Data privacy policy

Data Privacy Policy of
KÉSZ Group

This Data Privacy Policy (hereinafter referred to as Policy) informs the Data Subjects about the personal data processed by companies and organizations that are part of KÉSZ Group (hereinafter referred to as Company/Controller) during their business-related or administrative activities, based on Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as GDPR or Regulation), with special regard to Articles 13 and 14 thereof.

The principle of fair and transparent processing requires that the Data Subject be informed of the existence of the processing operation and its purposes. The information related to the processing of personal data relating to the Data Subject shall be given to him or her at the time of collection from the Data Subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the Data Subject shall be informed when the personal data are first disclosed to the recipient. If the controller is unable to provide the Data Subject with information on the origin of the personal data, as they come from different sources, general information shall be provided.

1. The Data Controller and their Contact Information

The Companies of the KÉSZ Group apply a uniform data processing practice, regarding which this Policy governs all Companies of the KÉSZ Group, with the stipulation that individual Companies of the KÉSZ Group may apply special provisions in their data processing activities while being required to fully comply with the requirements of this Policy. The Data Privacy Policies disclosed at the websites of the Companies of the KÉSZ Group shall refer to the provisions of this Policy.

If you would like to know more about the data processing of KÉSZ Group  or any Company, or if you wish to exercise the rights contained in this Policy, you may do so by contacting us below:

  • postal address: KÉSZ Group, 1095 Budapest, Mester u. 87.;
  • e-mail address: adatvedelem [at] kesz.hu;
  • website: www.kesz.hu

Controller of the kesz.hu website:

  • Name: KÉSZ Holding ZRt.
  • Registered office: 1095 Budapest, Mester utca 87.

Currently valid data of the Controller, to be checked by inputting the name or other data suitable for identification (company registration number, VAT registration number) of the Controller, are available free of charge in the public register on www.e-cegjegyzek.hu.

Individual Companies of the KÉSZ Group shall be Controllers for the contractual and other relationships established with them. The contact details of the Controllers are disclosed on the relevant websites and in Annex 2 of this Policy.

2. Data processing during the use of the website

As in the case of most other websites, the website of the KÉSZ Group automatically collects certain information and stores it in log files. This information may contain internet protocol (IP) addresses, the region or the general location where the computer or device accesses the internet, the browser type, the operating system, and other use information concerning the use of the website of the KÉSZ Group.

The Controller may use this information to create and maintain a website that satisfies user needs; hence it may, for example, use the IP address of the Data Subject (hereinafter referred to as User or Data Subject) to diagnose server-related issues and for website administration.

The Cookie Policy (accessible via this link) provides detailed information about the scope of automatically collected data

The Controller provides the following information regarding personal data that are not automatically collected, i.e. which are given while using individual website functions.

3. Other cases of data processing activities

In addition to the use of the website, the Controller conducts other data processing in the course of its business activities, regarding which it provides the following general information.

3.1. Data Subjects

In the course of its activities or providing its services, the Controller may process the personal data of the following natural persons [hereinafter referred to as Data Subject(s)].

  • contracting entities, tenderers, or contracting parties (for private individuals, private entrepreneurs),
  • contracting entities, tenderers, or contracting parties (for organizations) (legal representatives, employees, contact persons, agents, other fulfillment partners (e.g. subcontractors, employees, temporary agency workers) of partners),
  • employees of contracted partners,
  • for partners using a service, the employee personally responsible for the subject of the service(s), other authorized persons (e.g. users of rented cars),
  • newsletter recipient;
  • person participating in an event, contest, program, promotional game, sponsorship or other program,
  • persons entering and staying at its office blocks, sites, project locations,
  • persons acting on behalf of the owner(s) of the consortium partners or suppliers of the Controller or the owner(s) during assistance programs or projects.

Detailed information on each type of Data Subjects and the scope of the processed personal data is included in Annex 1 of this Policy.

Individual Companies of the KÉSZ Group may process the personal data of Data Subjects other than the above in the course of their data processing activities. Information in this regard is available on the websites of the relevant Companies.

