Privacy Notice

The purpose of this Privacy Notice (hereinafter: “Notice”) is to inform you, as the data subject entitled to personal data (hereinafter: “Data Subject”), about the data protection and data management principles, rules, and provisions applied and observed by the Data Controller in relation to the data processing carried out by it, in accordance with Articles 13-14 of Regulation (EU) 2016/679 of the European Parliament and of the Council—applicable from May 25, 2018—on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”).

  1. Identity and Contact Details of the Data Controller

Name of Data Controller: Dr. Péter Novák, Attorney-at-Law (Dr. Péter Novák Law Office)

Registered address and mailing address of the Data Controller: 1061 Budapest, Andrássy út 17. I/8.

Other contact details of the Data Controller: office@goldenvisahungary.agency

The Data Controller manages personal data in compliance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “Info Act”),
  • Act V of 2013 on the Civil Code (hereinafter referred to as “Civil Code”),
  • Act XC of 2023 on the General Rules for the Entry and Residence of Third-Country Nationals (hereinafter referred to as “Entry and Residence Act”),
  • Act C of 2000 on Accounting (hereinafter referred to as “Accounting Act”),
  • Act CL of 2017 on the Rules of Taxation (hereinafter referred to as “Taxation Act”),
  • Decree No. 23/2014 (VI.30.) of the Ministry for National Economy on the Tax Administration Identification of Invoices and Receipts and the Electronic Preservation of Invoices (hereinafter referred to as “NGM Decree”),
  • Act CXXVII of 2007 on Value Added Tax (hereinafter referred to as “VAT Act”),

in order to ensure the enhanced protection of personal data of natural persons interacting with the Data Controller in connection with its activities and the operation of its website www.goldenvisahungary.agency. The Data Controller processes personal data in accordance with Article 5 of the GDPR.

The Data Controller is not obliged to appoint a data protection officer under Article 37 of the GDPR and, therefore, does not appoint one. Furthermore, the Data Controller is not required to designate a representative under Article 27 of the GDPR.

  2. Definitions

For the purposes of this Notice:

  • Personal data: Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Special category data: Any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation.
  • Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processing: The totality of data processing operations carried out by a data processor on behalf of or under the instructions of the data controller.
  • Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
  • Data Processing Operations: Any operation or set of operations performed on personal data or data sets, whether by automated or non-automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or making available in any other way, alignment or combination, restriction, erasure, or destruction.
  • Recipient: A natural or legal person, public authority, agency, or other body, to which the personal data are disclosed, whether a third party or not.
  • Data Subject’s Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Data Restriction: The marking of stored personal data with the aim of limiting its processing in the future.
  • Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Destruction of personal data: The complete physical destruction of the data carrier containing the data.
  • Data protection incident: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data that has been transmitted, stored, or otherwise processed.
  • Data transfer: Making data available to a specified third party.
  • Public disclosure: Making data accessible to anyone.
  • Deletion of data: Rendering data unrecognizable in such a way that its restoration is no longer possible.
  • Authority: National Authority for Data Protection and Freedom of Information (NAIH).

  3. Principles of Data Processing

The Processing of Personal Data

  • Personal data must be processed lawfully, fairly, and in a manner that is transparent to the data subject (“lawfulness, fairness, and transparency”).
  • Personal data may only be collected for specified, explicit, and legitimate purposes, and must not be processed in a manner that is incompatible with those purposes (“purpose limitation”). Further processing for the purposes of archiving in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the original purpose.
  • Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”).
  • Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, with regard to the purposes of the processing, is erased or rectified without delay (“accuracy”).
  • Personal data must be stored in a form that permits the identification of data subjects only for as long as necessary to achieve the purposes for which the personal data are processed. Longer storage periods are only permissible where personal data is processed for archiving in the public interest, scientific or historical research, or statistical purposes (“storage limitation”).
  • Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
  • The Data Controller is responsible for compliance with these principles and must be able to demonstrate compliance (“accountability”).

  4. Purpose and Legal Basis of the Processing of Personal Data

All data processing carried out by the Data Controller falls within the scope of the General Data Protection Regulation (GDPR). The Data Controller processes personal data exclusively for a specific purpose and with an appropriate legal basis, as detailed below:

The Data Controller collects personal data partly directly from the Data Subject, while in certain cases indirectly through the Data Subject’s intermediary, representative, or from official, publicly available registers. The Data Controller assumes no liability for the accuracy, falseness, or unauthorized provision of personal data.

