1. General provisions

The purpose of this Privacy Policy is to allow the Companies as defined in Section 2 to comply with their obligation to inform the data subject in advance of the processing and to inform the data subject of the principles of processing and how it can be exercised legally.

In drawing up this Privacy Policy, the Companies have taken into account in particular the following laws:

• General Data Protection Regulation (EU) 679/2016 (‘GDPR’)
• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (‘Information Act’),
• Act CVIII of 2001 on Electronic Commerce and on Information Society Services (‘Electronic Commerce Act’);
• Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (‘Business Advertising Act’);
• Act V of 2013 on the Civil Code (‘Civil Code’)

2. The Data Controllers

Personal data shall be processed by Wing Zrt. (company registration number: 01-10-042336, registered office: H-1095 Budapest, Máriássy utca 7) and the Company from among the cooperating Companies as listed in this Privacy Policy which you contacted jointly (in the framework of a joint processing), for the purposes of providing the services mentioned in Section 4. Therefore the joint data controllers are WING Zrt. and the company listed in Annex 1 with which you have entered into or intend to enter into a contractual relationship.

The joint controllers shall determine their respective responsibilities for compliance with their obligations related to the processing between themselves in particular as regards the exercising of the rights of Data Subjects and their respective duties to provide the required information to Data Subjects.

3. Definitions

Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The Processing carried out by the Controller is different in respect of each legal basis; the Controller’s processing activities are described in detail in this Privacy Policy.

Data Subject means any natural person directly or indirectly identifiable by reference to specific personal data.

With regard to joint processing, Data Subjects may exercise their rights provided in this Privacy Policy in respect of and against each of the Controllers. On this basis, with regard to joint processing, Data Subjects may contact either Controller with their needs, and the response and action of any Controller shall be considered as the joint response and action of the joint data controllers.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Processing Operations by the Processor means performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as of the place of execution, provided that the technical task is performed on the data.

Processor: Processor means a natural or legal person, public authority, agency or other body which processes personal data related to the Data Subjects on behalf of the Controller, based on a written contract concluded with the Controller or based on another legal act; Processors do not make any decisions on their own in connection with the personal data and may only act based on the written contract concluded with the Controller or the other relevant legal act, and according to the instructions received. In relation to the activities described in this Privacy Policy, the identity of the Processors shall be as set out in Section 13.

4. Services affected by Processing

The services of Controllers covered by the Processing shall cover the sale, rental and operation of office and industrial properties as well as retail units, and the ancillary services required for these.

This Privacy Policy shall cover the following Processing by the Companies:

4.1 Preparation of the contracts requested by the Data Subject (contact necessary for the service), conclusion and performance of the contract ("Contractual Processing");
4.2 Processing with regard to the operation of the properties (“Processing related to the Operation”);
4.3 sending newsletters and offers, and comprehensive information to customers ("CRM Processing");
4.4 and Processing during the visit of the website at https://wing.hu (“Website Processing”).

Please be informed that the services related to the apartments covered by the LIVING concept are separate from this Privacy Policy, and the relevant Privacy Policy is available at https://livinghomes.hu/hu.

Please be informed that the properties shall be operated by NEO Property Services Zrt. as a Processor (see below). For details of Processing related to the Operation mentioned in Section 4.2, please refer to the Privacy Policy published at http://neopropertyservices.hu/ .

5. Data Processing Principles

5.1 Lawfulness, fairness and transparency: the Companies may only process data lawfully, fairly and in a manner that is transparent and accessible to its customers.
5.2 Purpose limitation: the Companies collect data subjects' data only for the purposes set out in Section 7 and do not process them in a way incompatible with such purposes.
5.3 Data minimisation: the Companies will only process data that are compatible with the purposes referred to above and will only process them to the extent necessary.
5.4 Accuracy: the Companies will take all reasonable steps to ensure that only accurate and up-to-date personal data about data subjects are processed, and they shall immediately rectify inaccurate data.
5.5 Storage limitation: the Companies will only store personal data for the time strictly necessary to achieve the purposes set out in Section 7.
5.6 Integrity and confidentiality: the Companies shall ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6. Legal Basis of Processing

