Budapest

Data Processing Notice

  1. NAME OF CONTROLLER

HIPA Hungarian Investment Promotion Agency Non-Profit Private Company Limited by Shares

Registered office: 1055 Budapest, Honvéd utca 20.
Company registration number: 01-10-140442
E-mail address: [email protected]
Telephone: +36 1 872 6520
Fax: +36 1 872 6699
Website: www.hipa.hu

  2. PURPOSE OF THE DATA PROCESSING NOTICE

The purpose of this Data Protection Policy is to ensure that by becoming familiar with and complying with it, HIPA Hungarian Investment Promotion Agency Non-Profit Private Company Limited by Shares (hereinafter referred to as “Controller”) fully complies with the applicable legal requirements when processing the personal data of natural persons in the processes referred to in this Notice, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”).

  3. NATIONAL LEGISLATION SERVING AS THE BASIS FOR PROCESSING

Legislation applicable to the processing activities carried out by the Controller:

  • Act CXII of 2011 on the right of informational self-determination and on the freedom of information (hereinafter referred to as “Info Act”);
  • Act No. C of 2000 on Accounting;
  • Act LXVI of 1995 on public documents, public archives and the protection of private archives;
  • Government Decree No. 201/2019. (VIII. 15.) on the definition of the tasks of HIPA Hungarian Investment Promotion Agency Non-Profit Private Company Limited by Shares;
  • Government Decree No. 335/2005. (XII. 29.) on the general document management requirements of public sector bodies.

  4. PERSONAL SCOPE OF THE DATA PROTECTION NOTICE

The Data Protection Notice covers all natural persons whose personal data are processed by the Controller, except for those in an employment relationship.

For the purposes of this Data Protection Notice, clients and partners that are private entrepreneurs or sole proprietorships are treated in accordance with the rules applicable to natural persons.

  5. TERMS AND DEFINITIONS

The terms and definitions used in this Data Protection Notice are set out in Article 4 of the GDPR.

  6. ATTENDING EVENTS
    a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name | Name of the person attending the event, which is necessary for identifying the natural person. Personal data is processed for the purposes of contacting and maintaining contact with the person attending the event and providing prior information to the data subject. |
| Position | The purpose of processing is to carry out protocol tasks during the event. |
| Phone number | Personal data is processed for the purposes of contacting and maintaining contact with the person attending the event and providing prior information to the data subject. Providing a telephone number is optional. |
| E-mail address | Personal data is processed for the purposes of contacting and maintaining contact with the person attending the event and providing prior information to the data subject. |
| Food allergies | Ensuring that the catering service is appropriate to the specific needs of the attending data subjects. Providing personal data is optional. |
| Likeness | The processing of personal data is optional when making image and sound recordings of events. The image and sound recordings made at the events will be optionally broadcast to the public on the Controller’s website and other public communication channels (in particular, YouTube, LinkedIn). |

E-mail addresses do not need to contain personal data (e.g. the name of the data subject). Data subjects may decide whether to provide an e-mail address that contains information revealing their identity.

    b) Legal basis of processing

In regard to registration for events, the legal basis for the processing of personal data processed by the Controller, as referred to in point 6(a), is the data subject’s consent.

    c) Duration of processing

Personal data provided during registration for events, as well as image and sound recordings made at events, will be processed by the Controller as long as the data subject’s consent is not withdrawn. The prior registration for events and the consent to the processing of the personal data provided at the same time, including the consent to the broadcasting of images and sound recordings to the public, may be withdrawn by the data subject at any time, and the deletion of the personal data may be initiated at the [email protected] e-mail address.

    d) Data transfer

Data may be transferred, if necessary, where the Controller organises an event with the assistance of another public body or market operator, for the purposes of registration for the event, arranging the event, and the travel of persons attending the event in connection with the event.

  7. MAINTAINING A DATABASE OF SUPPLIERS AND SITES
    a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name | Name of the data subject, which is necessary for the identification of natural persons. The processing of personal data is necessary for contacting and communication. |
| Position | Necessary for mediation to investors. |
| Telephone number | Processing of the telephone number as contact information is used for contacting and communication. |
| E-mail address | The processing of the e-mail address as contact information is used for contacting and communication. |

    b) Legal basis for processing

The legal basis for the processing of personal data processed in connection with the operation of the database of suppliers or sites is the consent of the data subject.

    c) Duration of processing

Personal data contained in the supplier database may be processed by the Controller as long as the data subject’s consent is not withdrawn. Personal data contained in the supplier database may be deleted by the data subject at any time by logging into his/her user account or with the assistance of the Controller and, at the same time, the data subject may withdraw his/her consent to the processing of the personal data provided at any time.

