Information on data processing
I. The appointment of the data controller
BSPL Tanácsadó Kft.
Registered office: 1131 Budapest, Madarász Viktor u. 13.
Correspondence address: 1131 Budapest, Madarász Viktor u. 13.
Corporate registration number: 01-09-922478
The controller has not appointed a data protection officer.
II. Legal provisions under which the data processing takes place
The following legal provisions apply to the type of data processing described in this document:
Act No CXII of 2011 on the right to informational self-determination and freedom of information;
Regulation (EU) 2016/679 of the European Parliament and of the Council;
Act No LIII of 2017 on prevention of money laundering and financing of terrorism.
1. “data subject”: a natural person identified or identifiable based on any information;
2. “personal data”: any information relating to the data subject;
3. “data of public interest”: any information or knowledge recorded in any manner or form that is not considered personal data, and which is being processed by, relevant to the activities of, or arose in connection with the public function of any natural or legal person having public or municipal responsibilities or any other corresponding public duties or functions set out in the applicable legislation, irrespective of its manner of processing, its individual or collective nature, and thus especially of it being data relating to competencies, organisational structure, professional activities and the evaluation thereof that also covers effectiveness, the types of data held, the legislation governing operation, and data in connection with economic management and contracts concluded;
4. “data publicly available due to public interest”: any data that is not considered data of public interest, and to which access, or the availability or knowing thereof is ordered by the law as a matter of public interest;
5. “special categories of personal data (special data)”: personal data relating to racial or ethnic origin, political ideas, religious or philosophical beliefs, and trade union membership, and genetic and biometric data used for the personal identification of natural persons, medical data, data concerning the sexual life or sexual orientation of natural persons, and personal data relating to criminal records;
6. “identifiable natural person”: a natural person is identifiable if his or her identity can be ascertained, either directly or indirectly, in particular by reference to an identifier such as name, number, location data, online identifier, or one or more factors relating to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
7. “data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
8. “restriction on data processing”: flagging of personal data stored, with the intent of restricting their processing in the future;
9. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
10. “filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
11. “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
12. “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
13. “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
14. “third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
15. “the data subject’s consent”: any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;
16. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
17. “enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
18. “group of undertakings”: a controlling undertaking and its controlled undertakings;
19. “supervisory authority”: an independent public authority created in accordance with Article 51 of the Regulation, which in Hungary is the Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information);
20. “processing of personal data across borders”:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
21. “information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
IV. Data processing on the website run by the controller, newsletter data processing, and processing of personal data with regards to the conclusion of contracts
1. Scope of data processed and the purpose of the processing
a) name: for identification of customers and other third parties for the purpose of being able to provide adequate information to the contact person sought; data processing also takes place regarding the conclusion of contracts, in order to comply with the obligation for identification set out by the law on money laundering;
b) date and place of birth: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
c) mother’s maiden name: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
d) nationality: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
e) address: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
f) person represented: it may allow more precise identification of the customers and other third parties;
g) phone number: it allows for easier contact, and after the conclusion of the contract is necessary for maintaining contact;
h) e-mail address: it allows for easier contact, and if consent is given, we will use it to send newsletters;
i) cookies: To benefit fully from certain services of the website, we recommend enabling cookies. A cookie is a small piece of data containing personalised information which the data subject’s browser stores on their computer. The purpose of cookies is to aid us in identifying recurring visitors, implementing customised visitor functions, and managing user logins (identification, verification). If you are seeking to learn more about our cookies, you can obtain additional information on the following website:
j) Data given by Google (Google Analytics service): data processing is carried out solely for statistical purposes, for the Controller to be able to improve user experience using the website’s traffic data;
l) all other information is given voluntarily.
2. Legal basis for data processing
The legal basis for data processing is the voluntary consent of the data subject, and it also takes place in order to comply with the obligation for identification set out by the law on money laundering. The data subject subscribes voluntarily to newsletters and enables the cookies freely.
In the event the requested data is not given, contacting or sending the newsletter can be hindered. In the event the data required by the provisions of the law on money laundering is not given, conclusion of contract will be rendered impossible.
If you are seeking to learn more about Google Analytics, you can obtain additional information on the following website:
You can also restrict the access of Google Analytics with the use of the application downloadable from the following website:
3. Period of data processing
Data given in relation to a job application will be processed and erased by the Controller in accordance with Clause I.
The data required by the provisions of the law on money laundering may be processed for a period of 8 years following termination of the customer relationship, after which it shall be erased.
Data given during a call for proposals, in the event that a contract is not concluded, will be stored for a period of 3 years.
Data given during the conclusion of the contract will be erased 1 year after the 8 years of minimum retention period for accounting documents underlying the accounting records directly or indirectly, set out in Article 169(2) of Act No C of 2000 on accounting.
Data given in relation to subscription to newsletters will be erased when consent is withdrawn, but no later than a period of one year following the termination of that service.