Legal basis for the processing with regard to the Contractual Processing mentioned in Section 4.1:

6.1 Legal basis for the processing if you are acting as a representative of a company:

• in the case of your data processed for the purpose of contact and introduction of services, your consent (Article 6 (1) (a) GDPR, consent),
• thereafter, during the communication for the conclusion of the contract, legitimate interest of the Controllers to contract with the company you represent in order to provide the Service through your data and by contacting you (Article 6 (1) (f) GDPR, legitimate interest).

If you are a natural person and acting on your own behalf:

• we process your data processed for the purpose of contact and introduction of services on the basis of your consent (Article 6 (1) (a) GDPR, consent),
• thereafter, during the communication for the conclusion of the contract, we process your personal data to conclude the contract (GDPR Article 6 (1) (b), contracting)

Legal basis for the processing with regard to the CRM Processing mentioned in Section 4.3:

6.2 The legal basis for Processing is the consent of the Data Subject in accordance with Article 6(1)(a) of the GDPR and the provisions of the Electronic Commerce Act. In the case of CRM Processing, we have also taken into account Section 6(1) of the Business Advertising Act, according to which the Companies will only process customer data if their customers have given their explicit consent to it.

Legal basis for the processing with regard to the Website Processing mentioned in Section 4.4:

6.3 In addition to the above, when you visit our website, you will find information on the data related to website usage and its processing (cookies) in Section 18 of this Policy, and you can use the settings specified therein to determine the cookie settings and thus the processing of your Website usage data. In the case of data processed for the purpose of operating the Website, in order to ensure the functionality and essential functions of the Website (essential or necessary cookies), the legal basis for the processing is the legitimate interest of the Controllers (Article 6 (1) (f) GDPR, legitimate interest). For all other cookies, the legal basis for processing is your consent (Article 6 (1) (a) GDPR, consent).

7. Purpose of Processing

Purpose of the Processing with regard to the Contractual Processing mentioned in Section 4.1:

7.1 We process your personal data for the purpose of contacting you, at your request, in connection with the Service, introducing you to our Service and keeping in touch with you for the purpose of concluding a contract, and processing your data for the purposes of performing the contract if the latter has been concluded.

Purpose of the Processing with regard to the CRM Processing mentioned in Section 4.3:

7.2 The purpose of Processing with regard to CRM Processing is to provide the services available on the website operated by the Companies, in particular to search real estate advertisements, to send business offers, to communicate and to serve the needs of the data subject to the fullest extent possible.

Purpose of the Processing with regard to the Website Processing mentioned in Section 4.4:

7.3 Processors use cookies to operate their websites, the purpose of which is to measure the number of visits to the website, the details thereof are set out in Section 18.

With regard to all Processing:

7.4 The Controllers shall not use the personal data of the data subject for purposes other than those specified in these sections. The disclosure of personal data to third parties or public authorities is only possible with the prior express consent of the data subject, unless otherwise provided by law.

7.5 The Controllers do not control the personal data provided by the data subject. Only the person providing the data is responsible for the accuracy of their personal data. This does not affect the Controllers' obligation to only process accurate personal data. When providing an e-mail address, the data subject also accepts responsibility for the fact that the e-mail address provided is used exclusively by the data subject. In view of such commitment, any liability for the use of an e-mail address provided shall be borne solely by the person who registered the e-mail address.

8. The Scope of Data Processed

8.1 For Contractual Processing: Your personal data we process is the data you provide when requesting a quote on the Website and which we collect about you when you use the Website.

Personal data provided when requesting a quote: name, email address, phone number.

With regard to concluded contracts, the scope of data processed is wider and is the same as mentioned in Section 8.2 on CRM Processing.

