1. General provisions
- General Data Protection Regulation (EU) 679/2016 (‘GDPR’)
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (‘Information Act’),
- Act CVIII of 2001 on Electronic Commerce and on Information Society Services (‘Electronic Commerce Act’);
- Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (‘Business Advertising Act’);
- Act V of 2013 on the Civil Code (‘Civil Code’)
2. The Data Controllers
The joint controllers shall determine their respective responsibilities for compliance with their obligations related to the processing between themselves in particular as regards the exercising of the rights of Data Subjects and their respective duties to provide the required information to Data Subjects.
Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject means any natural person directly or indirectly identifiable by reference to specific personal data.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Processing Operations by the Processor means performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as of the place of execution, provided that the technical task is performed on the data.
4. Services affected by Processing
The services of Controllers covered by the Processing shall cover the sale, rental and operation of office and industrial properties as well as retail units, and the ancillary services required for these.
4.1 Preparation of the contracts requested by the Data Subject (contact necessary for the service), conclusion and performance of the contract ("Contractual Processing");
4.2 Processing with regard to the operation of the properties (“Processing related to the Operation”);
4.3 sending newsletters and offers, and comprehensive information to customers ("CRM Processing");
4.4 and Processing during the visit of the website at https://wing.hu (“Website Processing”).
5. Data Processing Principles
5.1 Lawfulness, fairness and transparency: the Companies may only process data lawfully, fairly and in a manner that is transparent and accessible to its customers.
5.2 Purpose limitation: the Companies collect data subjects' data only for the purposes set out in Section 7 and do not process them in a way incompatible with such purposes.
5.3 Data minimisation: the Companies will only process data that are compatible with the purposes referred to above and will only process them to the extent necessary.
5.4 Accuracy: the Companies will take all reasonable steps to ensure that only accurate and up-to-date personal data about data subjects are processed, and they shall immediately rectify inaccurate data.
5.5 Storage limitation: the Companies will only store personal data for the time strictly necessary to achieve the purposes set out in Section 7.
5.6 Integrity and confidentiality: the Companies shall ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. Legal Basis of Processing
Legal basis for the processing with regard to the Contractual Processing mentioned in Section 4.1:
6.1 Legal basis for the processing if you are acting as a representative of a company:
- in the case of your data processed for the purpose of contact and introduction of services, your consent (Article 6 (1) (a) GDPR, consent),
- thereafter, during the communication for the conclusion of the contract, legitimate interest of the Controllers to contract with the company you represent in order to provide the Service through your data and by contacting you (Article 6 (1) (f) GDPR, legitimate interest).
If you are a natural person and acting on your own behalf:
- we process your data processed for the purpose of contact and introduction of services on the basis of your consent (Article 6 (1) (a) GDPR, consent),
- thereafter, during the communication for the conclusion of the contract, we process your personal data to conclude the contract (GDPR Article 6 (1) (b), contracting)
Legal basis for the processing with regard to the CRM Processing mentioned in Section 4.3:
6.2 The legal basis for Processing is the consent of the Data Subject in accordance with Article 6(1)(a) of the GDPR and the provisions of the Electronic Commerce Act. In the case of CRM Processing, we have also taken into account Section 6(1) of the Business Advertising Act, according to which the Companies will only process customer data if their customers have given their explicit consent to it.
Legal basis for the processing with regard to the Website Processing mentioned in Section 4.4:
6.3 In addition to the above, when you visit our website, you will find information on the data related to website usage and its processing (cookies) in Section 18 of this Policy, and you can use the settings specified therein to determine the cookie settings and thus the processing of your Website usage data. In the case of data processed for the purpose of operating the Website, in order to ensure the functionality and essential functions of the Website (essential or necessary cookies), the legal basis for the processing is the legitimate interest of the Controllers (Article 6 (1) (f) GDPR, legitimate interest). For all other cookies, the legal basis for processing is your consent (Article 6 (1) (a) GDPR, consent).
7. Purpose of Processing
Purpose of the Processing with regard to the Contractual Processing mentioned in Section 4.1:
7.1 We process your personal data for the purpose of contacting you, at your request, in connection with the Service, introducing you to our Service and keeping in touch with you for the purpose of concluding a contract, and processing your data for the purposes of performing the contract if the latter has been concluded.
Purpose of the Processing with regard to the CRM Processing mentioned in Section 4.3:
7.2 The purpose of Processing with regard to CRM Processing is to provide the services available on the website operated by the Companies, in particular to search real estate advertisements, to send business offers, to communicate and to serve the needs of the data subject to the fullest extent possible.
