turn to with their complaint and from which body they can seek legal protection if they consider that their rights have been infringed in connection with data processing, for example if they have not been adequately informed about or do not agree with the data processing, or if they consider that the processing of their personal data is unlawful.
We endeavour to summarise the above in this Policy in an understandable and clear format so that Data Subjects can understand how the collection, storage and other processing of their personal data when using our services, visiting our website, contacting us and other data processing operations may affect their right to information, self-determination and privacy.
I. General provisions
I.1. Identification of the Controller
Name: Shami Ingatlanforgalmazó és Építőipari Korlátolt Felelősségű Társaság
Abbreviated name: Shami Kft.
Court registration number: 01-09-884755
Tax identification number: 14013287-2-41
Registered seat: 1135 Budapest, Mohács utca 8/B. Fsz. Ü. ajtó
E-mail: sales@hay-group.hu
Telephone number:
Representative of the Controller: Sárközy Mátyás, managing director; contact details are the same as above
I.2. Basic provisions governing the data processing
The Controller's service is directed to and provided from Hungary. Accordingly, the provision of the service and the Data Subjects in the course of using the service (including data processing) shall be governed by Hungarian law.
The scope of this Policy covers the processing of personal data in connection with the activities of the Controller related to the sale of properties (apartments) to be built in the Rubin Residence project (hereinafter referred to as Project) at 31 Dohány Street, 1074 Budapest, Hungary, in the course of using the interface of www.rubinresidence.hu (hereinafter referred to as Website), viewing the electronic content made available there, and using the service. The material scope of this Policy covers all processes that use the data collected on the Website to process personal data as defined in Article 4 (1) of the GDPR.
This Policy is valid from ** April 2023 until its withdrawal.
The definitions in this Policy are the same as those set out in Article 4 of the GDPR, except that for the purposes of this Policy:
User: natural persons browsing the Website, regardless of which pages or sub-pages of the Website they visit;
Personal data: any information (such as name, email address) relating to an identified or identifiable natural person (Data Subject);
Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (See point I.1)
Processor: the natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. (See point III.)
I.3. The Controller is responsible for compliance with the following principles when processing your personal data:
- process personal data lawfully, fairly and transparently (“lawfulness, fairness and transparency”);
- collect personal data only for specified, explicit and legitimate purposes and do not process them in a way incompatible with those purposes (“purpose limitation”);
- ensure that the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);
- keep the personal data accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (“accuracy”);
- store the personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
I.4. Legislation governing data processing
The Controller shall carry out its data processing activities in accordance with the applicable European Union and national legislation in force, in particular the following legal provisions (including the applicable legislation when determining the legal basis and duration of each data processing operation):
- Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR),
- Act CVIII of 2001 on certain aspects of electronic commerce and other information society services (Electronic Commerce Act) (hereinafter referred to as Ekertv.),
- Act CL of 2017 on the Rules of Taxation (hereinafter referred to as Art.)
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (hereinafter referred to as Advertising Act)
- Act V of 2013 on the Civil Code (hereinafter referred to as Civil Code)
- Act C of 2000 on Accounting (hereinafter referred to as Sztv.)
I.5. Update and availability of the Policy
The Controller reserves the right to amend this Policy unilaterally, subject to the restrictions set out in the applicable legislation and, if necessary, by informing the Data Subjects in due time in advance. Such amendments may only be made after the amendment has entered into force. This Policy may be amended in particular in response to changes in legislation, official practices, new data processing purposes or feedback from Data Subjects. Specific data protection conditions may also apply to the provision and use of certain special services by the Data Subject, of which the Data Subject will be informed prior to using the service.
II. Scope of data processed and purposes of data processing
The scope of personal data processed by the Controller, the purposes of the processing, the legal basis for the processing and the duration of the processing are set out in the table below.
The Controller informs the Data Subject that, where a data processing purpose is necessary for the purposes of the legitimate interests of the Controller or of a third party, the Controller will provide the applicant with the balance of interests test necessary to establish the legitimate interest as a legal basis for processing, upon request to the contact details set out above.