8.2 CRM Processing:

Data to be recorded during the registration process: username, password, password reminder, e-mail address, name, country, address, gender, telephone number, consent to send newsletters and/or marketing materials, date of registration, number of entries, date of the last entry, the IP address of the entry, services used by the data subject on the webpage/website and their details.

In addition to the data indicated above, the Controllers record the customer's activity, the contact, its content and the time of contact. If the Data Subject wishes to enter into an agreement regarding the services provided by the Controllers, additional data will be entered into the Controllers' system: data of the Data Subject, their personal identification data (tax number, identity card number, mother's name, place and date of birth), data of the selected real estate, specifications, design and construction data.

If those interested enter into a contract for the selected real estate, the Controllers will continue to store their personal data in order to contact them with any further business offers, so that they can keep in touch with their existing customers. By giving their consent, customers also consent to the processing of their Personal Data by the Controllers even after the conclusion of the contract for the given real estate.

8.3 Website Processing: detailed content of Website Processing and the scope of data processed shall be described in Section 18.

9. Content of Data Processing

The content of Processing is aimed at the performance of the Services, and the knowledge and management of the data is necessary in order to prepare for the conclusion of contracts with the Data Subjects and to perform the contracts.

The electronic mail addresses (e-mail addresses) managed by the Companies are primarily used for communication purposes. In the event of a change in the services provided by the Companies, the Companies will send information about the change via e-mail. The Companies' mailing addresses will only be used to send advertising e-mails as specified below: in certain cases, the Companies will send them to the data subjects in an electronic format in e-mail, in accordance with the legal requirements.

10. Storage of the data

Your personal data is stored on servers in use for the internal mail system (MS Office 365) used by the Controllers. Microsoft’s information on this: https://www.microsoft.com/hu-hu/trust-center/privacy/data-location.

Should the details of the contract be recorded after the contact, the data will be stored on the servers of Wing Zrt. (H-1095 Budapest, Máriássy utca 7.), which operates the server itself.

11. Duration of Processing

11.1 For the preparation of the contracts:

In the case of consent-based data processing, we will actively process your personal data until the withdrawal of the consent, and for the purpose of concluding the contract, we will actively process your data until the conclusion of the contract between the parties or the failure to contract. Thereafter no substantive processing operation will take place, the emails containing the data will be archived. Data can be retrieved from archived emails only in special cases. Archived e-mails are deleted after 5 years, the legal basis for their retention is the legitimate interest of the controller in its secure operation.

11.2 For the conclusion of the contracts and CRM Processing:

The Controller will delete the Data after 5 years from the date of recording, unless the Controller is required by law to store those data for a longer period. Examples of such requirements are Section 169 of Act C of 2000 (“Accounting Act”) and Section 57(1) of the Anti-Money Laundering Act, pursuant to which the Controller is required to retain personal data for eight (8) years from the termination of the relationship (or agency) with the Data Subject, and it is also required to retain the Contracts concluded for eight (8) years from their conclusion.

We process your personal data processed through cookies for the period specified in our cookie information.

12. Persons with Access to the Data, Data Transfer

12.1 The data may be accessed primarily, but shall not be disclosed by the controller companies or by the companies' employees who are responsible for contributing to the conclusion of the contracts and the provision of the services and to provide for tasks related to CRM.

12.2 The Controllers shall not publish Personal Data. However, the law may prescribe the disclosure of personal data in the public interest, by expressly indicating the scope of the data. In all other cases, disclosure requires the written consent of the data subject. If there is any doubt, it is to be presumed that the data subject failed to provide his/her consent.

12.3 In certain cases, the Controllers may disclose to third parties the data subject's accessible data in the event of a formal judicial or police request, legal proceedings for copyright, property or other infringements or reasonable suspicion thereof, damage to the interests of the Controllers, endangering the provision of its services, the enforcement of claims by the Controllers, etc.

