Privacy Policy

EU-FIRE Real Estate Development and Consulting Limited Liability Company (registered office: 1143 Budapest, Hungária körút 83.; company registration number: 01-09-699091; tax number: 12698352-2-42; hereinafter referred to as “Data Controller”), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), informs customers (“Data Subject”) through the Data Controller’s online store about the processing of their personal data as follows.

Company name and contact details of the Data Controller:

EU-FIRE Real Estate Development and Consulting Limited Liability Company (registered office: 1143 Budapest, Hungária körút 83.; company registration number: 01-09-699091; tax number: 12698352-2-42)

Email: info@eu-fire.hu

Website: www.eu-fire.hu

Concepts and definitions related to the Data Controller’s service and data management

“personal data” means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“controller” means a natural or legal person or an organization without legal personality who, alone or jointly with others, determines the purpose of data processing, makes and implements decisions concerning data management (including the means used) or has them executed by the data processor, within the framework defined by law or by a binding legal act of the European Union;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“processor” means a natural or legal person or an organization without legal personality who processes personal data on behalf of the controller, within the limits and under the conditions laid down by law or by a binding act of the European Union;

‘processing’ means all processing operations carried out by a processor acting on behalf of the controller;

‘transfer’ means making data available to a specific third party;

‘disclosure’ means making information available to anyone;

‘erasure’ means making data unrecognizable in such a way that their recovery is no longer possible;

‘profiling’ means any processing of personal data by automated means for the purpose of evaluating, analysing or predicting personal aspects of a data subject, in particular aspects concerning that person’s performance at work, economic situation, health, personal preferences or interests, reliability, behaviour, location or movements;

“recipient” means a natural or legal person, public authority, agency or any other body, to which personal data are disclosed, whether a third party or not. Public authorities which may have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Basic principles and basic provisions

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. (Article 5 (1) (a) GDPR)

Purpose limitation

Personal data shall only be collected for specified, explicit and legitimate purposes, in order to exercise a right and fulfil an obligation, and shall not be processed in a manner incompatible with those purposes. Only such personal data may be processed that is essential for the realization of the purpose of data management and suitable for achieving the purpose. Personal data may only be processed to the extent and for the time necessary to achieve the purpose. (Article 5 (1) (b) GDPR)

Data minimisation

Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. (Article 5 (1) (c) GDPR)

Accuracy

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. (Article 5 (1) (d) GDPR)

Storage limitation

Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may only be stored for longer periods where the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with applicable law, subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of Data Subjects. (Article 5 (1) (e) GDPR)

Integrity and confidentiality

Personal data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (Article 5 (1) (f) GDPR)

Accountability

The Data Controller is responsible for compliance with the principles of data processing and must be able to demonstrate such compliance. (Article 5 (2) GDPR)

Scope of personal data processed, legal basis of data processing, purpose and duration of data processing:

Each entry below lists the scope of personal data processed, the legal basis of data processing, the purpose of data processing and the duration of data processing.

In the case of a natural person:

  • Username;
  • Full name;
  • Your electronic notification address (email address);
  • Password.

In the case of a legal entity:

  • Username;
  • Contact person full name;
  • Your electronic notification address (email address);
  • Password.

Legal basis of data processing: Art. 6 para. 1 lit. a GDPR.

Purpose of data processing: Creating and managing a user account in the Data Controller’s online store.

Duration of data processing: Until the withdrawal of consent.

In the case of a natural person:

  • Full name;
  • Your electronic notification address (email address),
  • Telephone number.

In the case of a legal entity:

  • Name of legal entity;
  • Seat;
  • Registration number;
  • VAT number;
  • Contact name;
  • Email address;
  • Telephone number.

Legal basis of data processing: Art. 6 para. 1 lit. b GDPR; Electronic Request Act § 13/A (3).

Purpose of data processing: Ordering a product that can be purchased in the Data Controller’s online store.

Duration of data processing: The general limitation period after performance is 5 (five) years (Section 6:22 (1) of the Civil Code).

In the case of a natural person:

  • Full name;
  • Email address;
  • Telephone number;
  • Shipping name;
  • Delivery address.

In the case of a legal entity:

  • Name of legal entity;
  • Seat;
  • Registration number;
  • VAT number;
  • Contact name;
  • Telephone number.
  • Shipping name;
  • Delivery address.

Legal basis of data processing: Art. 6 para. 1 lit. b and c GDPR; Electronic Request Act § 13/A (3).

Purpose of data processing: Delivery, performance and issuing of invoices of products purchased in the Data Controller’s online store.

Duration of data processing: Until the limitation period after performance, which is 5 (five) years.

With regard to data processed under the Accounting Act for the purpose of issuing and keeping documents, the duration of data processing is 8 (eight) years after the termination of the contract (Section 169 (2) of the Accounting Act).