The Controller informs the Data Subject that, in the case of data processing based on his or her consent, he or she has the right to withdraw his or her consent at any time. Accordingly, you may withdraw your consent at any time by sending an e-mail to ...................., without prejudice to the lawfulness of the processing that preceded it. If you withdraw your consent, you will no longer be entitled to the service (e.g. newsletter service) to which you have given your consent.
| Name and purpose of the processing | Scope of personal data processed | Legal basis for data processing | Duration of data processing |
| --- | --- | --- | --- |
| Preparation of the (pre)contract for the sale of property between the Data Subject and the Controller as the seller of the property to be purchased, in particular the provision of information about the selected property | On the www.rubinresidence.hu (Website), the data provided during the request for an offer: name (surname and first name), e-mail address, telephone number, the purpose of the property purchase (private or investment), the size (number of rooms) of the apartment you are interested in, as well as any other messages and data provided by the Data Subject to the Controller in connection with the preparation of the pre-contract or final contract for the sale of property or the request for an offer. | Article 6 (1) b) GDPR – data processing is necessary for the performance of a contract to which the Data Subject (as a natural person) is a party and processing is necessary for the purposes of taking steps at the request of the Data Subject prior to entering into a contract. Article 6 (1) c) GDPR – processing is necessary for compliance with a legal obligation to which the Controller is subject. | The Controller shall process the relevant data for 5 years from the date of termination of the contract (with reference to Article 6:22 of the Civil Code). If no contract is concluded, the Controller shall delete the data provided in connection with the request for an offer on the 60th day after the date of the request for an offer on the Website. The Data Controller shall retain the documents and records pursuant to Section 169 of Sztv. for 8 years. In connection with the fulfilment of the tax obligation, the data retention period for the documents concerned is 5 years from the last day of the calendar year in which the tax should have been declared or reported or, in the absence thereof, the tax should have been paid (§ 78, § 202 Art.) |
| To send newsletters by e-mail containing informative information and direct marketing material related to the activities of the Controller, containing information about the properties on the Website, services related to the sales process of the properties, the activities/services of the Data Controller | Name (first and last name), e-mail address provided on www.rubinresidence.hu (Website) | Article 6 (1) a) GDPR – data processing is based on your explicit consent. Consent can be given on the Website by clicking on the "Subscribe" button after voluntarily providing the personal data required to subscribe. | The Controller shall process the Data Subject's personal data until the withdrawal of the consent, but not later than the last day of the 3rd year following the consent. |
| Survey on the services of the Controller (satisfaction measurement) by sending an e-mail questionnaire | Name (first and last name), e-mail address provided on www.rubinresidence.hu (Website) | Article 6 (1) a) GDPR – data processing is based on your explicit consent. The consent form can be given on the Website by clicking on the button "I will participate in a survey (satisfaction survey) on the services of Shami Kft." after voluntarily providing the required personal data. | The Controller shall process the Data Subject's personal data until the withdrawal of the Data Subject's consent, but not later than the last day of the 3rd month following the end of the Project (the last day of the 3rd month following the date of obtaining the last occupancy permit for the property to be sold in the Project). |
| Informing the Data Subject about the progress of the Project in relation to the properties intended/sold by the Controller | Name (first and last name), e-mail address provided on www.rubinresidence.hu (Website) | Article 6 (1) a) GDPR – data processing is based on your explicit consent. The consent form can be given on the Website by clicking on the "I want to be informed about the progress of the Project" button, after voluntarily providing the necessary personal data. | The Controller shall process the Data Subject's personal data until the withdrawal of the Data Subject's consent, but not later than the end of the Project (on the basis of which the Controller will delete the data within 30 days of obtaining the last occupancy permit for the property to be sold in the Project). |
