Privacy Policy

  • Definitions:
  1. Data processing data processing’ shall mean the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data.
  2. Data processor shall mean a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law, acting on the controller’s behalf or following the controller’s instructions.
  3. Controlling of data shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images).
  4. Privacy Policy shall mean the present regulations.
  5. Controller shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data within the framework of law or binding legislation of the European Union, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them.
  6. Disclosure by transmission shall mean making data available to a specific third party.
  7. Erasure of data shall mean the destruction or elimination of data sufficient to make them irretrievable.
  8. Personal data breach shall mean a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  9. Interested person shall mean a natural or legal person, who is interested in the services provided by the Service Provider, but did not conclude a service agreement with the Service Provider.
  10. Data subject shall mean the Client the employees of the Client, Interested Persons and the guests entering into the territory of House of Business office.
  11. GDPR shall mean regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  12. Authority: shall mean the Hungarian National Authority for Data Protection and Freedom of Information (Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Postal address:1530 Budapest, P.O. Box.: 5.).
  13. Consent shall mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  14. Data Protection Act shall mean Act CXII of 2011 on the right of informational Self-Determination and on Freedom of Information.
  15. Service Provider shall mean House of Business Bank Center Korlátolt Felelősségű Társaság (Company Registry Number.: 01-09-331085, Seat: 1054 Budapest, Szabadság tér 7., e-mail: bankcenter@houseofbusiness.com).
  16. Public disclosure shall mean making data available to the general public.
  17. Webpage shall mean the https://www.houseofbusiness.com/ page.
  18. Hungarian Civil Code shall mean Act V of 2013 on the civil code.
  19. Personal data shall mean any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject.
  20. Client shall mean a natural or legal person who has entered into a service agreement with Service Provider.
  • Principles relating to controlling of personal data
    1. Personal data shall be
      1. controlled lawfully, fairly and in a transparent manner in relation to the Data subject (principle of lawfulness, fairness and transparency); 
      2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation);
      3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation);
      4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);
      5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (principle of storage limitation);
      6. controlled in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality);
    2. The Controller shall be responsible for, and be able to demonstrate compliance with Section 2.1.1.-2.1.6. of the Privacy Policy.
  • Data controlling concluded by the Service Provider

 

Data control 1.
Conclusion of Client Contracts

Controlled data

In all cases: Name, e-mail address, phone number, postal address, place and date of birth, mother’s maiden name, ID card number, the contracted services and pertaining service fees, (In case of contract concluded with legal person): Position, Tax number, registration number, in case of private entrepreneurs tax number and registration number

Purpose of data controlling

Making offer, negotiating about the contract, conclusion of the contract

Legal basis of the data control

GDPR Article 6 (1) b) – Controlling is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Planned time of the data control

Until the 15thday after the termination of the contract

Data subjects

Clients and their representatives/contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted? 

For the accountant after the conclusion of the contract; To the auditor once a year; upon official request to the authorities

Are the data processed

Accountant, auditor

Purpose of data procession (if applicable)

In order to comply with legal accounting and auditing obligation

Form and place of storage

The controlled data are stored in encrypted form in a central client database on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 2.
Preparation of entry card for tenants/employees which provides access to the office building and the recording of data regarding entrance

Controlled data

Client/employee name, related company name, scope of authorization, card number, photo, time of entering into the office building

Purpose of data controlling

Creating an access card and ensuring that only authorized persons can enter the premises of the office building

Legal basis of the data control

GDPR Article 6 (1) f) Enforcing legitimate interests pursued by the controller and Article 32 Act CXXXIII. of 2005 (Security Services Act)

Planned time of the data control

Until the 15thday after the card is being returned. The data regarding the entrance to the building shall be deleted after the 15th day of the entrance

Data subjects

Clients and their employees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 3.
Data control related to debt collection

Controlled data

Name, e-mail address, delivery address, amount of debt and related invoices (in case of a legal entity): position in the organization

Purpose of data controlling

Managing client data for debt collection purposes

Legal basis of the data control

GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

Planned time of the data control

Until the debt is settled or until the statue of limitation of civil law claims related to the debt (the latter is typically 5 years)

Data subjects

Clients and their representatives and contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted? 

Yes, for the legal representative

Are the data processed 

Authorized legal representative of the Service Provider

Purpose of data procession (if applicable)

Recovery of receivables

Form and place of storage

The controlled data are stored in encrypted form in a central debt collection database and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider, authorized legal representative of the Service Provider

 

 

Data control 4.
Sending offers, replying to messages from Interested persons 

Controlled data

Contact person’s name, e‐mail address, phone number, subject of contact (in the case of a legal person): related company name

Purpose of data controlling

Upon request of Data subject, sending price offer and information about the Service Provider’s services for the purpose of concluding a contract

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

If the data subject does not become a Client of the Service Provider, until the settlement of the negotiating phase, if the data subject becomes a Client of the organization, the 1st data control operation (see above) shall take place from the conclusion of the contract (Conclusion of the Customer Contract)

Data subjects

Interested persons regarding the services of the Service Provider

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in the mail system of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 5.
Sending out newsletters 

Controlled data

Name, e ‐ mail address

Purpose of data controlling

Sending materials for marketing purposes in order to promote the services of the Service Provider

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

Until withdrawal of consent

Data subjects

Clients and Interested persons in the services of the Service Provider

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 6.
Sending out informational e-mails to Clients regarding the services 

Controlled data

Name, e‐mail address

Purpose of data controlling

Informing Clients of important information related to the Services

Legal basis of the data control

GDPR Article 6 (1) b): Performance of contract

Planned time of the data control

Until the 15th day after the termination of the legal relationship with the Client

Data subjects

Clients and their contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 7.
Filing and registering incoming documents

Controlled data

Client/employee (consignee) name, date of receipt, name and address of consignor, consignment tracking number

Purpose of data controlling

Keeping records in order to trace which Client/employee received consignment from whom and when 

Legal basis of the data control

GDPR Article 6 (1) b): Performance of contract

Planned time of the data control

For 1 year after the receipt of the consignment, in order to confirm the receipt and traceability of the consignments

Data subjects

Clients and their employees, consignees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

In the postal register related to the filing of incoming documents, on paper, in a closed cabinet.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 8. 

Filing of outgoing documents for invoicing purposes

Controlled data

For both postal and courier items: Client/employee name, address, date of dispatch, consignee’s name, consignment tracking number (identification number)

In the case of courier services, the following as well: consignee’s name, phone number, e-mail address

Purpose of data controlling

Keeping records in order to invoice the costs of outgoing mails to the Client; and, in the case of courier, all contact details required for an effective delivery

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if invoice containing the costs of the letter is paid. In the event of default, until the end of the debt collection procedure

In the case of courier items contact data controlled will be deleted 15 days after successful delivery.

Data subjects

Clients and their employees, consignees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted? 

Yes, with the purpose of sending mail, courier items

Are the data processed 

Mail Services Kft., MBE Hungary Kft., Courier service

Purpose of data procession 

Posting of letters, packages

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

The contact data required for the delivery of courier items will only be indicated on the item and will be forwarded to the courier service immediately for delivery.

