General Data Processing Notice

1. General Provisions

The purpose of this Privacy Notice is to enable the Companies (hereinafter collectively referred to as the "Companies," "Joint Controllers," or "Controller"), acting as joint controllers as defined in point 2, to fulfill their obligation to provide prior information regarding the processing of personal data. This obligation arises from Articles 13 and 14 of the General Data Protection Regulation 2016/679/EU (hereinafter referred to as "GDPR¹)). Furthermore, the Controller provides detailed information on each specific processing operation as outlined in point 5.

In preparing this Privacy Notice, the Companies have specifically considered the following legislative provisions:

General Data Protection Regulation 679/2016/EU ("GDPR"),
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information ("Information Act"),
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services ("Electronic Commerce Act"),
Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities ("Act XLVIII"),
Act V of 2013 on the Civil Code ("Civil Code").

2. The relationship between the Joint Controllers and key features of the agreement between them

The Joint Controllers have designated WING Ingatlanfejlesztő és Beruházó Zrt. (registered office: 1095 Budapest, Máriássy utca 7.) as the contact entity for data subjects.

Website:	https://wing.hu/hu
Contact:	e-mail: info@wing.hu
Contact:	telefon: +36 1 451 4760
Data Protection Officer:	adatvedelem@wing.hu

Personal data is processed jointly (as part of joint processing) by WING Zrt. (company registration number: 01-10-042336, registered office: 1095 Budapest, Máriássy utca 7.) and the cooperating companies listed in Annex 1 to this Privacy Notice - with which you have entered or intend to enter into a contractual or legal relationship - in accordance with Article 26 of the GDPR.

The Joint Controllers for all cases are WING Zrt. and the company from Annex 1 with which you have or intend to have a contractual relationship. Together, the Joint Controllers determine the purposes and means of processing activities covered by this Notice, thus acting as joint controllers for such processing operations.

The Joint Controllers shall jointly determine the purposes and means of the processing activities covered by this Notice and shall therefore be considered as joint controllers for the purposes of carrying out the processing activities. This is because, in order to serve you as fully as possible, the joint controllers identified above shall determine among themselves the allocation of their responsibilities for the performance of their obligations in relation to the processing, in particular their responsibilities for exercising the rights of the data subject and providing information to the data subject. The data subject will not be disadvantaged since the Data Controllers will act jointly and severally, under joint and several liability, by establishing a common infrastructure, and full service will be of sole benefit to the data subject.
The Real Estate available on the website is related to different projects represented by WING Zrt. and its collaborating legal entities, thus the data processing operations related to each project are always primarily carried out by the controller involved in the project.

A detailed description of the legal relationship between the Joint Controllers - in this context, the division of responsibilities and tasks for each processing activity - is always provided in the privacy notice, which provides detailed information on the specific processing.

In order to ensure that interested data subjects who decide to contact and/or request an offer can receive information and/or offers on all relevant properties, the legal entities representing the projects will act as joint controllers of the personal data provided during the contact and/or request. The personal data collected by the Joint Controllers will be managed by a common electronic system.

Responsibility for fulfilling the obligations arising from the processing is as follows. The tasks related to the fulfilment of the obligations arising from data protection legislation are carried out by WING Zrt. as the designated contact point for the data subjects. Data subjects may exercise their rights in relation to the processing of their personal data by sending a request or a complaint to WING Zrt. (by post to 1095 Budapest, Máriássy utca 7, e-mail to adatvedelem@wing.hu ).

If the data subject wishes to withdraw or modify (restrict) his or her consent or object to the processing of his or her personal data, he or she may do so by postal mail addressed to WING Zrt.

The Joint Controllers shall jointly provide information to the data subjects on the specific processing activities.

The above sharing of responsibility for the processing of personal data between the Joint Controllers does not, of course, affect the right of data subjects to exercise their rights under data protection law in relation to and against each controller.

3. Definitions

3.1 Personal Data: it refers to any information relating to an identified or identifiable natural person (i.e., a Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

3.2 Data Processing: Data Processing encompasses any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. This includes, but is not limited to, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3.3 Controller: The Controller is a natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of processing personal data.

3.4 Joint Controller: When two or more controllers jointly determine the purposes and means of processing, they are considered Joint Controllers.

3.5 Data Subject: The Data Subject is any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data.

In the case of joint processing, the Data Subject may exercise his or her rights under this Privacy Notice in relation to and against each of the controllers. In such cases, the Data Subject may direct their request to any of the controllers, and the response or action of any controller will be considered a joint response or action of all the joint controllers.

3.6. Recipient: a natural or legal person, public authority, agency, or any other body to whom or with whom personal data is disclosed, regardless of whether they are a third party.

3.7 Transfer: Transfer refers to the making available of personal data to a specified third party.

3.8 Processor: A Data Controller is a natural or legal person who processes personal data relating to Data Subjects on behalf of the Controller, based on a written contract or other legal agreement with the Controller. Data Controllers do not make autonomous decisions regarding personal data; they are only authorized to act according to the contract or legal agreement with the Controller and the instructions they receive. For the activities described in this Privacy Notice, the identity of the Data Controllers is outlined in Section 13.

4. Principles of Data Processing

The Data Controller undertakes to fully comply with the principles outlined below and to ensure their adherence by its employees, partners, and associates, while implementing the highest level of data protection and data security rules. For the Data Controller, proper functioning in accordance with the principles specified in this section is a fundamental requirement that accompanies and permeates the entire data processing activity.