  8. Sending newsletters
    a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name | A name as personal data is necessary for the identification of the natural person and for contacting him/her when sending newsletters. |
| E-mail address | The purpose of processing an e-mail address as contact information is to send newsletters to the persons who subscribe to the newsletter. |

If the data subject subscribes to the newsletter, the Controller may send him/her newsletters at a frequency of its discretion.

    b) Legal basis for processing

The legal basis for the processing of personal data related to the sending of newsletters is the consent of the person subscribing to the newsletter.

    c) Duration of processing

Personal data processed in connection with the sending of newsletters will be processed by the Controller as long as the data subject’s consent is not withdrawn. Newsletter subscribers can unsubscribe from the newsletter delivery service at any time by clicking on the link in the newsletter. Unsubscribing from the newsletter is not the same as withdrawing consent to the processing of personal data. Persons subscribing to the newsletter have the opportunity to request the deletion of their personal data at any time, which can be carried out at the [email protected] e-mail address.

  9. Webpage operation
    a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name | The names of the Controller’s line managers and specific business partners as personal data are necessary for identifying the natural person. |
| Position | The processing of personal data relating to the position of line managers facilitates getting into contact. The business partner’s position as personal data is processed to indicate it as a reference on the website. |
| Telephone number | The processing of the telephone number as contact details makes it possible to contact and communicate with the line managers listed on the website. |
| E-mail address | The e-mail addresses of the Controller’s line managers as contact details on the website make it possible to contact the line managers. |
| Photo | Facilitates making contact with the Controller’s line managers concerned. Helps identify business partners. |

    b) Legal basis for processing

The legal basis for processing the personal data (name, e-mail address, telephone number, photo) collected and processed in relation to the line managers in the course of the operation of the website is the legitimate interest of the Controller, for which an interest balancing test has been carried out.

The legal basis for the processing of personal data (name, position, photo) of business partners during the operation of the website is the consent of the data subject.

    c) Duration of processing

In the course of the operation of the website, the duration of the processing of personal data for the purposes of point 9(a) in relation to the line managers is limited to the duration of the existence of that activity of the line manager, and will automatically cease on the date of its termination for the purposes of subpoint a).

In regard to the operation of the website, the Controller processes personal data relating to business partners as long as the consent of the data subject is not withdrawn. Business partners appearing on the website may request the deletion of personal data at any time by contacting the [email protected] e-mail address.

  10. Processing related to contracts

    10.1. Processing of data of contact persons and representatives

      a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name; Position; Telephone number; E-mail address | Establishing and maintaining contact with contracting partners, suppliers, consultants, professional partners, investors, owners of real estate or natural persons appointed by them in the case of the sites, as well as clients, and exercising the rights and obligations arising from contracts. |

      b) Legal basis for processing

The Controller collects and processes contact details on the basis of its legitimate interest. The Controller has balanced the impact of the processing of contact details on the data subjects and determined that such processing does not constitute a disproportionate and unnecessary restriction on the interests, fundamental rights and freedoms of the data subjects.

In the case of a contractual relationship, processing is also lawful if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract.

Personal data may be transferred to a postal or courier service provider for processing for mailing or delivery.

      c) Duration of processing

The Controller processes the contact details, should they not be included in the contract, for as long as strictly necessary for the performance of the contract, but for a maximum of 5 years from the termination of the contract or 8 years after the termination of the contract if they are part of the contract.

    10.2. Contract registry
      a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name | Management and registration of contracts involving a financial commitment. |

      b) Legal basis for processing

The Controller processes personal data in the contract registry system on the basis of its legitimate interest. The Controller has balanced the impact of the processing of data in its contract registry system on the data subjects and determined that such processing does not constitute a disproportionate and unnecessary restriction on the interests, fundamental rights and freedoms of the data subjects.

      c) Duration of processing

The Controller processes the personal data in the contract registry for 8 years from the termination of the contract.

