DATA PROCESSING GUIDE
I. GENERAL INFORMATION, THE CONTROLLER
I.1. Business activities related to data processing
Present Data Protection Guide (hereinafter: ‘Guide) refers to data processing executed within the franchise network of Duna House. Duna House franchise network offers property sales, real estate agencies services for persons contacting them (for example: property sales, rental, other uses: seeking property for the purpose of buying or renting, etc.), and helps to avail and mediate other services in connection with it (for example: loan, energy certificate, value appraisal, etc.) Detailed information about the offered services of Duna House is available on www.dh.hu Website. (hereinafter: ‘Website’) or in any Duna House office.
In Duna House franchise network, the actual services are performed by Franchise and Sub-Franchise partners (hereinafter: “Partners”) in contractual relationship with the franchise owner (DUNA HOUSE FRANCHISE Kft.). The franchise partners are independent companies in contractual relationship with the owner, and they are members of the Duna House franchise network due to that contract. Sub-Franchise partners are independent companies in contractual relationship with the owner, and they are members of the Duna House franchise network due to this contract. Franchise and Sub-Franchise partners make actual business activity and provide services together.
1.2. Identity of the Controllers
Considering that in accordance with section 1.1 above those activities related to data processing can be carried out by several people, data processing in connection with certain activities can have several controllers. Therefore, the personal data of the Data Subjects are processed by the following controllers according to the present Guide:
DUNA HOUSE FRANCHISE Ltd.as the owner of the Duna House franchise and the operator of the Duna House franchise network (seat: 1016 Budapest, Gellérthegy utca 17, company registration number: 01-09-727540; e-mail: adatkezeles@dh.hu ; telefon: +36-1/555-2222; hereinafter: „DUNA HOUSE”). Duna House maintains this Website independently, without the contribution of the following controllers.
Franchise partner: The member of Duna House franchise network operating an agency and varies on real estate activity due to the concluded franchise contract with DUNA HOUSE. Franchise partner’s data can be found in the management contract as well as in every document concluded for contacting between the Franchise partner and Data Subject, or which contains data given by Data Subject, furthermore they are also available in the agency operated by the concerning Franchise Partner.
Sub-Franchise partner: The member of Duna House franchise network who carries out real estate activity due to the contractual relationship with DUNA HOUSE franchise partner in Duna House agency operated by the Franchise Partner. Sub-Franchise partner’s data can be found in the management contract as well as in every document concluded for contacting between the Sub-Franchise partner and Data Subject.
Where the present Guide uses ’Controllers’ expression, it means both DUNA HOUSE, Franchise Partner and Sub-Franchise partner.
Where the present Guide uses ’Partners’ expression, it means both Franchise Partner and Sub-Franchise partner.
1.3. Relationship and connection between DUNA HOUSE, Partners and real estate agent
Duna House franchise network is owned and operated by DUNA HOUSE as the owner of the franchise. DUNA HOUSE develops and operates the IT system used for taking assignments, service supplies, surveys on service demands. DUNA HOUSE defines printed matters to be applied during data processing, contracts, distribution processes, breach of contract procedures to be followed.
Partners in all cases record data in DUNA HOUSE IT system. Taking into account the fact that DUNA HOUSE provides the systems, documents, printed matters, procedurals for the Partners which define data processing, in addition it contributes to compliance, DUNA HOUSE shall also be considered a controller.
Franchise partner operates the agency under a franchise agreement concluded with DUNA HOUSE in all cases. On the basis of the franchise agreement the Partner uses the IT system, printed matters of DUNA HOUSE.
Franchise and Sub-Franchise partners contact the Data Subject; Partners provide services for Data Subject so Partners shall be considered controllers as well.
On the basis of the above DUNA HOUSE defines the purposes, instruments and rules of Data processing. Given that the Partners are in direct connection with Data Subject, Partners are processing data on the basis of the concluded contract with Data Subject or the Data Subject’ consent. With reference to the fact that the purposes and instruments of data processing are not defined together with the controllers, they are not constituted as common controllers. Thus, each processing of the controllers is independent, in the meantime most data processing activity is materialized by the common activity of the controllers, so both DUNA HOUSE and the Partners are considered as controllers.
Real estate agent is the person who acts in the name and representation of Sub-Franchise Partner due to legal relationship with Sub-Franchise Partner in the course of the management contract.
Real estate agent can be the self-employed Sub-Franchise partner, or the executive, employee, subcontractor of the Sub-Franchise Partner. Real estate agent does not act independently during the provision of services. Real estate agents carry out their activity in the name of Sub-Franchise partner and in the favor of DUNA HOUSE and the Partners, in accordance with their instructions, in all cases. The process and tasks of real estate agents are specified in detail by DUNA HOUSE and the Partners, real estate agents are controlled by DUNA HOUSE and the Partners. Real estate agents are not authorized to conclude a contract with Data Subject independently, to act and benefit on his own or to supply services for them. Real estate agents, in all cases record data in DUNA HOUSE IT system and in it’s forms. If the real estate agent is a subcontractor of the Sub-Franchise partner, he/she shall be considered a data processor. (hereinafter: ‘Data processor’).
1.4. Data processing of the individual Data processors
Taking into account that DUNA HOUSE is the owner and operator of the whole Duna House franchise network, DUNA HOUSE processes all data of persons contacting Duna House franchise network. Partners process strictly data of Data Subjects, who concluded a contract with them.
The www.dh.hu Website is exclusively maintained by DUNA HOUSE, so regarding to the Website the data processor is only DUNA HOUSE.
Franchise and Sub-Franchise Partner contacting the Data Subject (who concludes management contract, signs a Memorandum of Visit, asks for property presentation) process data of Data Subject, as well as DUNA HOUSE processes data of Data Subject every time.
1.5. The Data Subject
The person concerned with data processing is the client, who contacts Controllers and Data processors and in the course of this gives their personal data for concluding a contract and for receiving services. Data Subject is also the person whose data is received by the Controllers in any other way (from other concerned, from a client, from public sources).
