PRIVACY POLICY CUSTOMER DATA PROCESSING
1. GENERAL INFORMATION
Data Controller: PD Real Estate Development Kft. (registered office: 1068 Budapest, Városligeti fasor 38.; registration number: 01-09-280605).
The Data Controller carries out the Duna Pearl real estate development project.
Joint Controllers:
- Polat Holding A.Ş. (Address: İmrahor Cad. No:23 B Blok 5. Kat 34440, Kağıthane, İstanbul, Turkey)
- Piyalepaşa Gayrimenkul Geliştirme Yatırımı ve Tic. A.Ş (Adress: İstiklal Mah. Piyalepasa Bulvarı 20/1A Beyoğlu, Istanbul, Turkey)
The Joint Controllers are related to the company groups of the direct owners the Data Controller. The Data Controller is primarily responsible for the obligations relating to the data processing. The Data Controller and the Joint Controllers are considered to be joint controllers and they concluded an agreement covering that.
Data Subject: shall mean the Data Controller’s Potential Client or Client, who is interested in purchasing one of Data Subject’s property (hereinafter: Property or Properties).
Potential Client shall mean a natural person, who provides personal data to request an offer or information from Data Controller.
Client shall mean Potential Client, who fills out the registration agreement and pays the registration fee.
Personal Data: means any information related to the Data Subject.
1.1. The purpose of this Privacy Policy is to supply essential information to the Data Subject about the data processing the Data Controller performs with respect to all the relevant data protection regulation.
1.2. The Data Controller is committed to the protection of the Data Subject’s personal data and particularly wishes to observe the Data Subject’s fundamental right to informational self-determination.
1.3. The Data Controller reserves the right to alter this Privacy Policy and commits to supply information about any such alteration in accordance with the relevant legal regulations as effective.
1.4. Data Controller:
- processes the personal data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collects personal data for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- processes personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- processes accurate and up to date data (’accuracy’);
- keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processes the personal data in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’).
1.5. Data Controller’s data processing principles are in harmony with the relevant data protection regulations as effective, including but not limited to the following:
- The Constitution of Hungary (Freedom and Responsibility, Article VI);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”)
- Act No. CXII of 2011 on the right to informational self-determination and on informational freedom (“Info Act”);
- Act No. V of 2013 on the Civil Code.
1.6. This Privacy Policy and information related to the Data Controller’s data processing are always available at the Office of the Data Controller’s property (1095 Budapest, Soroksári út 58.), and on Data Controller’s website dunapearl.hu (hereinafter: Website).
1.7. Should you have any question regarding the Privacy Policy or the Data Controller’s data processing, please contact our colleague on the [email protected] email address.
2. DATA PROCESSING
2.1. The Data Controller strives to limit its personal data processing activity to what is absolutely necessary. Nonetheless, the processing of some personal data is inevitable. The Data Controller processes the personal data that the Data Subject provides, as well as all the personal data related to the Data Subject and generated during the contractual relationship between the Data Controller and the Data Subject regarding Data Subject’s request, Data Controller’s offer and the purchase of the selected Property. Data Controller processes the following personal data for the purposes and on the legal basis detailed below:
2.1.1. General contact data
- Purpose of the data processing: Collecting personal data to contact the Potential Clients. Potential Client provides his/her personal data to the Controller via telephone, e-mail, Website, social media, other digital media channels, or personally to require further information on the available Properties. Ingatlan.com ujotthon.hu and költözzbe.hu website may send the Potential Client’s contact data upon the Potential Client’s request, in which case Ingatlan.com Zrt. and Költözzbe.hu Kft. is an independent service provider and data controller.
- List of processed personal data: full name, e-mail address, mobile phone number, written communication between the parties.
- Optional personal data: address, age (not exact number, 4 predetermined category), occupation, real estate preferences (purpose of real estate purchase, real estate type preference, payment preference, floor area preference, parking, storage, terrace, garden) source of information about Data Controller’s service.
