We are dedicated to protecting the personal data of the visitors of our website and our current and future customers and business partners and consider respect of the right to informational self-determination a priority. We treat personal data confidentially and will take all security, technical and organizational measures to guarantee data security.
- The information of the Company acting as Data Controller
The Company shall be liable for the personal data you share with us; in accordance with applicable data protection regulations, the information of the Company acting as “Data Controller” are as follows:
Name of the Data Controller: BORD Architectural Studio LLC
Registered office of the Data Controller: H-1068 Budapest, Felső erdősor 3. 3. em. 22.
Electronic mailing address of the Data Controller: firstname.lastname@example.org
Phone number of the Data Controller: +36 20 939 6968
Company registration number of the Data Controller: 01-09-870752
Tax number of the Data Controller: 13739689-2-42
Personal data: any information pertaining to an identified or identifiable person (“data subject”); an identifiable person shall mean a private individual who can be identified directly or indirectly, but particularly via identification information, for example name, number, location data, online ID or one or more factors concerning the physical, physiological, genetic, mental, economic, cultural or social identity of the given private individual.
Data processing: the totality of any procedure or procedures implemented in an automatic or non-automatic manner, concerning personal data or data files and including collecting, recording, systemizing, structuring, storing, transforming or modifying, querying, accessing, using, communicating, transferring, publishing or otherwise making accessible, coordinating or linking, limiting, erasing or terminating.
Data Controller: a private individual or legal entity, public authority, agency or any other body that may define, on its own or in cooperation with other entities, the purposes and tools of data processing; if the purposes and tools of data processing are defined by EU law or the laws of a member state, the identity of the data controller or the specific criteria for determining the identity of the data controller may be prescribed by EU law or the laws of a member state.
The Data Controller is the operator of the website.
Data processor: a private individual or legal entity, public authority, agency or any other body that processes data on behalf of the data controller.
Recipient: a private individual or legal entity, public authority, agency or any other body that is the recipient of personal data, regardless of whether the given entity is a third party or not. Public authorities that, through specific investigations, are entitled to access personal data in accordance with EU law or the laws of a member state, are not considered recipients; processing of said data by such public authorities must comply with data protections regulations applicable based on the purposes of data processing.
Data subject’s consent: freely given, specific, informed and unambiguous indication of the data subject’s will, in which the data subject, by way of a statement or an action unambiguously indicating consent, consents to the processing of personal data relating to the data subject.
Personal data breach: a breach of security which results in the unintended or unlawful termination, loss, change of, or unauthorized publication or similar unauthorized access to transferred, stored or otherwise processed personal data.
Website: the website www.bordstudio.hu and its subpages operated by the data controller.
User: a private individual who accesses the website and whose personal data is processed by the data controller.
External provider: service provider partners, acting as third parties, employed – directly or indirectly – by the data controller in regards of the operation of the website or the provisioning of the services available therein, to whom personal data is transferred or may be transferred as necessary for the provisioning of such services, and who may transfer personal data to the data controller. Service providers who are not in collaboration with the data controller, but who have access to the website relevant to the service and collect data concerning the users which, either by themselves or when combined with other data, can be used to identify the user are also considered external providers.
III. Principles of data processing
The Data Controller shall be liable for the following:
- processing personal data in a lawful and fair manner and while providing transparency to the data subject (“lawfulness, fairness and transparency”);
- collecting personal data only for specific, unambiguous and lawful purposes and processing said data in a manner incompatible with these purposes (“purpose limitation”);
- processing personal data that is appropriate and relevant for the purposes of data processing and is limited to what is necessary (“data minimization”);
- ensuring that personal data are accurate and, if necessary, up-to-date and taking all reasonably necessary measures to ensure that personal data considered inaccurate in the context of data processing purposes are erased or corrected without delay (“accuracy”);
- storing personal data in a format that enables the identification of data subjects only for the duration necessary for data processing purposes (“storage limitation”);
- processing personal data in a manner that, through the implementation of necessary technical or organizational measures, ensures their security, including security against unauthorized or unlawful processing, unintended loss, termination or damage (“integrity and confidentiality”).
- Personal data processed, the purpose, legal basis of data processing, and storage duration
Depending on the purpose of data usage, data may be processed on the following legal bases:
- your consent or the completion of an agreement (in case information is requested via the contact form available on our website, depending on the contents of the given request);
- our legitimate interest (of ensuring the protection and security, proper functioning and continuous development of the tools you use – our websites/applications/devices) or the fulfillment of legal obligations.
