Privacy notice

  1. Introduction

Gordon & Webster Consultancy and Investment Ltd. (Registered office: 1012 Budapest, Márvány u. 18., Hungary, Company Registration No.: 01-10-043484, Tax No.: 12228863-2-13, hereinafter referred to as “Data Controller”), as Data Controller, is subject to the provisions of the Hungarian Data Protection Act of 2011 on the right to information self-determination and freedom of information. CXII of 2011 (hereinafter referred to as the “Information Act”), the Data Controller, on the basis of Article 20 (1) and (2) of the Act on Information Freedom of Information and Privacy (hereinafter referred to as the “Information Act”), hereby publishes this Data Management Notice (hereinafter referred to as the “Data Management Notice”), which describes the principles of data management that the Data Controller acknowledges as binding. The Data Controller shall take all measures reasonably necessary to ensure the security of the personal data it processes.

In the Data Management Notice, the Data Controller shall inform the data subjects in a clear and detailed manner of all relevant facts concerning the processing of the data.

Gordon & Webster Zrt. as a consultancy firm provides services to its Clients on the basis of service agreements concluded.

By reading this Privacy Policy, the Customer agrees that the Data Controller may process his/her personal data within the framework of this Privacy Policy, in accordance with the applicable Hungarian legislation, and use it to the extent, in the manner and for the duration set out in this document.

This Privacy Notice covers the data obtained and processed in the course of the relationship, which is necessary for the use of the service. This Privacy Policy is published by Gordon & Webster Ltd. on its website https://www.gordon-webster.com/ (hereinafter referred to as the “Website”). Gordon & Webster Zrt. may unilaterally amend this Privacy Policy.

The current version of this Privacy Policy is available on the Gordon & Webster Zrt. Gordon & Webster Zrt. will inform its Clients of any changes to the Privacy Policy 15 days before the date on which the changes to the Privacy Policy enter into force. In the event of an amendment to the prospectus, Gordon & Webster Zrt. will provide its customers with the opportunity to withdraw their consent or to have their data amended or deleted in whole or in part within 30 days of the publication of the notice of amendment.

b. Concepts

The terms used in this notice shall have the following meanings:

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, storage, alteration, use, disclosure

Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data

Data Subject: a natural person who is or may be identified on the basis of the data; a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, online identifier

Data/ Personal data: any information relating to the data subject

  1. Legal basis for processing

The legal basis for the processing of personal data is the Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information. (Infotv.) and Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing. The purpose of the processing of data is to enable the Customer to use the services provided by the Data Controller and to enable the Data Controller to perform the services.

The provision of the data is voluntary, the Customer is not obliged to give his consent to the processing of the data, however, he acknowledges that the contract will be terminated if he fails to provide the specified data.

The Data Controller may process the data collected for the purpose of complying with a legal obligation to which it is subject, or for the purposes of the legitimate interests pursued by the Data Controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject’s consent, unless otherwise provided by law.

  1. Scope of the data processed

Gordon & Webster Zrt. processes personal data solely for the purpose of providing services to the customer. Taking into account this principle, Gordon & Webster Zrt. processes the following data during the period of data processing:

Data Nature Purpose and reason for processing

Purpose and purpose of use

Purpose and purpose of the use of the service

The purpose of the data processing is to carry out the qualification procedure required by the internal regulations of Gordon & Webster Zrt. and to complete the security screening processes within the framework of this procedure.

(e.g. counter terrorism and money laundering)

Tax identification number Mandatory

Name at birth Mandatory

Nationality Mandatory

Place and date of birth Mandatory

Mother’s maiden name Mandatory

Type and number of identity document Required

Address Conditionally required

In the case of the client organisation (legal person or unincorporated organisation)

Name and abbreviated name Mandatory Qualification procedure

Conducting the qualification process required by Gordon & Webster Ltd’s internal rules and regulations and completing the security screening process.

(e.g. counter-terrorism and anti-money laundering)

Headquarters Mandatory

In the case of a foreign head office, branch in Hungary if there is one Strictly necessary

Main activity Mandatory

Names, titles of authorised representatives Mandatory

Identifying information of the person authorised to act as agent for the delivery of the goods Mandatory

Company registration number Mandatory

For the beneficial owner

Name Mandatory Qualification procedure

Conduct the qualification process required by Gordon & Webster Ltd’s internal rules and regulations and complete the security screening process.

(e.g. counter-terrorism and anti-money laundering)

Name of birth Mandatory

Nationality Mandatory

Place and date of birth Mandatory

Address Mandatory

Nature and extent of ownership interest Mandatory

Declaration by the beneficial owner of a prominent public figure Mandatory

The Controller does not assume any responsibility for the accuracy of the personal data processed! The responsibility for the personal data provided lies solely with the Customer or the person acting on his behalf.

In order to comply with Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, the Company shall make a copy of the personal data.

e. Electronic mail

The basic data for customer communication with the customer are e-mail address and telephone number, which must be provided by default.

Please be informed that the e-mail address provided will not be used by the Data Controller to send marketing e-mails. The sole purpose of recording the e-mail address is for contact, administration, document and data transmission.

  1. Data processing, data transfers, data processors and their outsourced processing tasks

Gordon & Webster Zrt. (Registered office: Terrapark, 1012 Budapest, Márvány u. 18., Hungary, Company registration number: 01-10-043484, Tax number: 12228863-2-13, hereinafter referred to as “Controller”), as Data Controller, is the person entitled to process and process personal data. The personal data to be processed may be known to the respective legal representative(s), employees/agents/contractors of the Controller. The Data Controller shall not transfer personal data to third parties, except with the express consent of the data subject.