12.4 The Controllers may and shall transfer all personal data available and properly stored by them to the competent authorities, which it is required to transfer by law or in an inquiry of an authority (e.g. request, decision, ruling, etc.). The Controllers may not be held liable for such data transfer or any consequences thereof. In such a case, the Companies will verify that the request is indeed from a public authority or a court, and will transfer the data in a secure manner that prevents data leaks.

12.5 If Data Subjects wish to conclude a contract for a service offered by the Controllers, the Controllers shall be entitled, to transfer the data subjects' personal data necessary for the conclusion of the contract to the companies cooperating with the Controllers in respect of the service in question. The Controllers shall separately inform the data subjects of the exact recipient of the personal data and the circumstances of the transfer.

12.6 In all cases where the Companies intend to use the data for purposes other than those for which they were originally collected, the Companies shall immediately inform the data subject and obtain their prior explicit consent or provide the data subject with the opportunity to object to such use.

12.7 We do not transfer personal data about you to third parties other than the persons listed, unless required to do so by an authority, court or law.

13. Processing Operations

13.1 Data Controllers may use Data Processors to provide the services. The Processors undertake to ensure that its data processors ensure the lawful and secure processing of data and enable data subjects to exercise their rights under the law.

13.2 The Companies use the following Data Processors:

• NEO Property Services Zrt. (H-1095 Budapest, Máriássy utca 7.)
  Property management service
• Microsoft Co. (Redmond, Washington, USA
  corresponding service provider
• Mailchimp (675 Ponce de Leon Avenue NE, Suite 5000 Atlanta, GA 30308, USA)
  newsletter sender
• Linemedia Kft. (H-1141 Budapest, Komócsy utca 29-31. C. ép. 1. em. 1.)
  website operation and development
• WEBSTATION Számítástechnikai, Kereskedelmi és Szolgáltató Bt. (H-1082 Budapest, Nap utca 32-34. földszint Ü/1.)
  Provision of storage space
• Origami-Europe Kft. (H-2081 Piliscsaba Ráczvölgy utca 27.)
  website maintenance
• Dialogue Creatives Kft. (H-1036 Budapest, Lajos utca 48-66. E ép.)
  website maintenance
• Goodwill Communications Kft. (H-1061 Budapest, Andrássy út 29. 2/8.)
  website maintenance
• ti:me Reklámügynökség Kft. (H-1051 Budapest, Vigyázó Ferenc u. 4.)
  website maintenance

13.4 The data processor may employ other data processors in the course of their activities, as determined by the controller. The data processor may not make any decision on the merits of data processing, and it shall process any and all personal data entrusted to them solely in accordance with the instructions given by the controller; the processor shall not engage in data processing for their own purposes, and shall store and safeguard personal data according to the instructions of the controller.

14. Data Security

We design and implement its data processing operations in a way that ensures the protection of the privacy of the data subject in the application of the GDPR and other applicable rules on data processing.

We shall ensure the security of the data, take the technical and organisational measures, and establish the procedural rules necessary to enforce the GDPR and other data protection rules.

We shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction or damage, and inaccessibility due to changes in the technology used.

To ensure the security of your personal data, we have put in place internal organisational and state-of-the-art technical measures, in particular the following:

• Authorisation of access to personal data is determined based on internal authorisation procedures, and only those of our employees have access to the data, and only to those data, for whom and to which it is absolutely necessary, respectively.
• Systems and devices that contain or store personal data can only be accessed with user ID and password authentication.
• During the session, we use screen savers to prevent access to data on unused computers that require a password after a certain time and can be locked manually.
• We apply internal rules regarding password security (length, complexity and frequency of password change) and the use of passwords.
• Using firewalls prevents unauthorised access through the Internet.
• Access to data processing systems and workstations is logged.
• Remote access through the (SSL) VPN gateway is logged.
• Granting/modification of the access is logged.

15. Users' rights in relation to their personal data processed by the controller:

15.1 The data subject may request from the Controllers (a) information on the processing of his/her personal data, (b) rectification of their personal data, and (c) erasure or blocking of his/her personal data, except for mandatory processing, and may also withdraw their consent to the processing.