Persons entitled to know the data

Employees of Service Provider, Mail Services Kft., MBE Hungary Kft., Courier service

 

 

Data control 9.
Operating call center and invoicing of its costs

Controlled data

Client name, phone number, detailed call log / detailed call list

Purpose of data controlling

Keeping records of call expenses for Clients who requested IP-based phone system service, operating the connection between the central phone and the extensions

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the calls are paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. The summary of the call lists arrives from the telecommunication service provider to the Service Provider on paper, in aggregate form. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 10.
Data control related to the reservation of meeting rooms

Controlled data

Client name, date of meeting room use, duration, number of participants 

Purpose of data controlling

Keeping records of the costs of Clients who requested rental service regarding the meeting rooms, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the meeting room rental fees is paid. In the event of default, until the end of the debt collection procedure

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 11.
Data control related to private office use

Controlled data

Client name, date of private office use

Purpose of data controlling

Keeping records of the costs of Clients who requested rental service regarding private offices, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the private office fees is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 12.
Invoicing related to prints and scans sent directly to the cloud-based printer by the Client

Controlled data

Name, number of printed/scanned pages (the Service Provider does not have access to the content of the scanned / printed document)

Purpose of data controlling

Keeping records of the costs of Clients who requested service regarding printing/scanning, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of printing/scanning is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in a cloud-based electronic system.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 13.
Data stored in connection with administrative assistance given to Clients

Controlled data

Personal data provided by the Client with consent

Purpose of data controlling

Administrative assistance given to Client (for printing, scanning etc.), only in exceptional cases and only at the express request of the Client

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

If administrative assistance is not required for invoicing, the data will be deleted immediately after the assistance is performed. If the assistance is related to invoicing, until the 30th day after the end of the month to which the assistance relates, if the invoice containing the costs of the assistance is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in the form of which was made available by the Client.

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 14.
Keeping records of the measures related to exercising data subject rights in accordance with GDPR

Controlled data

Name, contact information, decision, submission, registration data

Purpose of data controlling

Compliance with the obligation to register the exercise of data subject rights in accordance with GDPR (cp. Article 5 (2) and Article 12)

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

Planned time of the data control

For 5 years after the request is processed

Data subjects

Individuals requesting data subject access rights

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Only for the authorities upon authority request

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider, the authority upon request of authorities

 

 

Data control 15.
Data control related to the invoicing of additional services used by the Client

Controlled data

Client name, additional service used and its remuneration

Additional services: Exit painting, costs of construction works, kitchen services, internet service, administrative support, furniture sales, furniture rental, furniture delivery, Catering service, Envelope, CD, Scotch tape, battery, DVD, etiquette label, genotherm, rubber folder, extension cord, internet cable, corrector, staple folder, stapler set, copy paper, Post it, staple purchase, Mineral water purchase, plant rental and care, lamination, spiralling

Purpose of data controlling

Invoicing for additional services used by the Clients

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the additional services is paid. In the event of default, until the end of the claim management procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 16.
Issuance and storage of invoices and receipts

Controlled data

Client name, seat/ address, e-mail address, tax number, services used, date of invoice and execution, payment deadline, amount payable

Purpose of data controlling

Compliance with invoicing obligation in accordance with the laws

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

Planned time of the data control

For 8 years after the invoice has been issued in line with Accounting Act (currently Article 169 Act C of 2000)

Data subjects

Clients

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Yes, for the accountant and the Tax Authority (in order to comply with legal obligation)

Are the data processed 

Accountant

Purpose of data procession 

In order to comply with legal invoicing and bookkeeping obligation

Form and place of storage

Electronically in the szamlazz.hu system and in the mail system of the Service Provider.

For those Clients who do not accept electronic invoices, the invoices are issued and stored on paper.

Persons entitled to know the data

Employees of Service Provider, Accountant, Tax Authority

 

 

Data control 17.
Personal data control while providing virtual office / registered seat address services

Controlled data

Natural identification data of the managing director/ representative and the beneficial owner, citizenship, address, type and number of identification document, in the case of delivery agent its name and address; in the case of managing director/representative a copy of the identity card and a copy of the address card’s side which does not include the personal identification number; in the case of beneficial owner, the nature and extent of the ownership interest, and if (s)he qualifies as a politically exposed person.

Purpose of data controlling

Compliance with the obligations under the legislation on registered seat address service and money laundering

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Compliance with obligations under the Money Laundering Act)

Planned time of the data control

For 8 years after the termination of virtual office/registered seat address service contract in line with Money Laundering Act

Data subjects

Managing director/representative and the beneficial owner of the Clients, and the delivery agent of a member/managing director of a legal entity

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

Only to the competent authority upon official request

Are the data processed

Purpose of data procession

Form and place of storage

On paper in accordance with the Service Provider’s internal regulations in line with the Money Laundering Act. The registered documents are stored in separate folders belonging to each Client, separated from the other documents of the Client.

Persons entitled to know the data

Employees of Service Provider, authorities upon request

 

 

Data control 18.
Data control related to camera system

Controlled data

During the operation of the Camera Systems, the portrait (moving image) and actions of the Data subjects who appear in the field of view of the cameras will be monitored and recorded. The camera system does not record any sound.

Purpose of data controlling

The camera system installed in the territory of House of Business is solely for the purpose of protection of human life, physical integrity, personal freedom, prevention and proof of violations, and to protect the property of House of Business and the Clients. It is probable that the detection of violations and the actions of perpetrators, and the prevention and proof of these violent acts cannot be achieved by any other methods. The purpose of data control is not to monitor the behaviour and habits of people in the premises of House of Business.

Legal basis of the data control

GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

Planned time of the data control

The portrait (moving image) or actions of Data subject recorded during the operation of the camera system will be stored for 15 days after the recording, the recordings will be automatically deleted afterwards – except for the case of use.  Use is considered to be the use of the recorded image and other Personal Data as evidence in court or other official proceedings due to suspicion of a crime, violation of the law, unlawful conduct or damage, and if the Data subject wishes to inspect the recordings concerning himself/herself.

Prior notice of data control 

Those wishing to enter or stay on the premises of House of Business will be informed in advance of the data controlled related to the camera system, the rights of Data subjects and of the identity and contact details of the operator.

  • On the premises of House of Business at all entrances “camera surveillance area” sign and a Camera System pictogram is displayed;
  • Present Privacy Policy is available at the reception of House of Business.

Data subjects

Clients and their employees, guests and all persons entering the premises of House of Business

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, bankcenter@houseofbusiness.com

Are the data transmitted?

For the court or authority upon request 

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

Persons entitled to know the data

The operator of the camera system and the managing director of the Service Provider. The operator of the camera system shall be a person specified in the Security Services Act.

  • In the case of suspicion of a criminal offense, infringement or damage, the competent authority or court;
  • In the case of suspicion of damage and violation of law, in the legitimate interest of the Service Provider, the managing director shall initiate the necessary proceedings;
  • Data subject, whose personal data is included in the recording.

A report shall be drawn up on the inspection of the recordings made by the camera system, which shall contain the data necessary in order to identify the recording, the name of the person who is entitled to know the data, as well as the purpose and time of access to the data.