4.1 Lawfulness, Fairness, and Transparency: the Companies shall process data only lawfully, fairly and in a way that is transparent and accessible to Data Subjects.

Accordingly, the Data Controller's staff shall pay particular attention to ensuring that processing always has a legitimate legal basis (e.g. consent of the data subject, performance of a contract, performance of a legal obligation, legitimate interest of the Data Controller) and complies with the principle of fair processing, such as the absence of covert surveillance and processing that could mislead data subjects.

The Data Controller shall pay particular attention to providing all data subjects with transparent information about the processing of their data in accordance with point 5.

4.2 Purpose Limitation: The Data Controller respects that personal data may only be processed for specified, explicit and legitimate purposes and that personal data may not be processed in a way incompatible with those purposes. The Data Controller believes that the specific purposes for which personal data are processed must, in particular, be explicit and legitimate and must be specified at the time of collection of the personal data.

The Data Controller undertakes to periodically review the processing operations and, where it is determined that the purposes for which the processing is carried out no longer exist, to ensure that the processing is stopped without undue delay.

The controller will not collect (store) personal data in preparation for future use and will ensure that the processing is terminated as soon as the purpose of the processing ceases to exist.

4.3 Data Minimization: The Data Controller ensures that only the personal data strictly necessary for the purposes of processing is collected and stored. Employees are required to handle data responsibly and in alignment with this principle.

4.4 Accuracy: The Companies take all reasonable steps to ensure personal data is accurate and up-to-date. Inaccurate data is promptly corrected or deleted. Employees reconcile data periodically and update records as necessary, following the guidance of the data protection expert.

The Data Controller undertakes to take all necessary measures to ensure that its employees pay particular attention to ensure that the personal data files they process contain only accurate and correct data. To this end, they shall periodically reconcile the data with the persons identifiable in the files. All staff must follow the instructions of the data protection expert when carrying out data reconciliation.
The Data Controller undertakes that, if the data subject indicates that his/her personal data have changed or if the staff member is informed that his/her data have changed, the necessary measures will be taken to ensure that these changes are reflected in the records and databases managed, paying particular attention to the requirements of any specific regulations.

4.5 Storage limitation: Personal data is processed only for the time necessary to achieve the purposes for which it was collected unless a longer retention period is required by law. The Data Controller specifies retention periods in this Notice or relevant individual notices. Once the purpose ceases, data is erased or anonymized without delay.

The Data Controller shall specify in this notice or in specific/individual notices on each processing operation the period for which the data subjects may keep their personal data and, where this is not possible, the Data Controller shall provide information on the criteria for determining that period.

4.6 Integrity and Confidentiality: The Companies implement appropriate technical and organizational measures to ensure the security of personal data, protecting against unauthorized access, loss, or damage. Measures are designed to incorporate data protection principles from the outset of processing, balancing cost, risks, and technological feasibility.

The Controller undertakes, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of each processing operation, as well as the risks to the rights and freedoms of natural persons, the varying likelihood and severity of the risks, to take measures to incorporate data protection principles, on the one hand, and the guarantees necessary to protect the rights of data subjects and the legal requirements, on the other, into the whole process of processing, from the very beginning of the design.

4.7 Accountability: The Data Controller is responsible for demonstrating compliance with all principles outlined in this section.

The Data Controller is committed to adhering to the fundamental principles and provisions governing the processing of personal data belonging to natural persons who interact with it. The overarching aim is to safeguard the privacy and rights of these individuals in compliance with relevant legal provisions and official directives. Furthermore, the Data Controller pledges full compliance with applicable data protection laws, particularly, but not exclusively, those relevant to its operations and data processing activities. The Data Controller is especially dedicated to ensuring that data subjects can effectively exercise their rights and receive the necessary information to do so.

5. Individual Processing

For each data processing activity, the Joint Controllers fulfill their information obligations through the following structure:

General Data Processing Notice: This document outlines the common rules applicable to all processing activities conducted by the Controller. It defines the cooperating joint controllers and describes data subject rights. It also serves as the governing document for processing activities without a dedicated privacy notice, such as those related to contractual relationships.
Special Data Processing Notices: These notices provide detailed information about specific processing activities (e.g., purpose, legal basis, retention period) for particular operations, such as targeted marketing, direct marketing activities, management of office buildings, or employee data processing.
Individual Processing Notices: For processing activities conducted on a one-time or short-term basis, affecting a limited number of data subjects (e.g., a promotional campaign or one-off event), these notices detail the purpose, legal basis, retention period, and other relevant information.

Detailed information about data processing related to contractual relationships is provided in Annex 2. Please note that services under the LIVING concept are governed by separate notices, which can be found at https://living.hu/hu.

6. Legal Basis and Purposes of Processing in general

The legal basis for processing determines the lawful authority under which personal data may be processed. In compliance with Article 6 of the GDPR, the Joint Controllers rely on one or more of the following legal bases:

6.1 Consent (Article 6(1)(a) GDPR): Personal data is processed with the freely given, informed, specific, and unambiguous consent of the data subject. Consent may apply to multiple purposes simultaneously and is collected for each processing purpose individually.
Example: Data processing for targeted marketing or direct communication.

