I. GENERAL INFORMATION, THE DATA CONTROLLER
In this Guide ("Guide") the controller in respect of the processing of the data controller in this Privacy Policy is MUZAMEL és TÁRSA Bt. (Located at: 1213 Budapest, Veréb u. 1.; company registration number: 01-06-759929; e-mail: muzamel@muzamel.hu; phone: +36302512519; Representative: Muzamel István Managing Director; hereafter: "Data Controller"). The Data Controller is a company registered in Hungary and engaged in commercial, engineering and construction activities of real estate agents.
1.2. Governing law
The Data Controller's processing is primarily subject to the general (European Parliament and Council (EU) 2016/679 Regulation of 27 April 2016 on the protection of personal data of natural persons with regard to the processing of personal data processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC; hereinafter "GDPR"). In addition, the processing is governed by the Hungarian legislation that regulates the the activities of the Controller, the legal relationship between the Controller and the data subject In particular, the Civil Code and the Building and Construction Act, as well as the Data Protection Act, shall govern the law applicable to the data controller and the data subject and the relationship between the data controller and the data controller. (VI. 30.) of the Government Decree 176/2008. (hereafter: "Regulation").
1.3. Scope of the Prospectus, the person concerned
The scope of this Notice covers the Data Controller's processing. The scope of this Notice is limited to the processing covered by the GDPR data subject to the GDPR.
Under the GDPR, personal data means any information relating to an identified or identifiable natural person (data subject) .An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the processing covered by this Notice, the data subject is the person who has, has had, or is seeking to have a legal relationship with the Controller. In particular, the data subjects are the customers of the energy performance certificates, the owners of the real estate covered by the certificate. On this basis, this Notice does not cover data which do not relate to natural persons (e.g. company data) or which cannot be linked to natural persons (e.g. statistical data, data which are anonymised). This Notice only covers the processing of data by the Data Controller.
II. THE PURPOSE, LEGAL BASIS, PROCESS AND SCOPE OF THE DATA PROCESSED
2.1. Purpose of data processing
The primary purpose of the processing is the relationship between the data subject and the Data Controller. the establishment and maintenance of a legal relationship. The purposes of the processing are:
- Contacting the person concerned and maintaining contact;
- Establishment of a legal relationship, the legal relationship drawing up, signing and performing the contract establishing the relationship;
- Recording the property details;
- Billing, payment
- Rights arising from the legal relationship between the parties exercise of rights and obligations;
- Fulfil obligations imposed by law.
2.2. Legal basis for processing
Taking into account that the Data Controller processes personal data for several purposes, the legal basis for the processing may also be different. The main legal bases are the following.
Consent of the data subject (Article 6(1)(a) GDPR)
In some cases, the legal basis for processing is the consent of the data subject. The data subject gives his or her consent by contacting the Data and initiating the establishment of the legal relationship. In all cases, consent is given by voluntary, but failure to give consent may result in the the legal relationship between the data subject and the Data Controller is not established. The data subject may consent may also be given by the Data Controller's partner through whom the certificate.
The contract between the Data Controller and the data subject (Article 6(1) GDPR) point b))
Where the data subject enters into a contract with the controller or initiates a contract, he or she shall indicate in the contract and on the related forms data necessary for the performance of the contract. The information referred to in this point the processing is necessary for the performance of the contract and the processing of the data and for the purposes of the performance of the contract and the actions initiated by the contractor, in accordance with the provisions of the GDPR of the GDPR. The contract shall be concluded even if the data subject is the services of the Data Controller and pays the fee upon performance. In this case In this case, the parties shall enter into an oral contract.
Compliance with a legal obligation (Article 6(1)(c) GDPR) point c))
In some cases, the legal basis for processing is a legal provision.
2.3. Scope of the data processed
Data processed by the Data Controller: name, telephone number, address of the data subject, address of the property, land register number.
2.4. Process of data processing
If the property is an intermediary or product, the need for construction directly to the Data Controller or to the Data Controller's partners (contracted The Data Controller or the Data Controller's partner shall record the data subject's data provided above. The purpose of processing the data is to maintain contact (telephone number, name) for the purpose of making an appointment, preparing a survey. The website The Data Controller shall transmit the data to the surveyor under contract with the Data Controller. contracted sales agent, who will use the data to carry out the survey. for the purposes of the survey. The contact with the data subject is made by the trader, so that the the data subject is informed of the identity of the trader. With the principal activity The company that deals with the main activity issues the invoice. The Data Controller will process the data of those eight years from the date of its recording, taking into account the fact that period within which the enforcement of rights may take place and within which the data subject may request a copy.
