Privacy Policy

Introduction

Dear New Client,

Those stipulated in this privacy policy (hereinafter: Policy) are accepted by TFCB Korlátolt Felelősségű Társaság (registered office: H-1097 Budapest, Nádasdy utca 15/B. fszt. 7.) as data controller (hereinafter jointly: Data controller) as binding to itself and it states that its data processing complies with those stipulated herein and in the relevant legislation.

The Data controller stipulates that it is a business association registered in Hungary and as a main activity, it, on the one hand, leases real properties in its own possession or use, and on the other hand mediates lease rights of properties owned by third parties.

The purpose of this Policy is to describe the principles and purposes of the data processing and other rights and obligations in line with the applicable laws that set out the purpose of the processing of your personal data, the duration and the methods of the processing and also your enforcement rights and remedies concerning the data processing.

The security and adequate processing of your personal data submitted to us is extremely important for us, therefore please read this Policy carefully and attentively. Should you have any questions or remarks concerning this Policy, then please do not hesitate to contact us before accepting the Policy at the e-mail address info@flatco.hu and our colleagues are ready to assist you.

Terms and definitions

Please find below a summary of the most important terms used in this Policy.

  1. Activities of the data processor: any activities on personal data concerning data processing actions that are carried out on behalf of the Data controller, irrespective of the method or tool used for the execution and irrespective of the location of the application provided that these activities are performed on personal data. Accordingly, data processors are such natural or legal persons, authorities, agency and other bodies that process personal data on behalf of data controller.

  2. Data processing: any operation or set of operations on personal data, irrespective of the method, including especially collection, recording, organization, storage, alteration, use, query, transfer, publication, alignment or combination, blocking, erasure or deletion and the hindering of the further use of the data.

  3. Data controller: data provided by the Data subject is processed by TFCB Korlátolt Felelősségű Társaság, namely exclusively this company may make and implement decisions related to the personal data of the Data subjects. Data of the Data controller:
    a) Seat and postal address: 1097 Budapest, Nádasdy utca 15/B. fszt. 7.
    b) Registration no: 01-09-981578 (registered by the Metropolitan Tribunal Court of Companies)
    c) Tax no: 23855997-2-43
    d) E-mail: info@flatco.hu
    e) Phone no: ………………………..

  4. Áfatv.: Act no. CXXVII of 2007 on value-added tax.

  5. Supervising authority: the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, address: 1125  Budapest, Szilágyi Erzsébet fasor 22/c.; e-mail: ugyfelszolgalat@naih.hu; Website: http://naih.hu; phone: +36 (1) 391-1400).

  6. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Commission on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  7. Infotv: Act CCII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.

  8. Personal data: personal data submitted by the Data subject. It includes data that relates to the Data subject, furthermore the conclusion that can be drawn regarding the Data subject based on the data. Information requested during the communication between Data subject and the Data controller qualify as personal data.

  9. Szt.: Act no. C of 2000 on accountancy.

  10. Data subject: a natural person establishing tenancy with Data controller or a third person through Data controller.

  11. Pmt.: Act no. LIII of 2017 on the prevention and combatting of money laundering and financing of terrorism.

  12. Contract: Lease contract regarding the real properties offered to be leased by Data controller, concluded by and between the Data subject and the Data controller or a third person.

Contracting process

  1. The purpose of the Data controller is to summarize the steps of the contracting process in this chapter. The specific legal grounds for the data processing activities may vary from step to step as follows.
    a) The contracting process is commenced exclusively based on the initiative of the Data subject. This initiation may take place via phone, e-mail or personally during which the Data controller calls the attention of the Data subject in its response to the fact that – as the Data subject itself initiated, requested contact with the Data controller for contracting purposes– during the initiation its certain personal data (name, e-mail address, phone number) are recorded for the purpose of subsequent contact necessary for the conclusion of the Contract.
    b) As the second step of the contracting process the Data controller contacts the Data subject via any of the provided contact channels for the purpose of further consultation.
    c) Prior to contracting the Data controller requests the personal data of the Data subject indicated herein for the purpose of concluding the Contract and – if the mediation of lease rights of a third person occurs – requests further personal data in order to perform the Customer due diligence obligation according to § 6 of the Pmt. for establishing business contact.