6.2 Performance of a Contract (Article 6(1)(b) GDPR): Processing is necessary to fulfill a contract to which the data subject is a party or to take steps at the data subject’s request prior to entering into a contract.
Example: Managing sale or rental agreements.

6.3 Compliance with Legal Obligations (Article 6(1)(c) GDPR): In such cases, the scope, purpose, duration, and conditions for processing are defined by the relevant legal provision.
Example: Retaining accounting records as per the Act on Accounting (Act C of 2000).

6.4 Legitimate Interest (Article 6(1)(f) GDPR): Processing is necessary to pursue the legitimate interests of the Controller or a third party, provided these interests do not override the data subject’s rights or freedoms. An interest test is conducted and made available upon request.
Example: Operating a CCTV system for asset protection.

The Joint Controllers engage in various activities, such as property sales, rentals, operations, and ancillary services. Specific purposes are detailed in relevant data processing notices but may include:

Sending targeted or direct offers related to services, products, or events.
Actions required to execute contracts, such as identifying, registering, or contacting data subjects.
Mandatory processing under applicable laws.
Asset protection, access control, and other real estate management purposes.
Website cookies for functionality, personalization, and analytics (see Cookie Policy on the website).

7. Scope of Data Processed

The scope of personal data processed depends on the relationship with the data subject and the purpose of processing:

For contracts, the data processed pertains to the contract’s subject and its requirements.
For mandatory processing, the scope is defined by law.
In all cases, data collection is limited to what is necessary (data minimization, per Section 4.3).

Details are provided in specific notices, such as those for marketing-related activities (see on the website).

8. Data Storage

Personal data is stored on servers used by the internal mail system (MS Office 365) employed by the Joint Controllers. Additional information can be found at https://www.microsoft.com/hu-hu/trust-center/privacy/data-location.

If contractual details are recorded, data is stored on WING Zrt.’s servers ((1095 Budapest, Máriássy utca 7.).

9. Period of retention of Data

As a general rule, the duration of each data processing is adapted to the legal basis used as follows, but may be different from the provisions of the specific/individual data processing prospectus. In the latter case, it will also be determined in the light of the principle of storage limitation (point 4.5).

9.1 In the case of processing based on consent, the Data Controller shall process personal data until the Data Subject's consent is withdrawn or, failing this, for a period of time reasonably necessary for the purposes of the processing.

9.2 In the case of a legal basis for performance of a contract, the Controller shall actively process the personal data until the termination of the contractual relationship in question, after which it shall store the personal data for 8 years from the date of termination.

9.3 In the case of mandatory processing, processing shall take place until the expiry of the relevant statutory period.

9.4 The retention period of personal data processed by the Controller on the basis of a legitimate interest shall be adapted to the existence of the legitimate interest and the time limit for the enforcement of that interest.

After the expiry of the specified period, the personal data shall be deleted unless otherwise requested by the data subject or requested/decided by a public authority.

10. Data Access and Transfers

The data may primarily be accessed by the Companies or their employees who are responsible for supporting the conclusion of contracts, providing services, and handling customer relations.

In the event of a transfer of personal data, the personal data held by the Data Controller about the data subject will be transferred to one (or more) recipient(s), which may be a natural or legal person, public authority, agency, or any other body.

The recipient of the transfer may be a third party external to the Data Controller, but the transfer may also occur within the organization of the Data Controller and between Joint Controllers as specified in point 2 of this Notice.

The transfer is contingent upon the Data Controller having a lawful basis for the transfer, meaning that the transfer may be based on the data subject's consent, the fulfillment of a legal obligation, or one of the other legal bases outlined in Article 6(1) of the GDPR.

If the recipient of the transfer is located in a third country, the Data Controller will ensure an adequate level of protection as per Article 44 of the GDPR, by implementing the safeguards set forth in Chapter V of the GDPR. The Data Controller will also provide detailed information in the specific/individual privacy notice for that particular processing.

11. Processing

The Data Controllers may employ Processors to assist in providing their services.

The recipients of data transfers include these Processors. When processing activities are delegated to a Processor, the Controller ensures that only Processors offering sufficient guarantees of compliance with GDPR requirements and implementing appropriate technical and organizational measures are engaged. Such processing is regulated through a contract or other legal arrangement (e.g., internal regulations) between the Controller and the Processor.

The names and roles of the Processors involved in specific processing activities are detailed in the respective privacy notices for each processing operation. Regularly engaged Processors include:

NEO Property Services Zrt. (1095 Budapest, Máriássy utca 7.) – Real Estate Management Services
Microsoft Co. (Redmond, Washington, USA) – Mail Service Provider
Mailchimp (675 Ponce de Leon Avenue NE, Suite 5000 Atlanta, GA 30308, USA) – Newsletter Distribution
Linemedia Kft. (1141 Budapest, Komócsy utca 29-31. Building C, 1st Floor, 1.) – Website Hosting and Development
WEBSTATION Computer, Trade, and Service Provider Ltd. (1034 Budapest, Makovecz Imre utca 23.) – Storage Services
Origami-Europe Kft. (2081 Piliscsaba, Ráczvölgy utca 27.) – Website Maintenance
Dialogue Creatives Kft. (1036 Budapest, Lajos utca 48-66. E Building) – Website Maintenance
Goodwill Communications Kft. (1061 Budapest, Andrássy út 29. 2/8.) – Website Maintenance
ti:me Reklámügynökség Kft. (1051 Budapest, Vigyázó Ferenc u. 4.) – Website Maintenance

The Data Controller may engage Sub-processors as necessary, under the oversight of the Data Controller. Sub-processors must comply with the Controller’s instructions, refrain from making independent decisions regarding the data, and process the data strictly for the purposes determined by the Controller. Processors are also required to store and retain personal data in compliance with the Controller’s provisions.