15.2 At the data subject’s request, the Controllers shall provide information concerning the data relating to them, including the data processed by a data processor employed by the data controller or by others based on its instructions, the source from where such data were obtained, the purpose, legal basis and duration of processing, the name and address of the data processor and on its activities relating to data processing, and if the data subject’s personal data have been transferred to others, the legal basis and the recipients of such transfer.

15.3 The Controllers shall comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 25 days.

15.4 The Controllers may only refuse to provide the information in the cases specified in the GDPR. Where information is refused, the Controllers shall inform the data subject in writing as to the provision of the GDPR serving as a ground for refusal. Where information is refused, the Controllers shall inform the data subject of the judicial remedy available and the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter the “Authority”).

15.5 Where a personal data is deemed inaccurate, and the correct personal data is at the Controller’s disposal, the Controllers shall rectify the personal data in question.

15.6 The personal data shall be deleted if (a) its processing is unlawful; (b) the data subject requests so; (c) it is incomplete or inaccurate, and it cannot be lawfully remedied, provided that deletion is not prohibited by law; (d) the purpose of the processing has ceased or the statutory period for storing the data has expired; (e) it has been ordered by a court or the Authority.

15.7 Instead of erasure, the Controllers shall block personal data if the data subject so requests so, or if, on the basis of the information available to it, it is likely that erasure would harm the data subject's legitimate interests. Blocked personal data shall be processed only as long as the processing purpose which prevented their erasure prevails.

15.8 The Controllers shall notify the data subject of the rectification, blocking and erasure, as well as all those to whom the data were previously transferred for processing. Notification is not required if it does not violate the legitimate interest of the Data Subject in light of the purpose of processing.

15.9 If the Controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 25 days of receipt of the request. Where rectification, blocking or erasure is refused, the Controllers shall inform the data subject of the judicial remedy available and the right to lodge a complaint with the Authority.

15.10 The data subject may object to the processing of their personal data if the Controllers are not processing it on the basis of their consent.

15.11 The Controllers shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, and shall decide whether the objection is justified and inform the applicant, i.e. the data subject, of their decision in writing.

15.12 If the Controllers establish that the objection is justified, they shall cease the processing, including further collection and transfer of the data and block the data concerned, as well as notify of the objection and the ensuing measures all recipients to whom any of this personal data had previously been transferred and who must take measures in order to enforce the right to object.

15.13 If the data subject does not agree with the decision of the Controllers, or if the Controllers fail to meet the due date above, the data subject may refer the matter to the court within 30 days from the notification of the decision or from the last day of the due date.

15.14 The data subject may at any time withdraw their consent to the processing of the data provided, without limitation, and may prohibit further processing by sending a statement to the Controllers by e-mail or to the postal address, in which case the Controllers shall delete the data provided by the data subject within 10 business days of receiving the Policy of withdrawal of consent.

16. Binding Force and Amendment of the Privacy Policy

16.1. The Controllers undertake to act in accordance with the provisions of this Privacy Policy when processing the personal data of data subjects.

16.2. The Controllers reserve the right to amend this Privacy Policy at any time by unilateral decision.

16.3. They shall duly and properly inform the data subject (e.g. by means of a newsletter, a Policy on the website or otherwise) following an amendment of this Privacy Policy. By continuing to use the service, the data subject acknowledges the modified data processing rules and no further consent is required.

16.4. If this Privacy Policy is amended by the Companies in such a way that the purpose, duration of the processing, the scope and type of data processed are affected, the Controllers will request the specific consent of the data subjects to the additional processing.

