In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“) and Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (“Info-Act“) Shopper Park Plus Nyilvánosan Működő Részvénytársaság (registered office: 1015 Budapest, Batthyány utca 3. fszt. 1.; company registration number: 01-10-140433; tax number: 27033498-2-44, the “Controller“) informs persons who are data subjects under the GDPR (“Data Subjects“) of the processing of their personal data in this document (the “Privacy Policy”).

1. General information of the Controller

The Controller is a public limited company registered in Hungary, which, in accordance with its Articles of Association, carries out the following activities: lease and operation of owned and rented real estate, real estate management, sale of owned real estate, organisation of building construction projects, property management (holding), building management.

In the course of its activities, the Controller primarily processes the personal data of the shareholders owning its shares (the “Shareholders”) or the representative of legal person shareholders in compliance with the provisions of the applicable data protection legislation, such as the GDPR and the Info-Act.

2. Data processing on the website of the Controller

Anyone is entitled to use the www.shopperparkplus.hu website, and the content of the website is freely accessible to anyone. By clicking on the “Contact” tab in the main menu of the www.shopperparkplus.hu website, visitors can contact the Controller using the contact details provided there.

The website uses the Google Maps plug-in, which may, where applicable, transmit personal data to Google, Inc. (Mountain View, California), but which is not capable of directly identifying the visitor.

In this context, the Controller processes personal data as follows:

Processed personal data

  • Name
  • E-mail address
  • Other personal data provided by the visitor

Purpose of data processing

Making and maintaining contact

Providing information on the activities of the Controller, investment opportunities

Legal basis for data processing

GDPR Article 6(1)(b) (processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract)

Duration of data processing

From contact to conclusion of the contract, or in the absence of a contract, for 1 year from the date of contact

The data processing operations carried out by the Controller in the case of the data processing under this point are: collection, recording, storage, organisation.

3. Processing of Shareholders’ personal data

The Controller may have access to the Shareholders’ data in the event of a shareholder match. The Controller processes personal data that is made available to the Controller by the manager of the share register performing the shareholder matching after the shareholder matching has been performed.

The personal data of Investors, the purpose, legal basis and duration of the processing:

In case of natural persons

Processed personal data

  • Name
  • Address
  • Securities account number
  • Nominal value and number of shares
  • Tax number
  • ID card number

Purpose of data processing

Shareholder matching

Legal basis for data processing

GDPR Article 6(1)(f)

(Legitimate interest of the Controller)

Duration of data processing

Until the deletion of the Controller from the register

The possibility for the Controller to initiate shareholder matching is provided by law. In the case of ownership matching, the manager of the share register shall delete all data in the share register that are valid at the time of the shareholder matching and at the same time enter into the share register the data corresponding to the result of the shareholder matching. Thus, the Controller has a legitimate interest in knowing the identity of the Shareholders through the shareholder matching and in ensuring that the general assembly is duly held. In the view of the Controller the shareholder matching means a minimal intrusion into the privacy of the Shareholder and that an identity of interest can be established, as the shareholder does not need to provide proof of ownership in order to exercise their rights as a shareholder. The Controller has not identified any Shareholder rights and interests that would be prejudiced or adversely affected by the processing of data as set out in this section.

If the Shareholder wishes to participate in person or via a representative at the general assembly of the Controller, the Controller processes personal data as follows:

Processed personal data

  • Personal data indicated on the ID card and the address card of the Shareholder or his/her representative

Purpose of data processing

Verifying the identity of the Shareholder or his/her representative

Legal basis for data processing

GDPR Article 6(1)(f)

(Legitimate interest of the Controller)

Duration of data processing

As the verification of the identity is done by presenting the ID card and the address card, the processing of data is done until the return of the ID cards

The Controller has a legitimate interest to ensure that only Shareholders participate at the general assembly and it verifies the identity of the Shareholders appearing at the general assembly for this purpose. As the verification of the identity is done by presenting identification documents – ID card, address card – in line with the principle of data minimization, the processing of data has minimal impact on the privacy of the Shareholders, so the legitimate interest of the Controller overrides the rights, freedoms and legitimate interests of the Shareholders in this regard. Furthermore, the Data Controller considers that it is in the interest of the Shareholders that only those entitled to attend the general assembly are allowed to do so, thus there is an identity of interest.

If the general assembly is audio and/or video recorded in accordance with the Controller’s policies, the Controller will process personal data as follows:

Processed personal data

  • Image of the Shareholder
  • Motions and speeches at the plenary session

Purpose of data processing

Preparing accurate and valid minutes of the General Assembly

Legal basis for data processing

GDPR Article 6(1)(f)

(Legitimate interest of the Controller)

Duration of data processing

Until the deletion of the Controller from the register

The Controller has a legitimate interest in ensuring that the minutes of the general assembly held through personal participation are drawn up which accurately and truthfully record the events and resolutions of the general assembly, as well as the speeches and the motions made. As the Shareholder also has an interest in the minutes of the general assembly being drawn up in a manner that complies with the law, the Controller is of the opinion that there is an identity of interests and, in this context, the Controller has not identified any other shareholder interests of rights that would override the legitimate interests of the Controller.

In case of legal person Shareholders

Processed personal data

  • Details of the authorised representative/contact person (name, birth name, mother’s name, permanent address, type and number of identity document), position, telephone number, e-mail address for contact

Purpose of data processing

Keeping a register of Shareholder representatives

Contact

Legal basis for data processing

GDPR Article 6(1)(f)

(Legitimate interest of the Controller)

Duration of data processing

The Controller processes the data until the Shareholder owns the shares. If the identity of the representative changes, the Controller shall process the personal data of the new representative on the basis of the notification of the Shareholder.