III. OTHER INFORMATION RELATING TO DATA PROCESSING
3.1. Data transfer
The Data Controller will only transfer personal data to third parties third party, if the data subject has clearly given his or her consent - in accordance with the scope of the data transferred and the the recipient of the data, and the transfer is subject to the consent of the controller and the a contract between the controller and the data subject provides an appropriate legal basis, or the transfer is authorised by law. The data shall be processed by the Data Controller to the certifier who carries out the certification and, for this purpose, to the contact the data subject for this purpose. The certifier shall process the data in the same way as this purposes and in the same manner as the present data controller.
3.2. Data processing
The Data Controller is entitled to use a data processor for the performance of its activities. to process the data. The processors do not take independent decisions, and in the course of processing the data, the on the basis of a written contract with the Data Controller, as specified in the contract. The Data Processors shall act on behalf of the Data Controller in accordance with the contract and the instructions of the Data Controller. The Controller shall monitor the work of the processors. The data processors shall further processor only with the consent of the Data Controller. The Data Controller shall use as processors the services of certification companies and individual contractors as data processors.
3.3. Data security, access to data
The Data Controller shall ensure the security of the data, take the necessary measures to technical and organisational measures and establish the procedural rules which ensure the application of the requirement of data security ensure the security of the data. The Controller shall process the data processed by it in accordance with the applicable legislation, ensuring that the data are only employees and other persons acting in the interests of the Controller who are required to do so for the performance of their duties and tasks necessary for the performance of their duties. The personal data of the data subjects within the organisation of the Data Controller only the following persons within the Data Controller's organisation who have the right to access the data for the performance of their duties. Confidentiality of data shall be ensured for all staff members obligation of all staff. The Data Controller shall, in the context of its IT security responsibilities ensure in particular:
- Protection against unauthorised access measures, including the protection of software and hardware devices, and physical protection (access protection, network protection);
- The possibility of restoring data files measures, including regular back-ups and the separate secure management of copies (mirroring, backup);
- On protecting data files against viruses (virus protection);
- The data files and the media that hold them physical protection, including fire, water, lightning, other physical damage and the protection against damage resulting from such events recoverability of damage caused by such events (archiving, fire protection).
In order to protect paper records, the Data Controller shall take the following measures. necessary measures, in particular physical security and fire protection fire protection. The employees, agents and other persons acting on behalf of the Controller shall personal data used by them or in their possession shall also personal data, regardless of the means of recording them, shall keep and protect them securely.
3.4. Duration of data management
The Data Controller shall, by establishing and complying with the rules on erasure. ensure that the duration of the processing of personal data does not exceed necessary and lawful. Data shall be erased in the following cases The data will be deleted when:
a. Bizonyossá válik, hogy az adatok kezelése jogellenes. If the processing is unlawful, azt az Adatkezelő minden esetben törli, mihelyt a jogellenes adatkezelés ténye nyilvánvalóvá válik.
b. The data subject requests the deletion of the data. If the deletion of the data is requested by the data subject, the Data Controller shall in each case examine whether the law compulsory processing under the law. If so, the request for erasure shall be shall refuse the request. If the processing of the data is not mandatory but the Controller has a legitimate interest legal basis and the processing is necessary for the establishment of legal claims, enforce or defend a legal claim, the Controller shall examine whether the data may be deleted. If the processing of the data is not required by law, the data shall be deleted the Controller has no legal basis for processing the data other than consent, or the processing of the data is not justified despite the legal basis, the controller shall, at the request of the data subject, disclose the data to the Data Controller shall delete the data at the request of the data subject. If the request for erasure is made by the Data Controller refuses the request for erasure, it shall in any case inform the data subject accordingly, indicating precisely the legal basis for refusing the request for erasure and the legal remedies available to the data subject. possibilities.
c. The purpose of the processing has ceased or the data are no longer stored in advance, the time limit laid down by law or in the consent has expired. If the purpose of the processing has ceased, and the processing of the data is not required by law, the Data Controller shall delete the data. If the duration of the processing is required by law, the Data Controller shall delete the data for the Data Controller shall delete the data after the period specified by law.
d. The erasure has been ordered by a court or public authority. If the cancellation is ordered by a court or public authority and the order is final, the Data Controller shall erase the data. In the event of erasure, the Controller shall render the data unidentifiable. identifiable. Where required by law, the Controller shall delete the personal data data carrier containing the personal data shall be destroyed.
3.5. Handling data protection incidents
A data breach is a breach of security that results in the transmission of, stored or otherwise processed personal data inadvertently or unlawfully destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data or unauthorised access to it. The Data Controller is responsible for the protection of personal data The Data Controller shall immediately notify the competent authority of the Data Protection Incident, unless the the data protection incident is unlikely to pose a risk to the data subjects rights and freedoms of the data subject. The Data Controller shall report data breaches shall keep a record of the data breaches, together with the measures taken in relation to the data breach. If the the incident is serious (i.e. likely to result in a high risk to the rights and freedoms of the data subject), the data subject shall be protected rights and freedoms), the Data Controller shall inform without undue delay the data subject of the personal data breach.