| The processing and transmission of data may be necessary for the direct (between the Data Subject and the service provider) coordination of the use of services, the installation and operation of equipment, in connection with the internal or external design of the property purchased by the Data Subject, to persons or companies involved in the processing. | Name (first and last name), e-mail address, telephone number, requirements related to the design of the apartment. The provision of the data is a precondition for the preparation, conclusion, and performance of the contracts necessary for the use of the service related to the property. | Article 6 (1) b) GDPR – data processing is necessary for the performance of a contract to which the Data Subject (as a natural person) is a party and processing is necessary for the purposes of taking steps at the request of the Data Subject prior to entering into a contract (in connection with the contract for the service in question). The companies involved in the provision of the services, as controllers independent of the Controller, act under their own responsibility and may have their own data processing conditions. | The Controller shall process the Data Subject's personal data until the end of the Project (on the basis of which your data will be deleted within 90 days of obtaining the last occupancy permit for the property to be sold in the Project). |
| Contact-related processing of personal data - informing persons who contact the Controller in any way and providing them with the requested/necessary information. Continuous and effective communication with contractual partners | Name, position, notification address, telephone number, e-mail address | Article 6 (1) a) GDPR – data processing is based on your explicit consent. Article 6 (1) b) GDPR – data processing is necessary for the performance of a contract to which the Data Subject (as a natural person) is a party and processing is necessary for the purposes of taking steps at the request of the Data Subject prior to entering into a contract. For contractual partners, the legitimate interest of the Controller and the contractual partners [Article 6 (1) f) GDPR]. The legitimate interest is to perform and execute contracts, to exercise contractual rights and obligations and to facilitate and organise economic cooperation between the parties. | The Controller shall process the personal data of the Data Subject until the withdrawal of consent, but for a maximum period of 3 months after the consent has been given. In the case of contractual partners: the Controller shall process the data for 5 years after the existence of the legal relationship in question, or for 5 years after the termination of the Data Subject's mandate as a representative (with reference to Section 6:22 of the Civil Code). |
III. Data processors processing the data
| Name | Registered seat | Scope of data transmitted for data processing | Data processing task |
| --- | --- | --- | --- |
| | | | web hosting service |
| | | | website management |
| | | | website development/maintenance |
| | | | newsletter service |
| Nógrádi Law Office | H-1037 Budapest, Montevideo utca 3/A. | Name (first and last name), telephone number, e-mail address | preparation of (pre)sales contracts |
| Active Invest Ingatlanforgalmazó Korlátolt Felelősségű Társaság (Otthon Centrum partner) | H-1085 Budapest, József körút 77-79. | Name (first and last name), telephone number, e-mail address | property sales activities, customer relationship management tasks |
IV. Management of cookies on the Website
Anyone may access the Website without revealing their identity or their personal data, and may access the information displayed on the Website and on the websites linked to it freely and without restriction. The Website may collect non-personally identifiable information about Users; some parts of the Website use so-called "cookies". The purpose of the data processing in connection with the use of cookies is to measure the number of visits to the Website (depending on the cookie); the legal basis for the data processing is the consent of the Data Subject pursuant to Article 6 (1) a) GDPR. The data is stored until the User deletes the cookie.
IV.1. What is a cookie?
Cookies are small data files that are stored by the browser on the User's computer at the request of the Website with a unique identifier, thus enabling the Website to distinguish between computers and other devices that load the Website. The data and settings stored by cookies are used by the Controller to maintain and improve the services of the Website and to enhance the user experience. Internet browsers give Users the possibility to set the browser to reject certain types of cookies or even a specific cookie, but the User can also delete them manually or automatically.
IV.2. What cookies are used on the Website?
Only statistical, session and usage cookies are used on the Website.
Session cookies: temporary cookies, stored on the computer only during the current visit, and automatically deleted from the computer at the end of the session and when the browser is closed. Their use is essential for navigating the Website and for the proper functioning of the Website. Session cookies do not collect any personally identifiable information. Applied session cookies: XSRF-TOKEN, validity: 2 hours / Laravel session, validity: 2 hours.
Performance cookies (analytics): Google Analytics cookies are used to collect information about Users' activity on the Website. These will help us to make the Website more transparent and easier to use in the future. These cookies cannot identify the User personally, the data is stored in aggregate and anonymised.
Applied statistical cookies: _gid Google Analytics, validity: 1 day / _ga Google Analytics, validity: 2 years / _gat Google Analytics, validity: 1 minute.