    10.3. Verification of performance
      a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name; Position; Telephone number (in some cases); E-mail address (in some cases) | Verification of performance |

      b) Legal basis for processing

Personal data processed within the context of verifying the performance of contracts are processed by the Controller on the basis of its legitimate interest. The Controller has considered the impact of the processing on the data subjects in the context of the verification of performance and concluded that the processing does not constitute a disproportionate and unnecessary restriction on the interests, fundamental rights and freedoms of the data subjects.

      c) Duration of processing

Personal data processed in the context of performance verification will be kept by the Controller for 8 years from the termination of the contract.

  11. SELECTION PROCEDURE
    a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name; Place and date of birth; Home address; Education, qualifications (name of the educational institution, including the faculty, the area of study, the duration of the studying, date of graduation); Foreign language skills (level, type); IT skills; Likeness; Telephone number; E-mail address; Professional experience (name of employer, field of activity, responsibilities/job held, duration); Contents of CV | Application, evaluation of tenders. Data subjects concerned must be informed if the employer has not chosen them for the job. |

    b) Legal basis for processing

The legal basis for the processing of the data subjects’ data in the selection procedure is the data subject’s consent.

    c) Duration of processing

The Controller processes the data provided during the selection procedure and contained in the CV until the closing of the selection procedure, after which the applications and application materials received will be destroyed, unless an employment relationship is established. At the express written request of the data subject, the Controller will keep the application documents for one year after the closing of the selection procedure concerned.

  12. OPERATION OF A CAMERA SYSTEM, ENTERING THE BUILDING
      a) Scope of data processed and purpose of processing

Image recording cameras are installed at the Controller’s headquarters solely for security and property protection purposes, and are not intended to monitor and control the activities and work of employees. The cameras monitor the rented parking spaces, as well as the corridors, lobbies, lifts and the garage. No cameras monitor the areas designated for spending the employees’ mid-day breaks or the toilets. The cameras only record images.

The camera system is provided by the lessor of the building and the Controller does not have direct access to it and, with the exception of the camera monitoring the rented parking spaces in public areas, the displays showing live images are not visible to the Controller’s staff or contracted partners. The Controller may access the camera recordings upon request (e.g., in the case of a crime committed against persons or property), in which case it must act in full compliance with the applicable legislation in force.

When entering the building, the name of the person concerned is recorded.

| Personal data | Purpose of processing |
| --- | --- |
| Name | Entering the building. |
| Image capture | In exceptional cases, as set out above, to deal with incidents involving the Controller (as well) in the context of ensuring the security and protection of the building. |

      b) Legal basis for processing

The Controller processes personal data processed by it in connection with entering the building on the basis of its legitimate interest. In relation to entering the building, the Controller has assessed the impact thereof on the data subjects and concluded that it does not constitute a disproportionate and unnecessary restriction of their interests, fundamental rights and freedoms.

      c) Duration of processing

The Controller will delete the personal data processed in connection with entering within 3 working days from the date of data collection (entry) if the retention of the personal data is otherwise not justified due to a breach of law or suspicion of a criminal offence.

      d) Data transfer

In the event of proceedings for a suspected misdemeanour or offence, the image may be transmitted to the Controller by the lessor of the building on request and sent by the Controller to the competent authorities if necessary.

  13. Receiving third parties
      a) Scope of data processed and purpose of processing

| Personal data | Purpose of processing |
| --- | --- |
| Name; Position; Place and date of birth; Passport data | Receiving third parties, optionally assisting in the organisation of travel. |

      b) Legal basis for processing

The personal data collected and processed in regard to the reception of business and professional partners as third parties is processed by the Controller on the basis of its legitimate interest. The Controller has considered the impact of the processing of personal data of third parties on the data subjects and has determined that the processing does not constitute a disproportionate and unnecessary restriction on the interests, fundamental rights and freedoms of the data subjects.

      c) Duration of processing

The Controller will retain personal data provided to it in connection with the reception of third parties in accordance with the applicable rules set out in its records management policy.

  14. Access to data and data security measures
    a) Access to data and data transfer

Personal data provided by the data subject may be accessed by the employees of the Controller on the basis of the relevant authorisation, for the performance of their tasks, subject to appropriate data protection measures.

