Data Privacy Policy of
KÉSZ Csoport

This Data Privacy Policy (“Policy”) is prepared for information of the Data Subjects relating to the personal data processed by companies that are part of KÉSZ Csoport (hereinafter referred to as “Company/Controller”) during their business-related or administrative activities based on Regulation No. 2016/679/EU of the European Parliament and of the Council (“GDPR” or “Regulation”), in particular Articles 13 and 14 thereof.

The principle of fair and transparent processing requires that the Data Subject be informed of the existence of the processing operation and its purposes. The information related to the processing of personal data relating to the Data Subject should be given to him or her at the time of collection from the Data Subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the Data Subject should be informed when the personal data are first disclosed to the recipient. If the controller is unable to provide the Data Subject with information on the origin of the personal data, as they come from different sources, general information should be provided.

1. The Data Controller and their Contact Information

The companies of KÉSZ Csoport follow a uniform data processing practice, with regard to which the contents of this Policy shall be applicable to all companies of the KÉSZ Csoport.

In the case of a contractual relationship, given that the Company enters into individual contracts on its own behalf, the data of the particular controller is identical to those of the Company which has established the legal relationship on which the data processing is based. The Company’s particulars are available in the documents establishing the legal relationship (e.g. offer, contract) and the Company’s currently effective data are available at www.e-cegjegyzek.hu, a free and certified public register after the Company’s name and other identification data (company registration number, VAT number) were provided.

If you would like to know more about the data processing of KÉSZ Csoport or any Company, or if you wish to exercise the rights contained in this Policy, you may do so by contacting us below:

  • postal address: KÉSZ Csoport, H-1095 Budapest, Mester u. 87.;
  • e-mail address: adatvedelem [at] kesz.hu ();
  • home page: http://kesz.hu

2. Processing of the Data Subject’s data

2.1. Data Subjects

The Controller may process the personal data of the following natural persons (“Data Subject(s)”) during the processing related to contractual partners:

  • contracting parties (for private individuals, private entrepreneurs);
  • the contracting party’s (for companies, organizations, the partner’s) legal representatives, employees, contacts, authorized agents, other fulfillment partners (e.g. subcontractors, employees, temporary agency workers);
  • for partners using a service, the employee personally responsible for the subject of the service(s), other authorized persons (e.g. users of rented cars);
  • newsletter recipient;
  • person participating in an event, contest, program, promotional game, sponsorship or other program.

Detailed information on each type of Data Subjects is included in Annex 1 of this Policy.

2.2. Access to Personal Data, Types of Personal Data Processed

The Personal Data managed is provided by the Data Subject himself/herself or through a business partner (e.g., contractor, service partner), on the basis of a legal relationship or a document issued (e.g., contract, statement of consent, etc.) to the Data Controller.

The Data Controller assumes that any person (natural or legal entity) who transmits personal data to it will at all times make the relevant personal data available to them in accordance with applicable law, and in particular have appropriate and informed consent or other legal basis for the transfer of personal data.

The Data Controller – in accordance with objectives and legal basis detailed in Annex 1 of the Policy – also collects personal information from certified and public databases operated by courts, the National Tax and Customs Administration (NAV) or other public organizations.

The types of personal data handled in relation to the Data Subject and the period for which the data will be stored are detailed in Annex 1 of this Policy.

2.3. Certain Data Processing Objectives and Legal Bases

Performance of the Contract

The personal data are processed for the purposes of compliance with the Controller’s contractual obligations.

The detailed terms and conditions for the provision of services under the contract are set out in the contract governing the given legal relationship and its annexes.

The duration of this data processing is the same as the duration of the contract.

Given that without the provision of the above-mentioned personal data (data provision), the Data Controller or the Partner will not be able to fulfill its contractual obligations, the Partner or the Data Subject shall personally provide the personal data to the Data Controller. Failure to provide the data may result in the performance of the Contract being impossible and the Data Controller becoming entitled to withdraw from the contract.

If the legal basis of specific processing is performance of a contract, the Controller shall process the Data Subject’s data even after termination of the contract for the purposes of establishment, exercise or defense of legal claims.

The Controller shall keep the Data Subject’s personal data not erased after failure of conclusion or after termination of the contract for a period of five years after failure of conclusion or after termination of the contract according to the general rules for limitation set out in Act V of 2013 on the Civil Code. In the case of certain special-purpose contracts (e.g., construction contracts, public contracts), this period may be longer than 5 years by the provisions of contract or a legislative act.

