for S IMMO APM Hungary Kft. Concerning the Sending of Quotes
This Privacy Notice (hereinafter: ‘Notice’) provides information about the processing activities of S IMMO APM Hungary Vagyon és Ingatlankezelő Korlátolt Felelősségű Társaság (hereinafter: ‘Controller’) in relation to the quotes sent to customers interested in rental properties using the website https://www.simmoag.hu/.
The Notice has been prepared taking into account the GDPR, the Infotv. and other legislation relevant to the core activities of the Controller. A list of the legal regulations is set out in Annex 1 to the Notice and a definition of the most important terms is set out in Annex 2.
The Notice is valid from 19.04.2022 until its withdrawal. The printed version of the Notice is available at the Controller’s registered office and is also available at the following URL: https://www.simmoag.hu/adatvedelem.html
The Controller reserves the right to unilaterally amend this Notice at any time.
S IMMO APM Hungary Kft.
- DETAILS OF THE CONTROLLER
Name of Controller: S IMMO APM Hungary Vagyon és Ingatlankezelő Korlátolt Felelősségű Társaság
Abbreviated name: S IMMO APM Hungary Kft.
Registered office: 1051 Budapest, Bajcsy-Zsilinszky út 12
Company registration number: 01-09-719491 (Metropolitan Court as the Court of Registration)
Tax number: 13116552-2-41
Phone number:+36 1 429 5050
II.1. PROCESSING RELATING TO REQUESTS FOR QUOTES
The Controller processes personal data in relation to requests for quotes received in connection with its activity of letting and operating its own and rented real estate for the purpose of providing quotes. The Controller processes only the personal data necessary for the successful preparation of the quote. The Controller processes the personal data that it becomes aware of in connection with quotes received by it as follows:
- The scope of personal data processed: first name and surname, e-mail address, other data provided in the request for a quote (e.g. office size).
- Purpose of processing: preliminary consultation, sending of quotes.
- Legal ground for processing: consent of the data subject pursuant to Article 6(1)a) of the GDPR.
- Duration of processing: The Controller retains the personal data for the purpose of quotation for 2 years after the request for a quote. After that period, the personal data is erased immediately and irretrievably.
- The source of the personal data is the data subject.
The Controller may contact the data subject by e-mail or by telephone at the contact details provided within the retention period in order to provide a quote. The data subject may withdraw his or her consent to the processing at any time.
Personal data processed for the purpose of a request for a quote may be accessed primarily by the Controller. In addition, the following Processors are involved in the processing (see Annex 3 for details):
- contracted sales representatives of the Controller for the purposes of communication and contracting
- Websupport Magyarország Kft. (registered office: 1132 Budapest,
Victor Hugo utca 18-22.) as hosting service provider
- MITTE Communications Kft. (registered office: 1137 Budapest, Jászai Mari tér 5-6) as web interface developer
- Rocket Science Group LLC (675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, US) for the sending of e-mails, Mailchimp service
The Controller does not transfer the personal data processed to persons established in Hungary, Europe or third countries. If proceedings are brought before a court or other authority which require the transfer of personal data to the court or authority, the court or authority may also have access to the personal data.
II.2. Data processing in relation to visits to www.simmoag.hu
II.2.1. What are Cookies?
A Cookie is a file or piece of information that is downloaded from a website by an web browser and stored on the computer of the data subject. These Cookies are used by the server that stores the content of the given website to recognise, when you return to the website, that you have already visited the site.
Like almost every company with a website, S IMMO APM Hungary Kft. uses such Cookie files, either to provide certain functions or for convenience only. The Cookies used by S IMMO APM Hungary Kft do not overload, slow down or harm your computer.
Third party Cookies are also used on the website.
II.2.2. Cookie types
- Session Cookies:
These Cookies are activated temporarily while browsing is in progress. That is, from the moment the user opens the browser window until the moment the browser window is closed. Once the browser is closed, all session Cookies are erased.
- Persistent Cookies:
These Cookies remain on the user’s device for the period of time specified in the Cookie. They are activated each time the user visits the website.
- Own Cookies:
These Cookies are created by the website that the user is visiting at a particular time.
- Third Party Cookies: When a user visits a page, a Cookie is activated by another party through the website. If you are browsing a website that offers embedded content from, for example, Facebook or YouTube, you may also receive Cookies from these sites.
II.2.3. User data processing for visitors to www.simmoag.hu
We use the following cookies on our website, which process the following data:
This website uses InnoCraft Ltd’s web analytics tool, the open source Matomo software.
Objective: To analyse visitor behaviour on our website (details below).
Processed data: IP address, date and time of your visit to our website, title and URL of the page visited, URL of the page previously visited (reference URL), screen resolution, clicking behaviour on our website, time of page download in your browser, country, language setting used in your browser.
In addition to rejecting the cookie used for the above purpose when you visit the website, or disabling it in your browser, you can also prevent the use of Matamo cookies by clicking on the following link to download and install the browser extension (plugin): https://matomo.org/privacy-policy/#optout
You can prevent the storage of cookies by configuring your browser accordingly.