 

  • Disposal of personal data
  • If any changes occur in the controlled Personal Data, we ask the Data subjects to notify the Service Provider of the changes within 3 days, in order to ensure the data’s accuracy. In case the Data subject fails to notify the Service Provider of change, the Service Provider is not responsible for the accuracy of the data.
  • Any request regarding personal data deletion shall be submitted to the Service Provider (via e-mail or in writing)
  • Once the request to delete or modify personal data has been fulfilled, the previous (deleted) data can no longer be recovered.
  • Rights of Data subjects regarding personal data control 

Data subjects have the following rights in regards with data control

  1. Right of access: the Data Subject shall request information on the controlled data, the purpose and time of data controlling and to whom the data is transferred, as well as the source of the controlled data.
  2. Right to rectification: in case of change in the data of the Data subject, inaccurate or incomplete data recording, the Data subject shall have right to request correction, rectification or clarification.
  3. Right to erasure: Data Subject shall request the erasure of his/her Personal data in the cases described in the Data Protection Act and the GDPR.
  4. Right to restriction of controlling: Data Subject shall request the restriction of Personal data control in the cases described in Data Protection Act and the GDPR.
  5. If a request set forth in Section 5.1-5.4. has been submitted, the Controller shall act in accordance with the provisions of the Data Protection Act and the GDPR and shall inform the Data Subject within one month of the measures taken on the basis of the request.
  6. Right to withdraw consent: Data subject is entitled to withdraw Consent given for the controlling of Personal data which is controlled on the basis of Consent at any time, which, however, does not affect the lawfulness of the data control prior to the withdrawal.
  7. Right to lodge a complaint: Data Subject is entitled to submit a complaint to the competent supervisory Authority (see section 1.12.) in case of a violation regarding the controlling of Personal data. 
  8. Right to remedy: Further the Data Subject is also entitled to bring an action against the Controller in front of the court in the event of a breach regarding personal data protection.
  9. Right to object: Data subject shall have the right to object to the Personal data control based on Article 6 (1) e) or f) of GDPR at any time, including profiling based on the mentioned provisions.
  • Occurrence of Personal data breach 
      1. In the event of Personal data breach Controller shall notify the Authority without undue delay and, if possible, within 72 hours after becoming aware of the breach, unless the Personal data breach is not likely to pose a risk to the rights and freedoms of natural persons. If the notification does not happen within 72 hours, the cause for the delay must be attached as well.
      2. The Data Processor shall notify the Controller of the Personal data breach without undue delay after becoming aware of the breach.
      3. If the Personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay, inform the Data subject of the Personal data breach.
  • Anonymous user IDs (cookies), data control for statistical purposes
      1. The Webpage uses anonymous user IDs (cookies) to increase the quality of the use and to make the use of the Webpage easier for visitors. (An anonymous user ID – cookie – is a series of tokens suitable for unique computer identification and storage of profile information, which is placed on the User’s computer by the service providers. The token itself cannot identify the User in any way, it is only suitable for recognizing the computer.) If you prefer the anonymous user ID to not be placed on your computer, you can configure your browser so that it does not allow them to be placed. In this case, however, you may not be able to have access to some services or not in the form in which you allow the placement of anonymous user IDs.
      2. The Service Provider collects anonymous information and data on the Webpage for statistical purposes. This information relates to an unidentified or unidentifiable natural person and to personal data which have been anonymised in such a way that the data subject is either not identified or can no longer be identified. The provisions of GDPR does not cover the control of these information [see recital 26 of GDRP].
    1. Data security measures
      1. During managing documents, the access to each document and data shall be restricted to the persons listed in the last rows of the tables published in section 3.
      2. Regarding physical data security, the Service Provider ensures the proper closing and protection of its doors and windows. Only those who duly substantiate their legal interest may inspect the documents.
      3. The premises in which data storage devices are placed have been designed by the Service Provider in a way that they are suitable to provide sufficient security against unauthorized or violent intrusion, fire or natural disaster.
  • Assistance, comments, complaint handling
      1. Assistance to the Data subject regarding data control and securing Personal data rights is provided by the person designated as the Data Protection Officer at the Controller.
  • Right of amendment
    1. The Service Provider reserves the right to unilaterally amend the Privacy Policy by informing Data subjects on the Webpage or via e-mail. The Service Provider shall publish the amended Privacy Policy on the Webpage on the tenth (10th) day before the amended Privacy Policy enters into force.

[Date]

 

  • Definitions:
  1. Data processing data processing’ shall mean the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data.
  2. Data processor shall mean a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law, acting on the controller’s behalf or following the controller’s instructions.
  3. Controlling of data shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images).
  4. Privacy Policy shall mean the present regulations.
  5. Controller shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data within the framework of law or binding legislation of the European Union, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them.
  6. Disclosure by transmission shall mean making data available to a specific third party.
  7. Erasure of data shall mean the destruction or elimination of data sufficient to make them irretrievable.
  8. Personal data breach shall mean a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  9. Interested person shall mean a natural or legal person, who is interested in the services provided by the Service Provider, but did not conclude a service agreement with the Service Provider.
  10. Data subject shall mean the Client the employees of the Client, Interested Persons and the guests entering into the territory of House of Business office.
  11. GDPR shall mean regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  12. Authority: shall mean the Hungarian National Authority for Data Protection and Freedom of Information (Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Postal address:1530 Budapest, P.O. Box.: 5.).
  13. Consent shall mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  14. Data Protection Act shall mean Act CXII of 2011 on the right of informational Self-Determination and on Freedom of Information.
  15. Service Provider shall mean House of Business Capital Square Korlátolt Felelősségű Társaság (Company Registry Number.: 01-09-377030, Seat: 1133 Budapest, Váci út 76., e-mail: capitalsquare@houseofbusiness.com).
  16. Public disclosure shall mean making data available to the general public.
  17. Webpage shall mean the https://www.houseofbusiness.com/ page.
  18. Hungarian Civil Code shall mean Act V of 2013 on the civil code.
  19. Personal data shall mean any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject.
  20. Client shall mean a natural or legal person who has entered into a service agreement with Service Provider.
  • Principles relating to controlling of personal data
    1. Personal data shall be
      1. controlled lawfully, fairly and in a transparent manner in relation to the Data subject (principle of lawfulness, fairness and transparency); 
      2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation);
      3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation);
      4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);
      5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (principle of storage limitation);
      6. controlled in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality);
    2. The Controller shall be responsible for, and be able to demonstrate compliance with Section 2.1.1.-2.1.6. of the Privacy Policy.
  • Data controlling concluded by the Service Provider

 

Data control 1.
Conclusion of Client Contracts

Controlled data

In all cases: Name, e-mail address, phone number, postal address, place and date of birth, mother’s maiden name, ID card number, the contracted services and pertaining service fees, (In case of contract concluded with legal person): Position, Tax number, registration number, in case of private entrepreneurs tax number and registration number

Purpose of data controlling

Making offer, negotiating about the contract, conclusion of the contract

Legal basis of the data control

GDPR Article 6 (1) b) – Controlling is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Planned time of the data control

Until the 15thday after the termination of the contract

Data subjects

Clients and their representatives/contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted? 

For the accountant after the conclusion of the contract; To the auditor once a year; upon official request to the authorities

Are the data processed

Accountant, auditor

Purpose of data procession (if applicable)

In order to comply with legal accounting and auditing obligation

Form and place of storage

The controlled data are stored in encrypted form in a central client database on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 2.
Preparation of entry card for tenants/employees which provides access to the office building

Controlled data

Client/employee name, related company name, scope of authorization, card number

Purpose of data controlling

Creating an access card and ensuring that only authorized persons can enter the premises of the office building

Legal basis of the data control

GDPR Article 6 (1) f) Enforcing legitimate interests pursued by the controller and Article 32 Act CXXXIII. of 2005 (Security Services Act)

Planned time of the data control

Until the 15thday after the card is being returned

Data subjects

Clients and their employees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 3.
Data control related to debt collection

Controlled data

Name, e-mail address, delivery address, amount of debt and related invoices (in case of a legal entity): position in the organization

Purpose of data controlling

Managing client data for debt collection purposes

Legal basis of the data control

GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

Planned time of the data control

Until the debt is settled or until the statue of limitation of civil law claims related to the debt (the latter is typically 5 years)

Data subjects

Clients and their representatives and contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted? 