The Controller will only exceptionally transfer the personal data of the data subject to other public bodies or market operators, in particular if it is necessary for the purposes of registration for an event organised by the Controller with the involvement of another public body or market operator, for arranging the event or the transport of persons participating in the event in connection with the event.

    b) Data security measures

The Controller stores the personal data provided by the data subjects on devices under its control. In order to protect the personal data of data subjects, the Controller applies a number of technical and organisational security measures in connection with data storage and processing, which are intended to prevent access to the data by unauthorised persons. The Controller protects the personal data it processes by using both software and hardware tools, as well as modern IT methods and a high level of encryption and protection.

  15. Rights relating to processing
    a) Right to be informed

The data subject may request information in writing from the Controller, via the contact details provided in point 1, on

  • which of his/her personal data are processed by the Controller,
  • on what legal basis,
  • for what purpose of processing,
  • from what source,
  • for how long,
  • to whom, when, under what legal regulation and to which personal data it has granted access, or to whom it has transferred his/her personal data.

The Controller will comply with the data subject’s request for information within the shortest possible time limit, but not later than 30 days, using one of the contact details provided by the data subject.

    b) Right to rectification

The data subject may request, in writing, through the contact details provided in point 1, that the Controller rectify any of his/her personal data (e.g., change his/her e-mail address at any time). The Controller will comply with the request for modification within the shortest possible period of time, but not more than 30 days, and inform the data subject thereof using one of the contact details provided to him/her.

    c) Right to deletion

The data subject may at any time request in writing the deletion of his/her personal data processed by the Controller, using the contact details provided in point 1.

If the Controller is not allowed to delete the personal data processed by it due to a legal obligation, the data subject’s request for deletion will be rejected, stating the reasons. Unless there is a legal impediment to the deletion of the data subject’s personal data by the Controller, the Controller will grant the data subject’s request for deletion and his/her personal data will be permanently deleted within 30 days of receipt of the request by the Controller and it will inform the data subject thereof using one of the contact details provided to the Controller.

    d) Right to restriction of processing (blocking)

The data subject may request in writing, through the contact details provided in point 1, that his/her personal data be blocked by the Controller. The blocking lasts as long as the reason indicated by the data subject makes it necessary to block the data.

The data subject may request the blocking of his/her data, for example, if he/she believes that personal data have been unlawfully processed by the Controller, but it is necessary for the purposes of official or judicial proceedings initiated by the data subject that the personal data are not deleted. In this case, the Controller will store the personal data (or the document containing it) until requested by the authority or court, after which the data will be deleted.

    e) Right to object

The data subject has the right to object in writing to the processing of his/her personal data through the contact details provided in point 1, if he/she considers that the Controller would transfer or use his/her personal data for purposes other than those set out in this Data Protection Notice without the data subject’s prior consent. For example, the data subject may object to the Controller using his/her personal data for direct marketing purposes without his/her consent. The data subject may also object to processing where the processing by the Controller is necessary for the purposes of the legitimate interests pursued by the Controller, except for processing based on a legal authorisation.

  16. Enforcement opportunity related to processing

In addition to exercising the rights set out in point 14, the data subject has the following remedies.

    a) Filing a complaint to the data protection officer

If the data subject wishes to lodge a complaint regarding the processing of his/her personal data, he/she may contact the Controller’s Data Protection Officer at one of the following contact details:

Dr Dombi Ügyvédi Iroda

Registered office: 1055 Budapest, Falk Miksa utca 4., 4. em. 1.
E-mail address: [email protected]
Telephone: +36 1 786 1771
Website: drdombi.hu

    b) Initiation of court proceedings

Within the context of the exercise of the data subject’s rights or in the event of a breach of the law in the processing of his/her personal data, the data subject may bring a civil action against the Controller. Hearing such cases falls within the competence of the regional court. The action may be brought before the regional court in whose jurisdiction the data subject’s home address or place of stay is located. Such court proceedings are conducted as a priority. In the event of finding an infringement, the data subject may claim damages and compensation, and the court may order the Data Controller to exercise the data subject’s rights.

Further information and the contact details for the regional courts can be found at the following link: http://birosag.hu/torvenyszekek

    c) Submitting a complaint to the supervisory authority

If the data subject has suffered an offence related to the processing of personal data, he/she may contact the supervisory authority using one of the following contact details.

National Authority for Data Protection and Freedom of Information

Registered office: 1055 Budapest, Falk Miksa utca 9–11.
E-mail address: [email protected]
Telephone: +36 1 391 1400
Website: www.naih.hu

Budapest, September 2022