The Controller processed, and still processes partly, personal data under contracts concluded before entry into force of the Regulation (May 25, 2018). However, according to the Regulation, it is not necessary to impose the obligation to provide information where the provision of information to the Data Subject proves to be impossible or would involve a disproportionate effort of the Controller. In view of this, the Data Controller informs the Data Subject about the fact of legal processing based on the legal basis created before the entry into force of the Regulation, not by personal request, but by publishing this Policy on its website.

Fulfillment of a Legal Obligation

The Controller may process the Data Subject’s personal data also for the purposes of compliance with legal obligations. The list of legal obligations is included in Annex 1 of this Policy.

Considering that the processing under this clause is the Controller’s legal obligation, the personal data should be provided on a mandatory basis and if such data are not provided, performance of the Contract may become impossible and the Controller may become entitled to withdraw from conclusion of the contract or the Controller may refuse performance of the Contract.

Legitimate Interest of the Data Controller and / or a Third Party

The Controller may process the Data Subject’s personal data also on ground of his or her legitimate interests. If data processing is based on this legal basis, the Data Controller shall determine the necessary and proportionate level of data processing in the interest weighing test before commencing data processing.

Given that the processing of data under this section is in the legitimate interest of the Data Controller or a third party, the provision of personal data is mandatory, and failure to provide data may result in the refusal of the Data Controller to enter into or perform the contract, or to participate in the events detailed in Annex 1, Item 6.

Voluntary Consent of the Concerned Party

Personal data shall be processed based on the Data Subject’s consent (freely given, specific, informed and unambiguous indication of his or her wishes). Consent may be provided by the Data Subject

  • Separate from other statements, in a contract regarding the fulfillment of services, or
  • in a separate statement.

The consent is voluntary, and the Data Subject has the right to withdraw their consent at any time without notice to the Data Controller. The Data Subject may send the notice to any of the contact addresses in Section 1 of the Policy. In such notice the Data Subject shall indicate the processing operation in respect of which he or she intends to withdraw the consent in an identifiable manner.

If the Data Subject’s personal data are processed for promotional purposes or for other award games, the Controller shall inform the Data Subjects separately of the related processing.

Withdrawal of the consent will have no consequences for the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of the data processing prior to the withdrawal carried out on the basis of the consent.

4. Recipients of the Personal Data

The Controller may transfer the Data Subject’s personal data to the following persons or entities:

  • bodies entrusted by the Controller and engaged in health and safety and quality protection activities, which are regarded as joint controllers together with the Controller in respect of the personal data provided in this field. In the event the body engaged in health and safety and quality protection activities entrusts a third party with such activities, then that third party shall be regarded as a processor;
  • to the organization(s) providing back office services to the Data Controller (Finance and Accounting, HR, IT, Law), who are considered data processors for the data transmitted;
  • on the basis of statutory requirements, to the authority specified by legislation;
  • the partner providing services to the Data Controller, or 
  • for the service provider involved in the execution of events and programs, who shall be considered a data processor on the basis of this mandate.

The Controller does not transfer personal data to a third country.

5. Rights of the Data Subject

5.1. Your right to access

The Data subject shall have the right to receive feedback from the Data Controller that their personal data is being processed and, if such processing is in progress, to have access to the personal data and the following information:

  • the purposes of processing of the specific personal data,
  • categories of personal data of the Data Subject,
  • the categories of recipients to whom the Data Subject's personal data have been or will be disclosed, including, in particular, third country recipients; international organizations (in the case of transfers to third country recipients and international organizations, the Data Subject is entitled to request information if the data transfer is subject to appropriate safeguards),
  • the intended duration of storage of the Personal Data of the Data Subject, or, where this is not possible, the criteria for determining this time period,
  • the Data Subject's rights (right of rectification, erasure or limitation, right to data portability, and the right to object to the processing of such personal data),
  • the right to lodge a complaint with a supervisory authority,
  • if the data was not obtained by the Data Controller from the Data Subject, all the available information about the source,
  • the fact of making an automated decision on the Personal Data of the Data Subject, including profiling; if such data processing is carried out, the information shall include the logic used and the significance and likely consequences of such processing for the Data Subject.