IV. THE RIGHTS OF DATA SUBJECTS AND THEIR ENFORCEMENT
4.1. Rights of data subjects
Information (access). The data subject has the right to obtain information about the processing of his or her data. information on the processing of their data. The Data Controller shall inform the data subject, at the time of recording the data, of the following the processing of the data, and this Notice is available at any time to the data subject. The data subject shall be entitled to obtain full information at any time during the processing. information on the processing of his or her data at any time during the processing. The data subject may request that the Data Controller to provide him with a copy of the data.
Correction. The data subject may request the Controller to correct inaccurate data relating to him or her. correct or complete the incomplete data.
Deletion, withdrawal of consent. The data subject may at any time withdraw his or her consent to the processing of his or her data. consent to the processing of your data, or request the deletion of your data. The Data Controller may only erase the data the processing is based on law or the processing is unlawful, or necessary for the establishment, exercise or defence of legal claims.
Limitation. The data subject has the right to request the restriction of data processing by the. in the following cases:
a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the data, and requests instead that the use of the data be restricted;
c) the controller no longer needs the personal data processing for the purposes of the processing, but the data subject requires it for the establishment of legal claims, assert or defend legal claims;
d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established that the the legitimate grounds of the controller prevail over the legitimate grounds of the data subject over the legitimate interests of the data subject.
If the processing is subject to restriction, such personal data may be processed by the except for storage, only with the consent of the data subject or for legal the establishment, exercise or defence of legal claims, or for the protection of another natural or legal person legal person, or for the protection of the rights of another person or of a important public interest of a Member State.
Protest. Where the processing is based on the legitimate interests of the Controller or a third party interest of a third party, the data subject shall have the right to exercise his or her to object at any time, on grounds relating to his or her own situation, to the processing of his or her personal data processing of his or her personal data. In this case, the controller shall not further process the personal data unless the controller proves that the processing is justified by compelling legitimate grounds which override the legitimate interests of the data subject interests, rights and freedoms of the data subject, or which are overriding legitimate reasons the establishment, exercise or defence of legal claims. Where the personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for processing of personal data concerning him or her for such purposes.
Data portability. The data subject has the right to have personal data relating to him or her disaggregated, in a commonly used, machine-readable format, and to receive to transmit these data to another controller, provided that the processing is carried out by automated means. The data subject shall have the right to have his or her personal data - where technically feasible, to request the transfer of personal data to another controller direct transfer to another data controller.
4.2. Ensuring the rights of the data subject, the data subject's the processing of requests
The Data Controller shall inform the data subject about the processing of the data at the time of contacting the data subject. The data subject may make a request to exercise his or her rights by any means (oral or written) to the Data Controller. The Data Controller shall examine the request without delay and decide whether to comply with it, and take the necessary measures. The Controller shall inform the applicant of the measures taken inform the data subject within one month. The information shall in all cases include the action taken by the Controller or the request made by the data subject information requested by the data subject. If the Controller refuses to comply with the request (fail to take the measures necessary to comply with the request), the the legal basis for the refusal, the reasons for the refusal and the legal remedies available to the data subject possibilities of the data subject. The Data Controller shall not make the execution of the request subject to the payment of a fee, the costs of which shall be reimbursement of costs. Where the circumstances or the manner in which the request was made make it uncertain whether, that the request originates from the data subject, the Controller may request that the applicant justify his or her entitlement or to present the request in such a way that the entitlement can be clearly established. The Controller shall inform all recipients of the rectification, erasure or restriction of processing to whom or with which the personal data have been processed, or to whom or with which the personal data have been processed. data have been disclosed to, unless this proves impossible or involves a disproportionate effort. requires a disproportionate effort. The data subject shall, at his or her request, be informed by the controller of the recipients.
4.3. Legal remedies
Where the rights of the data subject have been infringed, the data subject may request the controller to. unlawful processing, to stop the processing, at the request of the data subject the refusal of the data subject's request. The Data Controller shall address the data subject's complaint in this regard shall in any case investigate the complaint and inform the data subject of the outcome. The data subject may lodge a complaint directly with the National Data Protection and Privacy Authority. Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor, 1125 Budapest, Hungary). 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu ). The data subject has the right to take legal action if his or her rights are infringed. The The Data Controller shall provide the data subject, upon request, with details of the procedure for the the court having jurisdiction and competence to hear the case, the the possibility of legal proceedings.