The information collected by cookies is not sold, rented or otherwise distributed by the Website to third parties, except to the extent necessary to provide the services for which you have given your prior and voluntary consent to this information. The Website may contain links to independent sites controlled and maintained by third parties. Since the Website does not control the use of information by such third parties, in all such cases, the third party's privacy policy will govern, for which the Website assumes no responsibility and cannot be held legally liable.
The Website operator will not remember any identifier or password even if cookies are enabled. The User can use the electronic services of the Website in complete safety even if he or she accepts cookies.
IV.3. Checking, managing and disabling cookies
Modern browsers allow you to change cookie settings. Some browsers automatically accept cookies by default, but you can change this setting to prevent automatic acceptance in the future. If you change this setting, the browser will ask you each time whether to accept cookies.
Given that the purpose of cookies is to support and facilitate the usability and processes of the Website, if cookies are disabled, the Controller cannot guarantee that the User will be able to use all the functions of the Website to their full extent. The Website may then function differently than intended in the browser.
More detailed information on cookie settings for the following browsers is available at the following URLs:
In order to prevent the collection of personal information by anonymous Google Analytics cookies, you as Data Subject must install a Google Analytics plug-in in your browser. More information on this can be found at the links below:
V. Data security measures
V.1. Ensuring basic conditions for data security
The Controller shall fully comply with the data and confidentiality protection, information security and access regulations for the security of data and shall ensure appropriate data protection by operating an IT system that meets the technical standards of the time and by taking organisational measures.
We select and operate the computing tools used for data processing in such a way that the data processed is always secure for you and other Data Subjects:
- access (availability),
- authenticity,
- the integrity of the data,
- protection against unauthorised access (confidentiality of data).
In processing the data, we ensure the information system’s:
- privacy (taking into account the potential threats to data processing),
- complete protection (all elements of the IT system are protected),
- continuity of protection (continuous protection over time),
- proportionality to the potential risks.
V.2. People entitled to access the data
We ensure that your personal data is always protected from unauthorised access.
We may be approached by a court, prosecutor's office, investigating authority, infringement authority, administrative authority, the National Authority for Data Protection and Freedom of Information, and other authority(ies) authorised by law to transfer or transmit personal data in connection with data processing. In such cases, we will only disclose information that we are legally required to disclose and to the extent that it is strictly necessary to fulfil the request.
VI. Your rights and means of enforcement as a Data Subject
In any case, we allow the Data Subjects, including you, to exercise the rights granted by the Regulation, subject to the limitations set out therein.
- Do you, as a Data Subject, need to justify the legal basis for your request?
You do not need to justify the legal basis for your request, as data protection rights are fundamental rights of data subjects.
- Do you, as a Data Subject, need to identify yourself?
Yes, lack of identification may lead to a refusal of the application. Identification can be done when the application is submitted in person (or when the data is received): by presenting an official document proving your identity /the document will not be copied/; if the application is submitted online, we will prepare the application, but the data will only be given to the applicant after identification has been completed. (Please do not send us a copy of an official document proving your identity, as sending this document by electronic mail does not identify the Data Subject, but results in unnecessary data processing.)
- Do you, as a Data Subject, need to rely on your relationship with the data subject of the request?
Yes, you need to refer to your relationship with the data subject to the request. Without a clear and precise relationship, your request may be refused.
- Place and method of application:
You, as a Data Subject, may submit your request by sending a letter to our postal address indicated in this Policy or by sending an electronic (e-mail) message to the e-mail address provided.
VI.1. As a Data Subject, you are entitled to:
- prior information, and may request information about the processing of your personal data and/or access to your data - in which case you will be informed whether a controller is processing personal data concerning you and, if so, the exact purposes, legal basis, scope of the data processed and the main rules of the processing (as set out in this Policy) and, upon request, we will provide you with a copy of the personal data processed;
If your request is manifestly unfounded or excessive, in particular because of its repetitive nature, a reasonable fee may be charged, considering the administrative costs of providing the information or information requested or of taking the action requested, or action may be refused on the basis of the request. The burden of proving that the request is manifestly unfounded or excessive shall lie with the Controller.