3.2. Access to Personal Data, Types of Personal Data Processed

The Data Subject makes the personal data to be processed available to the Controller either by himself or herself or through the business partner (e.g. contracting entity, tenderer, contracting party, partner using the services) either in the document (e.g. call for tenders, tender, contract, declaration of consent, etc.) preparing, underlying, or issued during the establishment of the legal relationship or by applying an online or web-based solution (e.g. email, registration, newsletter subscription).

The Data Controller assumes that any person (natural or legal entity) who transmits personal data to it will at all times make the relevant personal data available to them in accordance with applicable law, and in particular have appropriate and informed consent or other legal basis for the transfer of personal data.

The Data Controller, in accordance with the objectives and legal basis detailed in Annex 1 of the Policy, may also collect personal information from authentic and public databases operated by courts, the National Tax and Customs Administration (NAV), or other public organizations.

The types of personal data handled in relation to the Data Subject and the period for which the data will be stored are detailed in Annex 1 of this Policy.

3.3. Persons authorized to familiarize with the data

The employees of KÉSZ Group who operate and maintain the website of KÉSZ Group and, in the case of data provided while using individual functions, the responsible head of the relevant field or process and the persons authorized by that responsible head are authorized to control and process the data related to the website.

3.4. Certain Data Processing Objectives and Legal Bases

The following section provides detailed information on the purposes and legal bases of data processing as described in Annex 1.

3.4.1. Performance of the Contract

Processing the personal data of the Data Subject, who is a natural person, as the party initiating or concluding the contract is necessary for the fulfilment of the contractual obligations of the Controller.

The processing of personal data (typically contact details) in the contract made between the Controller and a legal person (partner) is based on the legitimate interest of the Controller to facilitate the fulfilment of contractual obligations.

The detailed terms and conditions for the provision of services under the contract are set out in the contract governing the given legal relationship and its annexes.

Given that without the provision of the above-mentioned personal data (data provision), the Data Controller or the Partner will not be able to fulfill its contractual obligations, the Partner or the Data Subject shall personally provide the personal data to the Data Controller. Failure to provide the data may result in the performance of the Contract being impossible and the Data Controller becoming entitled to withdraw from the contract.

If the legal basis of specific processing is performance of a contract, the Controller shall process the Data Subject’s data even after termination of the contract for the purposes of establishment, exercise or defense of legal claims.

The Controller shall keep the Data Subject’s personal data not erased after failure of conclusion or after termination of the contract for a period of five years after failure of conclusion or after termination of the contract according to the general rules for limitation set out in Act V of 2013 on the Civil Code. In the case of certain special-purpose contracts (e.g., construction contracts, public contracts), this period may be longer than 5 years by the provisions of contract or a legislative act.

​​​​​​​3.4.2. Fulfillment of a Legal Obligation

The Controller may process the Data Subject’s personal data also for the purposes of compliance with legal obligations. The list of legal obligations is included in Annex 1 of this Policy.

Having regard to the fact that data processing under this this Section is a legal obligation of the Controller, providing the personal data is mandatory, and the non-provision of data could render the fulfilment of the legal obligation impossible.

3.4.3. Legitimate Interest of the Data Controller and/or a Third Party

The Controller may process the Data Subject’s personal data also on the ground of his or her legitimate interests. If data processing is based on this legal basis, the Data Controller shall determine the necessary and proportionate level of data processing in the interest weighing test before commencing data processing.

Given that the processing of data under this Section is in the legitimate interest of the Data Controller or a third party, the provision of personal data is mandatory, and failure to provide data may result in the refusal of the Data Controller to enter into or perform the contract, or to participate in the events detailed in Section 6 of Annex 1.

3.4.4. Voluntary consent of the Data Subject

Personal data shall be processed based on the Data Subject’s consent (freely given, specific, informed and unambiguous indication of his or her wishes). Consent may be provided by the Data Subject

  • Separate from other statements, in , a contract regarding the fulfillment of services, or
  • in a separate statement.