1.6. Governing legislation
Controllers carry out their activity under European Union and Hungarian legislation. Primarily the General Data Protection Regulation of the European Union relates to data processing. (Regulation of the European Parliament and the Council (EU) 2016/679, (27/04/2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (in the following: GDPR). The text of GDPR is available in the http://eur-lex.europa.eu/legal-content/HU/TXT/?uri=CELEX:32016R0679 website.
Additional relevant laws and regulations:
• Law CXII of 2011 on the right to self-determination as regards information and freedom of information,
• Law LIII of 2017 on the prevention of money laundering and the financing of terrorism. (concerning to identification, reporting, registration data laid down by law, in the following:’Pmt’),
• Under article 169§ law C of 2000 on accounting (as regards the supporting of documents),
• Law XLVIII of 2008 on the basis requirements and certain restrictions of commercial advertising. Access to relevant legislations: http://net.jogtar.hu/
1.7. Scope of the Information
The present Guide only covers processing on the scope of GDPR.
On the basis of GDPR personal data is any relevant information on identified and identifiable natural person (hereinafter: “Data Subject”), Identifiable natural person should be identified according to direct or indirect manner, on the basis of one or more factors, especially by an identification (for example: name, number, location data, online identifier) or by means of the physical, physiological, genetic, mental, economic, cultural or social identity.
Thus the scope of present Guide does not cover data concerning non-natural persons (e. g.: data of companies) or which do not have any connection with natural persons (e. g.: statistical information, anonymized data). The scope of this Guide strictly covers the processing of Controllers.
II. PRINCIPLE, PURPOSE, LEGAL BASE OF DATA PROCESSING
2.1. Principles of data processing
Data shall be processed legally, fairly and in a transparent manner for the Data Subject by the Controllers. Controllers shall endeavor to process correct and up to date data. The rights of Data Subject are ensured by the Controllers and they shall take the necessary measures to keep processing legally in any phase of data processing.
2.2 Purpose of data processing
The primary purpose of data processing is the provision of the Controller’s services, and the carry out of related business activity. The purposes of data processing within shall include:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Registry of the Data Subject’s property for sale or rent in the IT system, sale transaction support;
-
Publication of the property’s advertisement, search for potential buyers (tenants);
-
Identification of the needs of the Data Subject looking for real estate;
-
Establishing contact between clients offering and looking for real estate, support of the transaction in relation of the real estate;
-
Intermediation between the parties in connection with the real estate;
-
Establishment and fulfillment of the assignment contract between the Data Subject and Data Controllers;
-
Provision of related services (such as energy certificate, value appraisal, setting of the property for client visit), as well as the support of establishing contact with the persons providing the services;
-
Execution of rights arising from the contract, fulfillment of undertakings.
-
Assessment of loan needs when required, establishing contact with the financial expert;
-
Establishment and fulfillment of the assignment contract between the Data Subject and Data Controllers;
-
Provision of related services (such as energy certificate, value appraisal, setting of the property for client visit), as well as the support of establishing contact with the persons providing the services;
-
Execution of rights arising from the contract, fulfillment of undertakings;
-
Enforcement of claims in cases of breach of contract (such as circumvention);
-
Compliance with relevant regulations;
-
Complaint management, customer protection;
-
Promotion upon the Data Subject’s prior consent;
2.3. Legal base of data processing
Given that, Controllers process personal data for several purposes, the legal base of the process can also be diverse. The main legal bases are the following, whereas the actual legal bases related to each processing are noted in paragraph IV of the Guide.
Data subject’s consent (GDPR article 6 1/a)
The legal base of processing is primarily the Data Subject’s consent. Data Subject can give their consent by contacting the Controllers and initiate to consume services. When one of the Controllers records data of the Data Subject, the consent of the Data Subject is given by the acceptance of the processing information. In case of online registration, the request of consent is given by accepting a check-box.
The consent is voluntary in all cases. Controllers’ services are available elsewhere, and are replaceable, these are conditional services in the substantial part of the cases, so to establish contact with the Controllers and to receive services or to enquire about receiving services are based on the voluntary decision of Data Subject.
Controllers inform Data Subject about the processing in all cases. Information in the form for data recording contains the abridged, the principal information defined in GDPR, and the present Guide is also available for Data Subject (via online platform as well as at the Franchise partners and the Sub-Franchise partners).
Contract concluded between Controllers and Data Subject (GDPR Article 6 1/b)
If Data Subject concludes contract with Controllers and gives data in the contract, and in the related forms necessary for the performance of the contract. The contract contains information for the Data Subject about processing in any cases.
If data Subject gives their data before concluding the contract in order to prepare and conclude the contract, to assess needs, Controllers process data of Data Subject in order to carry out these steps, in line with informing the Data Subject.
Conclusion of the contract is voluntary in all cases. Data Subject can make a ruling on the bases of the servicing and processing information whether to conclude the contract or not. Under this paragraph processing is carried out in the interest of Data Subject performance of the contract and the initiated actions of Data Subject, based on the referred section of the GDPR.
If Data Subject has not given his consent to the insisted or to the procession of indicated data in the contract it has the right to refuse data. If the processing of data is compulsory under legislation or the contract is not feasible in the absence of data, the contract has not been reached since the absence of data. Data Subject should be informed from this in all cases.
Compliance with a legal obligation (GDPR Article 6 1/c)
In certain cases, the legal base of processing are legal provisions. The main legislation with related provisions on data processing are regulations specified in Article 1.4.