In the case of a person under the age of 18 or otherwise lacking legal capacity or having limited legal capacity, only the Data Subject’s legal representative is entitled to decide on granting consent related to data processing, as well as on entering into any contract, which they may do on behalf of the Data Subject.

For its clients, who are third-country nationals, the Data Controller—typically based on a relevant agency contract—provides professional, high-quality, and reliable assistance, including consultation, support, investment opportunities, professional representation, and intermediary services, in order to ensure their lawful stay in Hungary and participation in the Golden Visa Hungary program. In doing so, the Data Controller cooperates with business partners, consultants, competent authorities, and administrative bodies, thereby contributing to the acquisition of residence permits.

IV/A. Data Processing Related to Contact (via Website and Other Means)

The purpose of data processing under this subsection is to enable the Data Subject to establish contact with the Data Controller through the website www.goldenvisahungary.agency, as well as via email, telephone, postal correspondence, or personal appearance, either directly or through an authorized intermediary/representative. The “Send a Message” function available on the website aims to facilitate and expedite communication with the Data Controller, allowing website visitors to inquire about services and ask any questions from the Data Controller. Inquiries may also be submitted directly via email, telephone, postal mail, or in person. In all cases, the purpose of data processing is for the Data Controller to respond to and fulfill inquiries and requests.

For the above activities, the Data Controller requests and processes the following personal data directly from the Data Subject or their representative for the purposes specified above:

  • Name
  • Email address
  • Telephone number
  • Nationality
  • Subject and content of the inquiry

These personal data are strictly necessary for the Data Controller to provide an appropriate and comprehensive response to the Data Subject’s inquiries and to facilitate communication with the Data Subject.

The legal basis for data processing under this subsection is the Data Subject’s consent in accordance with Article 6(1)(a) of the GDPR.

The Data Subject has the right to decide whether to grant consent before initiating contact, which is not a prerequisite for using other services on the website. The Data Subject may also decide the form in which they contact the Data Controller. The platform serves exclusively for inquiries, information requests, and communication purposes; however, it does not serve as a means for concluding contracts and does not constitute a prerequisite for entering into a contract. The Data Subject shall not suffer any disadvantage if they do not provide consent, as they may contact the Data Controller through other alternative means. In such cases, the Data Subject grants consent by submitting the inquiry.

The consent granted by the Data Subject may be withdrawn at any time. The Data Subject may withdraw consent at any time on the same platform where they contacted the Data Controller or by submitting a statement via postal or electronic means to any of the Data Controller’s contact details specified above.

In the event of consent withdrawal, the Data Controller shall delete all personal data provided at the time of contact without delay upon receiving the request. The withdrawal of consent shall not affect the lawfulness of data processing based on consent prior to its withdrawal.

The Data Controller shall store personal data until the Data Subject withdraws consent, but no longer than six months from the date of the inquiry.

The Data Controller shall not transfer these personal data to third parties.

IV/B. Data management related to personal consultation, advisory services, and request for quotes

The purpose of data processing under this subsection is for the Data Controller to personally contact the Data Subject for the purpose of preliminary assessments, preparation of contracts, making and accepting offers, providing advice and consultation. This is done to ensure that all necessary information and conditions are available for the conclusion and performance of the contract, and for the Data Controller to consult with the Data Subject, offer advice regarding the service, or prepare an offer in response to the Data Subject’s request for a quote. The Data Controller also assesses how it can provide services for the Data Subject.

In connection with the activities of the Data Controller mentioned above, the following personal data is requested and processed from the Data Subject directly or, in certain cases, indirectly from their appointed representative, for the purposes outlined:

  • Name
  • Contact details (email address, phone number, mailing address)
  • Content of the consultation or advice given
  • Offer details

The legal basis for the data processing under this subsection is, in cases where the Data Subject directly contacts the Data Controller for the purpose of contract formation, Article 6(1)(b) of the GDPR, as the processing is necessary for steps taken at the request of the Data Subject prior to the conclusion of the contract. In cases where the Data Subject contacts the Data Controller through an intermediary and does not enter into a direct contractual relationship with the Data Controller, the legal basis is Article 6(1)(a) of the GDPR, i.e., the consent of the Data Subject.

