Középülettervező Zrt. (hereinafter: Controller), as the operator of the website accessible at the domain name of www.kozti.hu (hereinafter: Website) hereby publishes the information relevant to the Web Site and to data controlled in conjunction with the services related to the Website.
Controller’s name: Középülettervező Zártkörűen Működő Részvénytársaság
Registered office: 1023 Budapest, Lublói utca 2.
E-mail address: firstname.lastname@example.org
The User can provide his or her data on the page specifically designed for the purpose so that he or she can contact the Controller and receive information about the Controller’s products and services. The following personal data are requested (data marked by * are obligatory):
Only persons at least 18 years of age are entitled to provide data.
The purpose of data processing is to enable the Controller to provide information on its services and activities, to contact Users that are interested in the Controller’s services, to provide general information to Users, and to handle comments regarding the Controller’s activities.
Personal data are processed whilst the purpose of processing prevails; in cases of contacting, data are controlled up to no more than 30 days from the termination of bilateral communication between the Controller and the User or until such time that the User requests erasure of his or her data or revoke his or her consent to the control of his or her personal data.
Once the purpose of data controlling ceases or when the User so requests, the personal data will be erased without delay.
After contact has been made, the User consents for the Controller to control the User’s personal data as described in this Guide. The legal basis for the controlling of personal data is the User’s voluntary consent given in awareness of the information provided in this Guide.
The User may only provide his or her own personal data. In case the User provides data other than his or her own, it is the duty of the data provider to obtain the consent of the person concerned.
The Controller is entitled to access Users’ personal data in accordance with the relevant effective statutory provisions.
The Controller retains the right to involve a data processor in future and shall inform Users to that effect by modifying this Guide.
Unless expressly provided otherwise by law, the Controller may only transfer data suitable for personal identification with the User’s express consent.
The User has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the User, the Controller may charge a reasonable fee based on administrative costs. Where the User makes the request by electronic means, and unless otherwise requested by the User, the information shall be provided in a commonly used electronic form.
The Controller shall provide the User with information, in an easy-to-understand format, without undue delay and in any event within one month from submitting the application. The User can submit his or her application for access at the contact addresses specified in Point 1.) above.
The User may submit a request, at the contact addresses specified in Point 1.) above, that the Controller rectify the User’s incorrect or incomplete personal data, taking the purpose of data processing into consideration. The Controller shall make the rectification without undue delay.
The User is entitled to request the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
Where the Controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the User has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
Personal data do not have to be erased to the extent that processing is necessary:
The User is entitled to obtain from the Controller restriction of processing where one of the following applies:
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a member state.
A User who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the User about those recipients if the User so requests.
The data subject shall have the right to object to processing of personal data concerning him or her if processing is
In cases where the User objects, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims.
The Controller shall provide information on action taken in response to the User’s request regarding access, rectification, erasure, restriction, objection or transfer without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the User submitted the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the User.
If the Controller does not take action on the request of the data subject, the Controller shall inform the User without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information requested by Users and any communication and any actions taken in response must be provided free of charge. Where requests from a User are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Any event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Controller constitutes a personal data breach.
The controller should notify the personal data breach to the National Authority for Data Protection and Freedom of Information without undue delay but not later than 72 hours after having become aware of it, unless the Controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay. Notifications to the National Authority for Data Protection and Freedom of Information must include at least the following information:
When the personal data breach is likely to result in a high risk, the Controller shall communicate, through its Website, the personal data breach to the User within 72 hours from becoming aware of the breach. The notification must include at least the details listed herein
The Controller shall keep records of any and all personal data breach in order to ensure supervision of the measures taken and to inform those concerned. The record must contain the following data:
The Controller shall keep the data of the personal data breach on record for five years from becoming aware of the breach.
The Controller undertakes to ensure the security of personal data, and shall implement appropriate technical and organisational measures and shall develop appropriate procedures to ensure the security of the personal data recorded, stored and processed, and to prevent their destruction and unauthorised use and alteration. The controller also undertakes to call on third parties to whom personal data are transferred or who are involved in processing based on Users’ consent to comply with the requirements of the security of personal data.
The controller shall ensure that the data processes are not subject to access, disclosure, transfer, alteration or modification and erasure by unauthorised persons. The data processed shall be known only to the Controller, the Controller’s employees, and the data processors involved by the Controller, and shall not be transferred to third parties who are not authorised to know such data.
The Controller shall do its best to avoid accidental damage or destruction of the data processed. The Controller shall require its employees involved in data processing to comply with the above obligation.
The User understands and accepts that while Controller implements up-to-date security technology and means to prevent unauthorised access, interception and penetration, the security of personal data provided via the Website cannot be fully guaranteed. If despite all of the Controller’s efforts unauthorised interception of or access to personal data occurs, the Controller shall not be liable for any damage suffered by the User from such access or interception. Furthermore, it is also possible that the User gives his or her personal data to third parties that may use such data in an unlawful manner or for unlawful purposes.
The controller shall do its best to process personal data in compliance with the law; however, if despite the Controller’s best efforts the User feels that the Controller is not in compliance, the User is free to make a complaint using the contact details provided in Point 1.) above.
If the User feels that his or her right to privacy and the protection of personal data have been violated, the User may seek remedy from the competent authorities as provided for by the governing law:
This Guide is governed by the Hungarian law, specifically Act CXII of 2011 on the right to informational self-determination and on the freedom of information, and Regulation (EU) of the 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Budapest, 9 March 2020