The Data Controller shall not sell, rent or in any way make available personal data or information relating to the Customer to any other company or individual, except for the provision of data necessary to fulfil accounting obligations.

The Data Controller shall ensure the appropriate security of the data to the extent that it can be expected to do so, and shall take the technical and organisational measures necessary to ensure the enforcement of data protection rules and principles and to facilitate the security of personal data.

g. Duration of Data Processing

The Data Controller shall process personal data provided on the basis of the User’s consent until the purpose of the processing is achieved, and thereafter for the period necessary to fulfil the requirements of Article 6 (5) of the Data Protection Act, or until the Employee’s consent is withdrawn. Gordon & Webster Zrt. is entitled to process the personal data on the basis of Section 6 (5) of the Infotv. within the scope specified therein, even after the withdrawal of consent.

Unless otherwise provided by law, the Data Controller may process the personal data collected a) for the purpose of complying with a legal obligation to which it is subject, or b) for the purposes of the legitimate interests of the Data Controller or of a third party, if the exercise of such interests is proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the consent of the data subject.

The Data Controller shall retain and process the personal data provided by the Customer for the purpose of fulfilling the accounting obligations pursuant to Section 169 of Act C of 2000 for a period of 8 years or within the limitation period set forth in Act XCII of 2003 on the Rules of Taxation.

  1. Processing of data of employees of Gordon & Webster Zrt.

Data processing may also be carried out in the employment relationship on the basis of a legal authorisation (tax, social security legislation) or on the basis of the prior and voluntary consent of the data subject. The employee may only be asked to make a statement or provide data which does not infringe his/her right to privacy (1) and which is relevant for the establishment, performance or termination of the employment relationship (2). The latter is the equivalent of the purpose limitation of data processing under employment law. If either of these conditions is not met, no lawful processing can take place.

In the context of the establishment of an employment relationship, the data contained in the CVs are processed by the employer for the purpose of establishing an employment relationship, as provided for in Article 10(1) of the Labour Code. The data shall be processed in accordance with the Infotv. for as long as the purpose of the processing continues to exist.

For the purpose of fulfilling the obligations arising from the employment relationship, the employer may transfer the employee’s personal data to a data processor, stating the purpose of the data provision, as defined by law. The employee must be informed of this in advance. The legitimate purpose can only be the fulfilment of an obligation arising from the employment relationship. The conditions include the explicit consent of the data subject and an adequate level of data protection. If the data subject does not give his or her explicit consent, the employer may invoke Section 6(5) of the Data Protection Act again. The processing of data is in the employer’s legitimate interest and to ensure an adequate level of protection of personal data.

As a matter of principle, the employer is obliged to inform the employee about the processing of his personal data pursuant to Section 10(2) of the Labour Code. The employer may disclose facts, data and opinions concerning the employee to third parties only in the cases specified by law or with the employee’s consent.

The data transfer rules apply in all cases where the employer makes data available to third parties, including the employer’s owner, parent company, subsidiary or even within a group of companies. Data may therefore be transferred to them, but the legal limits must be taken into account.

  1. Employees’ rights, enforcement and remedies in relation to the processing of their personal data

The data subject has the right to receive feedback on whether or not his or her personal data are being processed and, if such processing is taking place, the right to access his or her personal data and certain information relating to the processing.

The right of access includes, among other things, the following information: the purposes of the processing, the categories of data processed, to whom the data have been disclosed. The data subject also has the right to request a copy of the personal data processed by the Controller.

In certain circumstances, the data subject has the right to obtain, upon request, the rectification of inaccurate Personal Data relating to him or her or the completion of incomplete Personal Data. He or she also has the right to have Personal Data relating to him or her erased in certain cases.

You may also request that the processing of Personal Data concerning you be restricted. In such cases, the data concerned may be processed only for specified purposes.

In certain cases, the data subject may have the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and may also have the right to request, where technically feasible, the direct transfer of personal data between controllers.

In certain cases, the data subject may also have the right to object to the processing of his or her personal data, in which case the controller may no longer process those data.

In relation to the above rights, please note that in some cases, the nature of the Data may prevent or limit the possibility of complying with the request, and that the above rights are not unlimited and may be subject to the conditions of the applicable data protection rules. For example: erasure does not apply to processing required by law, which the controller is obliged to keep for the necessary period of time as specified by law.

You have the right to request information, modification or erasure using the following contact details:

Postal address.

E-mail address: adatvedelem@gordon-webster.com

If you feel that your rights regarding the processing of your personal data may have been infringed, please notify us in writing at the contact details of the Data Controller given above.

In the event of a breach of your rights in relation to the processing of personal data, you may apply to the National Authority for Data Protection and Freedom of Information (NAIH) (Authority’s address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Postal address: 1530 Budapest, P.O. Box 5) under Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, and ultimately enforce your rights before a court of law. The Tribunal has jurisdiction to hear the case.

  1. Data Protection Officer

A Data Protection Officer has been appointed at Gordon & Webster Ltd. to ensure compliance with data protection legislation. Contact details of the Data Protection Officer:

Name: Kitti Molnár

E-mail: adatvedelem@gordon-webster.com

k. Amendment of this leaflet

Gordon & Webster Zrt. has the right to amend this privacy policy in case of changes in the legal environment or in the data management activities. The date of the last update will be indicated at the end of this notice. Please ensure that you review this notice at regular intervals to ensure that you have up-to-date information on the processing of your personal data.

Date: 22.05.2018.