Providing the above personal data is a prerequisite for entering into or performing a contract or for making an offer. If any personal data is not provided or is incorrectly provided, it may occur that the Data Controller cannot fully perform the contract, or can only do so in a different manner. The Data Controller is not liable for any damage or legal disadvantage arising from this. For this reason, contracts cannot be finalized in the absence of personal data.

The Data Subject has the right to decide whether to give consent, and the consent given by the Data Subject can be withdrawn at any time. The Data Subject may withdraw their consent at any time by making a declaration personally or via postal or electronic means addressed to the Data Controller using the contact details provided above. In case of withdrawal, the Data Controller will immediately delete all personal data provided by the Data Subject at the time of contact once the request is received. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to its withdrawal.

The Data Controller will store the personal data until the conclusion of the contract, or if no contract is concluded, for 6 months after the consultation or until the deadline for accepting the offer expires. If there is no indirect contact or contractual relationship, the data will be stored until the withdrawal of consent, but no longer than 6 months after the consultation or preliminary assessment is completed.

The Data Controller does not transfer these personal data to third parties.

IV/C. Data Management Related to Direct Provision of Services

The purpose of the data management under this subsection is for the Data Controller to perform the contract directly concluded by the Data Subject with the Data Controller, and based on this, to provide the service to the Data Subject. During this process, the Data Subject entrusts the Data Controller to assist with their lawful stay in Hungary, collaborate in this, provide professional support and advice, and if necessary, involve consultants. The Data Controller will assess the compliance and prerequisites of the Data Subject’s stay according to its professional knowledge—without any commitment to results—and assist in creating the conditions necessary for the stay. The Data Controller will provide professional help (including legal, financial, investment, etc. advice) and assist in the procedures before the relevant authorities, and if necessary, represent the Data Subject. The Data Controller will perform its tasks with the highest quality and diligence; therefore, it is not liable for the outcome of the authorities’ decisions.

In connection with the above, the Data Controller processes the following personal identification data of natural persons, which it collects directly from the Data Subject:

  • Personal identification data (name, birth name, mother’s name, place and date of birth)
  • Address, place of residence
  • Passport and document details confirming the legality of the stay (visa)
  • Nationality
  • Purpose of stay
  • Marital status data
  • Financial or property-related data (including particularly the real estate owned, assets, amounts and data on bank accounts/savings/investment accounts or funds)
  • Declaration regarding entitlement to healthcare
  • Declaration regarding the permission or prohibition of entry and exit/re-entry
  • ID photo

The legal basis for the data management under this subsection is Article 6(1)(b) of the GDPR, as the data processing is necessary for the performance of a contract in which the Data Subject and the Data Controller are parties. The Data Controller does not generally process special categories of data, but during the performance, it may be necessary to process certain sensitive personal data or personal data relating to special categories of data. In these cases, the legal basis for processing special categories of data is Article 9(2)(a) of the GDPR, i.e., the explicit consent of the Data Subject.

Providing the above personal data is mandatory for the Data Subject, who acknowledges by signing the contract that the Data Controller can fully fulfill its obligations from the service contract only if the data provided is accurate and complete. In case any personal data is not provided or incorrect data is provided, it may occur that the Data Controller cannot fully fulfill the contract or can only do so in a different manner. The Data Controller does not bear any responsibility for any damage or legal disadvantage resulting from this.

The Data Subject may withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the data processing based on the consent before its withdrawal.

To perform the contract, the Data Controller must comply with the relevant provisions of the Act on the Legal Status of Foreigners and the documents and information required by the authorities, which are necessary for the performance of the service under the contract. Therefore, during the contract performance, the Data Controller processes only those personal data of the Data Subject which may be required for conducting the procedure under the relevant provisions of the Act.

In case of Data Subjects under 18 years of age, the same data is processed by the Data Controller based on the submission by the legal representative, in accordance with the same legal basis.

The Data Controller stores personal data until the termination or performance of the contract, and in case of further consent, the personal data is retained until the withdrawal of the consent but, for archiving purposes, no longer than 10 years after the completion of the contract.