The purpose of the legitimate interest pursued by the controller or by a third party (GDPR Article 6 1/f)
If processing is necessary for the purpose of the legitimate interest pursued by the controller or by a third party, data has been used by controllers to the purpose of interest pursued above. According to this paragraph, processing is exceptional, it can happen only on a basis of specific treatment (so called, balance of interest test), in the specified cases of this prospectus. Controllers identify exactly that interest which justifies procession and analyze the feasibility of processing in another manner (legal basis) during the balance of interest test, in any cases. During the balance of interest test the adversely effects of the rights of Data Subject is tested all cases and the possibility of those measures, which reduces the adverse effects of these rights, or assist Data Subject in pursuit of interests.
III. DESCRIPTION OF DATA PROCESSING, SCOPE OF PROCESSED DATA
3.1. Description of the data processing procedure
Data Controllers carry out their activity on several platforms, i.e through Duna House braches operated by Franchise partners, via the DUNA HOUSE operated Website, and the call centers operated by DUNA HOUSE.
When a data Subject is offering a real estate for sale (rent), an assignment is given for the sales, and the contract is concluded with the Partners in all cases. Partners provide their services as Assignees, by using the IT and operative system and documentation background operated by DUNA HOUSE. In this case, the Data Subject provides the required data in the contract and related forms. The employee of the Partner (real estate agent) records the data, prepares the advertisement of the given real estate and takes the photographs of the real estate to be posted on the advertisement. Data Controllers publish the finalized advertisement on the Website, certain real estate portals (such as ingatlan.com, otthonterkep.hu, etc.), internal materials and certain public platforms (brochures, agency portals). No personal data is indicated in the advertisement, only contact information in relation of the Partners and the real estate agent.
In case of a search for real estate, the Real estate agent registers the needs and personal data –in possession of a valid assignment- of the client in DUNA HOUSE’s IT system. When a real estate is presented to the Data Subject, their data and the data of the visited real estate are indicated on the Memorandum of Visit.
When related services are also provided (such as loan, energy certificate, value appraisal), the Real estate agent or the Partners forward the Data Subject’s data for the service provider. In case when the Data Subject register themselves on the Website and provide their personal data, by doing so they accept the present Guide. Afterwards, Data Subject is entitled to use the services on the Website, publish advertisements, sign up for a newsletter.
Upon the termination of the assignment contract (fulfillment, termination, expiry), or when the Data Subject is not provided the services of the Data Controllers anymore, the advertisement becomes inaccessible. When this happens, the Controllers delete the data, or store the data in a way and for a term in accordance with the present Guide.
3.2. Submission of data
Data Controllers obtain data primarily from the Data Subject. Data submission is carried out in the following ways:
Via the Website: When Data Subject contacts Data Controllers through the Website, their data is provided via the Website, on the designated platform. By doing so Data Subject accepts the present Guide, and gives their consent to data processing in accordance with the Guide. Data Subject shall declare to accept the data processing (by checking the relevant box).
Via the Partner: When Data Subject contacts the Partners, data is recorded by the Partners on special forms. Data Subject shall declare to accept the data processing in this case as well.
Data submission in other way: Data Controllers record the data (telephone number, email address) provided by the Data Subject (in an advertisement for example) with the purpose to establish contact. In other cases, Controllers take data from other sources exclusively when entitled by law. Controllers use data obtained from publicly available databases (especially from real estate register) when it is necessary for the fulfillment of the data processing purpose.
3.3. Scope of processed data
Data Controllers process the following data of natural persons:
-
data needed for identification:Surname and name, place and date of birth, mother’s name, permanent address, or address of residency, type and serial number of identification document of the Data Subject. The objective of the data processing is the identification of the Data Subject, the contact, and should it become necessary the enforcement of claims in relation of the Data Subject. data must be provided for the conclusion of a contract, or the establishment of any other legal relation (such as the signing of the Memorandum of Visit), in lack of which the contract cannot be concluded, with reference to the fact that without the referred data the fulfillment of the contract or the enforcement of claims is not possible.
-
Data related to regulatory client screening: in addition to the above data in section a., it includes the nationality of the Data Subject, the fact of acting in its own name or another actual owner –in the latter case, the surname and name, birth name, nationality, place and date of birth, permanent address or address of residency, information on being a publicly exposed person of the actual owner. In case when the client is not a natural person, the Controller processes the name, title of the legal representative, the identification information of the representative, as well as data in relation of the nature and volume of owner’s interest. The required data must be provided for the establishment of a business relation. Legal base of the data processing is the compliance with the AML law.
-
Data required for contact: name, address, telephone number, email address. Submission of the data supports the establishment and keeping of contact between the Data Controllers and the Data Subject. If the Data Subject fails to provide the necessary contact information, Controllers may be unable to contact them and provide the services. Therefore, should the Data Subject assign the Controllers for the provision of services, the required contact information shall be provided.
-
Data in relation of the real estate: address, topographical lot number, floorspace, other relevant information for the support of the sale, information in connection with the price (rental fee). When the Data Subject is a seller, submission of data is required as Controllers are unable to provide the services, advertise the real estate and offer it to potential buyers in the lack of data.
-
Photographs taken of the real estate: Real estate agent takes photographs of the real estate, which are to be attached to the advertisement of the real estate. All photos are taken with the consent of the Data Subject, in a way that personal belongings stay out of sight as much as possible. Taking photographs is not required, but without them, the sales of the real estate is more difficult. The taken photos are stored in the Controller’s IT system.
-
Data in relation of the searched real estate: When Data Subject is looking for a real estate Controllers process the data provided by the Data Subject in relation of the searched real estate (such as floorspace, price, and location).
-
Recorded telephone conversation: telephone conversations between the Data Subject and the Controllers may be recorded by the Controllers, should the nature of the conversation require so. Recording can be made only upon the prior consent of the Data Subject, with the Data Subject receiving relevant information. Should the Data Subject fail to give their consent, the activity can be carried out without recording. The purpose of recording is complaint management, consumer protection, and registry of the Data Subject’s declarations. Legal base of the data processing is the Date Subject’s consent, which is given by the act of the continued conversation following the receipt of the information on the fact of recording.
