
General data protection


1. Scope of the General Data Protection Policy

1.1. Bimfra Design and Service Limited Liability Company (registered office: 1085 Budapest, Kálvin tér 12, 7th floor, company registration number: 01-09-177156, registered in the company register maintained by the Metropolitan Court of Budapest) establishes the following policy regarding personal data processing and data protection in accordance with the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), and Regulation (EU) 2016/679 of the European Parliament and the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), in order to ensure the protection of personal data it processes.

1.2. The purpose of this policy is to ensure the protection of personal data processed by Bimfra Design and Service Limited Liability Company (hereinafter: the Company, Bimfra Ltd., or Data Controller) during its operations, to define the data protection rules to be followed in the processing of personal data, to ensure the enforcement of constitutional principles of data protection, the requirements of data security, and to prevent unauthorized access to personal data, as well as its unauthorized alteration or disclosure.

1.3. This policy contains the provisions regarding the personal data processing of Bimfra Ltd., complying with the applicable legal requirements. The Data Controller has developed and applies this policy, including technical and organisational measures, within the framework of legal compliance, to protect the rights of data subjects.

1.4. The personal scope of the policy extends to all employees of Bimfra Ltd., its contracted data processors and their employees, and any person (natural person, legal entity, organisation without legal personality, etc.) who comes into contact with the personal data processed by Bimfra Ltd. in any manner (e.g., through a contract).

1.5. The material scope of this policy covers all personal data processed by Bimfra Ltd. for any purpose and all records containing personal data that are held by the Company, regardless of their format.

1.6. The current consolidated version of this policy is continuously available on the website of the Data Controller [www.bimfra.com].

2. Name and Details of the Data Controller

2.1. The name of the Data Controller: Bimfra Design and Service Limited Liability Company

2.2. Identification details of the Data Controller:

  • Company registration number: 01-09-177156

  • Tax number: 24682567-2-42
     

2.3. Contact details of the Data Controller:

  • Registered office: 1085 Budapest, Kálvin tér 12, 7th floor

  • Email: info@bimfra.com
     

2.4. The representative of the Data Controller: János Dobsi, Managing Director

 

3. General Information on Data Processing: Basic Terms Related to Data Processing

3.1. "Personal data": Any information relating to an identified or identifiable natural person (data subject); a natural person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

3.2. "Data processing": Any operation or set of operations performed on personal data or on data sets, whether by automated or non-automated means, including collection, recording, organisation, structuring, storage, alteration or modification, retrieval, consultation, use, disclosure, transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3.3. "Restriction of data processing": Marking stored personal data with the aim of limiting its future processing.

3.4. "Data controller": The natural or legal person, public authority, agency, or any other body which determines the purposes and means of the processing of personal data, either alone or in conjunction with others.

3.5. "Data processor": The natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller.

3.6. "Recipient": A natural or legal person, public authority, agency, or any other body to whom or to which personal data is disclosed, regardless of whether they are a third party. Public authorities which may access personal data within the framework of a specific investigation under Union or Member State law are not considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.

3.7. "Third party": A natural or legal person, public authority, agency, or any other body which is not the data subject, the data controller, the data processor, or persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.

3.8. "Data subject": A natural person to whom personal data processed by the Data Controller relates.

3.9. "Consent of the data subject": A voluntary, specific, informed, and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action, through which the data subject signifies their agreement to the processing of personal data relating to them.

3.10. "Profiling": Any form of automated processing of personal data, which involves the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

3.11. "Pseudonymisation": The processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the data cannot be attributed to an identified or identifiable natural person. The provisions of the GDPR apply to pseudonymised data.

 

3.12. "Anonymisation": The process of transforming personal data in such a way that the data subject is no longer identifiable. The GDPR does not apply to the processing of anonymous information, including data processing for statistical or research purposes.

3.13. "Data breach": A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed.

3.14. "Data set": The totality of data managed in a particular register.

