PRIVACY NOTICE


PRIVACY NOTICE
on the processing related to targeting and direct marketing activities

I. INTRODUCTION

The purpose of this specific privacy notice (hereinafter referred to as the “Notice”) is to provide data subjects with transparent and understandable information about the processing of their data by the Controller in relation to targeting and direct marketing activities in accordance with the provisions of the General Data Protection Regulation 2016/679/EU (hereinafter referred to as the “GDPR1 ).

Please note that this Notice only provides detailed information on the specific circumstances of the processing related to targeting and direct marketing activities.

For processing not covered by this Notice, the provisions of the Privacy Notice on the Controller's website (https://wing.hu/en/privacy-policy), which is also available at the Controller's registered office, shall apply.

II. CONTROLLER

a) The personal data are processed by WING Ingatlanfejlesztő és Beruházó Zrt. and the legal persons listed in Annex 1 of the Privacy Notice (https://wing.hu/en/privacy-policy) available at www.wing.hu (hereinafter referred to as the “Controller” or “Joint Controllers”) with which the data subject is in contact related to sending offers and/or direct marketing activities.

The Joint Controllers shall determine among themselves their respective degree of responsibility for the performance of their obligations in relation to the processing and the way in which they are to divide their tasks, in particular those relating to the exercise of the data subject's rights and the provision of information to the data subject.

b) Description of the legal relationship between the Joint Controllers and the essential elements of the agreement among them:

- WING Ingatlanfejlesztő és Beruházó Zrt. has been appointed by the Joint Controllers as the contact point for the data subjects:

Name: WING Ingatlanfejlesztő és Beruházó Zrt.
Registered office: 1095 Budapest, Máriássy utca 7.
Tax number: 10872332-2-43
Company registration number: 01-10-042336
Website: www.wing.hu
Contacts: e-mail: gdprsales@wing.hu
phone: +36 1 451 4974
Contact details of the person responsible for data protection: gdprsales@wing.hu


- The Joint Controllers shall jointly determine the purposes and means of the processing covered by this Notice and shall therefore be considered joint controllers for the purposes of carrying out the processing activities.

- The legal relationship among the Joint Controllers, in this context, the division of responsibilities and liabilities related to each processing activity, is always described in detail in the Privacy Notice providing detailed information on the specific processing.

- A shared electronic system is used to process the personal data collected by the Joint Controllers.

- The source of the personal data are the data subjects who have provided their personal data to a Controller for the purpose of receiving detailed information (offers) from the Controller or another Controller involved in the joint processing on its own products, services or events or for the purpose of being contacted by the Controllers involved in the joint processing by means of direct marketing.

- Data subjects shall be contacted by the Controller with whom the data subject has initiated the targeting or to whom the data subject has given his or her consent to the processing for direct marketing purposes, or by WING Ingatlanfejlesztő és Beruházó Zrt. as the designated contact point for data subjects.

- The responsibility for the fulfilment of the obligations arising from the processing is as follows. WING Ingatlanfejlesztő és Beruházó Zrt. is responsible for the fulfilment of the obligations arising from the data protection legislation. Data subjects may exercise their rights in relation to the processing of their personal data by sending a request or complaint by post addressed to WING Ingatlanfejlesztő és Beruházó Zrt. to 1095 Budapest, Máriássy utca 7. or by e-mail to: gdprsales@wing.hu.

- The above division of responsibility for the processing of personal data among the Joint Controllers is, of course, without prejudice to the right of data subjects to exercise their rights under the data protection law in relation to and against each Controller.

III. PROCESSING IN CONNECTION WITH TARGETING (REQUEST FOR AN OFFER)

PURPOSE CATEGORIES OF THE PROCESSED DATA LEGAL BASIS STORAGE PERIOD
At the initiative of the data subject, to contact the data subject in order to recommend products, services or events provided by the Controller or by another Controller participating in the joint processing or by their partners. Identification and contact details (name, job title demonstrating right of representation, company name, e-mail address, phone number). Consent of the data subject.

[GDPR Art. 6 par. 1 (a)]
Until the consent is withdrawn, but not more than 12 months from the date of the provision of the data.
Verification of the legality of previous communications. Personal data provided related to the consent to the processing, modification or the withdrawal of consent to the processing.

Information on the fact, date, method and content of previous contact.
Legitimate interest in enforcing legal claims and proving compliance.

[GDPR Art. 6 par. 1 (f)]
The general statute of limitations (5 years) from the date of the consent under Act V of 2013 on the Civil Code (hereinafter referred to as the “Civil Code”).