You can find detailed information on internet browser settings at the links below:
III. DATA SECURITY
The Controller and the processors are entitled to access your personal data only to the extent necessary for the performance of their tasks. The Controller takes all security, technical and organisational measures necessary to ensure the security of the data.
III.1. Organisational measures
The Controller allows access to its IT systems by means of personalised access rights. The principle of ‘necessary and sufficient rights’ applies to the allocation of access rights, i.e. each user may use the IT systems and services of the Controller only to the extent necessary for the performance of their task, with the corresponding rights and for the necessary duration. Access rights to IT systems and services may be granted only to persons who are not restricted for security or other reasons (e.g. conflict of interest) and who have the necessary professional, business and information security skills to use them safely.
The Controller and processors undertake in a written declaration to observe strict confidentiality rules and to act in accordance with these confidentiality rules in the course of their activities.
III.2. Technical measures
The Controller stores the data on its own equipment, in a data centre, with the exception of data stored by its processors. The Controller stores the IT equipment storing the data in a separate, locked server room, protected by a multi-level entry system with access verification.
The Controller protects its internal network with a multi-level firewall. In all cases, hardware firewalls (border protection devices) are always installed at the access points to the public networks used. The Controller stores data redundantly, i.e. in multiple locations, to protect them from destruction, loss, damage or unlawful destruction due to IT equipment failure.
It protects its internal networks from external attacks with multi-layered, active, complex malware protection (e.g. virus protection). The Controller provides the necessary external access to the IT systems and databases operated by the Controller via an encrypted data connection (VPN).
The Controller takes the utmost care to ensure that its IT equipment and software comply with the technological solutions generally accepted in the market.
In the course of the development, the Controller sets up systems in which, through logging, it is possible to control and monitor the operations performed and to detect incidents that have occurred, such as unauthorised access. The Controller’s server is located in a secure and locked environment.
- YOUR RIGHTS
It is important for the Controller that its processing complies with the requirements of fairness, lawfulness and transparency. To this end, you may request information about the processing of your personal data, request the rectification or erasure of your personal data, except for mandatory processing, withdraw your consent, exercise the right to data portability and exercise your right to object. To ensure that you are aware of your rights and the conditions for exercising them, we provide you with the following information.
You have the right to obtain access to your personal data processed by the Controller upon request made in person to the Controller. As part of this service, you will be informed of the following:
- whether your personal data are being processed;
- the purposes of the processing;
- the categories of the personal data concerned;
- the recipients or categories of recipients to whom or which the personal data have been or will be disclosed;
- the intended duration of the personal data storage;
- your rights;
- your legal remedy options;
- information on the data sources.
You may also request the Controller to provide you with a copy of your personal data which is the subject of the processing. In this case, the Controller provides the personal data in a structured, commonly used, computer-readable format (PDF/XML) or in a printed paper version. You can request a copy free of charge.
Based on a request submitted in person to the Controller, you have the right to request the rectification of inaccurate personal data concerning you processed by the Controller and the supplementation of incomplete data. Where the information necessary to clarify or supplement the inaccurate information is not available to the Controller, the Controller may request the submission of such additional data and the verification of the accuracy of the data. As long as the clarification or supplementation of the data, in the absence of the additional information, cannot be performed, the Controller shall restrict the processing of the personal data concerned and temporarily suspend the operations performed on them, with the exception of storage.
Based on a request submitted in person to the Controller, you have the right to request the erasure of personal data relating to you processed by the Controller if one of the following conditions applies:
- we no longer have a need for the given data;
- you have a concern about the lawfulness of our processing of your data.
If, following your request, the Controller determines that it is under an obligation to erase the personal data it processes, it will cease processing the data and will destroy the personal data previously processed. In addition, the obligation to erase personal data may also exist on the basis of withdrawal of consent, the exercise of the right to object or legal obligations.
IV.4. Restriction of processing
Based on a request made in person to the Controller, you have the right to request the restriction of the processing of personal data relating to you processed by the Controller in the following cases:
- you are concerned about the lawfulness of the processing of personal data relating to you processed by the Controller and you request the restriction instead of the erasure of the data;
- the Controller no longer has a need for the data but you require them for the submission, enforcement or defence of legal claims.
The Controller automatically restricts the processing of personal data when you contest the accuracy of the personal data. In such a case, the restriction applies for the period of time necessary to allow the accuracy of the personal data to be verified.
During the period of restriction, no processing operations may be performed on the personal data concerned, only storage of the data. Personal data may be processed in the event of a restriction of processing only in the following cases:
- based on the consent of the data subject (you);
- for the submission, enforcement or defence of legal claims;
- for defending the rights of another natural person or legal person;
- important public interest.
The Controller will inform you in advance of the lifting of the restriction.
IV.5. Data portability
Based on a request submitted through the Controller’s contact details, you have the right to request the provision of personal data concerning you processed by the Controller for further use in accordance with your wishes. You may also request the Controller to transfer your personal data to another controller designated by you.
This right is limited only to the personal data that you have provided to us, that we process on the basis of your consent or for the performance of a contract. No other data portability is possible. The Controller provides the personal data in a structured, commonly used, computer-readable format (PDF/XML) or in a hard copy printout.