- Legal basis for the data processing: Data processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (GDPR 1. (b) of Article 6).
- Duration of data processing: The contact data will be deleted ten years after the end of the business relationship between the parties.
- Data transfer to a third country: If it is necessary, the Data Controller may transfer the personal data to the other Joint Controllers in Turkey. The purpose of the data transfer is day-to-day management, business support, corporate control, quality assurance and audit. The legal ground for the data transfer is the standard contract clauses in the agreement between the Data Controller and the Joint Controllers. The channels of the data transfer: access to the Data Controller’s CRM system, the Navision accounting system, access to the Data Controller’s file server, e-mails and paper documents.
2.1.2. Purchase process
- Purpose of the data processing: Collecting personal data to conclude the purchase agreement with the Clients. In case the Potential Client finds a suitable Property amongst Data Controller’s offers, he/she must sign a registration agreement to initiate the purchase process. The registration agreement contains every data that is necessary to conclude the final purchase agreement.
- List of processed personal data: name, email address, telephone number, birth name, address, place and date of birth, mother’s name, national ID number, ID card number, tax number, passport number, fax number, bank account data (bank name, bank account number), citizenship, chosen Property and its specifications, written communication between the parties.
- Legal basis for the data processing: Data processing is necessary in order to take steps at the request of the data subject prior to entering into a contract; or for the performance of a contract to which the data subject is party (after entering into a contract). (GDPR 1 (b) of Article 6)
- Duration of data processing: The contact data will be deleted 5 years after the end of the business relationship between the parties (general limitation period). The personal data incorporated in the agreements will be stored for 20 years, the personal data in the related databases will be deleted in 5 years (general limitation period).
- Provision of personal data: It is necessary to enter into the contract, Client is obliged to provide the personal data, otherwise the parties cannot conclude a contract.
- Data transfer to a third country: If it is necessary, the Data Controller may transfer the personal data to the other Joint Controllers in Turkey. The purpose of the data transfer is day-to-day management, business support, corporate control, quality assurance and audit. The legal ground for the data transfer is the standard contract clauses in the agreement between the Data Controller and the Joint Controllers. The channels of the data transfer: access to the Data Controller’s CRM system, the Navision accounting system, access to the Data Controller’s file server, e-mails and paper documents.
2.1.3. Marketing offers
- Purpose of the data processing: To send offers in the future to the Data Subject.
- List of processed personal data: name, email address, telephone number;
- Legal basis for the data processing: The Data Subject has given consent to the processing of his or her personal data (GDPR 1. (a) of Article 6).
- Duration of the data processing: The Data Controller processes the data until the withdrawal of the consent, but not more than 10 years.
- Data transfer to a third country: If it is necessary, the Data Controller may transfer the personal data to the other Joint Controllers in Turkey. The purpose of the data transfer is day-to-day management, business support, corporate control, quality assurance and audit. The legal ground for the data transfer is the standard contract clauses in the agreement between the Data Controller and the Joint Controllers. The channels of the data transfer: access to the Data Controller’s CRM system, access to the Data Controller’s file server, e-mail, paper documents.
2.2. Marketing offers
2.2.1. The Data Controller’s email server is operated by Polat Holding A.Ş. in Istanbul, Turkey. Therefore, all personal data sent via email to or from the Data Controller are also transferred to Turkey. The access is restricted, the data are secured. The legal ground for the data transfer is the standard contract clauses in the agreement between the Data Controller and the Joint Controllers.
2.2.2. If it is necessary, the Data Controller may transfer the personal data to APD Real Estate Kft., Polat Hungary Kft, Nerox International B.V., Nivoma Investment S.A., or HBRE International Investments B.V. which belong to the Data Controller’s group of companies. The purpose of this data transfer is day-to-day management, business support, corporate control, quality assurance and audit, and the legal ground is the consent of the Data Subject. The data transfer described in this section happens strictly between member states of the EEA, meaning this is not considered as data transfer to third countries.
