I. INTRODUCTION
REM Property Services Kft. (seat: 1124 Budapest, Csörsz utca 49-51.; court registration number: Cg.01-09-905376; tax number: 14176937-2-43) as service provider and data manager (hereinafter “Data Controller”) is subject to this Data Protection Statement.
The Data Controller hereby provides the following information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) (hereinafter: “GDPR“) and Act no CXII of 2011 on the Right to Informational Self-determination and Freedom of Information (hereinafter “Info tv.”).
This Data Protection Statement regulates the data protection rules of the Data Controller, including its website (“Website”). This Data Protection Statement also explains how the Data Controller protects visitors’ information gathered via the Website.
II. PERSON AND CONTACT INFORMATION OF THE DATA PROCESSOR
The Data Controller and its contact details:
REM Property Services Kft.
Office/postal address: 1124 Budapest, Csörsz utca 49-51.
Tax number: 14176937-2-43
E-mail: info@rem.co.hu
Court registration number: Cg.01-09-905376
Telephone: +36 202 878 780
The Data Controller does not have a data protection officer.
If you have any questions regarding this Data Protection Statement, or the collection and processing of your personal data while using the Website, please direct them to: info@rem.co.hu.
III. GOVERNING LAWS
In the course of its data management, the Data Controller shall act in accordance with the regulations as follows:
GDPR
⦁ Info tv.
⦁ Act no V of 2013 on the Civil Code (“Civil Code”)
⦁ Act no I of 2012 on the Labour Code (“Labour Code”).
IV. DEFINITIONS
The following terms and provisions shall apply in accordance with GDPR and Info tv.:
⦁ personal data: any information relating to an identified or identifiable natural person (“Data Subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can be identified.
⦁ data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making it available, coordinating or connecting, limiting, deleting or destroying.
⦁ data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law.
⦁ data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
processing means any operation or set of operations on personal data (manual or automated) such as collection, recording, structuring, storage, use, disclosure, restriction, erasure or destruction (as further defined in the data protection legislation).
data protection legislation means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; and (c) any other similar national privacy law, including the Info.tv.
recipient: the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or member state law in the context of an individual investigation are not considered recipients; the handling of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the data management.
third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorized to process personal data under the direct control of the data controller or data processor .
registration system: a file of personal data divided in any way – centralized, decentralized or according to functional or geographical aspects – which is accessible based on specific criteria.
data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
representative: the natural or legal person with a place of business or residence in the European Union and designated in writing by the data controller or data processor on the basis of Article 27 of the GDPR, who represents the data controller or data processor the obligations of the data controller or data processor pursuant to the GDPR and this Data Protection Statement.
enterprise: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.
data asset inventory: a document used to assess the scope and nature of personal data managed by the data controller.
technical and organizational measures: a properly defined procedure, taking into account the nature, scope, circumstances and purposes of the data management, as well as the varying probability and severity of the risk posed by the data controller to the rights and freedoms of natural persons, in order to ensure and prove that the processing of personal data complies with data protection legislation. These measures are regularly reviewed by the data controller and updated if necessary.
V. GENERAL LEGAL BASIS FOR DATA MANAGEMENT
The Data Controller processes personal data that is provided to it, that it may obtain from your employer or contractual partner, advisor or third party, that you explicitly made publicly available or is publicly available otherwise (e.g. online media).
This personal data may include:
- your name, surname and gender;
- your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number;
- history and details of your business contacts with the Data Controller;
- your bank account details;
- IP address;
- your personal data provided in connection with the execution of your rights in accordance with this Data Protection Statement;
For the purposes specified here-below we do not collect or process any ‘sensitive’ or ‘special categories’ of personal data as defined in the data protection legislation.
The processing of personal data is only lawful if and to the extent that at least one of the following legal bases is met:
⦁ The data subject has given his consent to the processing of his personal data for one or more specific purposes (hereinafter: data processing based on consent).
⦁ Data management is necessary for the fulfilment of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract (hereinafter: contract-based data management).
⦁ Data management is necessary to fulfil the legal obligation of the Data Controller (hereinafter: data management based on legal obligation).
⦁ Data management is necessary to protect the vital interests of the data subject or another natural person (hereinafter: data management based on vital interests).
⦁ Data management is in the public interest or is necessary for the execution of a task performed in the context of the exercise of a public authority delegated to the Data Controller (hereinafter: data management based on public authority authority).
⦁ Data management is necessary to enforce the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the child concerned (hereinafter: legitimate interest-based data management).
The Data Controller hereby undertakes to perform data management only and to the extent that at least one of the above legal basis in relation to the management of a specific personal data applies, as set forth in and in accordance with the data protection legislation. The legal basis for data processing may change during data processing.