Purpose of the Processing with regard to the Website Processing mentioned in Section 4.4:
With regard to all Processing:
7.4 The Controllers shall not use the personal data of the data subject for purposes other than those specified in these sections. The disclosure of personal data to third parties or public authorities is only possible with the prior express consent of the data subject, unless otherwise provided by law.
7.5 The Controllers do not control the personal data provided by the data subject. Only the person providing the data is responsible for the accuracy of their personal data. This does not affect the Controllers' obligation to only process accurate personal data. When providing an e-mail address, the data subject also accepts responsibility for the fact that the e-mail address provided is used exclusively by the data subject. In view of such commitment, any liability for the use of an e-mail address provided shall be borne solely by the person who registered the e-mail address.
8. The Scope of Data Processed
8.1 For Contractual Processing: Your personal data we process is the data you provide when requesting a quote on the Website and which we collect about you when you use the Website.
Personal data provided when requesting a quote: name, email address, phone number.
With regard to concluded contracts, the scope of data processed is wider and is the same as mentioned in Section 8.2 on CRM Processing.
8.2 CRM Processing:
Data to be recorded during the registration process: username, password, password reminder, e-mail address, name, country, address, gender, telephone number, consent to send newsletters and/or marketing materials, date of registration, number of entries, date of the last entry, the IP address of the entry, services used by the data subject on the webpage/website and their details.
In addition to the data indicated above, the Controllers record the customer's activity, the contact, its content and the time of contact. If the Data Subject wishes to enter into an agreement regarding the services provided by the Controllers, additional data will be entered into the Controllers' system: data of the Data Subject, their personal identification data (tax number, identity card number, mother's name, place and date of birth), data of the selected real estate, specifications, design and construction data.
If those interested enter into a contract for the selected real estate, the Controllers will continue to store their personal data in order to contact them with any further business offers, so that they can keep in touch with their existing customers. By giving their consent, customers also consent to the processing of their Personal Data by the Controllers even after the conclusion of the contract for the given real estate.
8.3 Website Processing: detailed content of Website Processing and the scope of data processed shall be described in Section 18.
9. Content of Data Processing
The content of Processing is aimed at the performance of the Services, and the knowledge and management of the data is necessary in order to prepare for the conclusion of contracts with the Data Subjects and to perform the contracts.
The electronic mail addresses (e-mail addresses) managed by the Companies are primarily used for communication purposes. In the event of a change in the services provided by the Companies, the Companies will send information about the change via e-mail. The Companies' mailing addresses will only be used to send advertising e-mails as specified below: in certain cases, the Companies will send them to the data subjects in an electronic format in e-mail, in accordance with the legal requirements.
10. Storage of the data
Your personal data is stored on servers in use for the internal mail system (MS Office 365) used by the Controllers. Microsoft’s information on this: https://www.microsoft.com/hu-hu/trust-center/privacy/data-location.
Should the details of the contract be recorded after the contact, the data will be stored on the servers of Wing Zrt. (H-1095 Budapest, Máriássy utca 7.), which operates the server itself.
11. Duration of Processing
11.1 For the preparation of the contracts:
In the case of consent-based data processing, we will actively process your personal data until the withdrawal of the consent, and for the purpose of concluding the contract, we will actively process your data until the conclusion of the contract between the parties or the failure to contract. Thereafter no substantive processing operation will take place, the emails containing the data will be archived. Data can be retrieved from archived emails only in special cases. Archived e-mails are deleted after 5 years, the legal basis for their retention is the legitimate interest of the controller in its secure operation.
11.2 For the conclusion of the contracts and CRM Processing:
The Controller will delete the Data after 5 years from the date of recording, unless the Controller is required by law to store those data for a longer period. Examples of such requirements are Section 169 of Act C of 2000 (“Accounting Act”) and Section 57(1) of the Anti-Money Laundering Act, pursuant to which the Controller is required to retain personal data for eight (8) years from the termination of the relationship (or agency) with the Data Subject, and it is also required to retain the Contracts concluded for eight (8) years from their conclusion.
We process your personal data processed through cookies for the period specified in our cookie information.
12. Persons with Access to the Data, Data Transfer
12.1 The data may be accessed primarily, but shall not be disclosed by the controller companies or by the companies' employees who are responsible for contributing to the conclusion of the contracts and the provision of the services and to provide for tasks related to CRM.
12.2 The Controllers shall not publish Personal Data. However, the law may prescribe the disclosure of personal data in the public interest, by expressly indicating the scope of the data. In all other cases, disclosure requires the written consent of the data subject. If there is any doubt, it is to be presumed that the data subject failed to provide his/her consent.
