AUTOWALLIS Ltd. (hereinafter the “Controller”) wishes to provide information about the general requirements and conditions of its data processing operations during liaising with investors as well as the rights of data subjects in this document.
The fundamental rules of the management of personal data are laid down in Regulation 2016/679/EU (“General Data Protection Regulation” or “GDPR”) and in Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information.
The Controller only engages in such data processing operations in respect of the data subjects that are unavoidable and justifiable for the given legal relationships. The Controller focuses on enforcing the principle of data minimisation and does not manage any sensitive data.
The Controller complies with all laws applicable to the data processing operations conducted by it at all times and treats personal data with particular care.
In its documents pertaining to data processing, the Controller strives to reduce the usage of legal terminology to the greatest extent possible. However, in order to ensure the clarity of the information, the following terms shall have the following meanings, as defined in the GDPR:
On the investor relations subpage of its website at https://autowallis.hu/befektetoi-kapcsolattartas/, the Controller allows investors to liaise with the Controller through electronic messages. The legal basis for data processing is the data subject’s consent that the data subject may withdraw at any time. In such cases, the Controller shall examine the messages exchanged and if, in his opinion, the contents thereof need to be retained with a view to the protection of its legitimate interests and the data protection legal conditions for such retention exist, then the Controller shall retain the messages exchanged until the relevant limitation period.
The Controller shall process the data during the general five year limitation period.
The fundamental principles of the data processing operations conducted by the Controller are laid down in Article 5 of the GDPR; these principles are to be construed in respect of the Controller as follows:
The data processing operations conducted by the Controller always have an appropriate legal basis and the Controller fully complies with the provisions of the relevant data processing laws or contracts.
The Controller manages the processed data with fairness and integrity, acts in good faith, does not abuse the personal data processed by it and respects and does not violate the data subject’s privacy and right to informational self-determination.
The Controller conducts its data processing operations in a transparent manner both in respect of the Authority and the data subjects. The Controller informs the data subject about all data processing operations and where the data subject exercises his right of access, the Controller provides all necessary information prescribed in the GDPR in this regard. In the case of a personal data breach, if required by the law, the Controller shall comply with his notification obligation without delay.
The Controller conducts all data processing operations exclusively for justified and legitimate purposes. The purpose of data processing is always specified and the related information is unambiguous and not misleading.
The Controller only processes personal data if this is necessary, also having regard to the principles of purpose limitation, lawfulness and fairness. All data processing operations conducted by the Controller are adequate and necessary for the company’s business.
The Controller strives to ensure that the personal data processed by it are complete, accurate and up-to-date and takes every reasonable step to ensure the rectification of any inaccuracies.
The Controller only processes personal data until there is adequate legal basis for such processing and purpose limitation is ensured. Thereafter, the personal data are either erased, or the document containing such data is returned, or the given data are deprived of their personal nature.
The time limits applicable to the processing of the different categories of data are specified in the information documents pertaining to the given client contract or the processing of employee data.
The Controller takes the necessary and adequate technical or organisational measures in order to ensure that its data processing operations comply with the data security requirements provided for in the GDPR and the relevant sectoral laws.
The Controller makes sure that only authorised persons can have access to the personal data processed by it and that such data are exclusively processed either by the Controller at its headquarters or by persons over whom the Controller has monitoring rights. The Controller’s infrastructure complies with the requirements provided for in the relevant sectoral laws.
Furthermore, the Controller ensures that the persons involved in the processing of the personal data are bound by an obligation of confidentiality.
Data subjects are entitled to exercise their rights specified below. Such legal statements shall be sent to the Controller’s registered office by mail. Requests for general information can also be sent by email. The Controller shall assess the legal statements without delay and if the conditions of lawfulness are met, the Controller shall comply with the request without delay but within one month at the latest. If the legal statement for the exercise of the data subject’s rights is unclear, the Controller shall call upon the data subject to supplement or modify the legal statement.
The data subject may request information about the data processing operations and may request the Controller to provide access to the personal data concerning him/her.
The Controller only provides access to the personal data if the data subject adequately proves his/her identity. Otherwise, the Controller may only provide general information.
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of data processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
The right to erasure may be limited for the reasons provided for in Article 17 (3) of the GDPR.
The data subject shall have the right to obtain from the Controller restriction of data processing where one of the following applies:
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction is lifted, the Controller shall inform the data subject thereof before the restriction of data processing is lifted.
The Controller is not engaged in any data processing concerning the personal data of its clients and employees or the personal data of any other data subject in relation to its client contracts that is fully automated and, accordingly, the data subjects are not entitled to exercise the right to data portability in respect of the personal data processed by the Controller.
The data subject shall have the right to object, on grounds relating to his/her particular situation, at any time to the processing of his/her personal data, if the Controller processes such personal data on grounds of public interest or the enforcement of the legitimate interests of a third party.
In such cases, the Controller may only continue to process the personal data if the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The data subject shall have the right to file an objection or bring a civil action pursuant to the provisions of Section 6.
The data subject shall have the right to file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information if he/she believes that his/her rights provided for in the GDPR or the Information Act have been violated. In such cases, please first file your complaint with the Controller. Your complaint will be assessed immediately and the results of the assessment will be communicated to you.
mailing address: 1530 Budapest, Pf.: 5.
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL http://naih.hu
Furthermore, the data subject shall have the right to apply to a court if the data protection laws are violated. In such cases, the competent court under the GDPR shall be the Metropolitan Court of Budapest in respect of the Controller’s data processing operations, while for violations of the Information Act, the action can also be brought before the competent court at the data subject’s domicile or place of permanent residence.
AUTOWALLIS Nyrt.
Address: 1055 – Budapest, Honvéd utca 20.
Telephone/Fax: +36 1 551 5773
E-mail: info {at} autowallis.hu
This information document shall take effect upon publication. The Controller may unilaterally amend this information document. The Controller shall inform data subjects about such amendments through its website.