IV. PROCESSING FOR DIRECT MARKETING PURPOSES

PURPOSE CATEGORIES OF THE PROCESSED DATA LEGAL BASIS STORAGE PERIOD
Offering the Joint Controllers' own services (products) by means of direct communication. Identification and contact details (name, job title demonstrating right of representation, company name, e-mail address). Consent of the data subject.

[GDPR Art. 6 par. 1 (a)]
Until the consent is withdrawn.
Verification of the legality of previous communications. Personal data provided related to the consent to the processing, modification or the withdrawal of consent to the processing.

Information on the fact, date, method and content of previous contact.
The Controller's legitimate interest in exercising legal claims and proving compliance

[GDPR Art. 6 par. 1 (f)]
Until the withdrawal (modification) of the consent and then from the withdrawal (modification) of the consent until the lapse of the statute of limitations (5 years) set in the Civil Code (Ptk.).
Not to contact in the future the data subject who has withdrawn his or her consent to the processing. Personal data provided on the consent withdrawal form. The legitimate interest of the Controller in avoiding the sending of future communications to data subjects who have withdrawn their consent, possible complaints about unsolicited communications and reputational damage.

[GDPR Art. 6 par. 1 (f)]
From the date of the withdrawal of consent until the Controller performs marketing activities or until data subjects give consent to the processing of their personal data for such purposes.


V. ADDITIONAL IMPORTANT INFORMATION ABOUT PROCESSING FOR THE ABOVE PURPOSES

SCOPE OF DATA SUBJECTS Natural persons and natural persons acting on behalf of legal persons who take the initiative to be approached by any of the Controllers involved in the joint processing with their own or their partners’ offer and who have consented to the processing for direct marketing purposes.
Source The source of the data processed is the data subject.
PERSONS ENTITLED TO ACCESS The authorised employees of the Controller and WING Ingatlanfejlesztő és Beruházó Zrt. involved in the joint processing, who may process the data only to the extent strictly necessary for the performance of their tasks.
DATA TRANSFER For processors.


VI. DATA SUBJECTS RIGHTS

On the basis of Articles 15-22 of the GDPR, data subjects shall have the right to:

a) request access to their personal data;
b) request the rectification of their personal data;
c) request the erasure of their personal data;
d) request the restriction of processing of their personal data;
e) request data portability;
f) object to the processing of their personal data based on the legitimate interests of the Controller;
g) request not to be subject to a decision based solely on automated processing.

In addition to the above, data subjects shall also have the right to:

a) withdraw their consent to the processing if it was based on their prior consent; and
b) lodge a complaint with the Controller in relation to the processing; or

c) lodge a complaint with the competent supervisory authority or go to court

This chapter summarises the specific rights that data subjects have in relation to the processing in the context of targeting and direct marketing activities. Data subjects' further rights and details of how to exercise them in relation to the processing are set out in the Privacy Notice available on the Controller's website (https://wing.hu/en/privacy-policy).

Right to object

Data subjects shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest, as well as to profiling.

In this case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Automated decision-making, profiling

The Controller does not make decisions about the data subject based solely on automated processing and does not perform profiling in connection with this processing activity.

Withdrawal of consent to the processing

Data subjects may withdraw their consent to these processing purposes at any time, without restriction and without giving reasons, free of charge, as follows.

  • by e-mail: gdprsales@wing.hu (offers and direct marketing activities);
  • by clicking the unsubscribe link in any e-mail message (direct marketing activities).

A declaration of withdrawal, objection or modification may be made by any means that includes the name of the declarant and at least sufficient information to clearly identify the declarant. The declaration is accepted by the Controller even in the absence of this, if it comes from a communication channel (e.g. an e-mail address) which the data subject has previously provided to the Controller for the purpose of contacting, targeting or sending newsletters.

Following the withdrawal of consent, the Controller will not use the contact data provided for the purpose of sending targeted communications/ direct marketing activities, but will retain the data on the basis of legitimate interest in order to verify the prior existence and validity of the declaration and the lawfulness of previous contacts, and will analyse the effectiveness of previous communications for statistical purposes, in an anonymised manner.

The Controller will not check the correctness, truthfulness or accuracy of the personal data provided. The data subject providing the personal data is exclusively responsible for the correctness and accuracy of the data, and by providing their e-mail address, they assume responsibility for ensuring that they will be the only person to use the service with the e-mail address provided. As a result, any all liability in connection with logins with a specific e-mail address will be borne exclusively by the data subject who provided this e-mail address to the Controller.