Management and retention of accounting documents until the right to assess tax expires, i.e. for 5 (five) years from the end of the year of the return based on the given document (Art. §§ 47(1), 164(1)).

In the case of a natural person:

  • Full name;
  • Your electronic notification address (email address),
  • Telephone number.

In the case of a legal entity:

  • Name of legal entity;
  • Seat;
  • Registration number;
  • VAT number;
  • Contact name;
  • Email address;
  • Telephone number.

Legal basis of data processing: Art. 6 para. 1 lit. f GDPR.

Purpose of data processing: Enforcement of the Data Controller’s claims arising from the above legal relationships (management, collection of receivables, enforcement of other claims).

Duration of data processing: Until the expiry of 5 (five) years after performance or, if a claim has been enforced by the Data Controller or against it in relation to the Data Subject, after the final assessment of the claim enforcement (Section 6:22 (1) of the Civil Code).

  • Unique identification number (IP);
  • Date;
  • Dates.

Legal basis of data processing: Art. 6 para. 1 lit. a GDPR.

Exceptions are the online store-specific cookies, the so-called “shopping cart cookies” and “security cookies”, for the use of which prior consent from the Data Subjects is not required.

Purpose of data processing: Tracking visitors to the online store.

Duration of data processing: Until the withdrawal of consent.

  • Full name;
  • Email address.

Legal basis of data processing: Art. 6 para. 1 lit. a GDPR.

Purpose of data processing: Sending electronic newsletters in connection with the products and services distributed by the Data Controller to those Data Subjects who have given their express consent to the sending of electronic newsletters in advance.

Duration of data processing: Until the withdrawal of consent.

  • Full name;
  • Address;
  • Place, time and manner of lodging the complaint;
  • Email address;
  • Billing name and address.

Legal basis of data processing: Art. 6 para. 1 lit. c GDPR; pursuant to Section 17/A (5) of Act CLV of 1997.

Purpose of data processing: Handling quality complaints and problems arising in connection with products ordered and received from the Data Controller.

Duration of data processing: Copies of the minutes, transcripts and responses to the objection raised shall be kept for 3 (three) years pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

The Data Subject may withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing prior to its withdrawal.

Cookies used in the web shop:

Name of cookie    Type of cookie    Service provider    Expiry of data processing

__qca             Cookie            Quantcast           30 days

euconsent-v2      Cookie            Quantcast           30 days

qcSxc             Cookie            Quantcast           30 days

Security of Data Management

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the data processor used by it shall implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the degree of risk.

The Data Controller ensures the security of the personal data of the Data Subjects, furthermore takes the technical and organizational measures and establishes the procedural rules necessary to enforce the GDPR, the Privacy Act and other data and confidentiality rules.

The Data Controller protects personal data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.

All persons engaged in data processing are obliged to act with the utmost care in order to ensure the authenticity and preservation of data and to prevent unauthorized access.

Everyone has access only to the data and to the extent that they absolutely need to do their job.

In order to protect the data files processed electronically in the various registers, the Data Controller shall ensure with appropriate technical solution that the data stored in the registers – unless permitted by law – cannot be directly linked and assigned to the Data Subject.

In order to maintain security and prevent data processing in violation of the GDPR or the Privacy Act, the Data Controller assesses the risks arising from the nature of the data processing and, if necessary, applies additional measures to mitigate these risks, such as encryption and pseudonymization. Currently, no such measures are applied by the Data Controller.

The Data Controller selects and operates the IT tools used to process personal data during the provision of its service in such a way that the personal data processed:

are accessible to authorised persons (‘availability’);

have their authenticity and authentication ensured (“credibility of processing”);

can be shown to be unchanged (‘data integrity’);

are protected against unauthorized access (“confidentiality of data”).

During data processing, the Data Controller shall preserve:

confidentiality: protects the personal data of the Data Subject so that only those who are entitled to access it can access it;

integrity: protects the accuracy and completeness of the information and the method of processing;

availability: ensures that when the authorized user acting on behalf of the Data Controller needs it, he can actually access the required information and the related tools are available.

In order to enforce and ensure the conditions of data security, the Data Controller ensures the appropriate and regular preparation and further training of the employees, subcontractors and personal collaborators concerned.

Automated decision-making (including profiling):

No automated decision-making, including profiling, takes place during data processing.