VI. DATA SECURITY
The Data Controller selects and operates the IT tools used for the management of personal data during the provision of the service in such a way that the managed data:
⦁ accessible to those authorized to do so (availability);
⦁ its authenticity and authentication are ensured (authenticity of data management);
⦁ its immutability can be verified (data integrity);
⦁ be protected against unauthorized access (data confidentiality).
The Data Controller uses appropriate measures to protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction.
The Data Controller ensures the protection of the security of data management with technical, organizational and organizational measures that provide a level of protection corresponding to the risks associated with data management.
During data management, the Data Controller preserves
⦁ confidentiality: it protects the information so that only those who are authorized to do so can access it;
⦁ integrity: protects the accuracy and completeness of the information and the method of processing;
⦁ availability: it ensures that when the authorized user needs it, he can really access the desired information and that the related tools are available.
VII. LEGAL BASIS, PURPOSE OF DATA PROCESSING, SCOPE OF PROCESSED DATA AND PERIOD OF DATA PROCESSING
The main services of the Data Controller are as follows: real estate investment and transaction advisory services, real estate asset management, real estate development management, property and facility management services.
| Managed data | Purpose of data management | Legal basis for data management | Duration of data management |
| By filling out the contact form displayed on the Website (if any), the Data Subject:
name (surname, first name) e-mail address |
Ensuring application, presentation of services, contact, communication. | The data management of the Data Controller is based on the Data Subject’s consent according to point b) of Article 6, paragraph 1, point a) of the GDPR. | Until consent is withdrawn or until it is necessary to fulfil the contract, but at most until the contractual relationship is concluded. |
| In case of subscribing to a newsletter (if any), the Data Subject: name (surname, first name) e-mail address Newsletters, offers and general information to potential clients, clients |
Marketing inquiries, sending information about conferences, maintaining the level of service. | Data processing by the Data Controller is subject to the Data Subject’s consent in accordance with Article 6 (1) point a) of the GDPR and Section
6(5) of Act no XLVIII of 2008 on the Requirements of Advertising. |
Until withdrawal of consent, i.e. until unsubscribing. |
| General contract administration: preparation of contracts, conclusion of contracts and performance of contract, financial, accounting (invoicing)
(“Data Management related to Contracts”)
|
contact,
provision of services, communication, contract fulfilment, |
Data processing by the Data Controller is subject to the Data Subject’s consent in accordance with Article 6 (1) point a) and 6 (1) point c) of the GDPR. | Until consent is withdrawn or until it
is necessary to fulfil the contract, but at most until the contractual relationship is concluded. As to invoicing documentation, 8 years apply in accordance with Section 169(2) of Act c of 2000 on Accounting. |
| Data management related to real estate investment and transaction advisory services, real estate asset management, real estate development management, property and facility management services
financial, accounting (invoicing) (“Data Management related to Services”) |
contact,
communication maintaining the level of services |
Data processing by the Data Controller is subject to the Data Subject’s consent in accordance with Article 6 (1) point a) and 6 (1) point c) of the GDPR. | Until consent is withdrawn or until it
is necessary to fulfil the contract, but at most until the contractual relationship is concluded. As to invoicing documentation, 8 years apply in accordance with Section 169(2) of Act c of 2000 on Accounting. |
| Data management related to the use of the (“Website (Website Data Management”)
Compliance with the applicable legal, regulatory or professional requirements (“Anti Money laundering related Data Management”) |
The preparation and maintenance of the Website and ensuring the working order and functions of the Website. Contact, communication,
compliance |
Data processing by the Data Controller is subject to the Data Subject’s consent in accordance with Article 6 (1) point a) and 6 (1) point f of the GDPR. Data processing by the Data Controller is subject to the Data Subject’s consent in accordance with Article 6 (1) point a) and 6 (1) point c) of the GDPR. | Until consent is withdrawn or until it is necessary to fulfil the contract, but at most until the contractual relationship is concluded. At least 8 years under national money laundering
legislation |
VIII. DATA PROCESSORS, NEWSLETTER
The Data Controller will not forward the personal data provided by the Data Subject to any other person, save for the transfer of data in the case of an official inquiry by any authority or court, or transfer of data required for book-keeping, auditing, accounting purposes.
In other cases, the data may only be forwarded after prior information and consent of the Data Subject.
When subscribing to any newsletter on the Website, the Data Subject grants its consent to inquiries for marketing purposes.