12.3 In certain cases, the Controllers may disclose to third parties the data subject's accessible data in the event of a formal judicial or police request, legal proceedings for copyright, property or other infringements or reasonable suspicion thereof, damage to the interests of the Controllers, endangering the provision of its services, the enforcement of claims by the Controllers, etc.
12.4 The Controllers may and shall transfer all personal data available and properly stored by them to the competent authorities, which it is required to transfer by law or in an inquiry of an authority (e.g. request, decision, ruling, etc.). The Controllers may not be held liable for such data transfer or any consequences thereof. In such a case, the Companies will verify that the request is indeed from a public authority or a court, and will transfer the data in a secure manner that prevents data leaks.
12.5 If Data Subjects wish to conclude a contract for a service offered by the Controllers, the Controllers shall be entitled, to transfer the data subjects' personal data necessary for the conclusion of the contract to the companies cooperating with the Controllers in respect of the service in question. The Controllers shall separately inform the data subjects of the exact recipient of the personal data and the circumstances of the transfer.
12.6 In all cases where the Companies intend to use the data for purposes other than those for which they were originally collected, the Companies shall immediately inform the data subject and obtain their prior explicit consent or provide the data subject with the opportunity to object to such use.
12.7 We do not transfer personal data about you to third parties other than the persons listed, unless required to do so by an authority, court or law.
13. Processing Operations
13.1 Data Controllers may use Data Processors to provide the services. The Processors undertake to ensure that its data processors ensure the lawful and secure processing of data and enable data subjects to exercise their rights under the law.
13.2 The Companies use the following Data Processors:
- NEO Property Services Zrt. (H-1095 Budapest, Máriássy utca 7.)
Property management service
- Microsoft Co. (Redmond, Washington, USA
corresponding service provider
- Mailchimp (675 Ponce de Leon Avenue NE, Suite 5000 Atlanta, GA 30308, USA)
- Linemedia Kft. (H-1141 Budapest, Komócsy utca 29-31. C. ép. 1. em. 1.)
website operation and development
- WEBSTATION Számítástechnikai, Kereskedelmi és Szolgáltató Bt. (H-1082 Budapest, Nap utca 32-34. földszint Ü/1.)
Provision of storage space
- Origami-Europe Kft. (H-2081 Piliscsaba Ráczvölgy utca 27.)
- Dialogue Creatives Kft. (H-1036 Budapest, Lajos utca 48-66. E ép.)
- Goodwill Communications Kft. (H-1061 Budapest, Andrássy út 29. 2/8.)
- ti:me Reklámügynökség Kft. (H-1051 Budapest, Vigyázó Ferenc u. 4.)
13.4 The data processor may employ other data processors in the course of their activities, as determined by the controller. The data processor may not make any decision on the merits of data processing, and it shall process any and all personal data entrusted to them solely in accordance with the instructions given by the controller; the processor shall not engage in data processing for their own purposes, and shall store and safeguard personal data according to the instructions of the controller.
14. Data Security
We design and implement its data processing operations in a way that ensures the protection of the privacy of the data subject in the application of the GDPR and other applicable rules on data processing.
We shall ensure the security of the data, take the technical and organisational measures, and establish the procedural rules necessary to enforce the GDPR and other data protection rules.
We shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction or damage, and inaccessibility due to changes in the technology used.
To ensure the security of your personal data, we have put in place internal organisational and state-of-the-art technical measures, in particular the following:
- Authorisation of access to personal data is determined based on internal authorisation procedures, and only those of our employees have access to the data, and only to those data, for whom and to which it is absolutely necessary, respectively.
- Systems and devices that contain or store personal data can only be accessed with user ID and password authentication.
- During the session, we use screen savers to prevent access to data on unused computers that require a password after a certain time and can be locked manually.
- We apply internal rules regarding password security (length, complexity and frequency of password change) and the use of passwords.
- Using firewalls prevents unauthorised access through the Internet.
- Access to data processing systems and workstations is logged.
- Remote access through the (SSL) VPN gateway is logged.
- Granting/modification of the access is logged.
15. Users' rights in relation to their personal data processed by the controller:
15.1 The data subject may request from the Controllers (a) information on the processing of his/her personal data, (b) rectification of their personal data, and (c) erasure or blocking of his/her personal data, except for mandatory processing, and may also withdraw their consent to the processing.
15.2 At the data subject’s request, the Controllers shall provide information concerning the data relating to them, including the data processed by a data processor employed by the data controller or by others based on its instructions, the source from where such data were obtained, the purpose, legal basis and duration of processing, the name and address of the data processor and on its activities relating to data processing, and if the data subject’s personal data have been transferred to others, the legal basis and the recipients of such transfer.