-
Data in relation of fee payment: When Data Controllers issue an invoice, they process the data necessary for the issue (buyer’s name, address, title of service, expiration, exact fee).
-
Data in relation of the needs. Should a dispute arise between the Data Subject and the Controllers (with special reference to cases when the Data Subject fails to settle the fee, or sells the real estate to a buyer by circumventing the Partners), Controllers process data in connection with the dispute’s legal base, nature and volume, as well as proof behind the enforcement of the claim.
3.4. Place of the data processing
Paper based documents shall be kept by the Franchise partner in all cases. All the data shall be registered in the DUNA HOUSE system, and this is where the pictures, copies of the documents are uploaded, therefore the place of the data processing is the IT system of DUNA HOUSE and the seat, branch of DUNA HOUSE.
IV. DIFFERENT DATA PROCESSING ACTIVITIES
4.1. Data processing related to the sale, lease of real estate
Description of the data processing activity: The primary service of Data Controllers is real estate intermediation, and the support of real estate sales and lease activity. These services are provided by the Partners, based on an assignment concluded with the Data Subject, using the IT and procedure system of DUNA HOUSE. The data processing involves the conclusion of the contract, the registry of data, the advertising activity, the visit of the property, and the search for potential buyers.
Scope of processed data: Processed data is the data listed in the above 3.4 section.
Purpose of the data processing:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Registry of the Data Subject’s property for sale or rent in the IT system, sale transaction support;
-
Publication of the property’s advertisement, search for potential buyers (tenants);
-
Establishing contact between clients offering and looking for real estate, support of the transaction in relation of the real estate;
-
Intermediation between the parties in connection with the real estate;
-
Establishment and fulfillment of the assignment contract between the Data Subject and Data Controllers;
-
Provision of related services (such as energy certificate, value appraisal, setting of the property for client visit), as well as the support of establishing contact with the persons providing the services;
-
Execution of rights arising from the contract, fulfillment of undertakings.
Legal base of the data processing: The consent of the Data Subject serves as the legal base for the data processing, as well as the fulfillment of the contract between the Data Subject and Data Controllers, and the execution of actions initiated by the Data Subject.
Term of data processing: Term of data processing is eight years following the termination of the contract. The length of the term is reasoned by the fact that both parties may present claims following the termination of the contractual relation. In relation of data under the AML Act, the prevailing term for data preservation is also eight years.
4.2. Data processing connected to real estate search
Description of data processing: In cases whena Data Subject with the intention to buy (rent) property contacts the Data Controllers (primarily Partners), they register the Data Subject’s data, as well as data in relation of the desired property. When the Data Subject enters into a contract with the Partners, Data Controllers shall proceed during the search in accordance with the contract.
Scope of processed data: Data in accordance with sections c. and f. of the above 3.4 point, or when concluding a contract sections a-b.
Purpose of data processing:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Identification of the needs of the Data Subject looking for real estate;
-
Establishment and fulfillment of the assignment contract between the Data Subject and Data Controllers;
-
Intermediation between the parties in connection with the transaction;
-
Assessment of loan needs when required, establishing contact with the financial expert;
-
Establishment and fulfillment of the assignment contract between the Data Subject and Data Controllers;
-
Execution of rights arising from the contract, fulfillment of undertakings.
Legal base of the data processing: The consent of the Data Subject serves as the legal base for the data processing, as well as the fulfillment of the contract between the Data Subject and Data Controllers and the execution of actions initiated by the Data Subject.
Term of data processing: When no contract is concluded, the Data Controller shall delete the data, when the search is closed with no result and the data processing has no other purpose. In case of conclusion of a contract, the term for data processing is five years. The length of the term is reasoned by the fact that claims may be presented following the termination of the contractual relation.
4.3. Memorandum of Visit
Description of data processing: When the Partners are showing a real estate to the Data Subject, the identification of the visited real estate and the client shall be indicated on the Memorandum of Visit. Afterward, the purpose of the Memorandum of Visit is to prove that the given real estate had been introduced to the Data Subject by the Partners.
Scope of processed data: Data in accordance with sections a. and c. of the above 3.4 point, as well as the visited property’s address and topographical lot number.
Purpose of data processing:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Establishing contact between clients offering and looking for real estate, support of the transaction in relation of the real estate;
-
Intermediation between the parties in connection with the transaction;
-
Assessment of loan needs when required, establishing contact with the financial expert;
-
Execution of rights arising from the contract, fulfillment of undertakings.
Legal base of the data processing: The consent of the Data Subject serves as the legal base for the data processing, as well as the fulfillment of the contract between the Data Subject and Data Controllers and the execution of actions initiated by the Data Subject.
Term of data processing: Data Controller shall preserve data for five years following the termination of the contract. The length of the term is reasoned by the fact that claims may be presented following the termination of the contractual relation.
4.4. Enforcement of needs and claims
Description of data processing: Should a legal dispute arise between the Data Controllers and the Data Subject, and should any of the parties submit a claim towards the other party (financial or of other nature), the data required may be used during the process. Most common causes for claims on the side of Data Controllers: circumvention (when Data Subjects introduced to each other by the Controllers establish a legal relation by circumventing the Controllers with the definite purpose to avoid commission payment), refusal of payment obligation (when Data Subject fails or refuses to settle the due payment). When such happens, Controller process data with the purpose to provide proof for the claim, and –should it be necessary- proceed with the legal enforcement of the claim. Within the procedure, the claim may be proven and enforced legally.
DUNA HOUSE’s procedure during the enforcement of receivables: With reference to the relation between the Controllers, receivables are enforced by the Controllers jointly even in the case when Data Subject fails to fulfill its obligations towards the Partners. In this case partners may assign DUNA HOUSE to enforce the claim and handle the receivables; when DUNA HOUSE acts as the assignee. Should it happen so, DUNA HOUSE shall step in the place of the Partners and proceed as the entitled entity for the enforcement of the claim.
