Privacy policy

Privacy policy

of

Downtown Apartments LTD (registered office: Budapest 1221. Kapisztrán u. 7. e-mail address: website: http://www.downtownapartments.eu/eng/student-site/our-flats/dtabooking@speedcarve.hu hereinafter: “Data Controller”] 

Hereby provides information to data subjects regarding the data processing operations connected with business activities carried out by itself, in order to comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (GDPR). 

I. SUMMARY OF THE DATA PROCESSING OPERATION 

Downtown Apartments ltd. help international students, workers, interns to find accommodation in Budapest; operates own and rented apartments; also connecting independent accommodation operators with Data Subjects on their request. The Data Controller assures lawful, fair and transparent processing of personal data and the fulfilment of principles relating to processing of personal data while carrying out its business activity. Personal data are collected from the Data Subjects, who applied for rooms or flats of the Data Controller (or authorised other organisations – universities, student housing services organisations- sharing their personal data with the Data Controller for accommodation purpose); in the course of providing his/her data on the website or sending e-mail. Hereby the Data Controller provides information to data subjects pursuant to the Article 13 of the GDPR: The present notice contains information among others on 

a) the identity and the contact details of the controller, 

b) the purposes of the processing, for which the personal data are intended, as well as the legal basis of the processing, 

c) categories of recipients of the personal data, 

d) the period for which the personal data will be stored, 

e) the rights related to the processing of personal data. 

The Data Controller provides meaningful overview of its data processing operation with the following table:

DATA PROCESSING OPERATIONPURPOSE OF DATA PROCESSINGLEGAL BASIS OF DATA PROCESSINGSCOPE OF PROCESSED DATAPERIOD OF DATA PROCESSINGCATEGORIES OF RECIPIENTS OF THE PERSONAL DATA AND DATA PROCESSORS
concluding rental contracts with Downtow Apartments ltdcreating and modifing rental contractsconsent given by the data subjests [Point a) of Article 6 (1) in the GDPR]; the consent can be withdrawn at any time.The name, the e-mail address and the phone number of the data subject and personal data provided by data subject in his/her messageUntil the consent is withdrawn by the data subject, although, at the longest, it takes five years. 
a.)Downtow Apartments ltd as lessor itself (including employees and subcontractors of Data Controller)b.) Hosting Service
concluding rental contracts with other landlordscreating and modifing rental contractsconsent given by the data subjests [Point a) of Article 6 (1) in the GDPR]; the consent can be withdrawn at any time.The name, the e-mail address and the phone number of the data subject and personal data provided by data subject in his/her messageUntil the consent is withdrawn by the data subject, although, at the longest, it takes five years. 
a.) Other  landlords, on request of Data Subjetsb.) Hosting Service

II. THE LEGAL BASIS AND PURPOSE OF DATA PROCESSING, THE SCOPE OF PROCESSED DATA AND THE PERIOD OF DATA PROCESSING 

II.1. CONCLUDING RENTAL CONTRACTS BETWEEN DATA SUBJETS AND DATA CONTROLLER 

1. The Data Controller provides real estate service. The purpose of data processing is to conclude rental contracts. The legal basis of data processing is consent given by the data subject [Point a) of Article 6 (1) in the GDPR]; the consent can be withdrawn at any time. 

2. Data Controller collects, processes and stores the name, the e-mail address and the phone number of the data subject and personal data provided by data subject in his/her message. 

3. The period of data processing is up to the withdrawal of the consent of the data subject, although, at the longest, it takes five years from the day when personal data are obtained. 

4. The categories of recipients of the personal data: lessors or owners of properties. In case Downtown Apartments ltd can not provide an accommodation meeting all requirements of Data Subject, it may forward the request of the Data Subject to other landlords if Data Subject ask the fofrwarding. The transfer of personal data is necessary in order to provide data for concluding rental contract with other landlord (on request of Data Subjet).

 II.2. ENABLING CONTACT BETWEEN OTHER LANDLORDS AND THE DATA SUBJECT 

1. The secondary purpose of data processing is to providing possibility to data subject to ask questions by telephone or by electronic means (e-mails or on the website) regarding other properties provided not by the Data Controller. The data processing operation is independent from handling complaints of data subjects. connected with the activity of Data Controller. The legal basis of data processing is consent given by the data subject [Point a) of Article 6 (1) in the GDPR]; the consent can be withdrawn at any time. 

2. Data Controller collects, processes and stores the name, the e-mail address and the phone number of the data subject and personal data provided by data subject in his/her message. 

3. The period of data processing is up to the withdrawal of the consent of the data subject, although, at the longest, it takes five years from the day when personal data are obtained. 

III. DATA PROCESSORS 

Processors, who process personal data of the data subject on behalf of and according to the instructions of the Data Controller: [Company name of data processor] [registered office:…; e-mail address:…; website:…] Activity of the data processor: hosting service; The above-mentioned processor processes the personal data of the data subject according to the data processing agreement concluded by the Data Controller and the data processor.  

IV. DATA SECURITY, THE PERSONS AUTHORIZED TO BECOME AWARE OF THE DATA 

1. The Data Controller erases personal data of data subjects at the expiry of the data processing period. 

2. The Data Controller ensures the security of the processed data and does its utmost in order to protect privacy of data subjects avoiding unauthorized access, alteration, transfer, disclosure, erasure or destruction, inaccessibility of data due to the change of applied technology, accidental destruction or damage of data. 

3. In the scope of measures required to maintain data security in the database, the Data Controller processes data of the data subject in a computer database, in automatic and manual manners, and has ensured that the processing is carried out, at all times, in a closed, password protected system, saved to hard drive, and that such systems are used only by persons authorized to become aware of the data, only in relation to the provision of the services and only to the extent essential thereto. 

4. The computer systems are provided with fire walls and appropriate virus protection. 

5. The Data Controller carries out the technical monitoring of the system and takes the appropriate measures in case a malfunction is detected or indicated. 

6. The Data Controller ensures that the persons authorized to access the data are fully informed of the data protection rules. As a safeguard of data protection, the managing officer and employees of the Data Controller are bound by confidentiality obligation and legal liability regarding the personal data they became aware of in the course of their work. For subcontractors Data Controller apply the same confidentiality obligations. 

7. The information and network IDs (IP addresses), which become accessible to the Data Controller due to the fact that the data subject who visits its website uses of his/her computer, shall be logged in order to generate website traffic statistics and to detect possible malfunctions and attacks. The Data Controller does not link the network IDs to any other data on the basis of which the person who visits the website or the data subject could be identified.

 V. RIGHTS OF THE DATA SUBJECTS, REMEDIES 

1. Data subjects are entitled to exercise their rights defined in this section by electronic means via e-mail to the email address semmelweishousing@gmail.com or by post to the postal address of the Data Controller. 

2. Data subjects have right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: [Article 15 (1) in the GDPR; right of access by data subject]: 

a) the purposes of data processing; 

b) he categories of personal data concerned; 

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; 

d) the period of data processing; 

e) the rights of the data subject and of the remedies he/she is entitled to. 

3. At the request of data subjects, the Data Controller provides a copy of the personal data undergoing processing in a commonly used electronic form or in other form chosen by the data subject [Article 15(3) in the GDPR; right to obtain a copy]. 

4. The Data Controller modifies the personal data of data subject or makes it more accurate (rectification) pursuant to the request of data subject [Article 16 in the GDPR; right to rectification]. 

 5. The Data Controller erases personal data of data subject if requested so by the data subject. The Data Controller is entitled to deny such request if Article 17(3) of the GDPR is applicable, for instance in case of the personal data are necessary for the establishment or exercise of legal claims, for compliance with a legal obligation prescribed by Union or Member State law to which the controller is subject, for public interest or for exercising the right of freedom of expression and information [Article 17 in the GDPR; right to erasure]. 

6. The data subject is entitled to withdraw his/her consent to the processing of his/her personal data, without restriction or reasoning, and free of charge. In such case, the Data Controller erases all of the data subject’s personal data without delay [right to the withdrawal of consent]. The withdrawal shall not affect the lawfulness of the data processing carried out prior to the withdrawal, on the basis of the consent. 

7. The data subject is entitled to request the restriction (blocking) of the processing of his/her personal data in case 

a) he/she contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; 

b) the data processing is unlawful and he/she opposes the erasure of the personal data and requests the restriction of their use instead; 

c) the Data Controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defense of legal claims; [Article 18 in the GDPR; right to the restriction of data processing (blocking)]. 

The Data Controller fulfils the request of data subject for restriction by storing the concerned personal data separately from any other personal data, for instance by saving them to an external data storage media in case of electronic databases, or by placing the data stored in paper form into a separate folder. The Data Controller is entitled to process the concerned data, with the exception of storage, only with the consent of data subject or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The Data Controller informs the data subject before such restriction of processing is lifted. 

8. The data subject is entitled to receive his/her personal data in a structured, commonly used and machinereadable format and to transfer those data to another data controller. Furthermore, the Data Controller ensures, if expressly requested so by the data subject, the direct transfer of personal data of the data subject to another data controller designated by the data subject. [Articles 20(1) and 20 (2) in the GDPR; right to data portability]. 

9. The Data Controller notifies the data subject of the measure taken within one month from receiving the request. In case the request is rejected, the Data Controller notifies the data subject of the reasons of the rejection and of the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority) and to seek remedy in court. 

10. The exercise of right is free of charge. In particular cases, the Data Controller is entitled to charge fee based on administrative costs or to deny taking measures on the basis of the request, in case the data subject requests a copy of his/her data or if the request of the data subject is manifestly unfounded or exaggerated, particularly due to repetition. 

11. The Data Controller reserves the right to ask the data subject for information required to verify his/her identity in case it has a reasonable doubt concerning the identity of the data subject. The request for a copy of the data of the data subject shall be deemed a case where the above is applicable in particular, since the Data Controller verifies that the request was submitted by the authorized person. 

12. Before initiating the procedures set out in the present section, the data subject is entitled to submit, by electronic means, his/her complaint to the Data Controller in order that his/her concerns are 5 eliminated and the lawful conditions are restored. The Data Controller examines the complaint within one month, takes minutes thereof, renders a decision on the merits of the complaint and notifies the data subject of that decision in writing, by electronic means. If the Data Controller finds the complaint well-founded, it restores the lawful conditions of data processing or terminates the data processing, including further obtaining of data or the transfer thereof. In such case, the Data Controller does not continue processing the personal data of the data subject, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claim. The Data Controller notifies the persons, to whom it transferred the data concerned with the complaint, of the complaint and of the measures taken on the basis thereof. 

13. In case the data subject considers that the Data Controller violated his/her right to the protection of personal data or carries out unlawful data processing, he/she is entitled to initiate the procedure of the Authority. Contact details of the Authority: postal address: H-1530 Budapest, Pf.: 5.; e-mail address: ugyfelszolgalat@naih.hu; phone number: +36 (1) 391-1400; website: www.naih.hu

14. In case of the data subject considers that the Data Controller violated his/her right to the protection of personal data, he/she is entitled also to initiate judicial proceedings and to claim the reimbursement of his/her damage arising from the unlawful processing of his/her data or from the breach of data security, and to claim compensation for non-material damage in case of violation of personality rights. In case the rights are enforced in court, the data subject is entitled to initiate the proceedings also before the court competent by reference to the data subject’s place of residence or place of stay. 

VI. OTHER PROVISIONS 

1. The Data Controller displays a Privacy Notice on its website in case of amendments along with sending the amended Privacy Notice to the email address provided by the data subject in order to provide that he/she can become aware of it.

2. The Data Controller provides information on the data processing activities not described in the present Privacy Notice at obtaining the data. The court, the prosecutor, the investigating authorities, the administrative authority, the Authority or other bodies authorized by law are entitled to request the Data Controller to provide information, to provide or hand over data, or to make documents available. The Data Controller is entitled to disclose, in case the authorities designate the accurate purpose and the scope of the requested data, only the personal data which are essential to fulfil the purpose of the request and only to the extent thereof to the said authorities. 

3. In case the Data Controller discloses the data to other addressees, it will inform data subjects thereof, upon the first disclosure of the personal data. 

4. In case the Data Controller wishes to carry out further data processing regarding the personal data of the data subject for a purpose other than the purpose the data were collected for, the Data Controller informs him/her, prior to such data processing, of the new purpose and of all relevant supplemental information.