The Data Controller may transfer personal data to its employees, appointed advisors, cooperating professional partners, the relevant authorities, and financial or investment service providers based on the consent of the Data Subject.

IV/D. Data Management Related to Indirect Provision of Services

The purpose of the data management under this subsection is for the Data Controller to provide a service to the Data Subject through an intermediary under a service contract concluded with business partners, without a direct contractual relationship. During this process, the business partner entrusts the Data Controller to assist with the lawful stay of the Data Subject in Hungary, collaborate in this, provide professional support and advice, and if necessary, involve consultants. The Data Controller will assess the compliance and prerequisites of the Data Subject’s stay according to its professional knowledge—without any commitment to results—and assist in creating the necessary conditions for the stay. The Data Controller will provide professional help (including legal, financial, investment, etc. advice) and assist in the procedures before the relevant authorities, and if necessary, represent the Data Subject. The Data Controller will perform its tasks with the highest quality and diligence; therefore, it is not liable for the outcome of the authorities’ decisions. The Data Controller is not responsible for the legality of data management between the intermediary and the Data Subject.

In connection with the above, the Data Controller processes the following personal identification data of natural persons, which is collected in some cases not directly from the Data Subject, but from their intermediaries or the Data Controller’s own business partners:

  • Personal identification data (name, birth name, mother’s name, place and date of birth)
  • Address, place of residence
  • Passport and document details confirming the legality of the stay (visa)
  • Nationality
  • Purpose of stay
  • Marital status data
  • Financial or property-related data (including particularly the real estate owned, assets, amounts and data on bank accounts/savings/investment accounts or funds)
  • Declaration regarding entitlement to healthcare
  • Declaration regarding the permission or prohibition of entry and exit/re-entry
  • ID photo

The legal basis for the data management under this subsection is Article 6(1)(a) of the GDPR. While the Data Controller does not generally process special categories of data, during the performance, it may become necessary to process certain sensitive personal data or personal data relating to special categories of data. In these cases, the legal basis for processing special categories of data is Article 9(2)(a) of the GDPR, i.e., the explicit consent of the Data Subject.

The Data Subject is entitled to decide whether to consent to transferring their data to the Data Controller or allowing the intermediary to transmit it, or if the Data Controller may use this data upon the Data Subject’s request for providing the service. The Data Subject has the right to decide to grant consent, which is not a prerequisite for accessing the service by other means. If consent is not granted, the Data Subject will not face any disadvantage.

The Data Subject may withdraw their consent at any time. The Data Subject may withdraw their consent at any time using the same platform where they contacted the Data Controller, or by making a postal or electronic declaration addressed to the Data Controller using any of the contact details provided above.

In case of withdrawal, the Data Controller will immediately delete all personal data provided by the Data Subject at the time of contact once the request is received. Withdrawal of consent does not affect the lawfulness of the data processing based on consent prior to its withdrawal.

In the case of Data Subjects under 18 years of age, the same data is processed by the Data Controller after submission by the legal representative, based on the same legal basis.

The Data Controller stores personal data until the withdrawal of the Data Subject’s consent.

The Data Controller may transfer personal data to its employees, appointed advisors, cooperating professional partners, the relevant authorities, and financial or investment service providers based on the consent of the Data Subject.

IV/E. Data processing related to invoicing

The purpose of the data processing in this subsection is to fulfill the invoicing obligation of the Data Controller regarding the fee/commission/payment owed to the Data Controller following the successful performance of the mandate agreement, as well as the management of invoices received during the Data Controller’s market orders and the fulfillment of its accounting obligations. Based on this, the Data Controller is obliged to process the following personal data of the data subject:

  • Name
  • Billing and bank details

The legal basis for the data processing in this subsection is Article 6(1)(c) of the GDPR, based on the legal obligation of the Data Controller under the Accounting Act and the relevant regulations of the Ministry for National Economy (NGM). Providing the above personal data by the data subject is mandatory. The data subject is responsible for the accuracy of the provided personal data.

The Data Controller stores the personal data for 8 years following the issuance and completion of the invoice (Section 169(1)-(2) of the Accounting Act).

The Data Controller may transfer the personal data to its current accountant and the invoicing software provider.