Scope of processed data: Scope of the processed data depends on the nature, legal base and type of the given claim. Any of the data identified in section 3.4 may be used, if required by the enforcement of the claim.
Purpose of data processing:
-
Execution of rights arising from the contract, fulfillment of undertakings;
-
Enforcement of claims in cases of breach of contract (such as circumvention).
Legal base of the data processing: The legal of data processing is partly governed by law, in accordance with regulations, the enforcement of which is possible within the legal relation between the parties. When the need is based on a contract, the legal base is the fulfillment of the concluded contract between the Data Subject and the Controllers. The legal base also involves the enforcement of the Controllers’ rightful interests.
Term of data processing: The data processing shall continue until the enforcement of the claim, or in lack of it, up to when the claim is enforceable in a legal way. Controllers shall delete the data when the claim becomes unenforceable, especially in cases of expiry of limitation, or unsuccessful claim enforcement.
Short introduction to the interest assessment test:
-
In accordance with the present section, the main interest of Data Controllers is to receive the compensation, due upon the fulfillment of the contract concluded between them and the Data Subject.
-
Data processing shall in all cases serve the enforcement of a claim that is based on a contract or the obligation of any of the parties (such as the potential buyer’s undertaking to acquire the visited real estate through the controllers); the conclusion of the contract or the undertaking is always based on the Data Subject’s free will and consent. That is, Data Subjects have undertaken to retrain from circumventing the Controllers, and to settle the due compensation as indicated in the contract when provided the services.
-
It is the Controllers’ rightful interest and right, based on a contract, to receive the compensation according to the contract.
-
Should the Data Subject fail to fulfill the Controller’s rightful claim, Controllers shall have no other choice than the way of legal enforcement, in accordance with the relevant regulations, i.e. there is no other option to reach the original purpose.
-
It is the condition for claim enforcement to use the data that is necessary for the support, proof of the claim, and to act in the necessary procedures; without using the above referred data the claim is unenforceable, as Controllers are unable to provide proof and proceed.
-
With reference to the fact that the reason behind this type of procedure is the Data Subject’s act against the law, and that the data processing is executed as defined by the lay (during the procedure), the data processing shall not be regarded as undue limitation.
Taking into account the parties’ co-partnership and equal treatment, should the Data Subject initiate claim enforcement against the Controllers, Controllers shall hand over the processed data.
4.5. Promotion
Description of data processing: With the Data Subject’s prior consent Controllers may send promotion materials. These promotion materials (newsletters) contain information on the Controllers’ services, or related products, services that are in close connection with the Controllers’ services. Promotion materials shall be sent only upon Data Subject’s prior consent in the form of a separate declaration or by checking a relevant box on an official form or through the Website. Controllers are not traders of promotion content, i.e. will not send materials compensated for by third parties.
Scope of processed data: Data in accordance with section c. of the above 3.4 point
Purpose of data processing:
-
Promotion upon the Data Subject’s prior consent
Legal base of the data processing: Data Subject’s consent is the legal base of data processing.
Term of data processing: Data processing may continue until the withdrawal of the consent by the Data Subject, or until the Data Subject’s objection in relation of further promotion purpose data processing, or objection in relation of promotion purpose data processing in general. When the Data Subject’s data is deleted, promotion purpose data processing is terminated as well.
4.6. Data processing in order to prevent money laundering and terrorist financing
Description of data processing: Controllers process Data Subject’s personal data with the purpose to comply with the customer due diligence related provisions of the AML (Act on Money Laundering). When establishing the business relationship, Partner shall register Data Subject’s data as defined in the AML, and should a related AML provision regulate so, provide the data for the entitled official body.
Scope of processed data:Data in accordance with section a-b. of the above 3.4 point
Purpose of data processing:
-
Compliance with the relevant law
Legal base of the data processing: Provisions in the AML defining control, data recording and registry.
Term of data processing: In accordance with § 56 of the AML, the term of data processing is eight years following the termination of the business assignment.
4.7. Data processing on the Website
Description of data processing: When Data Subject registers on the Website and provides data, those are processed by DUNA HOUSE, as the Website operator. The purpose of data processing is –depending on the services chosen by the Data Subject- the sending of newsletter or the advertisement of the real estate uploaded by the Data Subject. DUNA HOUSE indicates the data of the real estate uploaded by the Data Subject on the Website, and makes it searchable within the system for those searching. When Data Subject is offering a real estate for sale (rent), DUNA HOUSE forwards the provided data for the Partner whose agency is located closest to the given real estate. When Data Subject concludes a contract with the Controllers, data processing shall be executed in accordance with above 4.1 section. In connection with the Website, technical data is processed, and cookies are applied, in accordance with the below 5.4 section.
Scope of processed data: Data in accordance with section c-e. of the above 3.4 point
Purpose of data processing:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Registry of the real estate to be sold, or rented out in the IT system, promotion of the sale (rent);
-
Publication of advertisements related to the real estate, search for potential buyers (tenants);
-
Execution of rights arising from the contract, fulfillment of undertakings;
Legal base of the data processing: Data Subject’s consent is the legal base of data processing.
Term of data processing:Data processing may continue until the withdrawal of the consent by the Data Subject, or until the purpose of data processing ceases. When the Data Subject enters into a legal relation with the Controllers (for example concludes a contract), data processing thereafter is carried out based on the legal relation.
4.8. Data processing connected to invoicing
Description of data processing: When a payment obligation is due on the side of the Data Subject, the entitled Data Controller (primarily the Partner) prepares the relevant invoice and places it among book keeping data.
Scope of processed data:Data in accordance with section h. of the above 3.4 point
Purpose of data processing:
-
Compliance with the relevant law
Legal base of the data processing: Act C. of 2000 on Accounting is the legal base of data processing.
Term of data processing: Term of data processing is eight years following the issue date of the invoice.