Transfer of personal data, recipients or categories of recipients of personal data:

The Data Controller uses the following data processor in connection with data processing:

EU-FIRE Kft., activities related to data management: operation of online store; Email: info@eu-fire.hu

OTP Mobile Service Provider Ltd., activities related to data management: online payment system; Email: ugyfelszolgalat@simple.hu

hu Kft. (Számlázz.hu), activities related to data management: online invoicing software; Email: info@szamlazz.hu

WeDo Technologies Kft., activities related to data management: hosting provider; e-mail: info@we-do.hu

GLS Hungary Kft., activities related to data management: transportation; Email: info@gls-hungary.com

UPS Hungary Kft., activities related to data management: transportation; Email: upshungary@ups.com

SPRINTER Courier Service Ltd., activities related to data management: transportation; Email: info@sprinter.hu

DPD Hungary Kft., activities related to data management: transportation; Email: dpd@dpd.hu

EU-FIRE Kft., activities related to data management: marketing; Email: info@eu-fire.hu

Personal data will be transmitted to the following recipients:

Personal data will not be transferred to a third country (i.e. outside the European Union) or to an international organization.

Data transmission

Within the Data Controller’s organization, the personal data of Data Subjects may only be transferred in accordance with the principle of purpose limitation and access to such data may only be provided if there is an appropriate purpose.

The Data Controller may use the personal data of the Data Subjects for direct marketing or informational purposes, in particular for its own marketing purposes, only with the express and prior consent of the Data Subject.

General rules for data transfer to third parties other than the Data Controller:

Personal data may only be transferred to third parties on the basis of legal authorization or with the prior consent of the Data Subject.

Prior to the data transfer, the Data Controller is obliged to examine whether its legal conditions are met and whether the conditions of data processing are fulfilled for each personal data after the transfer.

Before data are transferred to the same controllers, concerning the same Data Subject and for the same purpose, the Data Protection Officer should be involved in the assessment of the lawfulness of the transfer. Subsequent transmissions need not be subject to a separate investigation.

Transfer abroad or to a third country:

Prior to the data transfer, the Data Controller is obliged to examine, with the involvement of the Data Protection Officer, whether its legal conditions are met and whether the conditions of data processing are fulfilled for each personal data affected by the transfer after the transfer.

Pursuant to Article 13 (1) (f) of the GDPR, the Data Controller states that it will not transfer data processed by it to an international organization at the time of entry into force of this prospectus.

Pursuant to Article 13 (1) (f) of the GDPR, the Data Controller stipulates that at the time of the entry into force of this prospectus, in the case of repatriation to a third country exclusively for the repatriation of the person served by the Data Controller or the Data Controller or for the purpose of organizing care to another country, the data controller or ground patient transporter or his relatives will continue to provide personal data in accordance with the provisions of this prospectus, provided that at least one of the following conditions is met:

the Data Subject has given his or her explicit consent to the intended transfer after having been informed of the potential risks arising from the transfer due to the absence of an adequacy decision and appropriate safeguards;

the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or for the implementation of pre-contractual measures taken at the request of the Data Subject;

the transfer is necessary to protect the vital interests of the Data Subject or of another person and the Data Subject is physically or legally incapable of giving consent.

In other cases, the Data Controller shall not transfer the data processed by it to a third country.

Data provision upon request from the authorities

Based on a request for data received from official bodies (in particular, but not limited to, courts, prosecutors’ offices, investigating authorities, misdemeanour authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law), information, disclosure, transfer of data and documents are provided by the Data Controller in the manner and content indicated therein, if, to the best of the Data Controller’s knowledge, the requesting authority’s request for data is likely to be lawful. The Data Controller excludes any additional liability for the possible unlawfulness of the transfer of personal data to official bodies.

Personal data processed by the Data Controller may be transferred without the consent of the Data Subject:

to bodies (conciliation body, supervisory authority, etc.) that may be legally competent to settle disputes between the Data Controller and the Data Subject;

if the Data Subject is unable to give his or her consent for unavoidable reasons, in order to protect the vital interests of the Data Subject or another person, or to prevent danger to the life, physical integrity or property of persons, to the authorized body at the request of the body authorized by special law to access the data;

to legal representatives (law firms) occasionally involved in enforcing the rights of the Data Controller;

in the event of (sub)assignment of its claim against the Data Subject or the company represented / owned by the Data Controller to third parties, data on the claims concerned and the debtors of the claims to the assignee or the person making an offer for the claim;

for the enforcement of the Data Controller’s claim against the Data Subject or the company represented/owned by it, to the administrative body, authority, court or bailiff that conducts any legal procedure necessary for debt collection;

to any other official body to which the provision of information is required by the legislation in force, in the manner and to the extent prescribed by such legislation;

further persons or organisations who, on behalf of the Data Controller, otherwise participate as data processors in the preparation or performance of the contractual relationship between the Data Subject and the Data Controller.