12. Data Security

Data processing operations are designed and executed in a manner that ensures the protection of the data subject's privacy in compliance with the GDPR and other applicable data processing regulations.

We ensure data security by implementing necessary technical and organizational measures and establishing procedural rules to enforce the GDPR and other relevant data protection laws.

In particular, we take appropriate steps to safeguard data from unauthorized access, alteration, disclosure, transmission, deletion, or destruction, accidental loss or damage, and from inaccessibility due to technological changes.

To guarantee the security of your personal data, we have implemented both internal organizational procedures and state-of-the-art technical measures, including but not limited to the following:

Access to personal data is determined based on internal authorization procedures, with only those employees granted access to the data who require it for their specific duties. Access is limited to the data necessary for their tasks.
Access to systems and devices containing or storing personal data is granted only through authentication via user ID and password.
To protect data on idle computers, we use screen savers that require password entry after a set period of inactivity and can be locked manually.
Internal rules on password security are enforced, covering password length, complexity, and the frequency of required changes.
Firewalls are deployed to prevent unauthorized access from external sources, such as the internet.
Access to data processing systems and workstations is logged for security and audit purposes.
Remote access through the (SSL) VPN gateway is logged to ensure secure connections.
Any granting or modification of access permissions is logged for accountability and traceability.

13. Rights of Data Subjects

The primary purpose of this section is to provide information about your rights and remedies concerning your personal data. The Data Controller is obligated to make this information available to you, depending on the legal basis for the data processing.

The table below clarifies the relationship between the data subject's rights and the corresponding legal basis for processing. This ensures transparency and helps you understand the specific rights you may exercise based on the legal justification for the processing.

	Preliminary information	Access	Rectification	Erasure	Restriction	Data portability	Objection	Withdrawal of consent
Consent	✔	✔	✔	✔	✔	✔	✖	✔
Fulfilment and preparation of contract	✔	✔	✔	✔	✔	✔	✖	✖
Legal obligation	✔	✔	✔	✖	✔	✖	✖	✖
Vital interest	✔	✔	✔	✔	✔	✖	✖	✖
Public duty, authority	✔	✔	✔	✖	✔	✖	✔	✖
Legitimate interest	✔	✔	✔	✔	✔	✖	✔	✖

Given that the Joint Controllers have appointed WING Zrt. as the primary contact point, the data subject may primarily exercise the rights outlined in this Privacy Notice through the Data Controller appointed as the contact point. The response or action taken by WING Zrt. will be considered a joint response or action of the Joint Controllers. However, the Data Subject is still entitled to exercise their rights under data protection law with respect to and against each of the Data Controllers.

Requests for enforcement may be made through any available contact channel of the Controller. For administrative convenience, we recommend that requests be sent to adatvedelem@wing.hu.

It is important to note that, in order to protect your rights, the Data Controller is obligated to verify that the request originates from a person entitled to exercise the rights of the data subject. If there is any doubt, the identity of the data subject must be verified. Therefore, the exercise of the data subject's rights is contingent upon the successful identification of the data subject.

The Data Controller will inform the Data Subject of the action taken in response to the request without undue delay, and at the latest, within one month of receiving the request to exercise the rights outlined in this section. If necessary, taking into account the complexity of the request and the volume of requests, this timeframe may be extended by an additional two months. The Data Controller will inform the Data Subject of the extension, stating the reasons for the delay, within one month of receiving the request. If the request is made electronically, the Controller will provide the information by electronic means, where possible, unless otherwise requested.

If the Controller does not take action on the request, the Data Controller will inform the Data Subject without delay and at the latest within one month of receiving the request, providing the reasons for the failure to act and the available remedies.

The information provided in response to requests concerning the rights outlined in this section and the execution of the request will be provided by the Controller free of charge. However, the Data Controller may charge a reasonable administrative fee for complying with a request if it is deemed manifestly unfounded or excessive, particularly due to its repetitive nature, or may refuse to act on the request.

13.1 Right to Information

The data subject has the right to obtain, without a specific request, information regarding the facts and circumstances surrounding the processing of their personal data.

a) Where the personal data are collected directly from the data subject by the Controller, the Controller shall provide detailed information in specific/individual privacy notices related to the activity or service involved in the processing. This information will be in addition to what is provided in this Notice and will include the content set out in Article 13 of the GDPR. The Controller will provide this information at the time of obtaining the personal data.

b) If the personal data are not collected directly from the data subject, the information provided will be supplemented with the following (as per Article 14 of the GDPR):

the source of the personal data;
the categories of data processed.

The Data Controller shall provide the information specified above to the data subjects within a reasonable period of time from the date of obtaining the personal data, but no later than one month. If the personal data is being used to contact the data subject, the information shall be provided at least at the time of the first contact. If the data are likely to be disclosed to other recipients, the information shall be provided at the latest at the time of the first disclosure.

The information must be provided to the data subjects no later than one month from the date the personal data is obtained, and the time limits set out above should be understood as being within that one-month period.