If data processing requires your consent, you may give consent freely, having received proper information, in a prior statement, which statement shall contain your express consent to the processing of the personal data provided while using the website. You, as user, in case of data processing requiring consent, are entitled to revoke consent at any time, which, however, does not affect the lawfulness of data processing carried out before the revocation.
At the same time, you are liable for legally acquiring the consent of any private individuals acting as data subjects for the processing of personal data provided or made accessible on behalf of other private individuals. You are liable for any data you provide and, upon providing such data, also assume liability for ensuring that you are the only one procuring services via the specified e-mail address and using the data you have provided. We do not review personal data, the person providing such data shall bears sole liability for their accuracy.
The legal basis of data processing may also be the legitimate interest and legal obligations of the Company, acting as Data Controller. In cases where the legal basis of data processing is the legitimate interest of the Data Controller, we have done and shall continue to do balancing tests in accordance with the relevant provisions of the GDPR; the balancing test establishes whether our legitimate interest concerning data processing takes precedence over your data processing related rights and freedoms.
When you access the website, the Data Controller, in connection with the provisioning of services, on basis of the Data Controller’s legitimate interest and for the purpose of provisioning services in a lawful manner (e.g. in order to detect unlawful usage or illegal content), shall record your IP address even without your express consent.
For further details regarding data processing or the scope, purposes and legal bases of data processing, please see the information provided below.
Types of “cookies” used:
“Session cookies” are necessary for browsing the website and using its functions, including recording operations carried out by the visitor on the website, its functions or services. The smooth operation of the website cannot be guaranteed without the use of “session cookies”. The scope of their validity covers the duration of the given visit, as such “cookies” are automatically erased upon ending the session, leaving the website or closing the browser. Ensuring the proper functioning of the website is carried out in accordance with relevant legislation.
“user supporting cookies”
These “cookies” allow the website to remember the mode of operation selected by the user (e.g. language, selection of accessibility options, how many results are to be displayed simultaneously by the search tool, etc.). They are meant to ensure that the user does not need to reselect these options upon the next visit.
“targeted advertising cookies”
“Targeted advertising cookies” are used to select the advertisements most relevant or most interesting to the given user to be displayed on the website. These cookies enable external providers – including Google – to display targeted advertising on other websites based on the user’s prior visits to the website.
Such cookies cannot be used to specifically identify the user. At the same time, these cookies collect data regarding, for example, which website has the user visited, where on the website did the user click, how many pages did the user open.
The website uses the “targeting and advertising cookies” of the following service providers:
- Facebook: for detailed information regarding the service, please see the following link: https://www.facebook.com/help/cookies/
- Doubleclick: For detailed information regarding the service, please see the following link: https://www.google.com/intl/hu/policies/privacy
“web statistics cookies”
The Data Controller uses “web statistics cookies” to collect information regarding the way users use the website. The purpose of these cookies is to develop the website in accordance with user requirements. These “cookies” may be used to track the number of visitors to the website and the contents users are interested in.
The website uses the analytical cookies of Google Tag Manager, Google Analytics, which collect information regarding the users’ usage of the website. For detailed information regarding the service, please see the following link:
The purpose of data processing: identification, distinguishing of users, identification of the current browsing sessions of users, storing data provided during these sessions, prevention of data loss, web analytics surveys, verifying the operation of the website when visiting, preventing misuse and determination of user requirements.
Legal basis of data processing: Item a) of Paragraph (1) of Article 6 of the GDPR, the data subject’s consent, Paragraph (3) of Section 13/A. of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter referred to as: Electronic Services Act), and Item f) of Paragraph (1) of Article 6 of the GDPR.
Scope of the data processed: data, time, IP address, address of previously visited website, data regarding the operating system and browser of the user, time spent browsing the website.
Duration of data processing: …. after visiting the website, except in the case of session cookies, which are automatically erased upon leaving the website or closing the browser.
The portal’s HTML code contains links unrelated to the Data Controller and provided by and linking to external servers. Servers of external providers connect directly to the user’s computer. Please note that the providers of these links are able to collect user data (e.g. IP address, data of browser, operating system, cursor movements, clicks, the address of the visited website and the time and duration of the visit) due to the direct connection to their servers and direct communication with the user’s browser. An IP address is a series of numbers based on which the users’ computers and mobile devices used for online browsing can be clearly identified. Based on the IP address, the visitor using the given computer may even be located geographically. The addresses of the websites visited and data concerning times and dates are not sufficient to identify the data subject, but, when connected to other data, may be used to draw certain conclusions regarding the user.
- Processing of personal data provided via the contact form available on the website
We have provided an option on the website for interested parties to request information regarding our services. During this process, users may be required to provide some personal data.