The consent is voluntary and the Data Subject has the right to withdraw their consent at any time without notice to the Data Controller. The Data Subject may send the notice to any of the contact addresses in Section 1 of the Policy. In such notice the Data Subject shall indicate the processing operation in respect of which he or she intends to withdraw the consent in an identifiable manner.

If the Data Subject’s personal data are processed for promotional purposes or for other award games, the Controller shall inform the Data Subjects separately of the related processing.

Withdrawal of the consent will have no consequences for the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of the data processing prior to the withdrawal carried out on the basis of the consent.

4. Recipients of the Personal Data

The Controller may transfer the Data Subject’s personal data to the following persons or entities in particular.

  • bodies entrusted by the Controller and engaged in health and safety and quality protection activities, which are regarded as joint controllers together with the Controller in respect of the personal data provided in this field. In the event the body engaged in health and safety and quality protection activities entrusts a third party with such activities, then that third party shall be regarded as a processor;
  • to the organization(s) providing back office or other services to the Data Controller (Finance and Accounting, HR, IT, Law), who are considered data processors for the data transmitted,
  • on the basis of statutory requirements, to the authority or court specified by legislation,
  • for the service provider involved in the execution of events and programs, who shall be considered a data processor on the basis of this mandate.

4.1. Processors and their contact details

In its data processing activities related to the website, the Controller relies on the following processors.

Name of processor

Registered seat of processor

Contact details of processor

Purpose of the data processing

IBCnet-Magyarország Kft.

1095 Budapest, Mester utca 87.

 

+36 1 398 8611

info [at] ibcnet.hu

Providing IT and server services

 

The Companies of the KÉSZ Group may rely on other processors in their data processing activities. The contact details of the processors are in Annex 1 of this Policy as well as on the websites of the relevant Companies.

4.2. Transmission to third countries

The Controller may not transmit personal data to third countries except if it is required for the activities of the relevant Companies, in which case the relevant information is available on the website of the relevant Companies.

5. Your rights

Any person (Data Subject) involved in data processing may at any time request information on the processing of his or her personal data and may also request that his or her personal data be rectified, specified, erased, restricted, and may exercise all his or her rights granted by the relevant laws. The following section provides detailed information on the individual rights.

5.1. Right to access

The Data subject shall have the right to receive feedback from the Data Controller that their personal data is being processed and, if such processing is in progress, to have access to the personal data and the following information:

  • the purposes of processing of the specific personal data,
  • categories of personal data of the Data Subject,
  • the categories of recipients to whom the Data Subject's personal data have been or will be disclosed, including, in particular, third country recipients; international organizations (in the case of transfers to third country recipients and international organizations, the Data Subject is entitled to request information if the data transfer is subject to appropriate safeguards),
  • the intended duration of storage of the Personal Data of the Data Subject, or, where this is not possible, the criteria for determining this time period,
  • the Data Subject's rights (right of rectification, erasure or limitation, right to data portability, and the right to object to the processing of such personal data),
  • the right to lodge a complaint with a supervisory authority,
  • if the data was not obtained by the Data Controller from the Data Subject, all the available information about the source,
  • the fact of making an automated decision on the Personal Data of the Data Subject, including profiling; if such data processing is carried out, the information shall include the logic used and the significance and likely consequences of such processing for the Data Subject.

Unless otherwise requested by the Data Subject, the information requested shall be provided in a widely used electronic format if the Data Subject has submitted the request electronically.

Prior to completing the request, the Data Controller may request the Data Subject to specify the content of the request and to specify the requested information or data processing activities.

If the Data Subject’s right for access adversely affects the rights and freedoms of others, so in particular others’ trade secrets or intellectual property, the Controller will be entitled to refuse to meet the Data Subject’s request to the extent necessary and proportionate.

In the event that the Data Subject requests the above information in multiple copies, the Data Controller shall be entitled to charge a reasonable and proportionate fee in proportion to the administrative costs of producing the additional copies.

If the Personal Data indicated by the Data Subject are not managed by the Data Controller, they shall also inform the Data Subject in writing.  

5.2. Right to Rectification

The Data Subject has the right to request the rectification of personal data concerning him or her. If the personal data concerning the Data Subject are incomplete, the Data subject has the right to request the personal data to be supplemented.