17. Enforcement Options

17.1 The Controllers shall use their best efforts to ensure that the personal data of data subjects are processed in accordance with the law and the applicable data protection principles. In the unforeseen event that a data subject feels that there is a problem with the processing of his or her personal data, he or she may contact the Controller or its staff with any questions or comments regarding the personal data processing, using the contact details below:

e-mail: info@WING.hu
phone: 36 1 4514760

17.2 Anyone may file a report with the National Authority for Data Protection and Freedom of Information to initiate an investigation on the grounds that a violation of rights has occurred or is imminent in relation to the processing of their personal data:

National Authority for Data Protection and Freedom of Information (NAIH)

Registered office: H-1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: H-1530 Budapest, Pf.: 5.
Phone: 36 (1) 391-1400
Fax: 36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu

17.3 The data subject may enforce their rights under the GDPR and the Civil Code before a court of law, and may take legal action in the event of a breach of his or her rights.

17.4 If the user has provided third party data during registration for the use of the service or has caused damage in any way during the use of the website, the Controllers are entitled to claim damages. In such a case, the Controllers will provide all reasonable assistance to the competent authorities in order to establish the identity of the offending person.

18. Cookie information

Processing in relation to the operation of the website. The Company has its own website, available at https://WING.hu/. The website automatically collects data (through cookies, Google Analytics, etc.).

Visitors' entry into and exit from the website is facilitated by small data packages (hereinafter: cookies) placed on and retrieved from the IT device of the visitors by the website.

Cookies are designed to enable the proper functioning of the website, improved service efficiency and anonymised statistical data collection. Visitors can delete cookies from their IT devices or cookies are automatically deleted when the browser is closed. Alternatively, the visitor can also disable the use of cookies in their browser settings. Visitors can continue to use the website even if they had manually disabled cookies in their browser settings.

The website uses unique temporary “spublic” cookies to identify workflows, in other words, to find out whether a visitor is logged on to the website or not. This way, “spublic” cookies facilitate visitors’ entry into or exit from the website. “Spublic” cookies are temporary cookies automatically deleted from the visitor’s IT device when closing the browser or can be deleted manually by the visitor in the browser settings. The following cookies are used to help establish the statistical data below regarding visits to and usage of the website collected for this purpose:

whether the visitor came from a search engine, a keyword or a link (“utmz” cookie),

how many times the visitor visited the website (“utmb” cookie),

how long the visitor stayed on the website (“utma” and “utmv” cookie),

when did the visitor first visit the website (“utma” and “utmv” cookie), and

when did the visitor last visit the website (“utmc” and “utmv” cookie).

In addition, some cookies protect the website from being overloaded (“utmt” cookie), and some cookies used by Google Analytics also record the IP address of the visitor’s IT device for analytical, statistical and security purposes. Data are stored on the visitor’s IT device. The independent measurement and auditing of usage and other web analytics data of the website is facilitated by servers of Google Analytics as a third-party provider using the cookies above.

Detailed information about the processing of measurement data is provided by the controller of these data at https://www.google.com/analytics/, and more details on Google’s data protection guidelines are available at http://www.google.hu/intl/hu/policies/privacy/.

Data transferred from the website to Google Analytics servers cannot directly identify visitors by themselves, and can only identify the IP address of the IT device. Purpose of processing: the provider records visitor data in order to monitor the functioning of the service and to prevent misuse during visits to the website; Scope of data processed: date, time, IP-address of the user’s computer, the URL of the website visited, the URL of the previous website visited, information about the visitor’s operating system and browser; Page 2 WING Zrt. – Privacy and Data Security Policy; Legal basis for the processing: the consent of the data subject pursuant to Article 6(1)(a) of the GDPR, and Section 13/A (3) of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services; Deadline for the storage: 30 days from the visit to the website; Means of storage: electronic; You can request electronic Information about the handling of your personal data, as well as request the correction or deletion of your personal data, with the exception of data processing prescribed by law, in the manner indicated upon data collection and using the contact details provided by the data controller.

19. What may be the consequences of not providing us with your data?

If you do not provide us with your personal data:

• you will not be able to indicate your interest to us through our Website and thus will not receive information about our Service, as well as we will not be able to contact you;
• we cannot provide our announced Services to you
• if you do not consent to the use of cookies, certain features of the Website may not work properly;
• we cannot answer your question.

Annex 1