Purpose of data processing: Answering queries, quotation, providing information, improving services
Legal basis of data processing: The data subject’s consent, Item a) of Paragraph (1) of Article 6 of the GDPR and Paragraph (1) of Section 5 of the Privacy Act; or, in case of the fulfillment of an agreement, call for offer for a specific service, Item b) of Paragraph (1) of Article 6 of the GDPR
Scope of the data processed: first and last name, e-mail address, phone number, and any other personal data provided by the user on a voluntary basis in connection with the given question (such disclosures may even contain sensitive data).
Duration of data processing, deadline for the erasure of data: We shall erase any such data on the 90th day after the case referred to in your query is closed, except in special cases where the Data Controller’s legitimate interest justifies the continued processing of personal data, in which case data shall be processed for the duration of the existence of the Data Controller’s legitimate interest.
The Data Controller shall transfer data to the hosting service provider Neue Medien Münnich
for the purposes of IT support.
The Data Controller shall not transfer or make accessible personal data to third parties for advertising purposes.
- Method of storing personal data, data processing security
The Data Controller’s computer systems and other data storage devices are located at its registered office and at its data processors.
The Data Controller shall select and operate the IT devices used for the processing of personal data and the provisioning of the service with the goal of ensuring that
- processed data are accessible to authorized parties (availability)
- the authenticity and authentication of processed data is provided for (authenticity of data processing)
- the integrity of processed data is verifiable (data integrity)
- processed data is protected against unauthorized access (data confidentiality).
The Data Controller shall ensure the security of data through appropriate measures, particularly as regards security against unauthorized access, modification, transfer, publication, erasure or termination, unintended termination, damage, and, furthermore, against data becoming inaccessible due to changes in the technology in use. In order to protect the data files electronically processed in the context of the Data Controller’s various records, the Data Controller shall employ an appropriate technical solution to ensure that the data stored are not directly connectible and assignable to the data subject – except where permitted by law. The Data Controller, with regard to the current state of technology, shall implement technical, managerial and organizational measures that ensure the security of data processing and provide a level of protection appropriate to the risks affecting data processing.
During data processing, the Data Controller shall provide for the following:
- confidentiality: protecting information by ensuring that only authorized parties have access;
- integrity: ensuring the accuracy and completeness of information and the data processing method;
- availability: ensuring that, when needed, authorized users are actually able to access the requested information, and that the tools needed to access such information are available.
The IT systems and networks of the Data Controller and its partners are all protected against computer assisted fraud, spying, sabotage, vandalism, fire and flood, computer viruses, computer hacking and denial-of-service attacks. The operator guarantees protection via server-level and application-level security procedures.
We hereby inform you that electronic messages transmitted via the internet are vulnerable to network-level threats which may result in unethical activities, contractual disputes or the revealing, modification of information. The Data Controller shall take all reasonable steps to protect against such threats. It shall monitor systems in order to ensure that all security issues are reported, and proof is made available whenever a security incident occurs. System monitoring also enables the verification of the efficiency of the protective measures in use.
In case of a personal data breach, the Data Controller shall be obligated to report the issue without undue delay and, if possible, within 72 hours after learning of the personal data breach to the supervisory authority competent under Article 55, except if the given personal data breach is unlikely to pose a risk to the rights and freedoms of private individuals. If the issue is not reported within 72 hours, a description of the reasons justifying the delay must also be attached.
If the personal data breach is likely to pose a high risk to the rights and freedoms of private individuals, the Data Controller shall be obligated to inform the data subject of the issue without undue delay. The Data Controller is not obligated to inform the data subject if any of the following conditions apply:
- the Data Controller has implemented appropriate technical and organizational measures and these measures were applied to the data affected by the personal data breach, particularly in the case of measures – such as the use of encryption – that make the personal data incomprehensible for unauthorized parties upon access;
- following the personal data breach, the Data Controller has implemented measures that ensure that the high risk to the data subject’s rights and freedoms is unlikely to materialize in the future;
- informing the data subject would require disproportionate effort. In such cases, data subjects are to be informed by making the information publicly available or by way of a similar measure suitable for ensuring efficient communication with data subjects.
If the Data Controller has not yet informed the data subject of the personal data breach, the supervisory authority, after evaluating the probable risk level of the personal data breach, may order the Data Controller to inform the data subject.
The website may contain links linking to or originating from the websites of our partner network and advertisers. If you follow any of the links to said websites, please note that they have their own privacy policies, for which we are not liable. Please read these privacy policies before sharing your personal data on these websites.
Do not forget that content published on any of our social media platforms will be visible to the public, so be careful when providing certain personal data, for example financial information or address data. We shall not be liable for the actions of third parties in case you publish personal data on our social media platforms, and, at the same time, we recommend that you do not share such information.