4.9. Cooperation of real estate market players independent from DUNA HOUSE (Property Sharing System (PSS), Otthon Centrum, Smart Ingatlan)
Description of data processing:Duna House Franchise network operates in cooperation with other real estate agency networks and market players with the joint goal of successful sales activity. Within the framework of the cooperation, data provided within exclusive assignment contract, registered as exclusive assignment is made available in the Property Sharing System (PSS)by the Controllers for the other participants of the PSS. PSS does not contain personal data, only data normally indicated in the advertisement of the real estate. When an interested person arrives through another real estate agency participating in the PSS, the real estate agent contacts the agent of the Partners representing the given property. The other agent signing in through the PSS does not have access to Data Subject’s personal data. The introduction of the given real estate shall take place in the presence of the Partner’s real estate agent in all cases.
Duna House Franchise network operates in cooperation with other real estate agency networks and market players with the joint goal of successful sales activity. Within the framework of the cooperation, data provided within exclusive assignment contract, registered as exclusive assignment are forwarded by the Controller for the cooperating network’s (Otthon Centrum, Smart Ingatlan)system for the other participants of the cooperating network. The partner network’s system contains only data normally indicated in the advertisement of the real estate, and the topographical lot number of the real estate. When an interested person arrives through a cooperating real estate agency, the real estate agent contacts the agent of the Partners representing the given property. The other agent signing in through the cooperating system does not have access to Data Subject’s personal data. The introduction of the given real estate shall take place in the presence of the Partner’s real estate agent in all cases.
Scope of processed data: Data in accordance with section d-e. of the above 3.4 point.
Purpose of data processing:
-
Registry of the real estate to be sold, or rented out in the IT system, promotion of the sale (rent);
-
Publication of advertisements related to the real estate, search for potential buyers (tenants);
-
In case of a Data Subject looking for a real estate, assessment of the needs;
-
Establishing contact between clients offering and looking for real estate, support of the transaction in relation of the real estate;
Legal base of the data processing: The legal base of data processing is the concluded contract with the Data Subject. When the Data Subject concludes a contract according to section 4.1 and signs an exclusive assignment, data of the real estate are uploaded in the PSS, or forwarded in the cooperating network’s systems.
Term of data processing:Upon the withdrawal of the exclusivity by the Data Subject, or the termination of the assignment, the data processing in the cooperation ceases.
4.10. Data processing connected to financial products intermediation
Description of data processing: When Data Subject is planning to apply for a loan for the real estate acquisition, the Partner registers their needs and forwards the data to the financial expert (HITELCENTRUM) in contact with the Controllers. The financial expert then contacts the Data Subject.
Scope of processed data: Data in accordance with section c. of the above 3.4 point, as well as the amount of the desired loan.
Purpose of data processing:
-
Assessment of the loan application, and establishing contact with the financial experts when required.
Legal base of the data processing: Data Subject’s consent is the legal base of data processing.
Term of data processing:Data processing in this case means a non-recurring data provision, during which the Partner hands over the data necessary for the establishment of contact to the financial expert.
4.1. Recording of telephone calls
Description of data processing:Controllers are entitled to record the telephone conversations with the Data Subject. Recording can be made only upon the prior consent of the Data Subject, and should the consent be denied, Data Subject is entitled to proceed in person, via email or postal mail. Data Subject is also entitled to require information regarding the recoding, its circumstances and the use of the recorded phone calls. Upon request Controllers shall enable the listening to the recorded conversation, or hand over the written copy of the conversation, or make a copy of it, and shall deliver it for the client in a usable form.
Scope of processed data: Data in accordance with section g. of the above 3.4 point.
Purpose of data processing:
-
Complaint management, consumer protection;
-
Execution of rights arising from the contract, fulfillment of undertakings;
Legal base of the data processing: Data Subject’s consent is the legal base of data processing, given by the act of the continued conversation following the receipt of the information on the fact of recording.
Term of data processing: Controllers shall store the recorded phone calls for the maximum of three months.
4.12. Data processing within Duna House franchise network
Description of data processing:Duna House franchise network – in line with the above- is a countrywide network including several Franchise and Sub-Franchise partners. With the purpose to exploit the advantages of a countrywide network, data on the real estates are uploaded in the IT system owned and operated by DUNA HOUSE, which system is accessed by every Partner. When a Data Subject looking for a real estate contacts a real estate agent connected to one of the Partners, and is planning to buy a real estate registered in the IT system by another Partner, the real estate agent contacted by the Data Subject contacts the Partners registering the named real estate. Personal data of the client concluding the contract is accessed by only the Partners who conclude the contract and registered the real estate. All other partners have access to data normally indicated in the advertisement of the real estate, or in the case of a potential buyer, they get access to the client’s name and telephone number. The IT system records the Partners and agents downloading the telephone number of a client.
Scope of processed data: Data in accordance with section d-e. of the above 3.4 point, and in case of a visit, the telephone number of the Data Subject.
Purpose of data processing:
-
Registry of the real estate to be sold, or rented out in the IT system, promotion of the sale (rent);
-
Publication of advertisements related to the real estate, search for potential buyers (tenants);
-
In case of a Data Subject looking for a real estate, assessment of the needs;
-
Establishing contact between clients offering and looking for real estate, support of the transaction in relation of the real estate;
Legal base of the data processing: The legal base of data processing is the Data Subject’s consent, the concluded contract between the Data Subject and the Controllers, and the execution of acts initiated by the Data Subject.
Term of data processing:data is stored in the IT system until the termination of the assignment contract.
4.13.Data processing in case of termination of the legal relationship between DUNA HOUSE, the Franchise partner and the Sub-Franchise partner
Description of data processing:Should the legal relationship between DUNA HOUSE and Franchise partner terminate, and should Franchise partner step out of Duna House franchise network, registered data shall be used exclusively by DUNA HOUSE. When a new Franchise partner starts to operate on the given territory, the new Franchise partner shall have access to the data of the real estate and the Data Subject’s telephone number. In this case, the new Franchise partner is entitled to call the Data Subject with the purpose to conclude an assignment.