You can unsubscribe from the newsletter at any time free of charge, without restrictions or reasoning, via the unsubscribe link in the newsletters or by sending a cancellation request to the following email address: info@rem.co.hu. If you unsubscribe from newsletters, the personal data registered in connection with sending the newsletter will be deleted and you will no longer receive newsletters and notifications from us.
IX. STORAGE PROVIDER
We use the following company as hosting provider for the Website:
Name: Vieeye https://vieeye.hu/, address: Budapest, Karinthy Frigyes út 5, 1117 privacy policy: https://vieeye.hu/adatvedelmi-tajekoztato/ , which operates on its servers, from which backups are made to ensure data security.
Location of physical data storage: EU territory – Hungary
X. COOKIE RULES
We would like to inform you that currently we do not use small data files (“Cookie”) in order to identify the Data Subject on the Website. However, Cookies may be used by the Data Controller in the future, in which case the Website and this Privacy Policy Statement will be amended.
XI. RIGHTS OF DATA SUBJECTS IN RELATION TO DATA MANAGEMENT
The Data Subject may in particular exercise the following rights:
Right to access data: The Data Subject is entitled at any time to request access to its personal data (and request a copy of the personal data that is processed),
Right to rectification
The Data Subject is entitled at any time to request the correction of incorrectly recorded personal data managed by the Data Controller. The Data Subject is also entitled is entitled to request the completion of incomplete personal data. The Data Controller shall comply with such requests without undue delay.
Right to erasure
The Data Subject has the right to request the deletion of its personal data managed by the Data Controller, if its consent has been withdrawn, or the contractual relationship has ended. The deletion does not extend to documents that the Data Controller must keep according to legal requirements. In the latter case, personal data cannot be deleted.
Right to restriction of data processing
The Data Controller is obliged to limit the data management of personal data upon request of the Data Subject if it can be assumed that the deletion would harm the Data Subject’s legitimate interests based on available. In the case of restriction of data processing, the data must be treated as restricted data as long as the data management purpose or legitimate interest exists, which precluded the deletion of personal data.
Right to data portability
The Data Subject may request the Data Controller to view the data processed for it on a data medium or on paper.
The right to withdraw consent
The Data Subject has the right to withdraw consent to data management at any time, in which case the data provided will be deleted from our systems.
The Data Controller examines user complaints related to data management and makes a decision on the validity of the complaint, of which it notifies the applicant in writing within 30 (thirty) days at the latest. If the Data Controller does not comply with the Data Subject’s request, it will inform the Data Subject of the factual and legal reasons for rejecting the request.
XII. ENFORCEMENT OF RIGHTS
In case of the violation of a legal provision on data management, the National Data Protection and Freedom of Information Authority may initiate a procedure in order to terminate the alleged unlawful data management. Complaints in connection with unlawful data management may be submitted to:
National Data Protection and Freedom of Information Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf.: 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
The Data Subject is also entitled to enforce its rights before the competent court.
XIII. DATA TRANSMISSION, DATA PROCESSING, PERSONS KNOWN TO THE DATA
Personal data received by the Data Controller in any form through the Website or otherwise can be accessed by employees and executive officers of the Data Controller who have the authorizations for use and legal basis.
Personal data may be disclosed/transferred to and processed by the following recipients for the purposes above:
The REM-group of entities: if applicable, personal data will be processed only to the extent allowed for the purposes above and in accordance with the data protection legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case data is transferred across country borders (including territories outside of the European Union), then such transfers will take place only in the case that the obligations as stipulated by the data protection legislation for when such transfers are fulfilled.
Audit services: Our approved auditor is: Temesváriné Béky Erzsébet, with address at 1196 Budapest, Kisfaludy utca 148.
Accounting, book-keeping services: Our approved accounting and book-keeping supplier Hazisz Consulting” Kft, with address at 8000 Székesfehérvár, Zobori út 41
Processors: Our approved administrative and IT service supplier: Office IT with address at 1124 Budapest, Hegyalja út.
XIV. OTHER PROVISIONS
We provide information on data management not listed in this information when the data is collected. We inform our customers that the court, the prosecutor, the investigative authority, the infringement authority, the public administrative authority, the National Data Protection and Freedom of Information Authority, the Hungarian National Bank, or other bodies based on the authorization of the law, provide information, communicate data, transfer documents, or they can contact the Data Controller to make it available.
If the authority has indicated the exact purpose and the scope of the data, the Data Controller will only release personal data to the authority to the extent that is absolutely necessary to achieve the purpose of the request.
The Data Controller reserves the right to unilaterally modify this Data Protection Statement if required by law or for the purpose of the data management and the data managed.
XV. EFFECTIVE FORCE
This Data Protection Statement is effective as of December, 2023.