4. Access to data and data protection measures
4.1. Access to data and transmission thereof
Personal data given by the data subject can be accessed by the appointed personnel of the Controller, the personnel of the Financial Department and the executive officers of the Controller, and the personnel of the company appointed to supply IT services.
In instances other than the above, the Controller only shares personal data with other persons, public bodies or authorities if it is required by legal provisions. Thus, if, for instance:
– legal proceedings are started in relation to the data subject, and the court seized requires (inter alia) documents containing the personal data of the data subject;
– an investigative authority contacts the Controller, and requests the forwarding of (inter alia) documents containing the personal data of the employee;
– another authority, when acting in its legal capacity, requests (inter alia) documents containing the personal data of the data subject.
The Controller employs a processor with regards to the processing of the following data:
a. matters that require legal assistance: V4 Legal Orbán Ügyvédi Iroda (registered office: 1054 Budapest, Szemere utca 8.);
b. accounting services through subcontractor: BSPL Alpha Kft. (registered office: 2161 Csomád, Verebeshegy utca 11.)
4.2. Data protection measures
The Controller stores all data given by the data subject on virtual servers that are operated by Infotipp Rendszerház Kft. (registered office: 1212 Budapest, Maros utca 32.); the files are located on the virtual servers and on the computers of the Controller. Data access is restricted by login credentials and encryption. For the processing of personal data, the Controller employs the services of Google (Analytics). If data is given during the use of these services abroad, the location of data processing is the United States of America. The safety of the data processing is guaranteed by the Privacy Shield agreement with the United States of America. The Controller shall take appropriate measures to ensure the protection of personal data inter alia from unauthorised access or alteration. Thus, the server used to store personal data runs in an encrypted and separated virtual environment, to which only the Controller’s personnel and subcontractors and the personnel of the company appointed to supply IT services have access with a unique identifier and password, and in the case of dedicated data, authorisation is also limited, e.g. only the dedicated personnel and the executive officers of the Controller are authorised to access certain files on the server. Other than that, only the personnel of the IT company have access to digitally stored data, if necessary.
The IT company accesses the server occasionally in case of a server-related issue.
5. Rights related to data processing
5.1. The right to request information
The data subject can request information from the controller in writing, using the contact details given in Clause I, relating to:
– what personal data,
– on what legal basis,
– for what purpose of processing,
– from what source,
– and for what period the data is being processed,
– to whom, when, on what legal basis, and to what personal data the controller gave access, or to whom it forwarded their personal data.
The Controller shall adhere to the data subject’s request by sending the information by mail to the address given by the employee within 30 days.
5.2. The right of rectification
The data subject can request the alteration of personal data from the controller in writing, using the contact details given in Clause I (for instance, he or she can change his or her e-mail address anytime). Prior to adhering to the request, the Controller may request adequate proof of the change in personal data (for instance in the event of change of home address, or change of name). The Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.3. The right to erasure
The data subject can request the erasure of their personal data from the Controller in writing, using the contact details given in Clause I. The Controller refuses the request if it’s obligated by a legal provision or an internal policy to keep storing the personal data. If no such obligation exists, the Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.4. Right to have data blocked
The data subject can request in writing that the Controller blocks their personal data, using the contact details given in Clause I. The blocking shall be maintained for as long as the reason given by the data subject makes it necessary to store the data. The data subject may request the blocking of the data if, for instance, he or she thinks that the Controller has processed it unlawfully, but it is necessary for the administrative or legal proceedings that the data subject initiated that the Controller does not erase the data. In this case the Controller shall store the personal data until the authority or the court requests it, after which it shall erase said data.
5.5. Right to data portability
The data subject is entitled to receive the data he or she provided to a controller in a structured, widely used, machine-readable format, and is entitled to forward this data to another controller; so upon request the Controller provides the data subject with the data burned on a CD.
5.6. The right to object
The data subject can object to the data processing in writing, using the contact details given in Clause I, should the Controller use or forward personal data for the purposes of direct marketing, public opinion poll, or scientific research. Thus, for instance, the data subject can object to the Controller using his or her personal data for the purpose of scientific research without consent. The data subject may object to the data processing even if it is believed that the processing is only used to comply with a legal obligation, or to enforce a given right, except for data processing based on regulatory authorization. Thus, he or she cannot object to the Controller forwarding their request containing his or her personal data to the authorities.
6. Enforcement of rights related to data processing
6.1. Initiating legal proceedings
The data subject can initiate a civil lawsuit if he or she believes his or her personal data was processed in a way that is considered unlawful. The hearing of the case falls within the jurisdiction of the general court. The list and contact data of the general courts can be found on the following link:
6.2. Notification to the Supervisory Authority
The data subject may initiate investigations via notification, claiming that by the processing of his or her personal data he or she has suffered the impairment of a right, at:
Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information):
1530 Budapest, P.O. Box 5.
1125 Budapest, Szilágyi Erzsébet fasor 22/c