- Data transmission, data processing, external providers
- General principles
Courts, attorneys, investigating authorities, authorities with competence over misdemeanors, public authorities, the Hungarian National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, and other bodies granted legislative authority may approach the Data Controller for information, data, the communication, transfer of data, or access to documents. The Data Controller shall only share personal data with authorities at the level and to the extent strictly necessary for the realization of the outlined goals – if the given authority has specified the exact goal and the scope of relevant data.
- Data processors
Hosting service provider:
Neue Medien Münnich
Hauptstrasse 68, 02742 Friedersdorf
- External providers
External providers assisting in the login process:
The Data Controller, for the purpose of provisioning services, may cooperate with external providers providing access to applications to assist users in the registration and login processes. In the course of this cooperation, certain personal data (e.g. IP address, e-mail, login name) may be transmitted by external providers to the Data Controller and/or data processor. These external providers record, process and transmit personal data in accordance with their own privacy policies.
External providers cooperating with the Data Controller and assisting in the registration or login processes: Facebook Inc.
Web analytics and ad serving external providers:
Cookies installed by such external providers may be erased from the user’s devices at any time; using the appropriate browser settings, the use of these cookies may be altogether disabled. Cookies installed by external providers may be identified based on the domain associated with the given cookie. Web beacons, click tags and other click tracking tools may not be disabled. These external providers process the personal data transmitted to our Company in accordance with their own privacy policies.
Web analytics and ad serving external providers cooperating with the Data Controller: Facebook Inc., Google LLC.
External providers providing customized messaging services:
The Data Controller cooperates with external providers that enable the user to use certain provided services through other channels (e.g. Facebook, Messenger, Viber, etc.) also used by the same user. External providers may also collect additional data regarding the user by way of cookies, questionnaires or the user’s registration to the external providers’ websites or interfaces, which data may be used, either by themselves or when combined with other data, to identify the user. These external providers process the personal data transmitted to our Company in accordance with their own privacy policies.
Other external providers:
Certain external providers do not have a contractual relationship with the Data Controller or are purposefully avoided by the Data Controller in the context of a given data processing activity, but may otherwise have access to the website/services, and as such are able to collect data regarding the users or their activities on the websites, which data, in certain cases, can be used – either by themselves or when combined with other data collected by the given external provider – to identify the user. These external service providers include particularly, but are not limited to: Facebook Inc., Google LLC, Instagram LLC., Twitter International Company, Viber Media LLC, Vimeo INC., YouTube LLC. These external providers process the personal data they receive in accordance with their own privacy policies.
VII. Rights of data subjects
You are entitled to ask the Data Controller whether it is processing any of your personal data; if it is, you are also entitled to request access to the personal data it processes. You may request information regarding the issue by sending a registered letter or registered letter with acknowledgment of receipt to the Data Controller’s address or an e-mail to email@example.com. In order to facilitate your request, the
Data Controller may request the verification of your identity. The Data Controller shall consider your request for information to be valid if the given user can be clearly identified based on the request sent.
Information may be requested regarding the data managed by the Data Controller, the sources of such data, the purpose, legal basis, duration of data processing, the name and address of any data processors, data processing related activities, and, in case of transmission of personal data, who is the recipient and for what purpose is the data transmitted.
You are entitled to the following rights:
Your essential rights
Right of access: you are entitled to information regarding whether your personal data is being processed, and if so, you are also entitled to access said personal data and the information listed by the GDPR.
We shall not answer any obviously unsubstantiated, excessive or repetitive requests.
Right to rectification: you are entitled to have the Data Controller rectify any corresponding personal data without undue delay. Considering the purpose of data processing, you may also be entitled – including by means of providing a supplementary statement – to request the amendment of incomplete personal data.
Right to erasure/right to be forgotten: In certain cases, you are entitled to have your personal data erased. This is not an absolute right, as in certain cases (e.g. the fulfillment of legal obligations) we are entitled to retain your personal data.
Right to erasure:
You are entitled to have the Data Controller erase your corresponding personal data without undue delay; at the same time, the Data Controller, under specific circumstances, shall be obligated to erase your corresponding personal data without undue delay.
Right to be forgotten:
If the Data Controller has made a piece of personal data public and becomes obligated to erase said personal data, it shall be obligated to take all reasonable steps – including any technical measures -, with regard to the current state of technology and the costs of implementation, in order to inform the data processors processing the data in question that you have requested the erasure of links linking to such personal data and any copies or duplicates of said personal data.