In the exercise of the right to rectification / addition, the Data Subject shall indicate which pieces of data are inaccurate or incomplete, and shall also inform the Data Controller of the exact and complete data. In justified cases, the Controller shall be entitled to invite the Data Subject to demonstrate the clarified data appropriately, first of all, by means of documents to the Controller.

The Data Subject shall correct the data without any undue delay.

After having complied with the Data Subject’s request for exercising his or her right to rectification, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

5.3. Right to Erasure ("The Right to Forget")

The Data Subject shall have the right to propose that the Data Controller delete his or her personal data or pieces of personal data, without undue delay if any of the following reasons exist:

  • the personal data provided by the Data Subject is not required for the purpose for which it was collected or otherwise processed by the Data Controller,
  • the Controller processed the personal data (including also special data) based on the Data Subject’s consent and the Data Subject has withdrawn such consent and there is no other legal basis for the processing,
  • the Data Subject objects to the processing based on the Controller’s legitimate interest and there are no compelling legitimate grounds for the processing by the Controller which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims,
  • the Data Controller has unlawfully processed the personal data,
  • the data managed by the Data Controller must be deleted in order to comply with any legal obligation under EU or national law applicable to the Data Controller,
  • the Data Subject protests against the data processing, and there is no overriding reason for the data processing.

The Data Subject shall submit their request for deletion in writing, and indicate the reason for which they wish to have the personal data deleted.

Where the Controller adopts the Data Subject’s motion for erasure, it will erase the personal data processed in all registers and will inform the Data Subject thereof in an appropriate manner.

In the event the Controller shall erase the Data Subject’s personal data, the Controller shall take all reasonable actions, including application of technical measures, that are necessary for informing also the controllers who have become aware of the Data Subject’s personal data as a result of publication of such data about the mandatory erasure of the personal data. In the course of providing such information, the Controller shall inform the other controllers that erasure of links, copies or replicates of the Data Subject’s personal data has been initiated by the Data Subject.

After having complied with the Data Subject’s request for exercising his or her right of rectification, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

The Data Controller shall not be obliged to delete personal data if such data processing is necessary for the following:

  • for the exercise of the right to freedom of expression and information,
  • to comply with any obligation of the Data Controller under Hungarian or European Union law to process personal data,
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
  • for the pursuit of a general interest in the field of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the Data Subject’s right to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing,
  • for the filing, enforcement or defense of legal claims.

5.4. Right to Restrict Data Processing

The Data Subject shall have the right to propose that the Data Controller restrict the processing and use of his or her personal data or pieces of personal data, without undue delay if any of the following reasons exist:

  • the Data Subject disputes the accuracy of the personal data (in which case the restriction will continue until the Data Controller verifies the accuracy of the data),
  • the Controller’s processing was unlawful but the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • the purpose of the data processing for the Data Controller has ceased to exist, but the Data Subject requires them for the purpose of submitting, asserting or defending legal claims,
  • the Data Subject objects to processing in respect of that based on the Controller’s legitimate interest and there are no compelling legitimate grounds for the processing by the Controller which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims; in such a case restriction will exist until it is established pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of an EU Member State.

The Data Controller shall inform the Data Subject in advance of the lifting of the restriction of data processing.

After having complied with the Data Subject’s request for exercising his or her right to restriction, the Controller shall immediately inform the persons to whom the Data Subject’s personal data have been disclosed provided that it is not impossible or does not require a disproportionate effort of the Controller. At the request of the Data Subject, they shall be informed by the Data Controller of these recipients.

5.5. Right to Protest

If the processing of the data of the Data Subject is based on a legitimate interest, an important guarantee provision is that the Data Subject shall be provided with appropriate information and the right to object in relation to the data processing. This right must be expressly brought to your attention at the latest when you first contact the Data Subject.

The Data Subject shall be entitled to object to the processing of his or her personal data and, in such a case, the Controller shall no longer process the Data Subject’s personal data unless it can be demonstrated that

  • the processing by the Controller is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject, or
  • the processing is related to the filing, validation or defense of the Data Controller's legal needs.