  2. The Data controller stipulates that during the steps set out in Sections a-b) of the above process certain personal data (name, e-mail address, phone number) are already processed regarding the Data subject the legal ground of which is the initiation of the Data subject occurring prior to contracting to take the necessary steps according to Article 6 (1) Item b) of the GDPR. Accordingly, these personal data are processed by Data controller exclusively for the purpose of implementing the contracting process with regard to the steps of concluding the contract as a legal basis. If the Contract is not concluded between the parties within 1 month from the provision of the personal data, the Data controller shall delete the personal data.

  3. Data controller enables the Data subject already prior to the contracting process to become familiar with this Policy. For this purpose, Data controller undertakes to publish this Policy, as amended from time to time.

Data processing principles

Please find below a summary of the data processing principles that Data controller undertakes to fully comply with throughout the duration of the data processing.

  1. Lawfulness, fairness and transparency: Regarding the data processing purposes, the Data controller collects the personal data directly from the Data subject. The processing of the Data subject’s personal data takes place in a lawful and fair manner that is transparent for the Data subject. Data controller makes the Policy, as amended from time to time available free of any charge or obligation, continuously, in such way that it is accessible for the public. Data controller does not process the personal data in any unlawful way or for purposes beyond this policy and they will carry out the data processing activities always in line with this policy and the applicable laws.

  2. Purpose limitation: Data controller processes the personal data only for the clear and lawful purposes detailed in the Policy. Processing of the submitted personal data for other purposes require that Data controller comprehensively informs the Data subject about this in advance (primarily through e-mail). For the comprehensibility of the specific data processing purposes Data controller provides information in this policy about the purpose, duration and legal ground of the processing of the specific personal data. Data controller implements these rules mandatorily. Personal data collected and processed according to this Policy may only be used for Data controller’s lawful purpose other than the original purpose if the original purpose and the secondary purpose are closely connected and if it is allowed by the GDPR or the other governing legislation.
  1. Storage limitation: Data controller provides the storage of the personal data of the Data subject in such way that enable the identification of the data subjects only for the period of time necessary for the fulfilment of the purposes of the processing.
    During the mediation by way of business of the lease right of a third person’s real property, the Data controller shall in every case retain the personal data recorded based on § 7 of the Pmt. for 8 years following the termination of the business relationship according to § 1(1) Item f) of the Pmt., established between the Data subject and the Data controller based on § 56(1) of the Pmt., with regard to the following.
    a) Regarding Data controller, business relationship shall mean the legal relationship between the Data controller and the Data subject for the services professionally provided by the Data controller (namely activities concerning real property transactions as detailed in § 1(1) Item f) ).
    b) Data controller may have to retain the personal data in line with § 28(1) Pmt. at the request of the tax authority, the financial supervising authority, the investigating authority, the prosecutor’s office or of the courts for the period set out in the request but up to 10 years at the most (§ 58(1) Pmt.).
    The 8-year retention period may only be extended at the request of the authorities if the data or document is necessary for a pending or a future proceeding of the authority. After the final completion of this proceeding of the authority or after the frustration of the planned proceeding, Data controller is to delete the personal data from their records (§ 58(2)-(3) Pmt.)Any other personal data processed for other reasons, falling outside the scope of § 7 of the Pmt. are processed by the Data controller for a time specified separately for the following individual data control purposes.If no Contract was concluded between the Data subject and the Data controller during the steps of the chapter „Contracting process”, then the Data controller processes the submitted personal data for a period of 1 years from the first date of contact, in accordance with the above section 14.

  2. Data minimisation: Data controller intends to restrict the scope of data to the most relevant and crucial personal data concerning its activity. These are personal data that are necessary for the conclusion, performance of a Contract and for the related cooperation. Data controller will act in line with this policy if more data is requested from the Data subject than detailed in this Policy.

  3. Accuracy: Data controller intends to ensure that the personal data recorded to exercise rights arising from the Contract and to carry out duties are up-to-date and accurate and Data controller takes all reasonable steps for this purpose. This purpose is necessary because of the following: e.g. the Data subject will not receive a newsletter sent to a non-existing e-mail address so there is no point sending the newsletter. The Data subjects can contribute to the up-to-date nature of the data by reporting changes in the data or correcting the submitted data.

  4. Data security principle: Data controller considers data security as being extremely important, therefore it takes all necessary, expected and state-of-the-art technical and organizational measures and steps. Data controller stores the submitted personal data primarily electronically and also in hard copy where the recording took place on paper. In order to prevent or remedy data breaches, the Data controller:
    a) shall prevent unauthorized access to personal data and the unauthorized data entry, data modification, data erasure by means of passwords and encryption procedures;
    b) shall store the personal data in hard copy and the computers processing data digitally in a closed room secured with an alarm;
    c) shall exclusively apply licensed software controlled from time to time in their internal computer systems;
    d) documents containing personal data processed digitally by Data controller shall be available exclusively in a digital system with proper right of access;
    e) the Data controller shall always provide virus protection of their digital systems;
    f) the Data controller wishes to ensure to avoid the loss of documents processed digitally containing personal data with backups.

Data processing purposes and data processing process

In this chapter the data processing purposes and cases are described where the personal data of the Data subject are actually processed in practice.

  1. Database concerning contracting steps and contracting: The Data subject can initiate the contracting steps in accordance with the steps detailed in the chapter „Contracting process” and the Contract will be concluded as detailed therein. As long as the Contract is not concluded between the Data subject and the Data controller regarding steps a-b) detailed in chapter „Contracting process”, the Data controller processes the following personal data for communication purposes: name, e-mail address, phone number.
    The purpose of this processing is to maintain contact with the Data subject regarding the steps of contracting, the sending of draft contracts and other documents, and – if the mediation of lease rights of the real property of any third person occurs – the sending of processed personal data to the owner.
    The legal ground of the data processing is Article 6(1) Item b) GDPR, i.e. the steps towards contracting at the request of the Data subject. If no Contract is concluded within 1 years from the submission of the personal data of the Data subject, then the Data controller stops processing the personal data for this data processing purpose.

    If the Contract is concluded between the Data subject as lessee and the Data controller as lessor, the Data controller processes the personal data necessary for the conclusion of the Contract on the legal ground of performing the Contract for the purpose of exercising and fulfilling the rights and obligations under the Contract.
    The legal ground of this data processing is the performance of the Contract according to Article 6(1) Item b) of the GDPR, these personal data will be processed for 5 years after the termination of the Contract.
    Personal data processed according to this legal ground and for this purpose are the following: name, mother’s name, home address, place and date of birth, tax identification number, bank account number, identity card number and if it is justified and necessary, the passport number and place of residence of the Data subject.
    As a precondition of contracting Data controller – to ensure to avoid previous damages and non-performance on a level as high as possible – may request documents proving the financial stability, employment or student status of the Data subject. The purpose of data processing is to provide the obligations deriving from the concluded Contract and to be able to minimise the damage to the material interests of the Data controller.
    Data controller is entitled to request the following documents for this purpose of data processing: certificate of employment, certificate of social security coverage, certificate of student status/certificate of school attendance.
    The legal ground of the data processing is the legitimate interest of the Data controller based on Article 6 (1) Item f) of the GDPR. Data subject becomes familiar with the balance of interests assessment related to the data processing of the Data controller based on the legitimate interest in a separate document simultaneously with this policy.

  2. Customer due diligence: If the Data controller carries out an activity related to the mediation by way of business of the lease rights of a third person’s real property and as a result it possesses personal data, the Customer due diligence of the Data subject according to § 7 of the Pmt. means further data processing activity. The purpose of this data processing is to carry out Customer due diligence measures in accordance with those set out in § 7 of the Pmt. In this regard the Data controller processes the following personal data upon the establishment of a business relationship according to § 6(1) of the Pmt. as a legal obligation based on Article 6 (1) Item c) of the GDPR in order to comply with their legal obligations and within the framework of mandatory data processing. Accordingly, the basis of the data processing is the performance of the legal obligation.
    Data controller processes the following personal data pursuant to § 7 Pmt.: given name and surname; place and date of birth; maiden name of mother; home address (or temporary residence in lack thereof); nationality; type and number of identification document; Hungarian place of residence in the case of foreign Data subjects (§ 7(2) Item a) Pmt.).
    Further to the above, the Data controller shall verify the identity within the framework of the Customer due diligence legal obligation and in this regard the Company shall request and process the following personal data [§ 7(3) of the Pmt.]:
    – in the case of a Hungarian citizen the official card proving identity and the official card proving the home address,
    – in the case of a foreign citizen the passport or the identity card, provided that it authorises the person to reside in Hungary, the document proving the right of residence or the document authorising residence.


    The Company requests a copy of the documents presented within the framework of the above identity verification due to its legal obligation and processes them [§ 7(8); § 17(1) of the Pmt.].

    Data controller retains the above data collected pursuant to § 7 Pmt. from the start of legal obligation for 8 years from the termination of the business relationship with the Data subject.

  3. Client relations: The purpose of the Data controller regarding the data processing with the purpose of client relation is that in the legal relationship established between the Data controller and the Data subject, the performance of data requests, notifications, administrations and the maintenance of contacts between the Data controller and the Data subject (in particular the technical consultations, claims management, administration at the authorities and public utility services) preceding the contracting or following thereof for the conclusion, preparation, performance and the carrying out of the Contract is provided.
    The scope of personal data processed for client communication: name; home address; e-mail address; phone number.
    The processing of the above personal data is based on Article 6(1) Item b) GDPR for the exercising of rights and fulfilment of obligations deriving from the Contract. The retention period depends on the period of the statute of limitation of the respective contractual obligations, but it lasts at most for 5 years from the termination of the Contract.

  4. Invoicing data: Regarding the lease payment obligation deriving from the Contract the Data controller shall issue the accounting document in accordance with the stipulations of § 165 of the Szt. For the filling of the so-issued invoice the Data controller uses an electronic invoicing system into which certain personal data of the Data subject – due to legal obligation– are recorded according to the provisions of § 169 of the Áfatv. The invoice shall be issued based on these data, one copy shall be provided to the Data subject by the Data controller, the other copies shall be recorded in its own accounting system due to its legal obligation.

    The processed personal data: Name, home address
    The legal ground of the data processing regarding the name and address of the Data subject is the legal obligation based on § 169 Item e) of the Áfatv. [Article 6(1) Item c) of the GDPR]. The duration of the personal data processed this way is determined in the above mentioned § 169(1) and (2) of the Szt. and its duration is 8 years.

Data transfer

  1. The Data controller may transfer personal data processed for the purposes mentioned above exclusively to the persons indicated in this chapter to the extent set out herein.

  2. If the Data controller proceeds with the mediation of the lease right of a third-party owner’s real property, then the Data controller is entitled to transfer the personal data used for keeping contact and processed related to the performance of the Contract to the owner of the relevant real property. The purpose of data transfer is for the owner as direct lessor to exercise its rights deriving from the Contract and to perform its obligations and maintain contact with the lessee.

  3. The Data controller is entitled to transfer the personal data processed according to the policy for the provision of the legal processes related to the preparation of the Contract and the performance thereof to the Szabó, Kocsis és Társa Law Firm (registered office: H-1095 Budapest, Mester utca 83/A. IX. em. 4. a.) representing both parties in the transaction related to the Contract. Similarly, the Data controller is entitled to hand over the Contract and the related accounting documents for performing the accounting processes to Karissa Kft. performing the accounting activity.

  4. In the case of leasing a real property built by one of the companies of the Metrodom Group, the Data controller is entitled to transfer the personal data indicated in this section to the Metrodom Kivitelező Kft. carrying out the building works, and to Metrodom Építő Kft., to COPM Kft. providing technical consultation for the implementation and performance of the Contract in order to carry out the technical consultation regarding the Data subject as buyer and to proceed with the defect notifications covered by the warranty.
    The transferred personal data in this regard: name, e-mail address; phone number.

  5. The Data controller is entitled to transfer the personal data according to this policy towards the authorities and courts in the case of their request or if an adversarial or non-adversarial proceeding is initiated between the parties.

Data protection officer

Data controller appoints the Szabó, Kocsis and Partner Law Firm (address: 1095 Budapest, Mester utca 83/A. IX. em. 4. a.; e-mail: iroda@szkiroda.hu; phone: 06-1-878-0802) as joint data protection officer (DPO) for ensuring the legality of their data processing practice. This task is performed on the basis of a DPO service contract.

The DPO’s tasks include:

  1. a) supporting of Data controller concerning their data processing-related tasks;
  2. b) acting as a contact person between the Data controller and the supervising authority;
  3. c) providing professional advice, information concerning data subject rights.

Right enforcement and remedies

Please find below the rights of the Data subject that can be exercised in relation to the Data controller.

  1. Communication with the Data controller: The Data subject and the Data controller can communicate via phone, e-mail or postal mail. The Data subject is entitled to request information from the Data controller whether his/her personal data is processed and if yes, then the Data subject has a right to access the processed personal data in the following extent.
    Concerning the access, the information relating to the data processing that is provided by the Data controller includes especially the following:
    a) the source of the processed personal data,
    b) the purpose and legal ground of the data processing,
    c) processed personal data,
    d) in the case of transferring the processed personal data the recipients of the data transfer, including recipients of third countries and international organisations,
    e) the retention period of the processed personal data, the aspects of the determination of this period,
    f) the rights of the data subject according to this law and the description of the method of their enforcement,
    g) in the case of profiling its fact and
    h) the circumstances of the occurrence of persona data breach arising in connection with the processing of the data subject’s personal data, their effects and the measures taken.

    Data controller provides the requested information without undue delay but within 25 days from the receipt of the request at the latest.
    a) Data controller deals with and answer the e-mail of the Data subject concerning the data processing only if it was sent from the e-mail address (except when the Data subject makes reference to the change of his/her e-mail address or other contact information or if the person of the Data subject can be clearly identified).
    b) The Data controller shall inform the Data subject about every measure taken in relation to the personal data without delay but within 25 days from taking the measure the latest. If the Data controller fails to take measures based on the request of the Data subject, then the Data subject shall be informed without undue delay but within 25 days from the receipt of the request at the latest on the reasons for the lack of measures and on the right of the Data subject to file a complaint with the Supervising authority or to file a lawsuit with the competent court.

  2. Rectification: The Data subject is entitled to inform the Data controller on the changes of his/her personal data (in e-mail or postal mail as detailed above). Data controller registers the change within 8 days from the receipt of the notification. If the Data subject fails to report any changes to his/her personal data without delay, then the Data subject shall be liable for the consequences of this omission. If the submitted personal data is false and the correct data is available to the Data controller, then Data controller amends the data automatically.

  3. Erasure: The Data subject is entitled to request the deletion of the personal data pertaining to the Data subject from the Data controller without delay and the Data controller is obliged to delete the personal data pertaining to the Data subject without delay, especially if one of the below reasons is given:
    a) the personal data are not required anymore for the purpose for which they were collected or processed;
    b) the Data subject has withdrawn the consent given for the data processing and the data processing does not have any other legal ground (the withdrawal does not have a retrospective effect on the lawfulness of the data processing);
    c) the Data subject challenges the data processing based on legitimate interest;
    d) the Data controller processed the personal data unlawfully;
    e) the personal data shall be deleted for the fulfilment of a legal obligation set out in the laws of the European Union or of a member state.

    Even if one of the above circumstances is given, Data controller is not obliged to delete the processed personal data if the data processing is required for one of the following:
    a) exercising the right of freedom of expression and information;
    b) for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
    c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the deletion is likely to render impossible or seriously impair the achievement of the objectives of that processing;
    d) for the establishment, exercise or defence of legal claims.

  4. Objection to the data processing: The Data subject is entitled to object the processing of his/her personal data in line with this Policy, based on a legitimate interest on grounds relating to his or her particular situation. The Data controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  5. Right to restriction of the data processing: The Data subject shall have the right to obtain from the Data controller restriction of processing where one of the following applies.
    a) the accuracy of the personal data is contested by the Data subject, for a period enabling the Data controller to verify the accuracy of the personal data;
    b) the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    c) the Data controller no longer needs the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims;
    d) the Data subject has objected to processing, pending the verification whether the legitimate grounds of the Data controller overrides those of the Data subject.

    Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The Data subject who has obtained restriction of processing, shall be informed by the Data controller before the restriction of processing is lifted.

  6. Complaint to the Supervising authority: The Data subject is entitled to file a complaint with the Supervising authority with reference to the breach of laws concerning the processing of his/her personal data or if there is an imminent risk thereto. The investigation of the Supervising authority is free of charge and the expenses of the investigation are advanced and covered by the Supervising authority. No one should be subject to retaliation due to a complaint filed with the Supervising authority. The Supervising authority may disclose the person of the complainant if the investigation could not be carried out without this. The Data subject may initiate the procedure of the Authority for the examination of the lawfulness of Data controller’s measure if the Data controller limits the enforcement of the Data subject’s rights indicated above or if it refuses the Data subject’s request for the enforcement of such rights;
    and it can initiate a procedure of the data protection authority if according to it, during the processing of its personal data, the Data controller or the data processor commissioned by it or who proceeds on its request breaches the legal rules pertaining to the processing of the personal data.

  7. Judicial route: Data subject may turn to the courts against the Data controller if his/her rights are breached. The lawsuit belongs to the competence of the regional courts. As a main rule the lawsuit shall be heard by the regional court with geographical jurisdiction over the case according to the seat of the data controller but the Data subject can also opt for the regional court with geographical jurisdiction based on his/her home address or temporary residence. The geographical jurisdiction of the courts can be checked on the court website with the search application “Court search” at birosag.hu . The regional court handle the matters with urgency. During the procedure, the Data controller or the concerned data processor shall prove that it has not breached the legislation pertaining to the processing of the personal data.

  8. Damages and non-pecuniary restitution: If, through the unlawful processing of the personal data of the Data subject or through breaching the data security requirements, the Data controller:
    a) causes damages to the Data subject or to third persons, then they shall be liable for the compensation (compensation of damages);
    b) breaches the personality rights of the Data subject, then the Data subject can claim non-pecuniary restitution from the Data controller.

    The Data controller shall be set free from their liability for the compensation of damages and non-pecuniary restitution, if they prove that the damages or the breach of the personality rights of the Data subject was caused by an unavertable cause outside of the scope of the data processing. The damages are not to be compensated and no non-pecuniary restitution can be claimed if the breach resulting from the damages or the breach of personality rights resulted from the wilful or grossly negligent conduct of the Data subject (injured person).

Miscellaneous stipulations

  1. In the case of a Data subject under 16 years of age, the submission of his/her personal data require the consent of his/her legal guardians (parents).

  2. The Data controller maintains the right to modify this Policy unilaterally at any time.

  3. This Policy is governed by the Hungarian laws.

  4. This Policy shall be in effect from 15 April 2019.