The Joint Controllers intend to fulfill this obligation by issuing and continuously updating the privacy notice related to the processing of personal data. These notices are available in paper format at the Controller's headquarters and on the Controller's website. Upon request, the Controller will send the relevant information to the data subject via the email or postal address provided by the data subject.

13.2 Right of Access by the Data Subject

Data subjects have the right to request information on the processing of their personal data. The Controller shall provide information about:

The purposes of processing;
Categories of personal data processed;
Recipients or categories of recipients;
Details of transfers to third countries, including safeguards under Article 46 of the GDPR;
Legal bases for processing;
Duration of processing or the criteria for determining it;
Sources of indirectly collected data;
Data subject rights and how to exercise them;
Automated decision-making or profiling, if applicable, including their significance and potential effects.

The Data Controller shall, upon request, provide the data subject with a copy of the personal data that is the subject of the processing. If the data subject submits the request via electronic means, the information will be provided in a commonly used electronic format, unless the data subject requests it in another format.

The Data Controller will fulfill the data subject's initial request without charging a fee. However, if the data subject requests additional copies, the Controller reserves the right to charge a reasonable fee based on the administrative costs and additional expenses incurred in fulfilling the request.

If providing the requested information could negatively impact the rights and freedoms of others, or if it is necessary to restrict the data subject's rights due to legal requirements, legal obligations, or international treaties, or when special processing operations are involved (such as those related to national security, state security, defense, criminal investigations, or the investigation of ethical or disciplinary offenses), the Data Controller may restrict or refuse to provide the information. Such restrictions will be based on the principles of necessity and proportionality.

13.3 Right to Rectification

The data subject has the right to request the rectification of any personal data processed by the Controller that the data subject considers inaccurate. This rectification shall be carried out without undue delay. Additionally, if the data subject believes that the personal data processed by the Controller is incomplete, they have the right to request the completion of such data, assessed in relation to the purposes of the processing.

If the personal data processed by the Controller is found to be inaccurate, incorrect, or incomplete, the Controller shall rectify, correct, or complete the data upon the data subject's request without undue delay, unless a legal obstacle prevents such action.

The Data Controller may, at their sole discretion, rectify personal data without the data subject's request when the circumstances requiring rectification are identified by the Controller. If the personal data is found to be inaccurate and the Controller has access to the correct data, the Controller shall rectify the data even without the data subject’s request. In such cases, the Controller shall notify the data subject, the Processor (if applicable), and the recipient of the original data, in writing, about the rectification. The Controller will also inform the relevant parties (Processor or other controllers) where necessary about the need for the rectification.

The Data Controller is exempt from the obligation to rectify, specify, or complete the data if the correct, accurate, or complete personal data is not available to the Controller, and the data subject does not provide such data, or if the accuracy of the personal data provided by the data subject cannot be confirmed beyond reasonable doubt.

13.4 Right to Erasure ("Right to Be Forgotten")

The Data Controller shall delete personal data without undue delay upon the Data Subject’s request under specific conditions:

(a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) The data subject has withdrawn their consent, provided there is no other legal basis for further processing;
(c) The data subject objects to the processing and the Controller has no overriding legitimate grounds for continuing the processing;
(d) The personal data have been unlawfully processed;
(e) The personal data must be erased to comply with a legal obligation under EU or member state law to which the Controller is subject;
(f) The personal data were collected directly in connection with the provision of information society services to children, without the consent of the holder of parental responsibility.

Where the Controller has disclosed the personal data and is under an obligation to erase it, the Controller shall take reasonable steps, including technical measures, considering the available technology and the cost of implementation, to inform other controllers processing the data that the data subject has requested the erasure of links to or copies of the personal data in question. These steps shall ensure that other controllers are informed of the data subject's request to erase the relevant personal data, in accordance with the erasure obligation.

However, the right to erasure is subject to limitations, including:

(a) The exercise of the right to freedom of expression;
(b) The exercise of the right to be informed;
(c) Compliance with an obligation under EU or member state law applicable to the Controller;
(d) For the establishment, exercise, or defense of legal claims (e.g., personal data are needed as evidence in proceedings);
(e) For a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(f) Public interest in the field of public health;
(g) In the case of processing personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the data subject's right to erasure would, if the request for erasure were complied with, likely render impossible or seriously impair this type of processing.

Where the data subject provides the Controller with personal data that are not necessary for the purposes of processing, the Controller shall return the storage medium (e.g., a form) containing the personal data to the data subject, with reasoning. Exceptions to this rule may be made if the return would impose a disproportionate burden and cost. In such cases (e.g., data stored in an electronic system), the Controller shall erase or destroy the data.

Where the processing of personal data is based on the legal basis of the data subject's consent and the data subject withdraws their consent to the processing, the Controller shall cease processing (erase the data). This shall not affect the lawfulness of the processing prior to the withdrawal of consent.

13.5 Right to Restriction of Processing

The data subject shall have the right to obtain, upon request, the restriction of access to personal data by the Controller where one of the following conditions applies:

(a) The Controller no longer needs the personal data for the purposes for which they were intended to be processed, but the data subject requires them for the establishment, exercise, or defense of legal claims;
(b) The data subject contests the accuracy, correctness, or completeness of the personal data processed by the Controller or the Processor, and the accuracy, correctness, or completeness of the personal data cannot be established beyond reasonable doubt. In such a case, the data subject may request the restriction of the processing of personal data until the doubts have been resolved;
(c) The processing is unlawful for any reason, but the data subject opposes the erasure of their personal data and instead requests the restriction of its use;
(d) The data subject has objected to the processing pursuant to Article 21 (1) of the GDPR, in which case the restriction shall apply until it is determined that the legitimate grounds and interests of the Controller override the legitimate grounds and interests of the data subject.