IV/F. Data processing related to the performance of the contract and personal data of representatives in the contract

The purpose of the data processing in this subsection is to identify the contracting parties, who are natural persons/sole proprietors, and any representatives or contacts mentioned in the contract, as well as to establish communication with them, and to ensure that the contract is properly performed.

In connection with the above, the Data Controller processes the following personal identification data of natural persons, which is collected directly from the data subject or their legal representative:

  • For contracting parties (natural persons, sole proprietors): Personal identification data, contact details, signature
  • For representatives and contacts: Name, contact details, title, signature

The legal basis for the data processing in this subsection is Article 6(1)(b) of the GDPR for natural persons/sole proprietors who are contracting parties, as the data processing is necessary for the performance of a contract in which the data subject and the Data Controller are parties. For legal entities or other contacts, the legal basis is Article 6(1)(f) of the GDPR, which refers to the legitimate interest of the Data Controller.

Providing the above personal data is mandatory for the data subject, who, by entering into the contract, acknowledges that the Data Controller can only fully perform the obligations arising from the contract if the above data is truthful and complete. If any personal data is not provided or incorrect data is given, it may result in the Data Controller being unable to fully perform the contract, or being able to fulfill it only in a different way, and the Data Controller assumes no responsibility for any resulting damage or legal disadvantage. The Data Controller has a legitimate interest in identifying the representatives and those authorized to communicate during the contract performance and being able to contact them. The legitimate interests of the Data Controller take precedence over the data subject’s fundamental rights and interests. The data subject may object to the processing of their personal data at any time.

The Data Controller stores the personal data for 5 years after the termination or completion of the mandate agreement.

The Data Controller does not transfer these personal data to third parties.

IV/G. Data Processing Related to the Enforcement of Legal Claims, Conducting Legal Proceedings, and Debt Collection

The purpose of the data processing under this subsection is to enable the Data Controller to enforce its legal claims arising from or outside of the contract—whether against the contractual Data Subject or against other data subjects—collect its claims, and initiate and conduct the related proceedings.

In connection with the above, the Data Controller processes the following personal identification data of natural persons, which it collects directly from the Data Subject or from their legal representative:

  • Personal identification data (Name, birth name, mother’s name, place and date of birth, personal identification number, tax identification number)
  • Address/residence
  • Contact details (e-mail, telephone)

The processing of personal data in certain proceedings (depending on the evidence, among other things, additional data processing may occur beyond the aforementioned data) is, as a rule, carried out for the purpose of enforcing the Data Controller’s claims and requirements, namely for the identification of the Data Subject and for establishing contact with them.

The legal basis for the data processing under this subsection is Article 6(1)(f) of the GDPR, that is, the legitimate interest of the Data Controller. Providing the above personal data is mandatory for the Data Subject, as it is the legitimate interest of the Data Controller to be able to identify and contact the Data Subject for the purpose of enforcing its claims and requirements, or to make them reachable during the proceedings. The legitimate interest of the Data Controller takes precedence over the fundamental rights and interests of the Data Subject. The Data Subject may object to the processing of their personal data at any time.

The Data Controller stores the personal data for 5 years after the termination or performance of the mandate agreement, or until the respective proceeding is conclusively completed.

The Data Controller may transfer these personal data to its legal representative and to the competent authority in connection with the proceeding, as well as to its current employees and representatives.

IV/H. Data Processing Related to Online Visitors

The primary purpose of the data processing under this subsection is to record the acceptance of the cookies used on the www.goldenvisahungary.agency website, or, if applicable, to ensure the browsing session on the website, and to make the services provided by the website more effective, more secure, and tailored to the visitor’s needs.

The website controlled by the Data Controller may, by virtue of the fact that the website is visited, perform data storage or data processing in the visitor’s terminal device using cookies. The data recorded in this way are generally not related to personal data; however, it may occur that data concerning the visitor are stored.

On the one hand, the cookies are internal cookies from the Data Controller, which are set by the website visited by the user itself; furthermore, there may be cookies from third parties, which are installed on the user’s computer by other service providers when the user visits our website for the purpose of analysis or the collection of statistical data. In this context, the user’s data are also processed by these service providers – such as Google (Google Ireland Ltd.).

Cookies may be temporary, which do not have a set validity period but are deleted when the browser is closed, or permanent, which remain active until they are deleted or until a certain validity period expires.

The Data Controller uses the following cookies on its website:

Name: wordpress_test_cookie
Description: WordPress sets a cookie named wordpress_test_cookie to check whether cookies are enabled in the user’s browser and also to check whether the user’s browser is capable of accepting cookies so as to provide an appropriate user experience. WordPress sets this cookie when the website is opened, and then it is immediately deleted when the website is closed. The cookie does not contain any personal data, however, it is indispensable for the operation of the website and technically necessary.

Name: cookieyes-consent
Description: This cookie is used by CookieYes. It remembers the users’ consent preferences and manages the visitors’ consents, so that these can be respected when the user subsequently visits the website. It does not collect or store any personal data about the website visitors. The cookie is indispensable as it stores the consents for cookies. The cookie is stored for 1 year after it is recorded; however, it can be disabled or deleted at any time from the browser settings.

Every cookie can be deleted from the computer and can be disabled in the browser. Disabling them may affect the convenience of using the browser, or some of its functions and operation.

In order to use cookies, the data subject must in every case give their consent by activating the icon provided to express that consent next to the “This website uses cookies” information text displayed on the website. The cookies indispensable for the operation of the website, which run automatically, are exempt from this.

The data subject is not obliged to give consent for the possible use of functional, analytical, or marketing cookies in order to be able to visit the website; however, in the absence of consent, it may occur that the website or some of its subpages will not function properly, or the website may deny the data subject access to certain data.

By using cookies on its website, the Data Controller processes the following data:

a. Certain data of the device that provides the visitor’s connection to the website via an open network,
b. The IP address used by the visitor,
c. Page settings,
d. Login status, the fact of the visit, and the time of the visit.

The legal basis for the data processing under this subsection in relation to indispensable cookies is Article 6(1)(f) of the GDPR, as the legitimate interest of the Data Controller, while in the case of any functional, analytical, or marketing cookies, it is based on the data subject’s consent under Article 6(1)(a) of the GDPR.

Providing the above personal data by the data subject is mandatory, since it is the legitimate interest of the Data Controller to store the users’ cookie consents and subsequently prove them. Only such cookies operate on the website on the basis of the legitimate interest of the Data Controller that are truly indispensable for operating the website and for the principle of accountability. The legitimate interest of the Data Controller takes precedence over the fundamental rights and interests of the data subject. The data subject may object to the processing of their personal data at any time.

The consent given by the data subject may be withdrawn at any time. Essentially, the data subject can delete cookies and browsing history by deleting the browsing data, or the settings can be modified via the website. The running of cookies is not automatic; they may be enabled or disabled before the session begins. Withdrawal of consent does not affect the lawfulness of the data processing based on consent prior to its withdrawal. Withdrawal of consent or failure to give consent does not result in an obstacle to visiting the website.

The Data Controller stores the personal data as follows: in the case of indispensable cookies, as cookies for varying durations (they are deleted immediately or after 1 year), and if such cookies run on the website, then in the case of functional, analytical, or marketing cookies, they are stored until the consent is withdrawn (i.e., until tracking is stopped).

  1. Automated Decision-Making, Profiling

The Data Controller does not process personal data through automated decision-making and profiling, and does not use such methods.

  1. Data Transmission, Scope of Recipients

The Data Controller does not transmit personal data to a third country outside the European Union or to an international organization in accordance with Articles 44–49 of the GDPR.

The Data Controller transmits the personal data of the Data Subject to the following recipients:

  • To the Data Controller’s current entrusted accountant, as a data processor, regarding the billing data, for the purpose of fulfilling the billing and accounting obligations specified by law (GDPR Article 6(1)(c));
  • To the Data Controller’s current entrusted legal representative, as a data processor, for matters related to the enforcement of legal claims and demands (GDPR Article 6(1)(f));
  • To the billing program provider currently used by the Data Controller, as a data processor, regarding the billing data, for the purpose of fulfilling the billing obligation (GDPR Article 6(1)(c));
  • The Data Controller is obliged to provide data to the court, the prosecutor, the regulatory authority for administrative offenses, the administrative authority, the investigating authority, or to other bodies empowered by law for the purpose of providing information, transmitting data, handing over, or making documents available. In this context, the data transmission is only to the extent that is strictly necessary for achieving the objective of the authority ordering the data transmission – provided that the authority has specified the exact scope of the data and the exact purpose. The Data Controller cannot be held liable for the fulfillment of such data transmissions or for any resulting consequences, and no claim may be brought against it. Such data transmissions may occur on a case-by-case basis, pursuant to legal authorization (GDPR Article 6(1)(c));
  • In other cases, the Data Controller may perform data transmission only expressly with the consent of the Data Subject (including, among others, for the purpose of proceedings before the competent authorities, for banks, investment service providers, civil organizations, as well as for the fulfillment of services to professional advisory partners, legal representative partners, and investment advisors) (GDPR Article 6(1)(a)).

In the case of real estate investments, the Data Controller transmits personal data to its permanent real estate investment advisor, as a data processor, for the purpose of fulfilling the mandate agreement.

Company name: Redwood Holding Kft.
Registration number: 01-09-275468
Seat: 1011 Budapest, Szilágyi Dezső tér 1.

The website operated by the Data Controller and its hosting are provided by an external company, acting as a data processor, which exclusively performs storage services with respect to the data, registrations, and visits recorded on the website.

Webhosting: Websupport Magyarország Kft.
Registration number: 01-09-381419
Seat: 1119 Budapest, Fehérvári út 97-99.

All of the Data Controller’s senior officers and employees may be authorized to process personal data in connection with their activities and areas of responsibility.

  1. Data Security

In the processing of personal data by the Data Controller, in all cases the principles set out in Article 5 of the GDPR are complied with.

The Data Controller ensures that, in the electronic and paper-based processing, storage, and transmission of personal data, it takes all the technical and organizational measures necessary so that, at the current state of technological development, the Data Controller is able to choose the technical solution for these processes that guarantees a higher level of protection of personal data.

The Data Controller implements appropriate technical and organizational measures taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances, and purposes of the processing and the probability and severity of the risks for the rights and freedoms of natural persons, in order to guarantee a level of data security proportional to the degree of risk. These measures include:

  • the pseudonymization and encryption of personal data,
  • ensuring the continuous confidentiality, integrity, availability, and resilience of the systems and services used for processing personal data,
  • the ability, in the event of a physical or technical incident, to restore access to personal data and their availability within an appropriate period,
  • procedures for the regular testing, assessment, and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of the processing.

The Data Controller is obliged to delete from all its records any personal data for which the legal relationship with the data subject has terminated for any reason and for which the purpose of the processing has ceased, except where the retention of the personal data is prescribed by law for the Data Controller.

In the event that an incident occurs which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data (hereinafter: “Data Protection Incident”), the Data Controller undertakes to notify the National Authority for Data Protection and Information Security, as the competent supervisory authority, without delay and, if possible, within 72 hours after becoming aware of the Data Protection Incident. The notification obligation does not apply if the Data Protection Incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the Data Protection Incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the Data Protection Incident without undue delay, and such information shall clearly and understandably disclose the nature of the Data Protection Incident.

  1. Rights of the Data Subject

The natural persons whose personal data is processed by the Data Controller are entitled, in relation to the Data Controller’s processing, to the following rights:
a. the right to information (GDPR Articles 13–14);
b. the right of access (GDPR Article 15);
c. the right to rectification (GDPR Article 16);
d. the right to erasure (the right to be forgotten) (GDPR Article 17);
e. the right to restriction of processing (GDPR Article 18);
f. the right to data portability (GDPR Article 20);
g. the right to object (GDPR Article 21).

a. Right to Information

Considering that the Data Controller collects personal data directly from the Data Subject, it fulfills its obligation to provide information pursuant to Article 13 of the GDPR by means of this Data Processing Notice. The Data Controller does not collect personal data from any source other than the Data Subject.

b. Right of Access

The Data Subject has the right to request information and confirmation as to whether personal data concerning them has been processed. The Data Controller is obliged to provide such information, including access to the information set out in Article 15 of the GDPR.

c. Right to Rectification

In the event that the Data Controller processes any personal data of the data subject inaccurately or incompletely, the Data Subject may request that the Data Controller immediately rectify any personal data processed inaccurately or supplement any personal data processed incompletely on the basis of the data provided and verified by the data subject.

d. Right to Erasure (Right to be Forgotten)

The Data Subject is entitled to request that the Data Controller promptly delete the personal data concerning them if any of the following grounds apply:

  • the personal data are no longer necessary for the purpose for which they were collected or otherwise processed,
  • the Data Subject withdraws the consent on which the processing is based and there is no other legal basis for the processing,
  • the Data Subject objects to the processing and there is no overriding legitimate interest for the processing,
  • the personal data have been processed unlawfully,
  • the personal data must be erased in order to comply with a legal obligation to which the Data Controller is subject,
  • the personal data were collected in connection with the offering of information society services.

The Data Controller informs the Data Subjects that it is not obliged to comply with a request to exercise the right to erasure (or to be forgotten) if the processing is necessary:

  • for the exercise of the right of freedom of expression and information and the right to receive information,
  • for the performance of a legal obligation prescribing the processing of personal data or for the exercise of official authority,
  • for the performance of a task carried out in the public interest,
  • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes,
  • for the establishment, exercise or defense of legal claims.

e. Right to Restriction of Processing

The Data Subject is entitled to request that the Data Controller restrict the processing of their personal data if:

  • the Data Subject contests the accuracy of the personal data collected and stored by the Data Controller for a period necessary for verifying the accuracy of such data; or
  • the processing carried out by the Data Controller is unlawful and the Data Subject opposes the erasure of the personal data collected and stored; or
  • the purpose of the processing has ceased and the Data Controller does not require the personal data any longer, but the Data Subject requests further (limited) processing in order to assert, exercise, or defend a legal claim; or
  • the Data Subject exercises their right to object, pending an investigation of the lawfulness of the processing.

f. Right to Data Portability

The Data Subject has the right to receive the personal data concerning them that they have provided to a Data Controller in a structured, commonly used, and machine-readable format, if:

  • the processing is based on the consent pursuant to Article 6(1)(a) or on a contract pursuant to Article 6(1)(b) of the GDPR, or based on the consent pursuant to Article 9(2)(a) of the GDPR; and
  • the processing is carried out by automated means.

During the exercise of the right to data portability, the Data Subject is entitled, where technically feasible, to request the direct transmission of the personal data between Data Controllers.

g. Right to Object

The Data Subject is entitled to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the legitimate interests of the Data Controller, including processing based on the aforementioned provisions and profiling. In such cases, the Data Controller shall cease further processing of the personal data, unless the Data Controller demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights, and freedoms of the Data Subject, or is necessary for the establishment, exercise, or defense of legal claims. If the processing of personal data is carried out for direct marketing purposes, the Data Subject is entitled to object at any time to the processing of their personal data for such purposes, including profiling, insofar as it is related to direct marketing.

The Data Subject may exercise the rights defined in this chapter at any time by submitting a request to the Data Controller. The request of the Data Subject may be submitted electronically, in paper form using the universal postal service, or in paper form by delivering it to the headquarters of the Data Controller or to the Data Controller’s representative. The Data Controller shall provide information on the processing of personal data and on the exercise of the rights without undue delay and, in any event, within 1 month of receipt of the request free of charge, in the same form in which the request was made.

  1. Legal Remedies

If the data subject observes that the Data Controller violates the provisions set out in the data protection legislation in the handling of their personal data, they may, in order to protect their rights, submit a legal remedy request to the territorially competent court or to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).

Nemzeti Adatvédelmi és Információszabadság Hatóság

Seat: 1055 Budapest, Falk Miksa u. 9-11.
Mail address: 1363 Budapest, Pf.: 9.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: http://naih.hu

The Data Controller also publishes its current Data Processing Notice on its website in electronic form. In the event that the Data Subject submits an electronic or paper-based request in this regard, the Data Controller shall send the Data Processing Notice as an attachment to an electronic message to the email address provided by the Data Subject.

The Data Controller reserves the right to unilaterally modify this Data Processing Notice, particularly if required by changes in legislation, supervisory practice, or other external circumstances. The Data Controller shall in any case notify the Data Subject of the change, and upon the Data Subject’s request, will provide the content of the current notice.

Effective: from March 17, 2025

Dr. Péter Novák, Attorney-at-Law
(Dr. Péter Novák Law Office)