5.6. Right to Data Portability

The Data Subject shall have the right to receive personal data relating to him or her, processed by the Data Controller, in a structured, widely used, machine-readable format, and to transmit such data to another Data Controller without being hindered by the Data Controller.

The right to data portability shall be exercised with respect to the personal data provided to the Data Controller by the Data Subject, and

  • the data processing is based on the consent of the data subject or on a contractual basis, and
  • Data processing is automated.

If it is otherwise technically feasible, the Data Controller shall, at the request of the Data Subject, forward the personal data directly to another data controller indicated in the Data Subject's application. The right to data portability under this section does not create an obligation for data controllers to install or maintain technically compatible data processing systems.

In the field of data portability, the Data Controller shall make the data file available to the Data Subject free of charge.

If the data subject's right to data portability adversely affects the rights and freedoms of others, so in particular others’ trade secrets or intellectual property, the Controller will be entitled to refuse to meet the Data Subject’s request to the extent necessary.

The Data Controller's measure taken in the field of data portability does not mean the deletion of the data, and it shall be recorded by the Data Controller for as long as the Data Controller has a proper purpose or legal basis for the processing of the data.

5.7. The Right to Decide on Automated Decision-Making in Individual Cases, Including Profiling

The Controller informs the Data Subject that it does not apply automated decision-making, including profiling, with regard to the personal data; should this, however, be necessary, the Controller shall inform the Data Subjec

5.8. Right to Legal Remedies

5.8.1. Right to Complain

If the Data Subject considers that the processing of personal data by the Data Controller violates the prevailing data protection laws, in particular the GDPR, he has the right to lodge a complaint to the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság).

Contact details of the National Data Protection and Freedom of Information Authority:

  • Website: www.naih.hu
  • Address: 1055 Budapest, Falk Miksa utca 9-11.
  • Mail address: 1374 Budapest, Pf. 603
  • Phone: +36-1-391-1400
  • Fax: +36-1-391-1410
  • E-mail: ugyfelszolgalat [at] naih.hu

The Data Subject has the right to lodge a complaint with another supervisory authority, in particular in the Member State in which he or she has habitual residence, is employed, or the alleged infringement took place.

5.8.2. Right to Apply to the Courts (Right of Action)

Irrespective of his or her right to lodge a complaint, the Data Subject may access a court if his or her rights under the GDPR were infringed in the course of the processing of his or her personal data.

The Data Controller, as a data controller with a domicile in Hungary, may be sued before a Hungarian court.

Based on Paragraph (3) of Section 23 of the Information Act, the Data Subject may file for a lawsuit at, as he or she may elect, either the regional court having jurisdiction over his or her place of domicile or the regional court having jurisdiction over his or her place of residence. The contact details of the Hungarian courts can be found on the following link: http://birosag.hu/torvenyszekek.

Considering that the Controller is not a public authority of a Member State acting in the exercise of its public powers, the Data Subject may bring the action also before courts having competence and jurisdiction in the Member State of his or her habitual residence provided that the Data Subject’s habitual residence is in another Member State of the European Union.

5.8.3. Other remedial options

The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly constituted in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of Data Subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to carry out the judicial review of the decision of the supervisory authority, to bring an action and to exercise the right to receive compensation.

6. Data security

Data Controller undertakes to provide the security of Personal Data, and also takes all necessary technical measures to ensure the protection of Personal Data from unauthorized acquisition, deletion, modification, and use. Furthermore, Data Controller undertakes to advise any third party (e.g., Data Processor) to whom they forward Personal Data about the necessity of such obligations.     

7. Miscellaneous

In the event that the Data Controller has a reasonable doubt as to the identity of the person making the request under sections 6.1 to 6.7 of the Policy, the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

The Data Controller reserves the right to unilaterally modify this Policy with effect from the time of the modification, subject to any applicable legal restrictions and prior notice to the Data Subject.

Annex 1

Annex 2

* * *

Budapest, December 10, 2020