VII. DATA TRANSFER, PROCESSING

The personal data processed may be transferred to other persons (hereinafter referred to as the “Recipients"). Recipients may be public authorities, administrative bodies or other authorities vested with public powers, or courts to whom the transfer of personal data is necessary for compliance with a legal obligation [GDPR Art. 6 par. 1 (c)].

Recipients of such transfers may be third party processors who process the personal data on behalf of the Controller on a contractual basis and for the purposes specified by the Controller. The Controller uses processors only that provide adequate safeguards for the protection of personal data.

In connection with targeting and direct marketing activities, the Controller uses the following processors.

PROCESSOR ACTIVITIES

WEBSTATION Számítástechnikai, Kereskedelmi és Szolgáltató Betéti Társaság
(registered office: 1034 Budapest, Makovecz Imre utca 23.; company registration no: 01-06-115421; tax number: 28351735-2-41)
Sending offers related to targeting and direct marketing communications (newsletters), management of blacklists, drafting of reports, in particular: collection, recording, organisation, structuring, storage and retrieval of personal data.

CollabIT Zrt.
(registered office: 1119 Budapest, Fehérvári út 77/C.; company registration no: 01-10-140165)
OPERATION of the SharePoint system for the storage of personal data, in particular: collection, recording, organisation, structuring, storage and retrieval of personal data.

The Rocket Science Group LLC d/b/a Mailchimp (Intuit Group Companies)
(https://www.intuit.com/legal/intuit-group-companies/)
Sending direct marketing communications (newsletters), management of blacklists, in particular: collection, recording, organisation, structuring, storage and retrieval of personal data.

The headquarters and servers of the system operated by the processor are located in the United States of America (USA), so the activities of such processor require the transfer of personal data to a third country (outside the EEA).

Until 10 July 2023, i.e. until the adoption of an adequacy decision for the US, the transfer was only made on the basis of an instrument containing appropriate safeguards (standard data protection clauses) under Article 46 of the GDPR, and accordingly the standard data protection clauses set out in the Implementing Decision 2021/914 adopted by the Commission (Controller to Processor Clauses (2021) | Mailchimp) form part of the data processing agreement between the parties, whereby the Controller provides appropriate safeguards for the transfer of personal data to a third country processor.

However, pursuant to the adequacy decision for the EU-US Data Protection Framework under Article 45 of the GDPR, adopted on 10 June 2023, transfers to the US generally (even in the absence of other additional safeguards) comply with the general principle for transfers to third countries (essentially the principle of equivalent level of protection - Article 44 GDPR). This is guaranteed by the adequacy decision for the EU-US Data Protection Framework under Article 45 of the GDPR, adopted by the European Commission, under which the US ensures an adequate level of protection for personal data transferred to the US, comparable to that in the European Union.

This data processor is a party to the EU-US data protection framework, so it is able to provide essentially the same level of protection for personal data without other safeguards.

(https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TXVKAA4&status=Active

Linemedia Kft.
(registered office: 1141 Budapest, Komócsy utca 29-31. C. ép. 1. em. 1. ajtó, company registration no: 01-09-940357)
In the context of its tasks related to the development and operation of the website, in particular: storage, retrieval and access to personal data.


VIII. LEGAL REMEDIES

Data subjects have the right to lodge a complaint against the processing carried out by the Controllers, as detailed in the Privacy Notice available at https://wing.hu/en/privacy-policy.

The Controller recommends that data subjects make use of the opportunity to lodge a complaint with the Controller before filing a complaint with the authorities or commencing a legal proceeding. In addition to the contact details of the Controller, data subjects may also exercise their rights at the following e-mail address provided by the Controller for this purpose: gdprsales@wing.hu

Data subjects may lodge a complaint about the processing of their personal data with the National Authority of Data Protection and Freedom of Information (NAIH - 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; e-mail: ugyfelszolgalat@naih.hu; phone: +36 (30) 683-5969, +36 (30) 549-6838; +36 (1) 391 1400; fax: +36 (1) 391-1410) or may also go to the court of their habitual residence.

IX. MISCELLANEOUS PROVISIONS

This Notice or any of its contents are protected by copyright, the rights to which are held by the Controller, and its contents may be used only with the prior written permission of the Controller.

This Notice is governed by the rules of Hungarian law. Matters not covered by this Notice are primarily governed by the GDPR and the Hungarian laws.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.