The Controller informs you that the exercise of this right does not automatically entail the erasure of personal data from the Controller’s systems. You also have the right to contact or communicate with the Controller again after data portability.
You may object to the processing of your personal data by the Controller at any time on the basis of a request made through the contact details of the Controller. In this case, the Controller will examine whether there are compelling legitimate grounds or interests (e.g. the submission, enforcement or defence of legal claims) which override the interests, rights and freedoms of the data subject. Where such grounds or interests can be identified, the Controller shall continue to process the personal data. Otherwise, the personal data may no longer be used.
IV.7. Withdrawal of consent
In the case of processing based on consent, you have the right to withdraw your consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. However, the Controller will no longer perform any operations using your personal data and will erase them. You may give your consent by contacting the Controller at one of the contact details above.
IV.8. Our procedure regarding your request to exercise your rights
The Controller will inform you of the action taken in response to your request to exercise your rights without undue delay and within a maximum of 1 month of receipt of the request. This deadline may, however, be extended by 2 months if warranted by the complexity of the request or the number of requests. The Controller shall notify the you of any such extension within 1 month of receiving the request; such a notification shall include the reason of the extension.
If the Controller does not take action on your request, it will inform you without delay and at the latest within 1 month of receipt of the request of the reasons for the lack of action and of the possibility for you to lodge a complaint with a supervisory authority and exercise your right to judicial remedy.
The Controller shall provide the information on the action or failure to act in the form you have indicated. If you have submitted your request by electronic means, the information will be provided by electronic means unless you request otherwise. The Controller will provide the requested information and communications free of charge as a general rule, but may charge a reasonable fee based on administrative costs for additional copies requested by you.
The Controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing performed by it, unless this proves impossible or involves a disproportionate effort. Upon your request, the Controller will inform you of these recipients.
In order to comply with the request, the Controller shall ensure that it is truly the data subject who intends to exercise his or her rights. This may also require, where appropriate, that you appear in person at the Controller’s registered office for identification purposes.
- YOUR LEGAL REMEDY OPTIONS
If the Controller processes your personal data in an inappropriate manner, contrary to the law, or if the Controller has not complied with your request to exercise your rights or has not complied with them in an appropriate manner, you have a number of legal remedy options.
V.1. Complaint submission to the National Authority for Data Protection and Freedom of Information
If you object to the activities of the Controller, you have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information at one of the following contact details:
- Registered office: 1055 Budapest, Falk Miksa u. 9-11
- Correspondence address: 1363 Budapest, P.O. Box: 9
- Phone: +36-1-391-1400
- Fax: +36-1-391-1410
- E-mail: firstname.lastname@example.org
- Website: http://www.naih.hu
V.2. Enforcement before the courts
In addition to the administrative remedies, you also have the right to bring an action against the Controller before a court. The GDPR, the Infotv. and the rules of the Civil Code and the Code of Civil Procedure apply to the lawsuit. The case falls within the competence of the general court. The lawsuit may also be brought, at the option of the data subject, before the general court in whose jurisdiction the data subject’s home address is located (for a list of courts and their contact details, please see the following link: http://birosag.hu/torvenyszekek).
Applicable legal regulations
In drafting this Notice, the Controller has taken into account the applicable legislation in force and the main international recommendations, in particular the following:
- Regulation of the European Parliament and of the Council (EU) 2016/679 (27 April 2016) on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (hereinafter: ‘GDPR’);
- Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter: ‘Infotv.);
- Act V of 2013 on the Civil Code (hereinafter: ‘Civil Code’);
- Act CXXX of 2016 on the Code of Civil Procedure (hereinafter: ‘Code of Civil Procedure’);
- Government Decree 181/2003 (5 November) on Mandatory Warranty Relating to Home Construction
Terms relating to the processing of personal data
- controller: a legal person, which defines the purpose and means of processing of personal data;
- processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data transfer: ensuring open access to the data to specific third parties;
- data erasure: making data unrecognisable in a way that it can never again be restored;
- tagging data: marking data with a special ID tag in order to differentiate it;
- restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future;
- data destruction: complete physical destruction of the data carrier recording the data;
- processor: a legal person, which processes personal data on behalf of the Controller;
- recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
- data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by means of identifiers such as name, identification number, location data, online identifier, or one or more natural, physical, physiological, genetic, mental, economic, cultural or community-based or personality feature.
- third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- personal data: any information relating to the data subject;
- objection: a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the erasure of the data processed.
Names and details of processors
Name of the Processors: Websupport Magyarország Kft.
Company registration number: 01-09-381419
Tax number: 25138205-2-41
Registered office: 1132 Budapest,
Victor Hugo utca 18-22.
Performed activity: hosting service
Name of the Processors: Rocket Science Group LLC
Registered office: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA
Performed activity: Operation of Mailchimp service
Name of the Processors: Mitte Communications Korlátolt Felelősségű Társaság
Registered office: 1061 Budapest, Paulay Ede utca 55
Company registration number: 01-09-179304
Tax number: 24730763-2-42
Performed activity: marketing and PR activities, web design
The current sales representatives can be found on the S IMMO AG website: