I. Designation of the Identity of the Controller and the purpose of this notice
GTC HBK Project Korlátolt Felelősségű Társaság (hereinafter as: Company or Controller) is the owner of the shopping centre with the proprietary name of Hegyvidék Shopping Center located at 1124 Budapest, Apor Vilmos tér 11-12 (“Hegyvidék Shopping Center”), while the Company also commissions the operation of the Hegyvidék Shopping Center website located at https://www.hegyvidekkozpont.hu (hereinafter as “Website”).
The Company processes personal data in the operation of Hegyvidék Shopping Center’s Website. The present Privacy Notice solely concerns data processing related to Hegyvidék Shopping Center’s Website; the data processing of the Company is the subject of a separate notice.
The purpose of the present privacy notice is:
- to ensure that the Company’s data processing complies with the provisions of Articles 13 and 14 of the GDPR[1]; furthermore,
- to present and make accessible the data processing of the Controller related to the Hegyvidék Shopping Center’s Website, and
- to provide information to data subjects on their processing-related rights.
II. Data processing performed in relation to the Company’s Website
The Company performs the following data processing in relation to the operation of the Website.
II / I. Newsletter subscription
On a dedicated section of the Website, visitors on the Website (hereinafter as “Data subject”) have the option to subscribe to electronic newsletters – by acknowledging the contents of the Privacy Notice – detailing the promotions, operation and events of the Hegyvidék Shopping Center. Upon subscribing to the newsletter, Data subjects shall give their express and clear consent to sending direct correspondence to the addressed party of the promotions.
Subscribing to the newsletter or the failure to do so has no influence whatsoever on using the Website or visiting the Hegyalja Shopping Center.
Name of data processing:
Newsletter subscription
Purpose of data processing:
Insofar as Data subject subscribes to the newsletter, the data provided during subscription will be processed by the Company to inform the Data subject via e-mail on the products, services and promotions of the tenants of the Hegyvidék Shopping Center.
Scope of processed personal data:
In relation to dispatching newsletters, the Company processes the following data of the Data subject:
- the Data subject’s name,
- the Data subject’s e-mail address
The Data subject’s subscription to the newsletter is not possible without providing said data.
Legal grounds for processing:
The legal grounds for processing is the data subject’s consent [item a) paragraph (1) section 6 of the GDPR]. The Data subject gives their consent by providing the above-listed data and clicking on the “Subscribe” button.
Duration of the data processing:
The data provided by the Data subject shall be processed by the Controller until the withdrawal of consent.
The Data subject’s data shall be erased from the database when
- the Data subject requests their erasure
- they revoke their consent to processing, or
- they protest against their data being processed for the sake of the newsletter, or
- they choose to unsubscribe from the newsletter.
Unsubscribing from the newsletter is possible at any time without justification or restriction, according to the following:
- by clicking on the “Unsubscribe” link in the footer of the newsletters;
- by dispatching a request via e-mail to the hegyvidek@gtc.hu e-mail address;
- via post sent to the Controller’s address.
Processors involved in the processing of newsletters:
FRANK Digital Kommunikációs Tanácsadó és Szolgáltató Korlátolt Felelősségű Társaság
Seat: 1024 Budapest, Népfürdő utca 39.
Company registration number: 01-09-189827
Tax number: 24927356-2-41
II / II. Use of Cookies in the operation of the Website
What is the function of “cookies” when visiting the Website?
Throughout the operation of the Website, Controller uses so-called “cookies” to enhance the user experience and to monitor and analyze browsing habits. Cookies are files that are created by websites visited by the Data subject. The saving of browser data facilitates online navigation – amongst other things – yet it also allows the Data subject to remain logged in, while saving the settings of the website and offering locally relevant data.
Upon visiting the Website, by clicking on the “Accept” button, the Data subject consents to using “cookies” supported by external service operators on the Website.
The data collected with the above-listed technologies are not suitable for the identification of the Data subject and can only be linked with other data suitable for identification if the Data subject accepts “cookies” and consents to the Company using “cookies” suitable for the identification of the Data subject.
The data created by the cookies can only be accessed by external service providers and the Company.
What kind of cookies does the Controller employ?
On the Website, the Company solely uses the following “cookies” managed by external service providers (e.g. Google).
| | Name and type of cookie | Service provider | What data does it access? | Function of cookie (purpose of data processing) | Cookie duration |
|---|---|---|---|---|---|
| 1. | Universal Analytics | Google Analytics | IP address, AdWords advertisement data | Remarketing, advertisement results analysis | 26 months |
| 2. | Facebook Pixel | | Facebook profile data | Remarketing, advertisement results analysis | 540 months |
The Company’s promotions appear on the online platforms of various external service providers (Google, Facebook). Said external service providers (Google, Facebook) use cookies to store the previous visits of Data subjects on the Website and based on this data, they display – personalized – advertisements (i.e. perform remarketing activities).
More detailed information on Google Analytics “cookies”: (http://www.google.com/analytics). The data processing of the above-mentioned external service providers shall be governed by their respective data protection regulations.
Can cookies be switched off?
In relation to the usage of the Website, the use of cookies can be partly or fully turned off or the cookie message settings can be adjusted. The menu and function for managing cookies is available through the following links in the case of the following browsers:
The cookies of external service providers can be blocked via the Network Advertising Initiative website (http://www.networkadvertising.org/choices/).
The Website may contain information, particularly promotions that originate from third parties and advertisement service providers who have no relation to the Website. It is possible that said third parties may place cookies or web beacons on the user’s computer or apply similar technologies to collect data in order to dispatch targeted promotional messages to the user in relation to their services. In such cases, the data processing shall be regulated by the data protection provisions defined by said third parties in which case Controller assumes no liability whatsoever in relation to said data processing.
The cookies enumerated in items 1 and 2 above are so-called marketing and remarketing cookies: these are usually set for marketing, promotional and advertising purposes in order to monitor the Data subject’s main areas of interest and accordingly display relevant advertisements on the Website. Insofar as Data subject chooses to block said cookies, they will not receive targeted advertisements in the future.
Said cookies are processed by the Company based on consent pursuant to item a) paragraph (1) section 6 of the GDPR. In the case of data processing based on consent, the Data subject may revoke their consent at any time in the browser settings, in which case the Service provider shall not apply the cookie in question and no longer carry out the related collection and processing of data.
With the application of some cookies, the data automatically collected through the Website are used for profiling and the display of related promotions, i.e. we analyze the user’s personal characteristics and preferences and forecast the user’s behaviour and main areas of interest. Pursuant to item a) paragraph (1) section 6 of the GDPR, profiling is carried out for legitimate interests and the resulting profile features and data are used for the purpose of displaying targeted advertisements. Thanks to automated decision-making based profiling, users will receive electronic advertisements that better suit their personal characteristics, areas of interest, shopping habits and behaviour. In these cases, you are entitled to the following additional rights:
- you may request human intervention,
- you may express your standpoint,
- and based on the resulting decision, you may state your objection to the Controller.
III. Data subjects’ processing-related rights
The Data subject may contact the Controller to request information on the processing of their personal data, may request the rectification of their personal data and their erasure – with the exception of instances of statutory processing – or may protest against the processing of their personal data and in the case of the infringement on their rights, may turn to a competent tribunal / authority.
Data subject’s rights and options of enforcement, i.e. what are your rights?
As the Data subject, you may request from the Controller access, rectification, erasure or the restriction of processing of your personal data and may object to such processing of your personal data; furthermore, you are entitled to the right to data portability.
In the case of data processing pursuant to item a) paragraph (1) section 6, or item a) paragraph (2) section 9 of the GDPR – i.e. data processing based on consent - you are entitled to the withdrawal of consent at any time, which shall not impact the legality of data processing carried out prior to said withdrawal.
In the case of data processing pursuant to item f) paragraph (1) section 6 of the GDPR – i.e. data processing for legitimate interests – you are entitled to the right to object at any time against the processing of your personal data, including profiling.
As the Data subject, you may validate certain rights pursuant to the GDPR and other relevant data protection regulations. The following section enumerates your rights as a Data subject pursuant to the GDPR.
Data subject’s right of access (GDPR Article 15)
You may request information from us at any time on the processing of your personal data. This includes the categories of personal data being processed, the purposes of the data processing, the source of the data when personal data are not collected from the Data subject, as well as the recipients to whom the personal data have been disclosed. You are entitled to a single free copy of the data concerned by the agreement. Should you require further copies, we retain the right to charge a reasonable fee based on the administrative costs for further copies. Our Company shall provide you with the requested information in writing within 30 days of submitting said request.
Right to rectification (GDPR Article 16)
You may request the rectification of your data. Based on the principles of accuracy and data efficiency, we take all the necessary measures to use the latest information to store and process the most appropriate, comprehensive, up-to-date and relevant data on your person. You may personally rectify your various data through the Website.
Right to erasure (Article 17)
You are entitled to the erasure of your personal data, when required by law. Pursuant to Article 17 of the GDPR, this includes cases when:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the processing is based and where there are no other legal grounds for the processing;
- You object to the processing and there are no overriding legitimate grounds for the processing, or when you object to processing carried out for direct marketing purposes;
- Your personal data have been unlawfully processed.
Assuming that the processing is not carried out for the following purpose:
- In compliance with a legal obligation that requires the processing of your data;
- Particularly, in observance of the legally required retention periods;
- for the establishment, exercise or defence of legal claims;
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation in Union or Member State law to which the Controller is subject, as well as in the public interest or when necessary for the performance of a task in the exercise of official authority vested in the Controller;
- for archiving, scientific or historical research purposes in the public interest; or for the establishment, exercise or defence of legal claims;
The Company shall erase the data within 3 working days of the receipt of the request for their erasure, in which case they cannot be restored.
Right to restriction of processing (GDPR Article 18)
You shall have the right to obtain the restriction of processing where one of the following applies:
- You contest the accuracy of the personal data; in such cases, the restriction is for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer require the personal data for the purposes of data processing, but you require the data for the establishment, exercise or defence of legal claims;
- You have obtained restriction of processing and shall be informed whether our legitimate interests override your interests.
Where processing has been restricted, with the exception of storage, personal data shall only be processed with the consent of the Data subject, or for the establishment, exercise or defence of legal claims, for the protection or defence of other natural or legal persons or for important Union or Member State public interests.
Right to data portability (GDPR Article 20)
At your request, when technically feasible, your data shall be transmitted to another responsible party. You may exercise said right when the processing is based on your consent or for the fulfilment of a contract. Instead of receiving a copy of the data, you shall have the right to have the personal data transmitted directly to another designated Controller.
Right to object (GDPR Article 21)
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data when the processing is based on your consent or for our legitimate interests or those of a third party, particularly against profiling, pursuant to Article 22 of the GDPR. In such cases, we shall no longer process your personal data. This shall not apply in cases when the processing is verifiably required by compelling legitimate grounds that override the interests, rights and freedoms of the data subject or when your data is required for the establishment, exercise or defence of legal claims.
Delivery times in regards to the fulfilment of the Data subject’s rights
In all cases, we will do our best to fulfil requests no later than within 1 month. However, this duration may be extended by no more than 2 months for any reason related to a specific right tied to the data processing or the complexity of your request.
Restriction of information throughout the fulfilment of the Data subject’s rights.
The obligation on providing information pursuant to Article 14 of the GDPR shall not apply where and insofar as:
- You are already in possession of the information;
- the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or insofar as the obligation referred to in Article 14 (1) of the GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing.
- obtaining or disclosure of the data is expressly laid down by Union or Member State law to which the Controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
The Client shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or were otherwise processed;
- the Data subject withdraws consent on which the processing is based and where there are no other legal grounds for the processing;
- the Data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation in European Union or Member State law;
- the personal data has been collected in relation to offering information society services (e.g. newsletters dispatched by e-mail).
Erasure shall not apply in the case of data processing required by law (e.g. accounting policies); said data shall be retained for a duration required by law.
IV. Options for legal remedies:
In relation to the processing of personal data, Data subject may contact the Controller through the contact information listed above.
In the case of the infringement of their rights, Data subject may bring the case before a court of law. The court shall resolve such matters in an expedited trial. The adjudication of the proceedings falls under the competence of a tribunal, in the case of Budapest, the Budapest-Capital Regional Court. Proceedings may be filed as per the data subject’s habitual place of residence or abode.
In the case of complaints related to the processing of personal data, the Data subject may turn to the Hungarian National Authority for Data Protection and Freedom (mail address: 1363 Budapest, Pf.: 9., address: 1055 Budapest, Falk Miksa utca 9-11., Telephone: +3613911400; Fax: +3613911410; E-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).
Date: Budapest, July 2021
GTC HBK Project KFT.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”)