2.3. The Data Controller does not use automated decision-making, including profiling.
3. DATA PROCESSING
3.1. The Data Controller may occasionally perform other personal data processing. Information about any data processing not mentioned in this Privacy Policy will be supplied on the data collection.
3.2. The Data Subject is informed that the court, the public prosecutor, the criminal investigation authority, the infringements authority, the public administration authority, the National Data Protection and Informational Freedom Authority (“NAIH”), as well as other authorities authorized by legal regulation may request information, data and documents from the Data Controller, who will grant such requests to the extent it is required by the relevant legal regulations. The Data Controller will disclose personal data to the authorities only to the extent it is indispensable for the fulfilment of the authorities’ meticulously detailed request for information as regards the scope and purpose of information.
4. DATA PROCESSING
4.1. In order to analyse the use of the Website and thereby improve its services, the Data Controller may use small data packages (cookies), placed and read using the Data Subject’s browser. The reason behind this is if the Data Subject’s browser returns a previously saved cookie, the cookie provider has the option to link the Data Subject’s current visit to previous ones, but only for the content of its own website.
4.2. The Data Subject can delete cookies from their own computer or disable the use of cookies in their browser at any time. Cookies can usually be managed in the browser’s “Tools/Settings” menu under “Privacy” settings, called cookies. More detailed guidance can be found on the following secure online communication website:
4.3. Information about each cookie:
Name | Function | Data type | Time limit |
_ga(Google Analytics) | Tracking cookie for Google Analytics, tracks the time period of each visit | Text | End of session |
5. DATA PROCESSING
5.1. The Data Controller assigns the following data processor during its data processing activity:
5.1.1. IBM Magyarország Kft. (seat: 1117 Budapest, Neumann János u. 1.; registration number: 01-09-060028): providing file server services.
5.1.2. Experta Danışmanlık Limited (seat: Ataköy 7-8-9-10.Kısım Mah. H.Eli Çiçeği Sk. D/22A Apt. No:2 G/8 Bakırköy, Istanbul, Turkey): the regular internal audit of the Data Controller.
5.1.3. Tribal Worldwide Istanbul (seat: Ali Kaya Sok. No:3 Kat:4 No. 14-15-16-1734394 Apa Nef Plaza Şişli, Istanbul, Turkey): marketing support for the Data Controller.
5.1.4. SomeDeal Kft. (seat: 1027 Budapest, Varsányi Irén u. 8. fszt.) ): marketing support for the Data Controller.
5.1.5. Code5 Yazılım Donanım ve Otomasyon Sistemleri Ltd. Şti. (seat: Büyükşehir Mah. Cumhuriyet Cd. No: 1 Ekinoks Residence E1 Blok Kat: 7 No: 113 PK: 34520 – Beylikdüzü – İstanbul): the operation of the CRM system.
5.1.6. Racorg Kft. (seat: 1134 Budapest, Kassák L. u. 56.): payroll.
5.1.7. INVENTIS Kft. (seat: 1093 Budapest, Közraktár utca 20/A III/7.): operating the NAVISION accounting system.
5.1.8. MultiSoft Kft. (seat: 1115 Budapest, Bartók Béla út 105-113. – Bartók Udvar 2/A, 1. Emelet): operating the NAVISION accounting system.
5.1.9. ATP Ticari Bilgisayar Aþr ve Elektrik Güç Kaynaklan Üretim ve Pazarlama Ticaret A.Ş. (seat: Emirhan Cad. No: 109, Kat 9, Atakule, 34349 Balmumcu, Istanbul): operating the NAVISION accounting system.