Unless otherwise requested by the Data Subject, the information requested shall be provided in a widely used electronic format if the Data Subject has submitted the request electronically.

Prior to completing the request, the Data Controller may request the Data Subject to specify the content of the request and to specify the requested information or data processing activities.

If the Data Subject’s right for access adversely affects the rights and freedoms of others, so in particular others’ trade secrets or intellectual property, the Controller will be entitled to refuse to meet the Data Subject’s request to the extent necessary and proportionate.

In the event that the Data Subject requests the above information in multiple copies, the Data Controller shall be entitled to charge a reasonable and proportionate fee in proportion to the administrative costs of producing the additional copies.

If the Personal Data indicated by the Data Subject are not managed by the Data Controller, they shall also inform the Data Subject in writing.  

5.2. Right to Rectification

The Data Subject has the right to request the rectification of personal data concerning him or her. If the personal data concerning the Data Subject are incomplete, the Data subject has the right to request the personal data to be supplemented.

In the exercise of the right to rectification / addition, the Data Subject shall indicate which pieces of data are inaccurate or incomplete and shall also inform the Data Controller of the exact and complete data. In justified cases, the Controller shall be entitled to invite the Data Subject to demonstrate the clarified data appropriately, first of all, by means of documents to the Controller.

The Data Subject shall correct the data without any undue delay.

After having complied with the Data Subject’s request for exercising his or her right to rectification, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

5.3. Right to Erasure ("The Right to Forget")

The Data Subject shall have the right to propose that the Data Controller delete his or her personal data or pieces of personal data, without undue delay if any of the following reasons exist:

  • the personal data provided by the Data Subject is not required for the purpose for which it was collected or otherwise processed by the Data Controller,
  • the Controller processed the personal data (including also special data) based on the Data Subject’s consent and the Data Subject has withdrawn such consent and there is no other legal basis for the processing,
  • the Data Subject objects to the processing based on the Controller’s legitimate interest and there are no compelling legitimate grounds for the processing by the Controller which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims,
  • the Data Controller has unlawfully processed the personal data,
  • the data managed by the Data Controller must be deleted in order to comply with any legal obligation under EU or national law applicable to the Data Controller,
  • the Data Subject protests against the data processing, and there is no overriding reason for the data processing.

The Data Subject shall submit their request for deletion in writing and indicate the reason for which they wish to have the personal data deleted.

Where the Controller adopts the Data Subject’s motion for erasure, it will erase the personal data processed in all registers and will inform the Data Subject thereof in an appropriate manner.

In the event the Controller shall erase the Data Subject’s personal data, the Controller shall take all reasonable actions, including application of technical measures, that are necessary for informing also the controllers who have become aware of the Data Subject’s personal data as a result of publication of such data about the mandatory erasure of the personal data. In the course of providing such information, the Controller shall inform the other controllers that erasure of links, copies or replicates of the Data Subject’s personal data has been initiated by the Data Subject.

After having complied with the Data Subject’s request for exercising his or her right of rectification, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

The Data Controller shall not be obliged to delete personal data if such data processing is necessary for the following:

  • for the exercise of the right to freedom of expression and information,
  • to comply with any obligation of the Data Controller under Hungarian or European Union law to process personal data,
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
  • for the pursuit of a general interest in the field of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the Data Subject’s right to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing,
  • for the filing, enforcement or defense of legal claims.

5.4. Right to Restrict Data Processing

The Data Subject shall have the right to propose that the Data Controller restrict the processing and use of his or her personal data or pieces of personal data, without undue delay if any of the following reasons exist:

  • the Data Subject disputes the accuracy of the personal data (in which case the restriction will continue until the Data Controller verifies the accuracy of the data),
  • the Controller’s processing was unlawful, but the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • the purpose of the data processing for the Data Controller has ceased to exist, but the Data Subject requires them for the purpose of submitting, asserting or defending legal claims,
  • the Data Subject objects to processing in respect of that based on the Controller’s legitimate interest and there are no compelling legitimate grounds for the processing by the Controller which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims; in such a case restriction will exist until it is established pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of an EU Member State.

The Data Controller shall inform the Data Subject in advance of the lifting of the restriction of data processing.

After having complied with the Data Subject’s request for exercising his or her right to restriction, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

​​​​​​​​​​​​​​5.5. Right to Protest

If the processing of the data of the Data Subject is based on a legitimate interest, an important guarantee provision is that the Data Subject shall be provided with appropriate information and the right to object in relation to the data processing. This right must be expressly brought to your attention at the latest when you first contact the Data Subject.