Right to revoke consent at any time to data processing depending on such consent: If the processing of your data is dependent on consent, you are entitled to revoke the consent to data processing. The revocation of consent does not affect the lawfulness of data processing carried out before the revocation. For information regarding what processing of data is dependent on consent, see the provisions above.
If personal data is processed for the purposes of direct marketing, you are entitled to object to the processing of your personal data for such purposes at any time, including in the case of profiling, if carried out for a direct marketing purpose. If you object to the processing of personal data for the purposes of direct marketing, the Data Controller shall not be entitled to process such data in the future.
Right to object to data processing based on legitimate interest: If the processing of your data is based on legitimate interest, you are entitled to revoke your consent to such processing at any time. For information regarding what processing of data is based on legitimate interest, see the provisions above.
Right to lodge a complaint with a supervisory authority: you are entitled to contact the data protection authority of your country or bring the matter to court in order to lodge a complaint regarding the Company’s data protection practices. Please feel free to contact us via the contact information provided below before lodging a complaint to the competent data protection authority.
Right to data portability: you are entitled to receive a copy of your corresponding personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which you have provided the personal data in question.
Right to restriction of processing: you are entitled to request that the Data Controller restricts the processing of data if any of the following conditions apply:
– you are contesting the accuracy of personal data in which case the restriction shall apply to a period enabling the Data Controller to verify the accuracy of the personal data;
– data processing is unlawful, and you oppose the erasure of data and instead request the restriction of their use instead;
– the Data Controller no longer needs the personal data for the purposes of data processing, but you request access to such data for the establishment, exercise or defense of legal claims;
– you have objected to data processing in which case the restriction shall apply to a period enabling the Data Controller to verify whether their legitimate interests take precedence over your legitimate interests.
Many cookies are used to enhance the utility or functionality of websites/applications, thus disabling cookies may prevent access to certain elements of websites/applications.
If you would like to restrict the use of all enabled cookies (thus preventing the use of certain elements of the website), you may do so modifying the settings of your browser. To change these settings, please see the Help function of your browser. For further information, please see the following link:
Right to object: The data subject shall be entitled to object at any time, on grounds relating to its particular situation, to the processing of its personal data carried out in the public interest or in the exercise of official authority vested in the Data Controller or to the processing of its personal data for purpose of the pursuit of the Data Controller’s or a third party’s legitimate interests, except if these legitimate interests fall behind in priority to the data subject’s interests or basic rights and freedoms which necessitate the protection of personal data, including profiling performed on the legal basis of the specified provisions. In such cases to Data Controller is not entitled to continue the processing of such personal data, except if the Data Controller is able to prove that data processing is made necessary by compelling legitimate grounds which take precedence over the interests, rights and freedoms of the data subject, or is required for the establishment, exercise or defense of the Data Controller’s legal claims.
If personal data is processed for the purposes of direct marketing, the data subject shall be entitled to object to the processing of its personal data for such purposes at any time, including in the case of profiling, if carried out for a direct marketing purpose. If the data subject objects to the processing of personal data for the purposes of direct marketing, the Data Controller shall not be entitled to process such data in the future.
The Data Controller shall inform you of the steps taken as result of the above requests without undue delay, but at the latest within 1 month following the submission of the request. This deadline may be extended by an additional period of 2 months if the Data Controller informs you of the reasons for the delay within 1 month following the submission of the request. If the Data Controller has taken no steps on basis of your request, it shall be obligated to inform you without undue delay, but at the latest within 1 month following the submission of the request of the reasons for its inaction and that you are entitled to lodge a complaint to the supervisory authority and to exercise your right to judicial remedy.
VIII. Data retention
The Data Controller shall only retain your personal data for as long as necessary for the purpose for which they are recorded.
Data recorded automatically, via technical means during the operation of the system may be stored following their generation in the system for as long as required to ensure the functioning of the system. The Data Controller shall ensure that such automatically recorded data cannot be connected to other personal data – except where required by legislation.
Automatically recorded IP addresses shall be retained no longer than 7 days after their recording.
In order to fulfill certain legal or regulatory obligations, to allow for the exercising of our rights (e.g. the enforcement of our claims in court), and for statistical or precedential reasons, we may retain certain personal data for longer periods of time. If we no longer need your personal data, we shall immediately remove it from our systems and records or anonymize it to the extent that it cannot be used to determine your identity.
- Contact and legal remedies
Complaints regarding data processing may be submitted directly to the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: firstname.lastname@example.org; website: www.naih.hu); if you believe that your rights have been violated, you are also entitled to bring the issue to court. Such disputes fall within the jurisdiction of the competent court. Lawsuits may also be brought – depending on the preference of the data subject – to the court with competence of the data subject’s place of residence or habitation.
Budapest, 25 May 2018