DATA PROTECTION AND DATA PROCESSING POLICY

The application of the Data Protection and Data Processing Policy

The name of the company: Biggeorge Fund Management Private Limited Company and the real estate investment funds established by it (hereinafter: Company or Controller)
The seat of the Company: 1023 Budapest, Lajos u. 28.32.
The person responsible for the policy: Compliance officer
The date of the entry into force of the policy: 25 May 2018

This policy (hereinafter: Policy) lays down rules for the protection of natural persons regarding the Processing of Personal data and the free flow of Personal data. The rules laid down in the Policy shall be applied during the specific Processing activities and upon issuing instructions and notifications regulating the Processing.

The Company shall not employ a data protection officer.

The scope of the Policy

The Policy shall be valid until withdrawal; its scope shall cover the officers, employees, subcontractors and agents of the Company as well as the possible processors engaged by the Controller.

The purpose of the Policy

The purpose of the Policy is to ensure compliance with the legislation on data protection and the proper Processing of Personal data.

During its activities, the Company intends to comply fully with the legal requirements regarding the Processing of Personal data, in particular the rules laid down in the Regulation (EU) 2016/679 of the European Parliament and of the Council.

It is also an important purpose of issuing the Policy to enable the employees, subcontractors and agents of the Company to lawfully process the data of natural persons by getting to know and complying with it.

Definitions:

  • controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • processing means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • processor means a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller;
  • personal data means any information relating to an identified or identifiable natural person (Data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • third party means a natural or legal person, public authority, agency or body other than the Data subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal data;
  • Data subject means a certain natural person identified or – directly or indirectly – identifiable on the basis of personal data;
  • consent of the Data subject means any freely given, specific, informed and unambiguous indication of the Data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal data relating to him or her;
  • personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise processed.

The principles of Processing

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data subject.

Personal data shall be collected for specified, explicit and legitimate purposes.

The purpose of the Processing of Personal data shall be adequate and relevant and limited to what is necessary.

Personal data shall be accurate and kept up to date. Personal data that are inaccurate shall be erased without delay.

Personal data shall be kept in a form which permits identification of Data subjects for no longer than is necessary. Personal data may be stored for longer periods insofar as the Personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Personal data shall be processed in a manner that ensures appropriate security of the Personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The principles of data protection shall be applied to all information relating to an identified or identifiable natural person.

The employees of the Company carrying out Processing activities shall bear responsibility for the lawful Processing of Personal data, subject to disciplinary action, the payment of damages as well as civil and criminal sanctions. If the employee becomes aware of the fact that the Personal data processed by the employee is inaccurate, incomplete or not up to date, the employee shall be obliged to rectify such data or to initiate its rectification with the employee responsible for the recording of such data.

The Processing of Personal data

Since natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers, these identifiers combined with other information may be used to create profiles of the natural persons and identify them.

The Processing of Personal data should take place only if the Data subject gives his or her consent by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data subject's agreement to the Processing of Personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

Ticking a box when visiting an internet website is also considered to be a consent to Processing. Silence, pre-ticked boxes or inactivity should not constitute consent.

Consent can also include choosing technical settings for information society services by a user or another statement or conduct which clearly indicates in this context the Data subject's acceptance of the Processing of his or her Personal data.

Children merit specific protection with regard to their Personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the Processing of Personal data. Such specific protection should, in particular, apply to the use of Personal data of children for the purposes of marketing or creating personality or user profiles.

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the Personal data, including for preventing unauthorised access to or use of Personal data and the equipment used for the Processing.

Every reasonable step should be taken to ensure that Personal data which are inaccurate are rectified or deleted.

Lawfulness of Processing

Processing shall be lawful only if one of the following applies:

  • the Data subject has consented to the processing of his or her Personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the Data subject is party or in order to take steps at the request of the Data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • Processing is necessary in order to protect the vital interests of the Data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data subject which require protection of Personal data, in particular where the Data subject is a child.

In view of the above, Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Where Processing is carried out in accordance with a legal obligation to which the Controller is subject or where Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the Processing should have a basis in Union or Member State law.

The Processing of Personal data should be regarded as lawful where it is necessary to protect an interest which is essential for the life of the Data subject or to protect the interests of another natural person mentioned above. Processing of Personal data based on the vital interests of another natural person should in principle take place only where such Processing cannot be based on another legal basis.

Some types of Processing may serve both important grounds of public interest and the vital interests of the Data subject as for instance when Processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

The legitimate interests of the Controller, including such a Controller to which the Personal data may be disclosed, or of a Third party, may provide a legal basis for Processing. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the Data subject and the Controller in situations such as where the Data subject is a client or in the service of the Controller.

The Processing of Personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the Controller concerned. The Processing of Personal data for direct marketing purposes may also be regarded as carried out for a legitimate interest.

At any rate the existence of a legitimate interest would need careful assessment including whether a Data subject can reasonably expect at the time and in the context of the collection of the Personal data that Processing for that purpose may take place. The interests and fundamental rights of the Data subject could in particular override the interest of the Controller where Personal data are processed in circumstances where Data subjects do not reasonably expect further Processing.

The Processing of Personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by public authorities, by computer emergency response teams, computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the Controller concerned.

The Processing of Personal data for purposes other than those for which the Personal data were initially collected should be allowed only where the Processing is compatible with the purposes for which the Personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the Personal data is required.

The Processing of Personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

The consent of the Data subject, conditions

  • Where Processing is based on consent, the Controller shall be able to demonstrate that the Data subject has consented to the Processing of his or her Personal data;
  • If the Data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters;
  • The Data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal. Prior to giving consent, the Data subject shall be informed thereof. It shall be as easy to withdraw as to give consent;
  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the Processing of Personal data that is not necessary for the performance of that contract;
  • In relation to the offer of information society services directly to a child, the Processing of the Personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such Processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Processing of Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited unless the Data subject has given explicit consent to the Processing of those Personal data for one or more specified purposes.

Processing of Personal data relating to criminal convictions and offences or related security measures shall be carried out only by an official authority.

Processing which does not require identification

If the purposes for which a Controller processes Personal data do not or do no longer require the identification of a Data subject by the Controller, the Controller shall not be obliged to maintain additional information.

Where the Controller is able to demonstrate that it is not in a position to identify the Data subject, the Controller shall inform the Data subject accordingly, if possible.

The provision of information to and the rights of the Data subject

The principles of fair and transparent Processing require that the Data subject be informed of the existence of the Processing and its purposes.

Where the Personal data are collected from the Data subject, the Data subject should also be informed whether he or she is obliged to provide the Personal data and of the consequences of the failure to provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended Processing.

The information in relation to the Processing of Personal data relating to the Data subject should be given to him or her at the time of collection from the Data subject, or, where the Personal data are obtained not from the Data subject but from another source, within a reasonable period, depending on the circumstances of the case.

The Data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the Processing. Every Data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the Personal data are processed, and where possible the period for which the Personal data are processed.

The Data subject should have the right, in particular, to have his or her Personal data erased and no longer processed where the Personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where the Data subject has withdrawn his or her consent.

Where Personal data are processed for the purposes of direct marketing, the Data subject should have the right to object to such Processing of Personal data concerning him or her, at any time and free of charge.

The review of Personal data

In order to ensure that the Personal data are not kept longer than necessary, time limits should be established by the Controller for erasure or for a periodic review. The time limit established by the head of the Company for a periodic review: 1 year.

The responsibilities of the Controller

The Controller shall implement appropriate data protection policies to ensure the lawfulness of the Processing of Personal data. These rules shall apply to the responsibility and liability of the controller.

The Controller shall be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of Processing activities with the applicable legal regulations.

Those rules should take into account the nature, scope, context and purposes of the Processing and the risk to the rights and freedoms of natural persons.

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures. Pursuant to the Policy, the Controller shall review and update the other internal rules where necessary.

The Controller or the Processor shall maintain appropriate records of Processing activities carried out under its responsibility. Each Controller and Processor shall be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those Processing operations.

Rights relating to Processing

  • The right to request information: by using the contact details provided, any person shall have the right to request information on which data concerning him or her the Company processes and on what legal basis, for what purpose of Processing, from what sources and for how long. Upon his or her request, information shall be sent to the provided contact details without delay, but within 30 days at the latest.
  • The right to rectification: by using the contact details provided, any person shall have the right to request the amendment of any of his or her data. Upon his or her request, measures shall be taken in this regard without delay, but within 30 days at the latest and information shall be sent to the provided contact details.
  • The right to erasure: by using the contact details provided, any person shall have the right to request the erasure of his or her data. Upon his or her request, the erasure shall be carried out without delay, but within 30 days at the latest and information shall be sent to the provided contact details.
  • The right to blocking of data and to restriction of processing: by using the contact details provided, any person shall have the right to request the blocking of his or her data. The data shall be blocked until the storage of data is necessary for the reason indicated. Upon request, the blocking shall be carried out without delay, but within 30 days at the latest and information shall be sent to the provided contact details.
  • The right to object: by using the contact details provided, any person shall have the right to object to the Processing. The objection shall be examined as soon as possible, but within 15 days at the latest after the submission of the request; a decision shall be made on whether the objection was well-founded or not, and information on the decision shall be sent to the contact details provided.

Remedies relating to Processing

National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, P.O. box: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: https://naih.hu

The Data subject, in the case of the breach of his or her rights, may apply to the court against the Controller. The court gives such a case priority. The Data subject may choose to initiate the proceedings before the competent regional court of his or her domicile or place of residence.

The legal basis of Processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Act CXII of 2011 on the right to self-determination as regards information and freedom of information;
  • Act CVIII of 2001 on certain issues of electronic commerce activities and information society services;
  • Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity;
  • Act XC of 2005 on the freedom of electronic information;
  • Act C of 2003 on electronic communications;
  • Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;
  • Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior notification.

This Data Protection and Data Processing Policy was approved by the Board of Directors of Biggeorge Fund Management Private Limited Company with its decision No. 1/2018 (V.25.); the policy is valid and effective as of 25 May 2018.