5.1.10. Polat Hungary Kft. (seat: 1068 Budapest, Városligeti fasor 38.): HR, marketing and IT support.
5.1.11. AIAHOUSE Korlátolt Felelősségű Társaság (Seat: 1071 Budapest, Lövölde tér 7. 3/Ü) sales agency support
5.1.12. Feng Shui House Korlátolt Felelősségű Társaság (registered seat: 1033 Budapest, Polgár u. 5. 9em. 48) Sales agency support
5.1.13. HINLE Ingatlan Kft. (registered seat: 1101 Budapest Hungária krt. 5-7. 5. épület 1. lépcsőház 6.emelet/3. registration number: 01-09-336501 Sales agency support
6. PROCESSING OF THIRD PARTIES’ DATA
6.1. If the Data Subject provides personal data from third parties, Data Subject must have the required consent or other legal basis to share the personal data with the Data Controller and informs Data Controller of any change or update relating to them. All Data Subjects should refrain from providing third parties’ data, unless it is necessary to comply with the contract with the Data Controller. Data Subject is fully liable for these third parties’ personal data processing.
7. DATA SECURITY
The Data Controller treats the Data Subject’s personal data confidentially, therefore Data Controller has adopted the technical and organizational measures necessary to ensure the security of personal data and avoid their accidental or unlawful destruction, loss, alteration, processing or unauthorized access, given the state of the technology, the nature of the stored data and the risks to which they are exposed, whether they come from human action or from the physical or natural environment. The Data Controller selects and operates the IT equipment used to process personal data with respect to the contractual relationship in such a way that the processed data:
- (a) is available to authorized persons (availability);
- (b) authenticity and authentication are ensured (authenticity of data processing);
- (c) integrity can be proven (integrity of data); and
- (d) is protected against unauthorized access (confidentiality of data).
8. DATA SECURITY
8.1. The Data Subject has a right to:
- access the personal data: Upon the Data Subject’s request, the Data Controller supplies information about the Data Subject’s data processed by the Data Controller as data controller and/or processed by a data processor on the Data Controller’s behalf if any of the conditions stipulated in Article 15 of GDPR is fulfilled.
- request the rectification of the personal data: The Data Controller rectifies the Data Subject’s personal data if such data is inaccurate or incomplete while the correct personal data is available to the Data Controller.
- request the erasure of the personal data (right to be forgotten): The Data Controller erases any and all personal data if any of the conditions stipulated in Article 17 of GDPR is fulfilled.
- restriction of processing: The Data Subject obtains from the Data Controller the limitation of the data processing if any of the conditions stipulated in Article 18 of GDPR is fulfilled.
- data portability: The Data Subject receives the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, if the processing is based on a consent or contract and it is carried out by automated means.
8.2. The Data Subject has a right to:
The Data Controller provides information on action taken on the Data Subject’s request sent to the contract person specified in Section 2.7. without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The Data Controller informs the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information will be provided by electronic means where possible, unless otherwise requested by the Data Subject. If the Data Controller does not act on the Data Subject’s request, the Data Controller will inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
8.3. Data Subject’s right to remedy:
- filing a complaint with the authority: Without prejudice to any other administrative or judicial remedy, Data Subject may, in the event of an infringement of his or her rights, file a complaint with the data protection authority (Nemzeti Adatvédelmi és Információszabadság Hatóság: address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; Tel.: +36 1 391 1400, Fax: +36 1 391 1410, email: [email protected]; website: https://naih.hu/index.html).
- filing a complaint with the court: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, Data Subjects have the right to an effective judicial remedy where he or she considers that his or her rights have been infringed as a result of the processing of his or her personal data in non-compliance with the data protection regulation. The Data Controller is liable for any loss or damage caused by the unlawful processing of the Data Subject’s data or by any violation of applicable data-security requirements. The Data Controller will be exempted from such liability if the loss or damage was caused by circumstances beyond its control and outside the scope of data processing. No compensation shall be paid to the extent that the loss or damage was caused by the Data Subject’s wilful or grossly negligent conduct.