Yes, for the legal representative

Are the data processed 

Authorized legal representative of the Service Provider

Purpose of data procession (if applicable)

Recovery of receivables

Form and place of storage

The controlled data are stored in encrypted form in a central debt collection database and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider, authorized legal representative of the Service Provider

 

 

Data control 4.
Sending offers, replying to messages from Interested persons 

Controlled data

Contact person’s name, e‐mail address, phone number, subject of contact (in the case of a legal person): related company name

Purpose of data controlling

Upon request of Data subject, sending price offer and information about the Service Provider’s services for the purpose of concluding a contract

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

If the data subject does not become a Client of the Service Provider, until the settlement of the negotiating phase, if the data subject becomes a Client of the organization, the 1st data control operation (see above) shall take place from the conclusion of the contract (Conclusion of the Customer Contract)

Data subjects

Interested persons regarding the services of the Service Provider

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in the mail system of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 5.
Sending out newsletters 

Controlled data

Name, e ‐ mail address

Purpose of data controlling

Sending materials for marketing purposes in order to promote the services of the Service Provider

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

Until withdrawal of consent

Data subjects

Clients and Interested persons in the services of the Service Provider

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 6.
Sending out informational e-mails to Clients regarding the services 

Controlled data

Name, e‐mail address

Purpose of data controlling

Informing Clients of important information related to the Services

Legal basis of the data control

GDPR Article 6 (1) b): Performance of contract

Planned time of the data control

Until the 15th day after the termination of the legal relationship with the Client

Data subjects

Clients and their contact persons

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 7.
Filing and registering incoming documents

Controlled data

Client/employee (consignee) name, date of receipt, name and address of consignor, consignment tracking number

Purpose of data controlling

Keeping records in order to trace which Client/employee received consignment from whom and when 

Legal basis of the data control

GDPR Article 6 (1) b): Performance of contract

Planned time of the data control

For 1 year after the receipt of the consignment, in order to confirm the receipt and traceability of the consignments

Data subjects

Clients and their employees, consignees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

In the postal register related to the filing of incoming documents, on paper, in a closed cabinet.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 8. 

Filing of outgoing documents for invoicing purposes

Controlled data

For both postal and courier items: Client/employee name, address, date of dispatch, consignee’s name, consignment tracking number (identification number)

In the case of courier services, the following as well: consignee’s name, phone number, e-mail address

Purpose of data controlling

Keeping records in order to invoice the costs of outgoing mails to the Client; and, in the case of courier, all contact details required for an effective delivery

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if invoice containing the costs of the letter is paid. In the event of default, until the end of the debt collection procedure

In the case of courier items contact data controlled will be deleted 15 days after successful delivery.

Data subjects

Clients and their employees, consignees

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted? 

Yes, with the purpose of sending mail, courier items

Are the data processed 

Mail Services Kft., MBE Hungary Kft., Courier service

Purpose of data procession 

Posting of letters, packages

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

The contact data required for the delivery of courier items will only be indicated on the item and will be forwarded to the courier service immediately for delivery.

Persons entitled to know the data

Employees of Service Provider, Mail Services Kft., MBE Hungary Kft., Courier service

 

 

Data control 9.
Operating call center and invoicing of its costs

Controlled data

Client name, phone number, detailed call log / detailed call list

Purpose of data controlling

Keeping records of call expenses for Clients who requested IP-based phone system service, operating the connection between the central phone and the extensions

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the calls are paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. The summary of the call lists arrives from the telecommunication service provider to the Service Provider on paper, in aggregate form. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 10.
Data control related to the reservation of meeting rooms

Controlled data

Client name, date of meeting room use, duration, number of participants 

Purpose of data controlling

Keeping records of the costs of Clients who requested rental service regarding the meeting rooms, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the meeting room rental fees is paid. In the event of default, until the end of the debt collection procedure

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 11.
Data control related to private office use

Controlled data

Client name, date of private office use

Purpose of data controlling

Keeping records of the costs of Clients who requested rental service regarding private offices, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the private office fees is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 12.
Invoicing related to prints and scans sent directly to the cloud-based printer by the Client

Controlled data

Name, number of printed/scanned pages (the Service Provider does not have access to the content of the scanned / printed document)

Purpose of data controlling

Keeping records of the costs of Clients who requested service regarding printing/scanning, for invoicing purposes

Legal basis of the data control

GDPR Article 6 (1) b): Performance of Contract

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of printing/scanning is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in a cloud-based electronic system.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 13.
Data stored in connection with administrative assistance given to Clients

Controlled data

Personal data provided by the Client with consent

Purpose of data controlling

Administrative assistance given to Client (for printing, scanning etc.), only in exceptional cases and only at the express request of the Client

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

Planned time of the data control

If administrative assistance is not required for invoicing, the data will be deleted immediately after the assistance is performed. If the assistance is related to invoicing, until the 30th day after the end of the month to which the assistance relates, if the invoice containing the costs of the assistance is paid. In the event of default, until the end of the debt collection procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in the form of which was made available by the Client.

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 14.
Keeping records of the measures related to exercising data subject rights in accordance with GDPR

Controlled data

Name, contact information, decision, submission, registration data

Purpose of data controlling

Compliance with the obligation to register the exercise of data subject rights in accordance with GDPR (cp. Article 5 (2) and Article 12)

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

Planned time of the data control

For 5 years after the request is processed

Data subjects

Individuals requesting data subject access rights

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Only for the authorities upon authority request

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider, the authority upon request of authorities

 

 

Data control 15.
Data control related to the invoicing of additional services used by the Client

Controlled data

Client name, additional service used and its remuneration

Additional services: Exit painting, costs of construction works, kitchen services, internet service, administrative support, furniture sales, furniture rental, furniture delivery, Catering service, Envelope, CD, Scotch tape, battery, DVD, etiquette label, genotherm, rubber folder, extension cord, internet cable, corrector, staple folder, stapler set, copy paper, Post it, staple purchase, Mineral water purchase, plant rental and care, lamination, spiralling

Purpose of data controlling

Invoicing for additional services used by the Clients

Legal basis of the data control

GDPR Article 6 (1) a): Consent of data subject

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

Planned time of the data control

Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the additional services is paid. In the event of default, until the end of the claim management procedure.

Data subjects

Clients 

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

Persons entitled to know the data

Employees of Service Provider

 

 

Data control 16.
Issuance and storage of invoices and receipts

Controlled data

Client name, seat/ address, e-mail address, tax number, services used, date of invoice and execution, payment deadline, amount payable

Purpose of data controlling

Compliance with invoicing obligation in accordance with the laws

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

Planned time of the data control

For 8 years after the invoice has been issued in line with Accounting Act (currently Article 169 Act C of 2000)

Data subjects

Clients

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Yes, for the accountant and the Tax Authority (in order to comply with legal obligation)

Are the data processed 

Accountant

Purpose of data procession 

In order to comply with legal invoicing and bookkeeping obligation

Form and place of storage

Electronically in the szamlazz.hu system and in the mail system of the Service Provider.

For those Clients who do not accept electronic invoices, the invoices are issued and stored on paper.

Persons entitled to know the data

Employees of Service Provider, Accountant, Tax Authority

 

 

Data control 17.
Personal data control while providing virtual office / registered seat address services

Controlled data

Natural identification data of the managing director/ representative and the beneficial owner, citizenship, address, type and number of identification document, in the case of delivery agent its name and address; in the case of managing director/representative a copy of the identity card and a copy of the address card’s side which does not include the personal identification number; in the case of beneficial owner, the nature and extent of the ownership interest, and if (s)he qualifies as a politically exposed person.

Purpose of data controlling

Compliance with the obligations under the legislation on registered seat address service and money laundering

Legal basis of the data control

GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Compliance with obligations under the Money Laundering Act)

Planned time of the data control

For 8 years after the termination of virtual office/registered seat address service contract in line with Money Laundering Act

Data subjects

Managing director/representative and the beneficial owner of the Clients, and the delivery agent of a member/managing director of a legal entity

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

Only to the competent authority upon official request

Are the data processed

Purpose of data procession

Form and place of storage

On paper in accordance with the Service Provider’s internal regulations in line with the Money Laundering Act. The registered documents are stored in separate folders belonging to each Client, separated from the other documents of the Client.

Persons entitled to know the data

Employees of Service Provider, authorities upon request

 

 

Data control 18.
Data control related to camera system

Controlled data

During the operation of the Camera Systems, the portrait (moving image) and actions of the Data subjects who appear in the field of view of the cameras will be monitored and recorded. The camera system does not record any sound.

Purpose of data controlling

The camera system installed in the territory of House of Business is solely for the purpose of protection of human life, physical integrity, personal freedom, prevention and proof of violations, and to protect the property of House of Business and the Clients. It is probable that the detection of violations and the actions of perpetrators, and the prevention and proof of these violent acts cannot be achieved by any other methods. The purpose of data control is not to monitor the behaviour and habits of people in the premises of House of Business.

Legal basis of the data control

GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

Planned time of the data control

The portrait (moving image) or actions of Data subject recorded during the operation of the camera system will be stored for 15 days after the recording, the recordings will be automatically deleted afterwards – except for the case of use.  Use is considered to be the use of the recorded image and other Personal Data as evidence in court or other official proceedings due to suspicion of a crime, violation of the law, unlawful conduct or damage, and if the Data subject wishes to inspect the recordings concerning himself/herself.

Prior notice of data control 

Those wishing to enter or stay on the premises of House of Business will be informed in advance of the data controlled related to the camera system, the rights of Data subjects and of the identity and contact details of the operator.

  • On the premises of House of Business at all entrances “camera surveillance area” sign and a Camera System pictogram is displayed;
  • Present Privacy Policy is available at the reception of House of Business.

Data subjects

Clients and their employees, guests and all persons entering the premises of House of Business

Name and contact details of data controller

Service Provider (See section 1.15.)

Data protection officer (DPO)

Fehér Attila managing director

Contact details of the DPO

+36-1-8037600, capitalsquare@houseofbusiness.com

Are the data transmitted?

For the court or authority upon request 

Are the data processed

Purpose of data procession

Form and place of storage

The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

Persons entitled to know the data

The operator of the camera system and the managing director of the Service Provider. The operator of the camera system shall be a person specified in the Security Services Act.

  • In the case of suspicion of a criminal offense, infringement or damage, the competent authority or court;
  • In the case of suspicion of damage and violation of law, in the legitimate interest of the Service Provider, the managing director shall initiate the necessary proceedings;
  • Data subject, whose personal data is included in the recording.

A report shall be drawn up on the inspection of the recordings made by the camera system, which shall contain the data necessary in order to identify the recording, the name of the person who is entitled to know the data, as well as the purpose and time of access to the data.

 

  • Disposal of personal data
  • If any changes occur in the controlled Personal Data, we ask the Data subjects to notify the Service Provider of the changes within 3 days, in order to ensure the data’s accuracy. In case the Data subject fails to notify the Service Provider of change, the Service Provider is not responsible for the accuracy of the data.
  • Any request regarding personal data deletion shall be submitted to the Service Provider (via e-mail or in writing)
  • Once the request to delete or modify personal data has been fulfilled, the previous (deleted) data can no longer be recovered.
  • Rights of Data subjects regarding personal data control 

Data subjects have the following rights in regards with data control

  1. Right of access: the Data Subject shall request information on the controlled data, the purpose and time of data controlling and to whom the data is transferred, as well as the source of the controlled data.
  2. Right to rectification: in case of change in the data of the Data subject, inaccurate or incomplete data recording, the Data subject shall have right to request correction, rectification or clarification.
  3. Right to erasure: Data Subject shall request the erasure of his/her Personal data in the cases described in the Data Protection Act and the GDPR.
  4. Right to restriction of controlling: Data Subject shall request the restriction of Personal data control in the cases described in Data Protection Act and the GDPR.
  5. If a request set forth in Section 5.1-5.4. has been submitted, the Controller shall act in accordance with the provisions of the Data Protection Act and the GDPR and shall inform the Data Subject within one month of the measures taken on the basis of the request.
  6. Right to withdraw consent: Data subject is entitled to withdraw Consent given for the controlling of Personal data which is controlled on the basis of Consent at any time, which, however, does not affect the lawfulness of the data control prior to the withdrawal.
  7. Right to lodge a complaint: Data Subject is entitled to submit a complaint to the competent supervisory Authority (see section 1.12.) in case of a violation regarding the controlling of Personal data. 
  8. Right to remedy: Further the Data Subject is also entitled to bring an action against the Controller in front of the court in the event of a breach regarding personal data protection.
  9. Right to object: Data subject shall have the right to object to the Personal data control based on Article 6 (1) e) or f) of GDPR at any time, including profiling based on the mentioned provisions.
  • Occurrence of Personal data breach 
      1. In the event of Personal data breach Controller shall notify the Authority without undue delay and, if possible, within 72 hours after becoming aware of the breach, unless the Personal data breach is not likely to pose a risk to the rights and freedoms of natural persons. If the notification does not happen within 72 hours, the cause for the delay must be attached as well.
      2. The Data Processor shall notify the Controller of the Personal data breach without undue delay after becoming aware of the breach.
      3. If the Personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay, inform the Data subject of the Personal data breach.
  • Anonymous user IDs (cookies), data control for statistical purposes
      1. The Webpage uses anonymous user IDs (cookies) to increase the quality of the use and to make the use of the Webpage easier for visitors. (An anonymous user ID – cookie – is a series of tokens suitable for unique computer identification and storage of profile information, which is placed on the User’s computer by the service providers. The token itself cannot identify the User in any way, it is only suitable for recognizing the computer.) If you prefer the anonymous user ID to not be placed on your computer, you can configure your browser so that it does not allow them to be placed. In this case, however, you may not be able to have access to some services or not in the form in which you allow the placement of anonymous user IDs.
      2. The Service Provider collects anonymous information and data on the Webpage for statistical purposes. This information relates to an unidentified or unidentifiable natural person and to personal data which have been anonymised in such a way that the data subject is either not identified or can no longer be identified. The provisions of GDPR does not cover the control of these information [see recital 26 of GDRP].
    1. Data security measures
      1. During managing documents, the access to each document and data shall be restricted to the persons listed in the last rows of the tables published in section 3.
      2. Regarding physical data security, the Service Provider ensures the proper closing and protection of its doors and windows. Only those who duly substantiate their legal interest may inspect the documents.
      3. The premises in which data storage devices are placed have been designed by the Service Provider in a way that they are suitable to provide sufficient security against unauthorized or violent intrusion, fire or natural disaster.
  • Assistance, comments, complaint handling
      1. Assistance to the Data subject regarding data control and securing Personal data rights is provided by the person designated as the Data Protection Officer at the Controller.
  • Right of amendment
    1. The Service Provider reserves the right to unilaterally amend the Privacy Policy by informing Data subjects on the Webpage or via e-mail. The Service Provider shall publish the amended Privacy Policy on the Webpage on the tenth (10th) day before the amended Privacy Policy enters into force.

[Date]

 

    • Definitions:
    1. Data processing data processing’ shall mean the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data.
    2. Data processor shall mean a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law, acting on the controller’s behalf or following the controller’s instructions.
    3. Controlling of data shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images).
    4. Privacy Policy shall mean the present regulations.
    5. Controller shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data within the framework of law or binding legislation of the European Union, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them.
    6. Disclosure by transmission shall mean making data available to a specific third party.
    7. Erasure of data shall mean the destruction or elimination of data sufficient to make them irretrievable.
    8. Personal data breach shall mean a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
    9. Interested person shall mean a natural or legal person, who is interested in the services provided by the Service Provider, but did not conclude a service agreement with the Service Provider.
    10. Data subject shall mean the Client the employees of the Client, Interested Persons and the guests entering into the territory of House of Business office.
    11. GDPR shall mean regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    12. Authority: shall mean the Hungarian National Authority for Data Protection and Freedom of Information (Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Postal address:1530 Budapest, P.O. Box.: 5.).
    13. Consent shall mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
    14. Data Protection Act shall mean Act CXII of 2011 on the right of informational Self-Determination and on Freedom of Information.
    15. Service Provider shall mean House of Business Roosevelt Korlátolt Felelősségű Társaság (Company Registry Number.: 01-09-275401, Seat: 1051 Budapest, Széchenyi István tér 7-8., e-mail: roosevelt@houseofbusiness.com).
    16. Public disclosure shall mean making data available to the general public.
    17. Webpage shall mean the https://www.houseofbusiness.com/ page.
    18. Hungarian Civil Code shall mean Act V of 2013 on the civil code.
    19. Personal data shall mean any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject.
    20. Client shall mean a natural or legal person who has entered into a service agreement with Service Provider.
    • Principles relating to controlling of personal data
      1. Personal data shall be
        1. controlled lawfully, fairly and in a transparent manner in relation to the Data subject (principle of lawfulness, fairness and transparency); 
        2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation);
        3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation);
        4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy);
        5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (principle of storage limitation);
        6. controlled in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality);
      2. The Controller shall be responsible for, and be able to demonstrate compliance with Section 2.1.1.-2.1.6. of the Privacy Policy.
    • Data controlling concluded by the Service Provider

     

    Data control 1.
    Conclusion of Client Contracts

    Controlled data

    In all cases: Name, e-mail address, phone number, postal address, place and date of birth, mother’s maiden name, ID card number, the contracted services and pertaining service fees, (In case of contract concluded with legal person): Position, Tax number, registration number, in case of private entrepreneurs tax number and registration number

    Purpose of data controlling

    Making offer, negotiating about the contract, conclusion of the contract

    Legal basis of the data control

    GDPR Article 6 (1) b) – Controlling is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

    Planned time of the data control

    Until the 15thday after the termination of the contract

    Data subjects

    Clients and their representatives/contact persons

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted? 

    For the accountant after the conclusion of the contract; To the auditor once a year; upon official request to the authorities

    Are the data processed

    Accountant, auditor

    Purpose of data procession (if applicable)

    In order to comply with legal accounting and auditing obligation

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 2.
    Preparation of entry card for tenants/employees which provides access to the office building

    Controlled data

    Client/employee name, related company name, scope of authorization, card number

    Purpose of data controlling

    Creating an access card and ensuring that only authorized persons can enter the premises of the office building

    Legal basis of the data control

    GDPR Article 6 (1) f) Enforcing legitimate interests pursued by the controller and Article 32 Act CXXXIII. of 2005 (Security Services Act)

    Planned time of the data control

    Until the 15thday after the card is being returned

    Data subjects

    Clients and their employees

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 3.
    Data control related to debt collection

    Controlled data

    Name, e-mail address, delivery address, amount of debt and related invoices (in case of a legal entity): position in the organization

    Purpose of data controlling

    Managing client data for debt collection purposes

    Legal basis of the data control

    GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

    Planned time of the data control

    Until the debt is settled or until the statue of limitation of civil law claims related to the debt (the latter is typically 5 years)

    Data subjects

    Clients and their representatives and contact persons

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted? 

    Yes, for the legal representative

    Are the data processed 

    Authorized legal representative of the Service Provider

    Purpose of data procession (if applicable)

    Recovery of receivables

    Form and place of storage

    The controlled data are stored in encrypted form in a central debt collection database and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider, authorized legal representative of the Service Provider

     

     

    Data control 4.
    Sending offers, replying to messages from Interested persons 

    Controlled data

    Contact person’s name, e‐mail address, phone number, subject of contact (in the case of a legal person): related company name

    Purpose of data controlling

    Upon request of Data subject, sending price offer and information about the Service Provider’s services for the purpose of concluding a contract

    Legal basis of the data control

    GDPR Article 6 (1) a): Consent of data subject

    Planned time of the data control

    If the data subject does not become a Client of the Service Provider, until the settlement of the negotiating phase, if the data subject becomes a Client of the organization, the 1st data control operation (see above) shall take place from the conclusion of the contract (Conclusion of the Customer Contract)

    Data subjects

    Interested persons regarding the services of the Service Provider

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in the mail system of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 5.
    Sending out newsletters 

    Controlled data

    Name, e ‐ mail address

    Purpose of data controlling

    Sending materials for marketing purposes in order to promote the services of the Service Provider

    Legal basis of the data control

    GDPR Article 6 (1) a): Consent of data subject

    Planned time of the data control

    Until withdrawal of consent

    Data subjects

    Clients and Interested persons in the services of the Service Provider

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 6.
    Sending out informational e-mails to Clients regarding the services 

    Controlled data

    Name, e‐mail address

    Purpose of data controlling

    Informing Clients of important information related to the Services

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of contract

    Planned time of the data control

    Until the 15th day after the termination of the legal relationship with the Client

    Data subjects

    Clients and their contact persons

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 7.
    Filing and registering incoming documents

    Controlled data

    Client/employee (consignee) name, date of receipt, name and address of consignor, consignment tracking number

    Purpose of data controlling

    Keeping records in order to trace which Client/employee received consignment from whom and when 

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of contract

    Planned time of the data control

    For 1 year after the receipt of the consignment, in order to confirm the receipt and traceability of the consignments

    Data subjects

    Clients and their employees, consignees

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    In the postal register related to the filing of incoming documents, on paper, in a closed cabinet.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 8. 

    Filing of outgoing documents for invoicing purposes

    Controlled data

    For both postal and courier items: Client/employee name, address, date of dispatch, consignee’s name, consignment tracking number (identification number)

    In the case of courier services, the following as well: consignee’s name, phone number, e-mail address

    Purpose of data controlling

    Keeping records in order to invoice the costs of outgoing mails to the Client; and, in the case of courier, all contact details required for an effective delivery

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of Contract

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if invoice containing the costs of the letter is paid. In the event of default, until the end of the debt collection procedure

    In the case of courier items contact data controlled will be deleted 15 days after successful delivery.

    Data subjects

    Clients and their employees, consignees

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted? 

    Yes, with the purpose of sending mail, courier items

    Are the data processed 

    Mail Services Kft., MBE Hungary Kft., Courier service

    Purpose of data procession 

    Posting of letters, packages

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) and in the mail system on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    The contact data required for the delivery of courier items will only be indicated on the item and will be forwarded to the courier service immediately for delivery.

    Persons entitled to know the data

    Employees of Service Provider, Mail Services Kft., MBE Hungary Kft., Courier service

     

     

    Data control 9.
    Operating call center and invoicing of its costs

    Controlled data

    Client name, phone number, detailed call log / detailed call list

    Purpose of data controlling

    Keeping records of call expenses for Clients who requested IP-based phone system service, operating the connection between the central phone and the extensions

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of Contract

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the calls are paid. In the event of default, until the end of the debt collection procedure.

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. The summary of the call lists arrives from the telecommunication service provider to the Service Provider on paper, in aggregate form. 

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 10.
    Data control related to the reservation of meeting rooms

    Controlled data

    Client name, date of meeting room use, duration, number of participants 

    Purpose of data controlling

    Keeping records of the costs of Clients who requested rental service regarding the meeting rooms, for invoicing purposes

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of Contract

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the meeting room rental fees is paid. In the event of default, until the end of the debt collection procedure

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 11.
    Data control related to private office use

    Controlled data

    Client name, date of private office use

    Purpose of data controlling

    Keeping records of the costs of Clients who requested rental service regarding private offices, for invoicing purposes

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of Contract

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the private office fees is paid. In the event of default, until the end of the debt collection procedure.

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 12.
    Invoicing related to prints and scans sent directly to the cloud-based printer by the Client

    Controlled data

    Name, number of printed/scanned pages (the Service Provider does not have access to the content of the scanned / printed document)

    Purpose of data controlling

    Keeping records of the costs of Clients who requested service regarding printing/scanning, for invoicing purposes

    Legal basis of the data control

    GDPR Article 6 (1) b): Performance of Contract

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of printing/scanning is paid. In the event of default, until the end of the debt collection procedure.

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in a cloud-based electronic system.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 13.
    Data stored in connection with administrative assistance given to Clients

    Controlled data

    Personal data provided by the Client with consent

    Purpose of data controlling

    Administrative assistance given to Client (for printing, scanning etc.), only in exceptional cases and only at the express request of the Client

    Legal basis of the data control

    GDPR Article 6 (1) a): Consent of data subject

    Planned time of the data control

    If administrative assistance is not required for invoicing, the data will be deleted immediately after the assistance is performed. If the assistance is related to invoicing, until the 30th day after the end of the month to which the assistance relates, if the invoice containing the costs of the assistance is paid. In the event of default, until the end of the debt collection procedure.

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in the form of which was made available by the Client.

    The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted. 

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 14.
    Keeping records of the measures related to exercising data subject rights in accordance with GDPR

    Controlled data

    Name, contact information, decision, submission, registration data

    Purpose of data controlling

    Compliance with the obligation to register the exercise of data subject rights in accordance with GDPR (cp. Article 5 (2) and Article 12)

    Legal basis of the data control

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

    Planned time of the data control

    For 5 years after the request is processed

    Data subjects

    Individuals requesting data subject access rights

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Only for the authorities upon authority request

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider, the authority upon request of authorities

     

     

    Data control 15.
    Data control related to the invoicing of additional services used by the Client

    Controlled data

    Client name, additional service used and its remuneration

    Additional services: Exit painting, costs of construction works, kitchen services, internet service, administrative support, furniture sales, furniture rental, furniture delivery, Catering service, Envelope, CD, Scotch tape, battery, DVD, etiquette label, genotherm, rubber folder, extension cord, internet cable, corrector, staple folder, stapler set, copy paper, Post it, staple purchase, Mineral water purchase, plant rental and care, lamination, spiralling

    Purpose of data controlling

    Invoicing for additional services used by the Clients

    Legal basis of the data control

    GDPR Article 6 (1) a): Consent of data subject

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Invoicing)

    Planned time of the data control

    Until the 30th day after the end of the month to which the invoice relates, if the invoice containing the costs of the additional services is paid. In the event of default, until the end of the claim management procedure.

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in encrypted form in a central client database (operate system) on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled to. The security backups are also encrypted.

    Persons entitled to know the data

    Employees of Service Provider

     

     

    Data control 16.
    Issuance and storage of invoices and receipts

    Controlled data

    Client name, seat/ address, e-mail address, tax number, services used, date of invoice and execution, payment deadline, amount payable

    Purpose of data controlling

    Compliance with invoicing obligation in accordance with the laws

    Legal basis of the data control

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject

    Planned time of the data control

    For 8 years after the invoice has been issued in line with Accounting Act (currently Article 169 Act C of 2000)

    Data subjects

    Clients

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Yes, for the accountant and the Tax Authority (in order to comply with legal obligation)

    Are the data processed 

    Accountant

    Purpose of data procession 

    In order to comply with legal invoicing and bookkeeping obligation

    Form and place of storage

    Electronically in the szamlazz.hu system and in the mail system of the Service Provider.

    For those Clients who do not accept electronic invoices, the invoices are issued and stored on paper.

    Persons entitled to know the data

    Employees of Service Provider, Accountant, Tax Authority

     

     

    Data control 17.
    Personal data control while providing virtual office / registered seat address services

    Controlled data

    Natural identification data of the managing director/ representative and the beneficial owner, citizenship, address, type and number of identification document, in the case of delivery agent its name and address; in the case of managing director/representative a copy of the identity card and a copy of the address card’s side which does not include the personal identification number; in the case of beneficial owner, the nature and extent of the ownership interest, and if (s)he qualifies as a politically exposed person.

    Purpose of data controlling

    Compliance with the obligations under the legislation on registered seat address service and money laundering

    Legal basis of the data control

    GDPR Article 6 (1) c): Controlling is necessary for compliance with a legal obligation to which the controller is subject (Compliance with obligations under the Money Laundering Act)

    Planned time of the data control

    For 8 years after the termination of virtual office/registered seat address service contract in line with Money Laundering Act

    Data subjects

    Managing director/representative and the beneficial owner of the Clients, and the delivery agent of a member/managing director of a legal entity

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Only to the competent authority upon official request

    Are the data processed

    Purpose of data procession

    Form and place of storage

    On paper in accordance with the Service Provider’s internal regulations in line with the Money Laundering Act. The registered documents are stored in separate folders belonging to each Client, separated from the other documents of the Client.

    Persons entitled to know the data

    Employees of Service Provider, authorities upon request

     

     

    Data control 18.
    Data control related to camera system

    Controlled data

    During the operation of the Camera Systems, the portrait (moving image) and actions of the Data subjects who appear in the field of view of the cameras will be monitored and recorded. The camera system does not record any sound.

    Purpose of data controlling

    The camera system installed in the territory of House of Business is solely for the purpose of protection of human life, physical integrity, personal freedom, prevention and proof of violations, and to protect the property of House of Business and the Clients. It is probable that the detection of violations and the actions of perpetrators, and the prevention and proof of these violent acts cannot be achieved by any other methods. The purpose of data control is not to monitor the behaviour and habits of people in the premises of House of Business.

    Legal basis of the data control

    GDPR Article 6 (1) f): Enforcing the legitimate interests pursued by the controller

    Planned time of the data control

    The portrait (moving image) or actions of Data subject recorded during the operation of the camera system will be stored for 15 days after the recording, the recordings will be automatically deleted afterwards – except for the case of use.  Use is considered to be the use of the recorded image and other Personal Data as evidence in court or other official proceedings due to suspicion of a crime, violation of the law, unlawful conduct or damage, and if the Data subject wishes to inspect the recordings concerning himself/herself.

    Prior notice of data control 

    Those wishing to enter or stay on the premises of House of Business will be informed in advance of the data controlled related to the camera system, the rights of Data subjects and of the identity and contact details of the operator.

    • On the premises of House of Business at all entrances “camera surveillance area” sign and a Camera System pictogram is displayed;
    • Present Privacy Policy is available at the reception of House of Business.

    Data subjects

    Clients and their employees, guests and all persons entering the premises of House of Business

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    For the court or authority upon request 

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored in electronic form on the server of the Service Provider, which guarantees that only those persons have access to the personal data who are entitled. The security backups are also encrypted.

    Persons entitled to know the data

    The operator of the camera system and the managing director of the Service Provider. The operator of the camera system shall be a person specified in the Security Services Act.

    • In the case of suspicion of a criminal offense, infringement or damage, the competent authority or court;
    • In the case of suspicion of damage and violation of law, in the legitimate interest of the Service Provider, the managing director shall initiate the necessary proceedings;
    • Data subject, whose personal data is included in the recording.

    A report shall be drawn up on the inspection of the recordings made by the camera system, which shall contain the data necessary in order to identify the recording, the name of the person who is entitled to know the data, as well as the purpose and time of access to the data.

     

     

    Data control 19.
    Data required to provide guest parking

    Controlled data

    License plate, duration of parking

    Purpose of data controlling

    Administrative assistance for the Client in order to provide parking space for the Client’s guests

    Legal basis of the data control

    GDPR Article 6 (1) a): Consent of data subject

    Planned time of the data control

    Until the 5th working day after leaving the parking lot

    Data subjects

    Clients 

    Name and contact details of data controller

    Service Provider (See section 1.15.)

    Data protection officer (DPO)

    Fehér Attila managing director

    Contact details of the DPO

    +36-1-8037600, roosevelt@houseofbusiness.com

    Are the data transmitted?

    Are the data processed

    Purpose of data procession

    Form and place of storage

    The controlled data are stored the form of which was made available by the Client (typically on paper or via e-mail in the mail system).

    Persons entitled to know the data

    Employees of Service Provider

     

    • Disposal of personal data
    • If any changes occur in the controlled Personal Data, we ask the Data subjects to notify the Service Provider of the changes within 3 days, in order to ensure the data’s accuracy. In case the Data subject fails to notify the Service Provider of change, the Service Provider is not responsible for the accuracy of the data.
    • Any request regarding personal data deletion shall be submitted to the Service Provider (via e-mail or in writing)
    • Once the request to delete or modify personal data has been fulfilled, the previous (deleted) data can no longer be recovered.
    • Rights of Data subjects regarding personal data control 

    Data subjects have the following rights in regards with data control

    1. Right of access: the Data Subject shall request information on the controlled data, the purpose and time of data controlling and to whom the data is transferred, as well as the source of the controlled data.
    2. Right to rectification: in case of change in the data of the Data subject, inaccurate or incomplete data recording, the Data subject shall have right to request correction, rectification or clarification.
    3. Right to erasure: Data Subject shall request the erasure of his/her Personal data in the cases described in the Data Protection Act and the GDPR.
    4. Right to restriction of controlling: Data Subject shall request the restriction of Personal data control in the cases described in Data Protection Act and the GDPR.
    5. If a request set forth in Section 5.1-5.4. has been submitted, the Controller shall act in accordance with the provisions of the Data Protection Act and the GDPR and shall inform the Data Subject within one month of the measures taken on the basis of the request.
    6. Right to withdraw consent: Data subject is entitled to withdraw Consent given for the controlling of Personal data which is controlled on the basis of Consent at any time, which, however, does not affect the lawfulness of the data control prior to the withdrawal.
    7. Right to lodge a complaint: Data Subject is entitled to submit a complaint to the competent supervisory Authority (see section 1.12.) in case of a violation regarding the controlling of Personal data. 
    8. Right to remedy: Further the Data Subject is also entitled to bring an action against the Controller in front of the court in the event of a breach regarding personal data protection.
    9. Right to object: Data subject shall have the right to object to the Personal data control based on Article 6 (1) e) or f) of GDPR at any time, including profiling based on the mentioned provisions.
    • Occurrence of Personal data breach 
        1. In the event of Personal data breach Controller shall notify the Authority without undue delay and, if possible, within 72 hours after becoming aware of the breach, unless the Personal data breach is not likely to pose a risk to the rights and freedoms of natural persons. If the notification does not happen within 72 hours, the cause for the delay must be attached as well.
        2. The Data Processor shall notify the Controller of the Personal data breach without undue delay after becoming aware of the breach.
        3. If the Personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay, inform the Data subject of the Personal data breach.
    • Anonymous user IDs (cookies), data control for statistical purposes
        1. The Webpage uses anonymous user IDs (cookies) to increase the quality of the use and to make the use of the Webpage easier for visitors. (An anonymous user ID – cookie – is a series of tokens suitable for unique computer identification and storage of profile information, which is placed on the User’s computer by the service providers. The token itself cannot identify the User in any way, it is only suitable for recognizing the computer.) If you prefer the anonymous user ID to not be placed on your computer, you can configure your browser so that it does not allow them to be placed. In this case, however, you may not be able to have access to some services or not in the form in which you allow the placement of anonymous user IDs.
        2. The Service Provider collects anonymous information and data on the Webpage for statistical purposes. This information relates to an unidentified or unidentifiable natural person and to personal data which have been anonymised in such a way that the data subject is either not identified or can no longer be identified. The provisions of GDPR does not cover the control of these information [see recital 26 of GDRP].
      1. Data security measures
        1. During managing documents, the access to each document and data shall be restricted to the persons listed in the last rows of the tables published in section 3.
        2. Regarding physical data security, the Service Provider ensures the proper closing and protection of its doors and windows. Only those who duly substantiate their legal interest may inspect the documents.
        3. The premises in which data storage devices are placed have been designed by the Service Provider in a way that they are suitable to provide sufficient security against unauthorized or violent intrusion, fire or natural disaster.
    • Assistance, comments, complaint handling
        1. Assistance to the Data subject regarding data control and securing Personal data rights is provided by the person designated as the Data Protection Officer at the Controller.
    • Right of amendment
      1. The Service Provider reserves the right to unilaterally amend the Privacy Policy by informing Data subjects on the Webpage or via e-mail. The Service Provider shall publish the amended Privacy Policy on the Webpage on the tenth (10th) day before the amended Privacy Policy enters into force.

    [Date]