15.3 The Controllers shall comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 25 days.
15.4 The Controllers may only refuse to provide the information in the cases specified in the GDPR. Where information is refused, the Controllers shall inform the data subject in writing as to the provision of the GDPR serving as a ground for refusal. Where information is refused, the Controllers shall inform the data subject of the judicial remedy available and the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter the “Authority”).
15.5 Where a personal data is deemed inaccurate, and the correct personal data is at the Controller’s disposal, the Controllers shall rectify the personal data in question.
15.6 The personal data shall be deleted if (a) its processing is unlawful; (b) the data subject requests so; (c) it is incomplete or inaccurate, and it cannot be lawfully remedied, provided that deletion is not prohibited by law; (d) the purpose of the processing has ceased or the statutory period for storing the data has expired; (e) it has been ordered by a court or the Authority.
15.7 Instead of erasure, the Controllers shall block personal data if the data subject so requests so, or if, on the basis of the information available to it, it is likely that erasure would harm the data subject's legitimate interests. Blocked personal data shall be processed only as long as the processing purpose which prevented their erasure prevails.
15.8 The Controllers shall notify the data subject of the rectification, blocking and erasure, as well as all those to whom the data were previously transferred for processing. Notification is not required if it does not violate the legitimate interest of the Data Subject in light of the purpose of processing.
15.9 If the Controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 25 days of receipt of the request. Where rectification, blocking or erasure is refused, the Controllers shall inform the data subject of the judicial remedy available and the right to lodge a complaint with the Authority.
15.10 The data subject may object to the processing of their personal data if the Controllers are not processing it on the basis of their consent.
15.11 The Controllers shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, and shall decide whether the objection is justified and inform the applicant, i.e. the data subject, of their decision in writing.
15.12 If the Controllers establish that the objection is justified, they shall cease the processing, including further collection and transfer of the data and block the data concerned, as well as notify of the objection and the ensuing measures all recipients to whom any of this personal data had previously been transferred and who must take measures in order to enforce the right to object.
15.13 If the data subject does not agree with the decision of the Controllers, or if the Controllers fail to meet the due date above, the data subject may refer the matter to the court within 30 days from the notification of the decision or from the last day of the due date.
15.14 The data subject may at any time withdraw their consent to the processing of the data provided, without limitation, and may prohibit further processing by sending a statement to the Controllers by e-mail or to the postal address, in which case the Controllers shall delete the data provided by the data subject within 10 business days of receiving the Policy of withdrawal of consent.
17. Enforcement Options
17.1 The Controllers shall use their best efforts to ensure that the personal data of data subjects are processed in accordance with the law and the applicable data protection principles. In the unforeseen event that a data subject feels that there is a problem with the processing of his or her personal data, he or she may contact the Controller or its staff with any questions or comments regarding the personal data processing, using the contact details below:
phone: 36 1 4514760
17.2 Anyone may file a report with the National Authority for Data Protection and Freedom of Information to initiate an investigation on the grounds that a violation of rights has occurred or is imminent in relation to the processing of their personal data:
National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: H-1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: H-1530 Budapest, Pf.: 5.
Phone: 36 (1) 391-1400
Fax: 36 (1) 391-1410
17.3 The data subject may enforce their rights under the GDPR and the Civil Code before a court of law, and may take legal action in the event of a breach of his or her rights.
17.4 If the user has provided third party data during registration for the use of the service or has caused damage in any way during the use of the website, the Controllers are entitled to claim damages. In such a case, the Controllers will provide all reasonable assistance to the competent authorities in order to establish the identity of the offending person.
18. Cookie information
Processing in relation to the operation of the website. The Company has its own website, available at https://WING.hu/. The website automatically collects data (through cookies, Google Analytics, etc.).
Visitors' entry into and exit from the website is facilitated by small data packages (hereinafter: cookies) placed on and retrieved from the IT device of the visitors by the website.
The website uses unique temporary “spublic” cookies to identify workflows, in other words, to find out whether a visitor is logged on to the website or not. This way, “spublic” cookies facilitate visitors’ entry into or exit from the website. “Spublic” cookies are temporary cookies automatically deleted from the visitor’s IT device when closing the browser or can be deleted manually by the visitor in the browser settings. The following cookies are used to help establish the statistical data below regarding visits to and usage of the website collected for this purpose:
whether the visitor came from a search engine, a keyword or a link (“utmz” cookie),
how many times the visitor visited the website (“utmb” cookie),
how long the visitor stayed on the website (“utma” and “utmv” cookie),
when did the visitor first visit the website (“utma” and “utmv” cookie), and
when did the visitor last visit the website (“utmc” and “utmv” cookie).