13.6 Right to Data Portability

The data subject shall have the right to receive personal data relating to him or her, which the data subject has provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on the data subject's consent or on a contract with the data subject, and the processing of the personal data is carried out by automated means.

In exercising this right, the data subject shall have the right to request, where the legal and technical conditions are met, the direct transfer of the personal data relating to him or her, which he or she has provided, between controllers.

The data subject acknowledges that the exercise of the right to data portability shall not infringe the right to erasure, shall not adversely affect the rights and freedoms of others, and shall not be used where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In fulfilling a request to exercise this right, the Controller shall make personal data available to the data subject in a transparent manner and shall endeavor to use a file format indicated by the data subject that allows software applications to easily identify the individual data contained therein.

13.4 Right to Object

Where personal data is processed based on the legitimate interests of the Controller, the data subject has the right to object, at any time, on grounds related to their specific situation, to the processing of their personal data, including profiling.

In such cases, the Controller must limit processing until the data subject demonstrates compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject, including those related to the establishment, exercise, or defense of legal claims.

However, exceptions apply to processing for marketing purposes and targeted inquiries. In these cases, the data subject's objection will automatically result in the cessation of such processing.

The data subject may also object to the processing of their personal data for scientific, historical, or statistical research purposes, unless the processing is essential for performing a task in the public interest (Article 89(1) GDPR).

13.5 Right to Withdraw Consent

The data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the processing that occurred prior to withdrawal. The Controller informs the data subject that the withdrawal will not have retroactive effect and will apply only to future processing.

Where applicable, the Controller will erase or anonymize personal data related to the data subject once consent is withdrawn.

In accordance with Article 5(2) of the GDPR, the Controller will process any prior consent until the end of the general limitation period (five years) from the withdrawal date to comply with the burden of proof requirements.

13.6 Right to Object to Automated Decision-Making (including Profiling)

The data subject has the right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect them.
However, this right does not apply if the decision is:

(a) Based on the explicit consent of the data subject;
(b) Necessary for entering into, or performance of, a contract between the data subject and the Controller;
(c) Permitted by EU or member state law applicable to the Controller, which also ensures appropriate safeguards for the rights and freedoms of the data subject.

14. Binding Nature and Modification of the Privacy Notice

The Joint Controllers are committed to processing personal data in accordance with the provisions outlined in this notice.

The Joint Controllers reserve the right to amend this notice at any time by unilateral decision.
In the event of any modification, the data subject will be informed by appropriate means (e.g., newsletter, website notice). By continuing to use the service, the data subject acknowledges the updated data processing rules, with no further consent required.

If modifications significantly affect the purpose, duration, quantity, or type of data processed, the data controllers will obtain specific consent from the data subjects for the additional processing.

15. Remedies

Before initiating judicial or administrative proceedings, the data subject is encouraged to send a request or complaint to the Controller regarding the processing of their personal data, so it can be investigated and, where appropriate, addressed.

Data Controller

The data subject can exercise their rights by:
(a) Mailing to: 1095 Budapest, Máriássy utca 7;
(b) Sending an email to: adatvedelem@wing.hu

If the form or content of the request does not clearly indicate the purpose of the request, but the data subject’s complaint relates to the processing, and it cannot be classified as a request enforcing one of the data subject’s rights, the Controller will treat it as a complaint.

The Controller will inform any recipient to whom personal data has been disclosed about any rectification, erasure, or restriction of processing, unless this is impossible or would involve disproportionate effort. The data subject can request information about these recipients.

If the data subject disagrees with any decision of the Controller or if the Controller fails to meet any applicable time limits, the data subject may lodge a complaint with the following authority:

Authority

National Authority for Data Protection and Freedom of Information
(a) www.naih.hu
(b) Email/receiving address: ugyfelszolgalat@naih.hu
(c) Office gateway: NAIH; KR ID: 429616918
(d) Address: 1055 Budapest, Falk Miksa utca 9-11.

The data subject has the right to file a complaint with the Authority if they believe their personal data is being processed unlawfully or if there is a risk of legal harm. The investigation by the Authority is free of charge, and the costs are borne by the Authority. No disadvantage will result from notifying the Authority. The identity of the notifier may only be disclosed by the Authority if the investigation would not be possible without it. If the notifier so requests, the Authority may not disclose his identity even if the investigation cannot be carried out without it.

Court of Justice

The data subject may also seek recourse in court if their rights have been infringed. Generally, the competent court is that of the location where the Controller is established, but the data subject may choose to bring the case before the court in the jurisdiction where they reside or are domiciled. The court must prioritize the case.

Any individual who suffers pecuniary or non-pecuniary damage due to a GDPR breach may claim compensation from the Controller or Processors. If the Controller unlawfully processes personal data or breaches data security, the data subject may seek damages.

The Controller may be exempt from liability if the damage was caused by an unforeseeable event outside the scope of the processing, for which the Controller is not responsible. No compensation will be provided for damage caused by the data subject's own intentional or grossly negligent conduct.