- rectification of your data, i.e. the correction or rectification of inaccurate personal data concerning you, or the completion of incomplete data;
- deletion of your data, i.e. rendering the data unrecognisable in such a way that it is no longer possible to recover it;
A request for deletion may be granted if one of the following grounds applies:
a) the personal data are no longer necessary for the purposes for which they are processed;
b) you withdraw your consent on which the data processing is based and there is no other legal basis for the data processing;
c) you object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to the processing of your data for commercial purposes;
d) we process your personal data unlawfully;
e) the personal data must be deleted in order to comply with a legal obligation under EU or Member State law applicable to us;
f) the personal data has been collected in connection with the provision of information society services referred to in Article 8 (1) of the Regulation.
The data may not be deleted if the processing is necessary for the establishment, exercise or defence of our legal claims.
- restriction of the processing of your data, on the basis of which we will restrict the data processing at your request if one of the following conditions is met:
a) if you, as a Data Subject, contest the accuracy of your personal data, in which case the restriction applies for the period of time that allows us to verify the accuracy of your personal data;
b) if the data processing is unlawful and you, as a Data Subject, oppose the deletion of the data and instead request the restriction of their use;
c) where the personal data are no longer necessary for the purposes of processing, but you, as a Data Subject, require them for the establishment, exercise or defence of legal claims.
If the processing is restricted, such personal data may be processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.
If a restriction is imposed, you will be informed in advance of the lifting of the restriction on data processing in accordance with the applicable regulations.
The restriction of data processing may also take place independently of your request, in particular, but not exclusively, in the following cases:
- if the supervisory authority (National Authority for Data Protection and Freedom of Information) orders so,
- if the Controller is ordered by the competent authority or court to comply with the restriction,
- at our own discretion, where we consider that the deletion of the data would harm your legitimate interests as Data Subject or the legitimate interests of third parties (in particular, where it is necessary to preserve the data as evidence /e.g. pending the outcome of an investigation or proceeding/).
- in the event of a data breach, if it is likely to result in a high risk to your rights and freedoms, we will provide you with information about the circumstances of the data breach, its effects and the measures taken to respond to it.
- if the transfer is made outside the exceptions provided for by law, we will provide information on the legal basis and recipient(s) of the transfer upon request.
VI.2. Withdrawal of consent:
In the case of processing based on your consent, you may withdraw your consent at any time, but such withdrawal shall not affect the lawfulness of processing based on your consent prior to that time.
VI.3. Procedure for the exercise of rights relating to data processing
The Controller shall inform you of the action taken on your request under Articles 15-22 of the GDPR within one month of receipt of your request at the latest, which may be extended by two months if necessary (taking into account the complexity of the request and the number of requests, pursuant to Article 12 (3) of the GDPR). The extension will be notified within the time limit for the procedure, stating the reason for the extension.
VII. LEGAL REMEDIES
Submitting a complaint: we recommend that you make use of the possibility to submit a request, complaint, objection (and all related consultations) directly to us before initiating any official or judicial procedure. Our telephone number, e-mail and postal address for these purposes are given in the first part of this Policy.
Initiating a public authority procedure: You may, at your discretion, file a data protection notification and initiate a data protection authority procedure if you believe that we have breached our obligations regarding the processing of your personal data.
The competent authority: National Authority for Data Protection and Freedom of Information
address: H-1055 Budapest, Falk Miksa u. 9-11.
postal address: 1363 Budapest, Pf.: 9.
telephone number: +36 (1) 391-1400,
e-mail address: ugyfelszolgalat@naih.hu,
address of its website: http://naih.hu
Initiating a court procedure: If you, as a Data Subject, do not agree with our decision regarding your request or objection, or if we fail to comply with the mandatory deadline for replying, you may turn to court within 30 days of notification of the decision or of the last day of the deadline. You – at your choice - may also bring the action before the court competent for your address or place of residence.
In case you have any questions or comments about this Policy, please contact us at the telephone number or e-mail address indicated in the Introduction to this Policy, or by letter to our postal address.
Shami Ingatlanforgalmazó és Építőipari Korlátolt Felelősségű Társaság
Controller