In addition, some cookies protect the website from being overloaded (“utmt” cookie), and some cookies used by Google Analytics also record the IP address of the visitor’s IT device for analytical, statistical and security purposes. Data are stored on the visitor’s IT device. The independent measurement and auditing of usage and other web analytics data of the website is facilitated by servers of Google Analytics as a third-party provider using the cookies above.
Detailed information about the processing of measurement data is provided by the controller of these data at https://www.google.com/analytics/, and more details on Google’s data protection guidelines are available at http://www.google.hu/intl/hu/policies/privacy/.
Data transferred from the website to Google Analytics servers cannot directly identify visitors by themselves, and can only identify the IP address of the IT device. Purpose of processing: the provider records visitor data in order to monitor the functioning of the service and to prevent misuse during visits to the website; Scope of data processed: date, time, IP-address of the user’s computer, the URL of the website visited, the URL of the previous website visited, information about the visitor’s operating system and browser; Page 2 WING Zrt. – Privacy and Data Security Policy; Legal basis for the processing: the consent of the data subject pursuant to Article 6(1)(a) of the GDPR, and Section 13/A (3) of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services; Deadline for the storage: 30 days from the visit to the website; Means of storage: electronic; You can request electronic Information about the handling of your personal data, as well as request the correction or deletion of your personal data, with the exception of data processing prescribed by law, in the manner indicated upon data collection and using the contact details provided by the data controller.
19. What may be the consequences of not providing us with your data?
If you do not provide us with your personal data:
- you will not be able to indicate your interest to us through our Website and thus will not receive information about our Service, as well as we will not be able to contact you;
- we cannot provide our announced Services to you
- we cannot answer your question.
|Company name||Registered office|
|ANDRÁSSY PALOTA Kft.||1095 Bp., Máriássy u. 7.|
|Airport City Kft.||1095 Bp., Máriássy u. 7.|
|Airport City Phase B Kft.||1095 Bp., Máriássy u. 7.|
|EAST GATE BUSINESS PARK Kft.||1095 Bp., Máriássy u. 7.|
|ECOTRANS INGATLAN Kft.||1095 Bp., Máriássy u. 7.|
|EURÉKA PARK Kft.||1095 Bp., Máriássy u. 7.|
|GLADIÁTOR Befektető Alapkezelő Zrt.||1095 Bp., Máriássy u. 7.|
|KÖNYVESPARK Kft.||1095 Bp., Máriássy u. 7.|
|MÁRIÁSSY HÁZ Kft.||1095 Bp., Máriássy u. 7.|
|Magnum Hungaria Invest Kft.||1032 Bp., Bécsi út 154.|
|Manhattan Development Global Kft.||1032., Bp. Bécsi út 154.|
|Medius Tours Kft.||1095 Bp., Máriássy u. 7.|
|PROPWIN Kft.||1095 Bp., Máriássy u. 7.|
|REALWINGEST Kft.||1095 Bp., Máriássy u. 7.|
|TCW ARRABONA||1095 Bp., Máriássy u. 7.|
|TCW HONVÉD IRODAHÁZ Kft. (TCW Honvéd Center Kft.)||1095 Bp., Máriássy u. 7.|
|TSZ DEVELOPMENT Kft.||1095 Bp., Máriássy u. 7.|
|WING Zrt.||1095 Bp., Máriássy u. 7.|
|WING IHC Zrt.||1095 Bp., Máriássy u. 7.|
|WINGEUROPE Zrt.||1095 Bp., Máriássy u. 7.|
|WINGHOLDING Zrt.||1095 Bp., Máriássy u. 7.|
|WINGPROP Zrt.||1095 Bp., Máriássy u. 7.|
|WPROPA CENTER Kft.||1095 Bp., Máriássy u. 7.|
|WPR Alfa Kft.||1095 Bp., Máriássy u. 7.|
|Gladiátor I. Ingatlan Befektetési Alap||1095 Bp., Máriássy u. 7.|
|Gladiátor II. Ingatlan Befektetési Alap||1095 Bp., Máriássy u. 7.|
|Gladiátor III. Ingatlan Befektetési Alap||1095 Bp., Máriássy u. 7.|
|Gladiátor IV. Ingatlanfejlesztő Befektetési Alap||1095 Bp., Máriássy u. 7.|
|Gladiátor V. Ingatlanfejlesztő Befektetési Alap||1095 Bp., Máriássy u. 7.|
|Gladiátor VI. Ingatlan Befektetési Alap||1095 Bp., Máriássy u. 7.|