Regarding the contacts between the Controller and the legal person Shareholders, the Controller considers that the processing of the personal data of the Shareholder’s representative is in the legitimate interest of both the Controller and the Shareholder, and thus an identity of interest can be established. Without the processing of the personal data of the Shareholder’s representative, smooth communication between the parties would be more difficult to ensure, and the personal data processed are indispensable for the maintenance of the relationship and constitute a minimal intrusion into the privacy of the data subject, in accordance with the principle of data minimisation. The Controller has not identified any representative rights or interests which would be prejudiced or adversely affected by the processing of personal data under this section.

The data processing operations carried out by the Controller for the data processing operations covered by this point are: collection, recording, storage, organisation, transmission by communication.

4. Automated decision-making (including profiling):

No automated decision-making, including profiling, takes place during the processing.

5. Transfer of personal data, recipients of personal data and categories of recipients:

The Controller uses the following data processors in connection with data processing:

ViaCom Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 2360 Gyál, Deák Ferenc utca 17., company registration number: 13-09-109794), which provides hosting services.

6. Rights of the Data Subject

The Data Subject (including the Shareholder) may exercise the rights set out in Chapter III of the GDPR in relation to the processing described in this Policy, as follows:

Withdrawal of consent

The Data Subject has the right to withdraw his or her consent to the processing of his or her personal data at any time, without giving any reason, and without imposing any financial or other obligation on the Data Subject.

Right of access and information

The Data Subject has the right to receive information on whether his or her personal data is being processed and, if so, to have access to information related to the processing (purpose of processing, categories of personal data, source of personal data, etc.). The Data Subject may also request a copy of the personal data that are the subject of the processing.

Right of rectification

The Data Subject shall have the right to request the rectification or addition of personal data processed by the Controller.

Right to deletion

At the Data Subject’s request, the Controller shall have the right to delete the personal data processed by the Controller if one of the following reasons applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the Data Subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller;
  • the personal data have been collected in connection with the provision of information society services.

However, the right to deletion is not unlimited and may be limited by the requirements of applicable EU and national data protection laws.

Right to restriction of processing

Data Subjects have the right to request the restriction of processing in the following cases:

  • the Data Subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the Data Subject requests the restriction of the processing instead of the erasure of the data;
  • the Controller does not need the personal data for the purposes of the processing but the Data Subject requires them for the establishment, exercise or defence of legal claims; or
  • the Data Subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.

After the restriction of processing, the personal data subject to the restriction may be processed, except for storage, only with the consent of the Data Subjects or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

Data Subjects also have the right to receive their personal data provided to the Controller by electronic means and to have them transmitted to another controller.

Right to object

The Data Subject has the right to object to the processing of his or her personal data if the processing is carried out for direct marketing purposes. In this case, the data that are the subject of the objection may no longer be processed for direct marketing purposes.

In matters relating to their complaints, Data Subjects have the right to file a complaint with the competent data protection supervisory authority.

Given that the Controller is not a public authority or other organisation with public tasks, nor does it carry out systematic and large-scale systematic monitoring of Data Subjects, nor does it process data relating to criminal offences, the Controller does not have a Data Protection Officer.

7. General rules on the exercise of rights of the Data Subject:

The Controller shall inform the Data Subject of the action taken in response to the request without undue delay, but no later than 30 days from the receipt of the request. Where necessary, taking into account the complexity of the request and the number of requests made by the Data Subjects, this time limit may be extended by a further two months. The Controller shall inform the Data Subject of the extension of the time limit within 30 days of receipt of the request, stating the reasons for the delay.

The Controller shall provide the Data Subject with information and action free of charge. If the Data Subject’s request is obviously unfounded or excessive, in particular because of its repetitive nature, the Controller shall, taking into account the administrative costs of providing the requested information or information or of taking the requested action:

  1. charge a reasonable fee, or
  2. refuse to act on the request.

The burden of proof that the request is obviously unfounded or excessive lies with the Controller.

If the Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the Data Subject.

8. Enforcement options:

The Data Subject may at any time contact the representatives of the Controller, Kristóf Péter Bárány, Gábor Németh, András Marton, regarding the processing of his/her personal data. Contact details of the Controller’s representative:

e-mail address: info@shopperparkplus.hu

The Controller shall respond to requests received in the manner and within the time limits set out in point 7 of this Policy.

The Data Subject may take the Controller to court in the event of a breach of his or her rights. The court shall rule on the case out of turn. The Controller shall prove that the processing complies with the law. The regional courts, in the capital city the Metropolitan Court shall have jurisdiction to hear the case. The action may also be brought before the regional court of the place of residence or domicile of the Data Subject.

In the event of a complaint regarding the processing of personal data, the Data Subject may also contact the supervisory authority where the Data Controller is established, National Authority for Data Protection and Freedom of Information (Dr. Péterfalvi Attila, President of the National Authority for Data Protection and Freedom of Information, postal address: Budapest, Falk Miksa u. 9-11, 1055, Hungary, Phone: +36 (30) 683-5969; E-mail: ugyfelszolgalat@naih.hu; Website: www.naih.hu). The Data Subject also has the right to file a complaint in the Member State of his or her habitual residence, place of work or place of the alleged infringement.