I acknowledge that the following personal data stored in the user database of shop.eu-fire.hu by EU-FIRE Real Estate Development and Consulting Limited Liability Company (registered seat: 1143 Budapest, Hungária körút 83.) will be transferred to OTP Mobil Kft. as data processor. The scope of data transmitted by the data controller is as follows: [name, email address, billing address, delivery address, telephone number]. The nature and purpose of the data processing activity performed by the data processor can be found in the SimplePay Privacy Policy, at the following link: https://simplepay.hu/vasarlo-aff

Personal data breach

A personal data breach within the meaning of the GDPR is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Any employee, processor or other contributor of the Data Controller who has detected a personal data breach shall without delay notify the Data Controller’s representative or data protection officer, who shall immediately investigate and recommend the necessary measures and ensure and monitor the implementation of the following measures.

To report a personal data breach:

The Data Controller is obliged to notify the personal data breach to the competent supervisory authority (NAIH) without undue delay and, if possible, within 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.

The information provided shall include:

the nature of the incident, including, where possible, the categories and approximate number of Data Subjects and the categories and approximate number of data affected by the incident;

the name and contact details of the controller’s representative or data protection officer as contact person;

the likely consequences of the incident;

the measures taken or planned by the Data Controller to remedy the personal data breach, including, where applicable, measures to mitigate the possible adverse consequences of the personal data breach.

Information to Data Subjects:

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the representative of the Data Controller shall communicate the personal data breach to the Data Subject without undue delay, stating its nature, the name and contact details of the Data Controller’s contact person, the likely consequences and the measures taken or planned to remedy or mitigate the personal data breach, unless one of the conditions in Article 34 (3) GDPR is met.

Investigation and handling of a personal data breach:

The person responsible for the process handling or processing the data shall inform the representative of the Data Controller or the data protection officer about each measure taken to remedy the personal data breach immediately, but no later than within 2 (two) working days after the implementation of the given measures.

Records of personal data breaches:

The Data Controller is obliged to record personal data breaches, which contain the facts related to the personal data breach, its effects and the measures taken to remedy it.

Rights of the Data Subject related to data processing:

The Data Subject may request from the Data Controller:

(a) access to personal data relating to him or her,

(b) rectification of his or her personal data, and

(c) erasure or restriction of processing of his or her personal data, with the exception of mandatory data processing.

Right of access:

The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The Data Controller shall provide the Data Subject with a copy of the personal data undergoing processing. For further copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless otherwise requested by the Data Subject.

Right to rectification:

The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to erasure:

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the Data Subject withdraws consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR and there is no other legal basis for the processing;

(c) the Data Subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 (2) GDPR;

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data have been collected in connection with the offer of information society services referred to in Article 8(1) GDPR (child’s consent conditions).

Right to restriction of processing:

The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the Data Subject, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(d) the Data Subject has objected to processing pursuant to Article 21 (1) of the GDPR; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the Data Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Right to data portability:

Furthermore, the Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (i) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR, or on a contract pursuant to Art. 6 para. 1 lit. b GDPR; and (ii) the processing is carried out by automated means.

Right to object:

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In that case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

General rules for exercising the rights of the Data Subject:

The Data Controller shall inform the Data Subject of the measures taken in response to his or her request without undue delay, but no later than within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the Data Subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay. If the Data Subject submitted the request electronically, the information shall be provided electronically whenever possible, unless otherwise requested by the Data Subject.

The Data Controller shall provide the Data Subject with information and action free of charge. If the Data Subject’s request is manifestly unfounded or excessive, in particular because of its repetitive character, the Data Controller, taking into account the administrative costs of providing the requested information or communication or taking the action requested, may:

(a) charge a reasonable fee, or

(b) refuse to act on the request.

The burden of proving the manifestly unfounded or excessive nature of the request lies with the Data Controller.

If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the Data Subject.

Enforcement options:

In case of violation of his or her rights, the Data Subject may turn to court against the Data Controller. The court shall deal with the case as a matter of priority. The Data Controller shall be obliged to prove that the data processing complies with the provisions of the law. The trial falls within the jurisdiction of the General Court, in the capital the Metropolitan Court of Justice. The action may also be brought before the court of the place of residence of the Data Subject.

The Data Controller shall compensate for any damage caused to others by the unlawful processing of the Data Subject’s data or by violating the requirements of data security. The Data Controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. No compensation shall be paid to the extent that it resulted from intentional or grossly negligent conduct on the part of the injured party.

In case of a complaint related to the processing of his or her personal data, the Data Subject may also turn to the National Authority for Data Protection and Freedom of Information (dr. Attila Péterfalvi, President of the National Authority for Data Protection and Freedom of Information, postal address: 1363 Budapest, Pf.: 9., address: 1055 Budapest, Falk Miksa utca 9-11.; Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; Email: ugyfelszolgalat@naih.hu; website: www.naih.hu).