3.15. "Data processing": The totality of data processing operations carried out by a data processor on behalf of or following the instructions of the data controller.

3.16. "Data deletion": The process of making data unrecognisable in such a way that recovery is no longer possible.

3.17. "Data destruction": The complete physical destruction of the data carrier containing the data.

3.18. "Data transmission": Making data available to a specific third party.

3.19. "EEA Member State": A member state of the European Union and any other state party to the Agreement on the European Economic Area (EEA), as well as any state whose nationals, under an international treaty concluded between the European Union and its member states and a state not party to the EEA Agreement, enjoy the same legal status as nationals of an EEA member state.

3.20. "Third country": Any state that is not an EEA member state.

3.21. "Genetic data": Personal data relating to the inherited or acquired genetic characteristics of a natural person, which provides unique information about that person's physiology or health and which is primarily derived from the analysis of a biological sample taken from the individual.

3.22. "Biometric data": Personal data resulting from specific technical processing of a natural person's physical, physiological, or behavioural characteristics that allows or confirms the unique identification of that individual, such as facial images or fingerprint data.

3.23. "Health data": Personal data relating to the physical or mental health condition of a natural person, including data concerning health services provided to the person, which carries information about their health condition.

3.24. "Special categories of data": Personal data that pertains to sensitive categories, including racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of unique identification of individuals, health data, and personal data related to a person's sex life or sexual orientation.

3.25. "Binding corporate rules": A personal data protection rule followed by a data controller (or data processor) operating in the territory of a Member State of the Union and involving the transfer of personal data within the same corporate group or among businesses conducting joint economic activities in one or more third countries.

4. General Information on Data Processing: Principles of Data Processing

4.1. The Data Controller shall act in accordance with and ensure the application of the following principles in the processing of personal data, as defined in Article 5 of the GDPR and Section 4 of the Infotv:

a.) Lawfulness, fairness, and transparency: The Data Controller processes personal data lawfully and fairly, and in a transparent manner to the data subject.

b.) Purpose limitation: The Data Controller processes personal data solely for specified, legitimate purposes, and for the exercise of legal rights or the fulfilment of legal obligations.

c.) Accuracy: The Data Controller seeks to ensure the accuracy, completeness, and, where necessary for the purposes of processing, the up-to-date nature of personal data. The Data Controller takes all reasonable measures to ensure that inaccurate personal data is rectified or erased without undue delay.

d.) Data minimisation: The Data Controller processes only personal data that is adequate, relevant, and necessary for the purposes of processing.

e.) Storage limitation: The Data Controller stores personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.

f.) Integrity and confidentiality: The Data Controller ensures the security of personal data using appropriate technical or organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

4.2. The Data Controller is responsible for complying with the data protection principles and must be able to demonstrate this compliance. In consideration of the nature, scope, circumstances, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons with varying likelihoods and severity, the Data Controller implements appropriate technical and organisational measures to ensure and demonstrate that personal data is processed in accordance with the GDPR (accountability).

5. General Information on Data Processing: Legal Basis for Data Processing (Lawful Processing of Personal Data)

5.1. According to Articles 6-9 of the GDPR, the application of the appropriate legal basis is an essential condition for lawful data processing.

5.2. The Data Controller may process personal data only under the following circumstances (legal bases):

a.) The data subject has given consent to the processing of their personal data for one or more specific purposes;

b.) The processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;

c.) The processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

d.) The processing is necessary to protect the vital interests of the data subject or another natural person;

e.) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

f.) The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject, particularly when the data subject is a child.

5.3. For each data processing activity, the most appropriate legal basis should be applied whenever possible.

5.4. In addition to determining the appropriate legal basis, the principles of data processing (Chapter 4 of this Policy) must always be adhered to in order to ensure lawful data processing.

5.5. Regarding special categories of personal data, the general rule is the prohibition of processing, which may only be lifted if, in addition to the legal basis set out in Article 6 of the GDPR, one of the conditions specified in Article 9(2) is also met.

5.6. If data processing is based on the data subject’s consent, the Data Controller must obtain the data subject’s voluntary, specific, and informed written consent before processing the data. If data processing is based on consent, the Data Controller must be able to demonstrate that the data subject has consented to the processing of their personal data. In the case of consent as the legal basis, personal data may only be processed after receiving the documented/electronically recorded declaration from the data subject. The Data Controller must record that the data subject has been informed that they can withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. The data subject must be informed about the ability to withdraw consent before providing it, and the withdrawal process must be as simple as providing consent.

5.7. The legal basis of contract performance applies to data processing that is strictly necessary for the performance of a contract. The legal basis for contract performance can only be applied when the data subject, whose data is to be processed under or for the preparation of the contract, is a party to the contract. This basis cannot be applied in the absence of a direct contractual relationship.

5.8. In the case of data processing based on a legal obligation, the Data Controller must be able to identify the specific EU or national legal obligation (e.g., law, local regulation) under which the processing is based (see detailed requirements in Article 6(3) of the GDPR).

5.9. A legal basis for data processing can be invoked to protect the vital interests of the data subject or another person, particularly in emergency situations where there is an imminent risk to life, physical integrity, or property. This legal basis can only be used in exceptional cases and when no other legal basis is applicable.

5.10. If the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, and the legal basis is determined by EU law or the national law applicable to the Data Controller, this legal basis may be invoked.

5.11. Data processing based on legitimate interest is lawful when it is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party. An initial legitimate interest assessment must be performed, weighing the interests of the data subject and the Data Controller, ensuring that the processing does not unduly interfere with the privacy of the data subject, and does not cause disproportionate harm.

5.12. In the case of legitimate interest as a legal basis for data processing, a legitimate interest assessment must be conducted. In line with the accountability principle, personal data may only be processed after conducting and documenting the legitimate interest assessment.

5.13. The legal bases for each data processing activity are specified in the data processing notices.

6. Rights of the Data Subject

6.1. The data subject shall be entitled to the following rights in relation to data processing, within the framework of mandatory legal provisions concerning data processing:

a) Right to transparent information related to data processing;

b) Right of access to information related to data processing, including a copy of the personal data processed;

c) Right to rectify inaccurate or incomplete personal data, or to supplement it;

d) Right to erasure;

e) Right to restriction of processing;

f) Right to data portability;

g) Right to object.

6.2. The Data Controller shall provide the data subject with all information related to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, clearly and in an easily understood manner.

6.3. The notices to the data subjects shall include the mandatory elements prescribed in Articles 13 and 14 of the GDPR. If personal data are collected from the data subject, the Data Controller shall provide the information at the time of collection. If the Data Controller intends to further process personal data for purposes other than the original collection purpose, the data subject must be informed of this different purpose before the further processing.

6.4. The data subject may request access to their personal data. The data subject is entitled to receive feedback from the Data Controller as to whether their personal data are being processed, and if so, is entitled to access the personal data and further information. If personal data are transferred to a third country or an international organisation, the data subject is entitled to receive information about the appropriate safeguards pursuant to Article 46 of the GDPR.

6.5. The data subject is entitled to request a copy of their personal data from the Data Controller, which does not include a copy of any documents created using the personal data. The Data Controller may charge a reasonable fee based on administrative costs for any further copies requested by the data subject. If the request is submitted electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise.

6.6. If the data subject requests rectification, the Data Controller must rectify the inaccurate personal data without undue delay, and the data subject is entitled to request the completion of incomplete personal data.

6.7. The data subject is entitled to request the erasure of their personal data from the Data Controller, and the Data Controller is obliged to erase the personal data without undue delay if:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; or

b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing; or

c) the data subject objects to processing based on public interest, the exercise of official authority, or legitimate interests, and there are no overriding legitimate grounds for the processing; or

d) the data subject objects to processing for direct marketing purposes; or

e) the personal data have been unlawfully processed; or

f) the personal data must be erased to comply with a legal obligation in Union or Member State law to which the Data Controller is subject; or

g) the personal data were collected in relation to the offering of information society services to children.

6.8. The data subject may request the restriction of processing if:

a) the data subject disputes the accuracy of the personal data;

b) the processing is unlawful, and the data subject opposes the erasure of the data;

c) the Data Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defence of legal claims;

d) the data subject has objected to the processing based on legitimate interests or public interest (until it is determined whether the Data Controller's legitimate grounds override those of the data subject).

The Data Controller must notify the data subject of the lifting of the restriction.

6.9. The data subject is entitled to receive their personal data, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and is entitled to transmit those data to another data controller without hindrance from the Data Controller, where the legal conditions for data portability are met. The right to data portability must not adversely affect the rights and freedoms of others. The right to data portability applies to personal data related to employment or customer relations, meaning a copy of the personal data, not a copy of any document or any other form (including electronic documents) created using personal data.

6.10. The data subject is entitled to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on public interest or in the exercise of official authority or legitimate interests, including profiling based on these grounds. In the event of an objection, the Data Controller must cease processing the personal data and erase it, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or are related to the establishment, exercise, or defence of legal claims.

6.11. The data subject is entitled to withdraw their consent to the processing of their personal data at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject may withdraw consent in the same easy manner as they gave it.

6.12. The Data Controller is obliged to facilitate the exercise of the data subject’s rights. The data subject may submit their request to exercise their rights electronically, orally, or in writing. The Data Controller cannot refuse to comply with a request to exercise the data subject’s rights, unless it can demonstrate that it is unable to identify the data subject. The Data Controller must provide feedback to the data subject free of charge and without undue delay, but no later than one month from the receipt of the request. If necessary, the one-month period may be extended by a further two months. The Data Controller must also inform the data subject within one month if no action is taken on the data subject’s request. In this case, the information shall include the reasons for not taking action and the data subject’s right to lodge a complaint with the supervisory authority.

6.13. In the case of unlawful data processing, the Data Controller ensures that data subjects have appropriate legal remedies (right to remedy). In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (NAIH).

6.14. If the data subject believes that the processing of their personal data violates the relevant legal provisions concerning data processing, they may initiate court proceedings or file a complaint with the NAIH.

6.15. Contact details of the National Authority for Data Protection and Freedom of Information:

  • Address: 1055 Budapest, Falk Miksa utca 9-11.

  • Mailing address: 1363 Budapest, P.O. Box 9.

  • Phone: +36 1 391 1400

  • Fax: +36 1 391 1410

  • Email: ugyfelszolgalat@naih.hu

  • Website: http://www.naih.hu

6.16. Anyone who suffers damage as a result of a breach of the applicable data protection laws may demand compensation for their proven damages. The Data Controller is liable for any damage caused by data processing that infringes the provisions of applicable data protection laws, unless it can prove that it is not responsible for the event causing the damage.

7. Data Security

7.1. The Data Controller takes appropriate technical and organisational measures to ensure the proper level of security for personal data and to protect personal data – specifically against unauthorised access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental loss or damage – in accordance with the risks posed to the fundamental rights of data subjects by the data processing. The Data Controller will implement appropriate technical and organisational measures, taking into account the nature, scope, circumstances, and purposes of the data processing and any potential risks to the data subjects' rights. The Data Controller will take all necessary actions to guarantee an adequate level of data security and prevent data protection incidents. In the design and implementation of these measures, the Data Controller pays particular attention to establishing risk-minimising procedures and processes within its business operations, as well as to the efficient operation of its IT systems in a way that guarantees data security.

7.2. To ensure an adequate level of data security, the Data Controller will grant access to personal data only to those employees who, in accordance with the current Regulations and applicable laws, require access to such data in order to fulfil their job responsibilities.

7.3. The Data Controller is committed to implementing any newly identified technical solutions or organisational processes that provide a higher level of data security than previous ones, in order to continuously improve data security.

7.4. The Data Controller reviews its data processing activities periodically and, where necessary, implements measures to ensure compliance with the relevant legal requirements. If the review or the measures taken as a result necessitate any amendments or additions to the current Regulations, the Data Controller will promptly make these changes and publish the updated Regulations.

8. Data Protection Incident

8.1. If a data protection incident occurs (the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data), the Data Controller will report the incident to the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and within 72 hours of becoming aware of it, in accordance with the legal requirements. If, in the Data Controller's reasonable judgment, the incident is unlikely to result in a risk to the data subjects, the notification obligation set out in this section does not apply.

8.2. In addition to notifying the NAIH, the Data Controller will inform the affected data subjects about the data protection incident if there is a legal obligation to do so.

 

9. Data breach

 

9.1. If any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (data breach) occurs, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) without delay, but if possible no later than within 72 hours of becoming aware of the data breach, with the content required by law.

 

9.2. In addition to notifying the NAIH, the Data Controller shall inform the data subject about the data breach if a specific information obligation is imposed on the Data Controller by law.

 

9.3. The Controller shall keep a record of the data breaches, indicating the facts relating to the data protection incident, its effects and the measures taken to remedy it.

 

10. Data security

 

10.1. The Data Controller shall implement appropriate technical and organizational measures, in particular taking into account the nature, scope, circumstances and purposes of the data processing and the possible risks to the rights of the data subjects, in order to guarantee an adequate level of data security to the extent of potential risks and take all necessary measures in order to prevent possible data breaches.

In developing and implementing these technical and organisational measures, the Data Controller pays special attention to establishing risk-minimising procedures and processes within the framework of its business activities, as well as to the efficient and secure operation of the information technology (IT) systems it uses.

 

10.2. In order to guarantee an adequate level of data security, the Data Controller shall grant access to the data only to those employees who need it to fulfil their job responsibilities, and only to the extent necessary for that purpose. In compliance with these Regulations and the legislation in force at any time, the employees of the Data Controller may process data only in order to fulfil their job responsibilities, for the duration of and to the extent necessary for that purpose.

 

10.3. The Data Controller is committed to the implementation of new technical solutions or organizational processes that guarantee data security to a greater extent than before, and will strive to implement them in order to continuously increase data security.

 

10.4. The Data Controller reviews its data processing activities from time to time and, in addition to implementing any measures that may be necessary, continuously ensures compliance with the provisions of the legislation governing data processing. If the review or the measures implemented as a result of it necessitate the amendment or supplementation of these Regulations, the Data Controller shall implement these amendments or supplementations immediately and shall also publish the amended or supplemented Regulations in accordance with Section 1.6 of these Regulations.

 

11. Legal remedy

 

11.1. If the data subject considers that the processing of personal data concerning him or her infringes the legal provisions governing data processing, the data subject may, in order to enforce his or her rights, initiate legal proceedings or submit a complaint to the National Authority for Data Protection and Freedom of Information (NAIH) on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), Act CXII of 2011 on the right to informational self-determination and freedom of information, and Act V of 2013 on the Civil Code.

 

11.2. Contact details of the National Data Protection and Freedom of Information Authority:

  • mailing address: 1530 Budapest, P.O. Box 5.

  • address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

  • telephone: +36 1 391 1400

  • fax: +36 1 391 1410

  • e-mail: ugyfelszolgalat@naih.hu
     

11.3. Any person who suffers damage as a result of an infringement of data processing law may claim compensation for the proven damage. The Data Controller shall be liable for any damage caused by its data processing that infringes the legal provisions governing its data processing activities, unless it can prove that it is not liable for the event that caused the damage.

Contact us

Should you have any questions about our services, please contact us by email or phone; our colleagues will be at your disposal.


Address: Kálvin Square Building, Kálvin tér 12, 7th floor, 1085 Budapest, Hungary

Phone: +36 1 799 2199