16. Personal Data Relating to Children and Third Parties

The consent or subsequent approval of the legal representative (parent) is not required for the validity of a legal declaration of consent by a minor aged 16 or over in relation to online information society services. However, a minor data subject under the age of 16 may not provide personal data about him/herself unless he/she has received a statement of consent from his/her legal representative (parent).

The Data Controller will consider the consent of the legal representative to be given when using the website. By providing personal data, you declare and warrant that you will act in compliance with the above and that your capacity to act is not limited in relation to the provision of personal data and information.

If you are not legally entitled to provide any personal data on your own, you must obtain the consent of the third parties concerned (e.g., legal representative, guardian, or other person on whose behalf you are acting) or provide another legal basis for the provision of the data. In this context, you must consider whether the consent of a third party is required in connection with the provision of the personal data in question, for which the Controller is not liable. The Controller is entitled to verify at any time whether the appropriate legal basis for processing personal data is available, and the Controller is entitled to request your authorisation and/or the appropriate consent of the data subject in relation to the matter in question, if you are acting on behalf of a third party.

We will use all reasonable endeavours to delete any information that has been unlawfully provided to us and will ensure that such information is not disclosed to or used by others (whether for advertising or other purposes).

Please let us know immediately if you become aware that a child has unauthorisedly provided personal information about you or a third party.

17. Miscellaneous Provisions

The Controller publishes the current version of this Privacy Notice on the wing.hu website and makes a hard copy available at its headquarters.

This Privacy Notice and its contents are protected by copyright, which is owned by the Controller. The content may only be used with the Controller's prior written consent. By accepting this Notice, users agree to use the website ethically and not for data collection purposes.

This Privacy Policy is governed by Hungarian law. In cases not addressed by this policy, the GDPR and other Hungarian regulations apply.

Annex 1:

Company name	Registered Seat
AA2:B4893 Property Korlátolt Felelősségű Társaság	1095 Bp., Máriássy u. 7.
Airport City Kft.	1095 Bp., Máriássy u. 7.
ANDRÁSSY PALOTA Kft.	1095 Bp., Máriássy u. 7.
ANGOL PROPERTY Kft.	1095 Bp., Máriássy u. 7.
ASPECTUS ARCHITECT Zrt.	1095 Bp., Máriássy u. 7.
AURORA Alapok Alapja	1095 Bp., Máriássy u. 7.
Báthory Utca Kft.	1095 Bp., Máriássy u. 7.
Borvidék Kft.	1095 Bp., Máriássy u. 7.
RPORT COURT Kft	1095 Bp., Máriássy u. 7.
BULWIN Kft.	1095 Bp.; Máriássy u. 7.
BUILDWING Ingatlanfejlesztő Korlátolt Felelősségű Társaság	1095 Bp., Máriássy u. 7.
EAST GATE BUSINESS PARK Kft.	1095 Bp., Máriássy u. 7.
ECOSERWING Kft.	1095 Bp., Máriássy u. 7.
ECOTRANS INGATLAN Kft.	1095 Bp., Máriássy u. 7.
EURÉKA PARK Kft.	1095 Bp., Máriássy u. 7.
Gladiátor Ingatlan Kft.	1095 Bp., Máriássy u. 7.
GLADIÁTOR Befekt. Alapkezelő Zrt.	1095 Bp., Máriássy u. 7.
Gladiátor I. Ingatlan Befektetési Alap	1095 Bp., Máriássy u. 7.
Gladiátor II. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
Gladiátor III. Ingatlan Befektetési Alap	1095 Bp., Máriássy u. 7.
Gladiátor V. Alapok Alapja	1095 Bp., Máriássy u. 7.
Gladiátor VI. Ingatlan Befektetési Alap	1095 Bp., Máriássy u. 7.
Gladiátor VII. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
Gladiátor VIII. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
GOLUX-Invest Kft.	1095 Bp., Máriássy u. 7.
KÖNYVESPARK Kft.	1095 Bp, Máriássy u. 7.
KRAOT Kft.	1095 Bp., Máriássy u. 7.
LIVING I. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING II. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING III. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING IV. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING V. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING VI. Ingatlanfejlesztő Befektetési Alap	1095 Bp., Máriássy u. 7.
LIVING Alapok Alapja	1095 Bp., Máriássy u. 7.
LIVING-Service Szolgáltató Korlátolt Felelősségű Társaság	1095 Bp., Máriássy u. 7.
LIVING-Szabolcs Ingatlanfejlesztő Korlátolt Felelősségű Társaság	1095 Bp., Máriássy u. 7.
Magnum Hungaria Invest Kft.	1032 Bp., Bécsi út 154.
Medius Tours Kft.	1095 Bp. Máriássy u. 7.
MEVINVEST Kft.	1095 Bp., Máriássy u. 7.
ParkWest 2 Kft.	1095 Bp., Máriássy u. 7.
PARK WEST Four Kft.	1095 Bp., Máriássy u. 7.
PW3 Kft.	1095 Bp., Máriássy u. 7.
Property Service Kft	1095 Bp., Máriássy u. 7.
PROPWIN Kft.	1095 Bp. Máriássy u. 7.
REALWINGEST Kft.	1095 Bp., Máriássy u. 7.
S-HOTEL Kft.	1095 Bp., Máriássy utca 7.
Skylight City Kft	1095 Bp., Máriássy u. 7.
TCW ARRABONA Kft.	1095 Bp., Máriássy u. 7.
TCW HONVÉD IRODAHÁZ Kft.	1095 Bp., Máriássy u. 7.
TCW Liget Kft.	1095 Bp., Máriássy u. 7.
TCW Zrt.	1095 Bp., Máriássy u. 7.
TSZ DEVELOPMENT Kft.	1095 Bp., Máriássy u. 7.
URBAN CONSTRUCT Kft.	1095 Bp., Máriássy u. 7.
V45 Kft.	1095 Bp., Máriássy u. 7.
WINASSET Kft.	1095 Bp, Máriássy u. 7.
WINCENTER EUROPE Kft.	1095 Bp., Máriássy u. 7.
WINDEVELOP PROJEKT Kft.	1095., Bp. Máriássy u. 7.
WINMEGA Kft.	1095 Bp., Máriássy u. 7.
WINSZERIM Kft.	1095 Bp., Máriássy u. 7.
WINERSZ-ING Kft.	1095 Bp., Máriássy u. 7.
WINTSZ Kft.	1095 Bp., Máriássy u. 7.
WINHUN PROJEKT Kft.	1095 Bp.; Máriássy u. 7.
WING Zrt.	1095 Bp., Máriássy u. 7.
WING INTERNATIONAL Zrt.	1095 Bp., Máriássy u. 7.
WING IHC Zrt.	1095 Bp., Máriássy u. 7.
WINGEUROPE Zrt.	1095 Bp., Máriássy u. 7.
WINGLINE Kft.	1095 Bp., Máriássy u. 7.
WINLOFT Kft	1095 Bp., Máriássy u. 7.
WINGHOLDING Zrt.	1095 Bp., Máriássy u. 7.
WINGUEST Kft.	1095 Bp., Máriássy utca 7.
WINGPROP Zrt.	1095 Bp., Máriássy u. 7.
WINGSERVE Kft.	1095 Bp., Máriássy u. 7.
WINHOST Kft.	1095 Bp., Máriássy u. 7.
WINHUB Ingatlan Kft	1095 Bp., Máriássy u. 7.
WINPORT Kft.	1095 Bp., Máriássy utca 7.
WINWAVE Kft.	1095 Bp., Máriássy u. 7.
WINSZIM Kft	1095 Bp., Máriássy u. 7.
WINPARK PROJEKT Kft.	1095 Bp., Máriássy u. 7.
WINWORKER Kft.	1095 Bp. Máriássy u. 7.
WIPNORG Kft.	1095 Bp., Máriássy u. 7.
WPROPA CENTER Kft.	1095 Bp., Máriássy u. 7.
WPR Alfa Kft.	1095 Bp., Máriássy u. 7.
WPR MÉDIA Kft.	1095 Bp., Máriássy u. 7.
WPR Quartus Kft.	1095 Bp., Máriássy u. 7.
WPR PORT Kft.	1095 Bp., Máriássy u. 7.