The Data Subject shall be entitled to object to the processing of his or her personal data and, in such a case, the Controller shall no longer process the Data Subject’s personal data unless it can be demonstrated that

  • the processing by the Controller is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject, or
  • the processing is related to the filing, validation or defense of the Data Controller's legal needs.

5.6. Right to Data Portability

The Data Subject shall have the right to receive personal data relating to him or her, processed by the Data Controller, in a structured, widely used, machine-readable format, and to transmit such data to another Data Controller without being hindered by the Data Controller.

The right to data portability shall be exercised with respect to the personal data provided to the Data Controller by the Data Subject, and

  • the data processing is based on the consent of the data subject or on a contractual basis, and
  • Data processing is automated.

If it is otherwise technically feasible, the Data Controller shall, at the request of the Data Subject, forward the personal data directly to another data controller indicated in the Data Subject's application. The right to data portability under this section does not create an obligation for data controllers to install or maintain technically compatible data processing systems.

In the field of data portability, the Data Controller shall make the data file available to the Data Subject free of charge.

If the data subject's right to data portability adversely affects the rights and freedoms of others, so in particular others’ trade secrets or intellectual property, the Controller will be entitled to refuse to meet the Data Subject’s request to the extent necessary.

The Data Controller's measure taken in the field of data portability does not mean the deletion of the data, and it shall be recorded by the Data Controller for as long as the Data Controller has a proper purpose or legal basis for the processing of the data.

​​​​​​​5.7. The Right to Decide on Automated Decision-Making in Individual Cases, Including Profiling

The Data Controller informs the Data Subject that he or she is not in a position to exercise his or her right to decide on automated decision-making, including profiling, in Individual Cases, as set out in Article 22 of the GDPR, as the Data Controller does not carry out automated decisions, including profiling.

​​​​​​​​​​​​​​5.8. Right to Legal Remedies

Right to Complain

If the Data Subject considers that the processing of personal data by the Data Controller violates the prevailing data protection laws, in particular the GDPR, he has the right to lodge a complaint to the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság).

Contact Details of the National Data Protection and Freedom of Information Authority:

  • Home page: http://naih.hu/
  • Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
  • Mail address: 1530 Budapest, Pf.: 5.
  • Phone: +36-1-391-1400
  • Fax: +36-1-391-1410
  • E-mail: ugyfelszolgalat [at] naih.hu ()

The data subject has the right to lodge a complaint with another supervisory authority, in particular in the Member State in which he / she has habitual residence, is employed, or the alleged infringement took place.

Right to Apply to the Courts (Right of Action)

Irrespective of his or her right to lodge a complaint, the Data Subject may access a court if his or her rights under the GDPR were infringed in the course of the processing of his or her personal data.

The Data Controller, as a data controller with a domicile in Hungary, may be sued before a Hungarian court.

According to the current Act on the right to information and self-determination, Section 22, Paragraph (1), the Data Subject may file a suit before the court in his / her country of residence. The contact details of the Hungarian courts can be found on the following link: http://birosag.hu/torvenyszekek.

Considering that the Controller is not a public authority of a Member State acting in the exercise of its public powers, the Data Subject may bring the action also before courts having competence and jurisdiction in the Member State of his or her habitual residence provided that the Data Subject’s habitual residence is in another Member State of the European Union.

Other Claim Options

The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly constituted in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of Data Subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to carry out the judicial review of the decision of the supervisory authority, to bring an action and to exercise the right to receive compensation.

6. Data security

Data Controller undertakes to provide the security of Personal Data, and also takes all necessary technical measures to ensure the protection of Personal Data from unauthorized acquisition, deletion, modification, and use. Furthermore, Data Controller undertakes to advise any third party (e.g., Data Processor) to whom they forward Personal Data about the necessity of such obligations.

7. Miscellaneous

In the event that the Data Controller has a reasonable doubt as to the identity of the person making the request under sections 5.1 to 5.7 of the Policy, the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

The Data Controller reserves the right to unilaterally modify this Policy with effect from the time of the modification, subject to any applicable legal restrictions and prior notice to the Data Subject.

Annex 1

* * *

Budapest, 15 April, 2019