Should the legal relationship between DUNA HOUSE and the Sub-Franchise partner terminate, and should Sub-Franchise partner step out of Duna House franchise network, registered data shall be used exclusively by Franchise partner and DUNA HOUSE. Franchise partner has access to data of the real estate and the Data Subject’s telephone number, and may, based on the assignment contract, forward it to a designated other Franchise partner. In this case, the new Sub-Franchise partner is entitled to call the Data Subject with the purpose to conclude an assignment.
Scope of processed data: Data in accordance with section d-e. of the above 3.4 point, and the telephone number of the Data Subject.
Purpose of data processing:
-
Identification of the Data Subject, establishing and keeping contact with the Data Subject;
-
Registry of the real estate to be sold, or rented out in the IT system, promotion of the sale (rent);
-
Publication of advertisements related to the real estate, search for potential buyers (tenants);
-
Conclusion and execution of the contract between the Data Subject and the Controllers;
-
Execution of rights arising from the contract, fulfillment of undertakings;
Legal base of the data processing: The legal base of data processing is the Data Subject’s consent, the concluded contract between the Data Subject and the Controllers, and the execution of acts initiated by the Data Subject.
Term of data processing:Term of data processing shall take place in accordance with section 4.1.
V. OTHER INFORMATION RELATED TO DATA PROCESSING
5.1. Data forwarding
Data controllers are entitled to forward personal data to third parties only in possession of an unambiguous consent –with information on the scope and recipient of the data- of the Data Subject, or when entitled to forward data by law.
5.2. Data processors
Controllers are entitled to use data processors when carrying out their activities. Data processors are not entitled to make decisions, and must proceed based on a written contract with the Controllers during their activity, in accordance with the provisions in the contract and the Controllers’ guidelines, in the Controllers’ name. Data Controllers carry out control over the data processors’ activity. Data processors are entitled to involve other data processors only upon the Controllers approval. Controllers use real estate agents in contractual relationship with them for data processing activities.
5.3. Data security
Data Controllers shall provide for the security of data, i.e. take the necessary technical and organizational measures and develop the procedures and regulations which enable the fulfillment of data security requirements. Data Controllers shall store the processed data in compliance with the prevailing legal regulation, making sure that the data is accessible only to those employees and other persons acting in the Controllers interest, whose scope of activity or work requires so.
Data Controller shall, within the framework of their data security related tasks, especially provide for the following:
-
Measures for protection against unauthorized access, including the protection of software and hardware devices, as well as physical protection (physical access, network protection)
-
Measures for enabling data restoration, including regular back-up, separate and secure storage of the back-up, secure handling (mirror, back-up);
-
Anti-virus protection of databases (anti-virus protection);
-
Physical protection of databases and data storage devices, including protection against fire, water, thunder and other elemental damages, as well as the restoration plans for such damages (archives, fire protection);
Data Controllers shall, in order to protect paper-based documentation, shall take the necessary measures, especially regarding physical security and fire-protection.
Employees, assignees, as well as other persons acting in Controllers’ interest must keep, store and protect the data storage devices used by them or belonging to them, where personal data is stored, irrelevant of the method of data registry.
5.4. Technical data and cookie management
When Data Subject visits the Website, the system behind the Website automatically records the IP address of the user, the time of visit, and in certain cases –depending on the settings on the computer- the type of the search and operation system. Data registered as such shall not be connected with other personal data. The storage of these data is for statistical purposes only.
Cookies enable the Website to recognize returning visitors. Cookies help DUNA HOUSE, as the Website operator in the optimization of the Website, and in developing the services of the Website in line with user practices. Furthermore, cookies are useful for:
-
remembering the settings for the user, which do not have to be given again when clicking on another page,
-
remembering data given earlier, which do not have to be given again,
-
analyzing Website use in order to provide relevant information for the most customer-friendly development of the Website, and support users in finding the needed information,
-
monitoring the efficiency of advertisements.
When DUNA HOUSE presents different types of content on the Website using external web-based services, it may result in the storage of certain cookies which are not monitored by DUNA HOUSE, therefore in relation of which DUNA HOUSE is not able to influence the data collected by external domains. Information on these cookies are found in the relevant regulation of the given services.
DUNA HOUSE uses the cookies to present advertisement for the Data Subjects via Google and Facebook. Data processing in this case is executed without humane involvement.
Users can chose a setting option of their computers to accept all cookies, or to reject all, or to inform the user when a cookie enters the device. Relevant setting options are generally found in the “Options” or “Settings” menu.
For more information on cookie settings, the www.aboutcookies.orgEnglish language Website offers detailed information.
5.5. Term of data processing
Data Controllers ensure the term of data processing staying within the necessary and regulated term by the development and implementation of relevant rules for deleting data. Data is deleted in the following cases:
-
Personal data is no longer needed for the purpose it had originally been collected or processed for. When the purpose of the data processing ceases, and data processing is not required by law, Controllers delete the data.
-
Data Subject withdraws their consent. When Data Subject withdraws their consent, or requests the deleting of the data, Controllers will check whether a relevant regulation requires obligatory data processing. When there is a provision as such, Controllers will reject the deleting of data. When data processing is not obligatory, but Controllers have the legal base and the data may be needed for the preparation of legal proposals, enforcement or data protection, Controllers will assess the request for the deleting. When data processing is not obligatory by law, and Controllers have no other legal base than the Data Subject’s consent, or despite an existing legal base data procession is not justified, Controllers will delete the data upon the Data Subject’s request. Should the Controllers reject the request for deleting the data, the Data Subject shall be notified in all cases, together with the indication of the legal base for the rejection, as well as the options for legal remedy.
-
Data Subject objects against data processing. When the base of data processing is the rightful interest of the Controller, Data Subject has the right to object. In this case, Controllers delete the data, unless it is proven that data processing is reasoned by constraining legal facts which have priority over Data Subject’s interests, rights and freedom, or which are connected to legal proposals, enforcement or data protection. When Data Subject object against promotion purpose data processing, Controllers will delete the data.