Annex 2:

Data processing relating to contracts:

PURPOSE	CATEGORIES OF PROCESSED DATA	LEGAL BASIS	RETENTION PERIOD
Preparation, conclusion, and performance of a contract between the contracting parties²	Data necessary for identification (name), specimen signature, job title (probable right to be representative), contact details (e-mail address, telephone number).	The Data Controller’s legitimate interest in proper contractual communication and administration [Article 6(1)(f) GDPR].	Until the termination of the contract.
Preparation, conclusion, and performance of the contract between the contracting parties.³	Identification data (name, mother’s name, date and place of birth), contact data (e-mail address, telephone number, notification address), billing data (e.g., tax identification number, bank account number), signature.	Steps to be taken at the request of the data subject prior to the conclusion of the contract [Article 6(1)(b) GDPR].	Until the termination of the contract.
Appropriate settlement of claims arising from the contract after termination.	Categories of personal data as defined in the previous points.	The legitimate interest of the Controller in the establishment, exercise, and defense of its legal claims arising from the contractual relationship [Article 6(1)(f) GDPR].	From the termination of the contract until the end of the general limitation period (5 years) under Act V of 2013 on the Civil Code.
Compliance with the provisions of Act C of 2000 on Accounting (Accounting Act).	Personal data included in the document that constitutes an accounting document under the Accounting Act.	Fulfillment of the legal obligation set out in paragraph 169 (2) to (3) of the Accounting Act [Article 6(1)(c) GDPR].	Until the end of the retention period (8 years) as defined by the Accounting Act.
Carrying Out Customer Due Diligence Measures in Relation to Potential Tenants/Customers	Categories of data as defined in paragraphs 7-11 of the Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML Act).	Compliance with the legal obligation provided for in Articles 7 to 11 of the AML Act. [Article 6(1)(c) GDPR].	8 years (10 years in the cases specified in the AML Act) from the termination of the contractual relationship in accordance with the AML Act (AML Act 56-59 § ).

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

² During the contracting process, the Data Controller and its contractual partner(s) (collectively referred to as the "Contracting Party(ies)") are considered joint data controllers with regard to the processing of personal data of natural persons designated as contact persons in the contract between them, who are authorized to represent and assist in the performance of the contract.

³ The data subject of the processing of data relating to the contracting process is the natural person contractual partner of the Data Controller