Privacy Notice
last update: 20 February 2024
1. Name of the data controller
Data Controller: Bentley Golden Visa Ltd. (hereinafter: Data Controller)
Registered seat: H-1139 Budapest, Lomb u. 15.
Corporate registration number: 01-09-428494
Tax number: 32520796-2-41
Website: www.bentleygoldenvisa.com
Email: office@bentleygoldenvisa.com
2. General legislative provisions serving as a legal basis for data processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR or General Data Protection Regulation)
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Act on Privacy)
- Act V of 2013 on the Civil Code (Civil Code)
- Act CXXVII of 2007 on Value Added Tax (Act on VAT)
- Act C of 2000 on Accounting (Act on Accounting)
3. Terms and definitions
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data includes in particular: name, address, place and date of birth, mother's name.
Filing system: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Supervisory authority: means an independent public authority which is established by a Member State pursuant to Article 51, thus in Hungary it is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
4. Principles
The Data Controller takes into account the following principles relating to the processing of personal data, so that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1) of the GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
g. the Data Controller shall be responsible for, and be able to demonstrate compliance with, the foregoing provisions (‘accountability’).
5. Legal basis for processing
The Data Controller will only perform the processing of personal data if at least one of the following applies:
a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation to which the data controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
6. Data processing activities
a. General information provision, information request (Send message)
Legal basis for processing: Consent of the data subject based on Article 6 (1) a) of the GDPR
Duration of data processing: until withdrawal of the data subject's consent
b. Data processing related to product purchase
Legal basis for processing: Article 6 (1) b) of the GDPR: Performance of contract and Article 6 (1) c) Civil Code.
Duration of the data processing: 5 years under Section 6:22 of the Civil Code
c. Data processing related to invoicing
Legal basis for processing: Section 159 (1) of the Act on VAT
Duration of the data processing: 8 years under Section 169 (1) of the Act on Accounting
7. Data accessibility and data transfers
Personal data may be accessed by the Data Controller's staff for the purpose of performing their tasks.
The Data Controller engages a Data Processor for the processing. The Data Processors do not make independent decisions; they are only entitled to proceed based on their contract concluded with the Data Controller and the orders received. The Data Controller only engages Data Processors that implement appropriate technical and organizational measures in order to guarantee data security appropriate for the level of risk. The specific tasks and responsibilities of the Data Processor are governed by the contract concluded between the Data Controller and the Data Processor.
The Data Controller engages the following Data Processors for the processing activity:
- invoicing tasks: KBOSS.hu Kft. (registered seat: H-1031 Budapest, Záhony utca 7/D.; corporate registration number: 01-09-303201)
- server provider: Wix.com LTD. (registered seat: Yunitsman 5 Tel Aviv Israel) VAT ID: EU442008451
- system administrator: none
- Data storage: Tresorit Group AG (registered seat: Franklinstr. 27, CH-8050 Zürich, corporate registration number: CHE.461.665.254)
The Data Controller shall only transfer the processed personal data to an authority, court, or other public body in a manner and for the purposes specified under legislation. Under legal obligation, the data is transferred by the Data Controller to the following public authority: Hungarian National Tax and Customs Authority
8. Data security measures
The Data Controller will store the personal data on the servers of the server provider. The Data Controller ensures by way of appropriate IT, technical and personnel measures that the processed personal data is protected against unauthorised access or alteration. Thus, for example, logs are kept about any access to the data stored in the IT system, therefore it can always be monitored what kind of personal data was accessed, who accessed the data and when.
9. Rights relating to data processing
➢ Right to request information
The data subject may request information from the Data Controller in writing via the contact details provided in section 1 concerning
• what personal data are processed,
• on what legal basis,
• for what processing purposes,
• from what sources,
• for how long,
• to whom, when, and based on which legislation the Data Controller provided access to the data subject's personal data, or to whom they were transmitted.
The Data Controller will address the data subject's request within a month by way of a letter sent to the contact details provided by the data subject.
➢ Right to rectification
The data subject may request the rectification of personal data in writing from the Data Controller via the contact details provided under section 1 (for example when the email address or other contact details are changed). The Data Controller will address the request within a month and notify the data subject by way of a letter sent to the contact details provided by the data subject.
➢ Right to erasure
The data subject may request the erasure of his or her personal data from the Data Controller in writing via the contact details provided in section 1. The request for erasure will be rejected by the Data Controller if the Data Controller is obliged to retain the personal data under legislation. If, however, no such obligation prevails, the Data Controller will process the data subject's request within one month and send the response to the contact details provided by the data subject.
➢ Right to blocking (restriction of processing)
The data subject may request the blocking of his or her personal data from the Data Controller in writing via the contact details provided in section 1 (by clearly indicating the restricted nature of the processing and ensuring separate processing from other data). The blocking shall last as long as the retention of data is required for the reason indicated by the data subject. Data subjects can request the blocking of their data, for example, if they think that their submission was unlawfully processed by the Data Controller, but for the purposes of the authority or court procedure initiated by the data subject it is necessary that the submission is not erased by the Data Controller. In such cases the Data Controller will retain the personal data (for example, the given submission) until the notice of the authority or court is received, and following this the data will be deleted.
➢ Right to objection
The data subject may object to the processing of his or her personal data by the Data Controller in writing via the contact details provided in section 1, if the personal data would be transferred or used for public survey or scientific research. Therefore, the data subject may object to the personal data being used for scientific research purposes without the Data Controller's consent.
10. Exercising rights relating to data processing
➢ the data subject can also contact the Data Controller in relation to exercising the rights to the protection of personal data, via the contact details indicated in section 1.
➢ in the event of breach of the data subject's right to the protection of personal data, the data subject may seek legal remedy from the following authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
address: Budapest, Szilágyi Erzsébet fasor 22c, 1125
postal address: 1530 Budapest, Pf.: 5.
telephone: +36 (1) 391-1400
website: www.naih.hu
email: ugyfelszolgalat@naih.hu
➢ Engagement in legal proceedings: if the data subject experiences any unlawfulness in the processing of his or her personal data, a civil procedure can be initiated against the Data Controller. The judgement of the civil lawsuit falls under the competence of the tribunal. The lawsuit - according to the data subject's choice - can also be brought before the tribunal of the place of residence of the data subject (please find the contact details of the tribunals at the following link: https://birosag.hu/torvenyszekek)
11. Update and availability of the Privacy Notice
The Data Controller reserves the right to unilaterally amend this Privacy Notice. This Notice may be amended in particular if it is required due to legislative changes, data protection authority practice, business demand or newly explored security risk. Upon request of the data subject, the Data Controller will send a copy of the Notice in effect, in a form mutually agreed with the data subject.