-
It becomes obvious that data processing is against the law. Should the data processing be against the law, Controllers shall delete the data as soon as the fact of unlawful data processing becomes obvious.
-
Deleting of data in required for the fulfillment of a legal obligation, or it is provisioned by court or the Hungarian National Authority for Data Protection and Freedom of Information. When the deleting of data is required by law, or has been provisioned by a court or the Authority, and the decision is final, Controllers will delete the data.
-
The originally defined term for data storage in accordance with a law or consent expires.When the term of data processing is defined by law, Controllers shall delete the data following the expiry of the defined term. Data defined in the AML shall be deleted by the Controllers eight years following the termination of the business relationship in accordance with §56; documents and data regarded as accounting documents in Act C. of 2000 on Accounting, shall be deleted by the Controllers after eight years.
When deleting data, Controllers shall make the data unsuitable for personal identification. Should a regulation require so, Controllers shall destroy the data storage device containing the given data.
5.6. Handling of data protection incidents
A data protection incident is the security breach which causes the unintended or unlawful destruction, losing, amendment, unlawful disclosure of forwarded, stored data or data processed in any other way, or which results is unlawful access to data. Controllers shall report the data protection incident to the Hungarian National Authority for Data Protection and Freedom of Information immediately, unless the data protection incident means no potential threat to the Data Subject’s rights and freedom. Data Controllers register data protection incidents, as well as the related measures. When the incident is regarded as serious (i.e. potentially high risk for the Data Subject’s rights and freedom), Controllers shall inform the Data Subject about the data protection incident with no delay.
VI. RIGHTS OF THE DATA SUBJECT AND ENFORCEMENT
6.1. Rights of the data Subject
Information (access). Data Subject has the right to receive information on the data processing of their data. Controllers shall inform the Data Subject about the data processing when taking their data, in addition to which the present Information is available for the Data Subject any time. Data Subject has the right to request comprehensive information on the processing of their data. Data Subject may also request a copy of processed data.
Correction. Data Subject has the right to request the correction of inaccurate, or the completion of their data.
Deleting, withdrawal of consent. Data Subject has the right to withdraw their consent to data processing, or request the deleting of data any time. Controllers will reject the request only when the data processing is based on legal requirement, or the data processing is required for the preparation of legal proposals, enforcement or data protection.
Limitation: Data Subject has the right to request the limitation of data processing in the following cases:
-
Data Subject questions the accuracy of the data, in which case the limitation shall apply for the period during which Controllers can check the accuracy of personal data;
-
data processing is against the law, and Data Subject is against the deleting of data, but requests the limitation of the use of data instead;
-
Controllers don’t need the personal data for data processing anymore, but Data Subject needs the data for the preparation of legal proposals, enforcement or data protection
-
Data Subject objects against the data processing, in which case the limitation shall apply for the period during which it is defined whether the Controllers’ rightful reasons act as priority over the rightful reasons of the Data Subject.
When data processing is restricted by limitation, all personal data can be processed –except storage- only upon Data Subject’s consent, or for the preparation of legal proposals, enforcement or data protection, or the protection of rights of another natural person or legal entity, or the common interest of the European Union or a member state.
Objection. When the data processing is based on the enforcement of the rightful interest of the Data Subject, the Controllers or a third party, the Data Subject has the right to –for a reason in connection with their own position- object against the processing of their personal data. In this case, Controllers can no longer process the personal data, unless Controllers prove that data processing is reasoned by constraining legal facts which have priority over Data Subject’s interests, rights and freedom, or which are connected to legal proposals, enforcement or data protection. When data processing is executed with the purpose of direct marketing, Data Subject has the right to object against the use of their personal data for such reasons at any time. When Data Subject object against marketing purpose data processing, Controllers terminate marketing purpose data processing.
Data delivery. Data Subject is entitled to receive their personal data in a widely known and used, readable format, and is also entitled to forward these data to another Controller, provided that data processing is executed in an automatic way. Data Subject has the right to –when technically feasible- request the forwarding of their data to another controller.
6.2. Ensuring Data Subject’s rights, handling of requests
Data Controllers shall inform the Data Subject about data processing when establishing the contact. Data processing information is also found on the official form through which the Data Subject provides the data, in addition to which the present detailed Information is also available for the Data Subject – a fact that shall be pointed out when informing the Data Subject.
Data Subject can submit their request to the Controllers in relation of the execution of their right in any form (verbally or in writing). Controllers shall assess the request with no delay, make a decision, and the take the necessary measures, Controllers shall inform the Data Subject about the taken measures within one month. The notice shall include information on the taken measure, or the information requested by the Data Subject. Should Controllers reject the request (do not take the necessary measures needed for the fulfilment of the request), the notice shall include the legal base, reasons for the rejection, as well as the possibilities for legal remedy.
Controllers do not define a fee or compensation in relation of the fulfillment of the request.
When the circumstances of the submission of the request do not guarantee that the request is coming from the Data Subject, controllers have the right to request the proof of identity, or the presentation of the request in a form that allows the unquestionable definition of the rightfulness. Data Controllers shall inform every addressee about the correction, deleting or limitation towards whom any data had been disclosed to, unless it is impossible or means a disproportional effort. Controllers shall provide information about these addressees upon Data Subject’s request.
6.3. Legal remedy
Data Subject, in case of offending their rights, has the right to request the termination of unlawful data processing from the Controllers, or to evaluate the rejection of the Data Subject’s request. Controllers shall investigate such complaints of the Data Subject in all cases and inform the Data Subject about the outcome.
Data Subjects can turn directly to the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; tel: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; web: www.naih.hu) is.
Data Subject has the right to turn to court when their rights are breached.
Controllers shall, upon the request of the Data Subject- provide detailed information on the entitled court and the way and possibility of making appeal.