Privacy policy

This Privacy Policy (hereinafter: ‘Policy’) informs Data Subjects about the personal data processed in the course of the business or administrative activities of the companies belonging to the BAM Group (hereinafter: ‘Company/Controller’), and about the protection of natural persons or legal entities, on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The principle of fair and transparent data processing requires that the Data Subject shall receive notification on the fact and purposes of the data processing.

The notification on the processing of personal data relating to the Data Subject shall be provided to the Data Subject at the time of the data collection, and/or, if the data were collected not from the Data Subject but from another source, it shall be made available within a reasonable deadline, taking the circumstances of the case into consideration. Should the personal data be lawfully disclosed to another recipient, the Data Subject shall also be notified concurrently with the first disclosure to the recipient. Should Controller be unable to provide information to the Data Subject on the origin of the personal data because they arise from different sources, general information shall be provided to the Data Subject.

Definitions related to the processing

‘Personal Data’: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Data Processor’: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;

‘Recipient’: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘Data Subject’s consent’: means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Personal Data Breach’: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controller and its contact details

The Companies belonging to the BAM Group follow a uniform data processing practice, in respect of which the provisions of this Policy shall apply to all Companies belonging to the BAM Group. Each Company belonging to the BAM Group may also use special provisions in the course of its data processing; however, it must fully comply with the provisions of this Policy.

Controller undertakes to ensure the security of the personal data and to take all technical measures that ensure the protection of the personal data processed against unauthorised access, destruction, modification or use. Controller also undertakes to call on all third parties (e.g. Data Processors) to whom it may potentially transfer or hand over the personal data to fulfil their duties.

Controller’s contact details:

  • postal address: 1138 Budapest, Népfürdő str. 22. B. tower 15th floor
  • e-mail address: info@bamgroup.hu
  • web: bamgroup.hu

Regarding the www.bamgroup.hu website, Controller:

  • address: BAM Services Kft.
  • registered office: 1138 Budapest, Népfürdő str. 22. B. tower 15th floor
  • VAT No.: 11724517-2-41

Controller’s currently effective company data are available in the free and public records at www.e-cegjegyzek.hu upon providing Controller’s name and other ID details (company reg. No., VAT No.).

Each of the Companies belonging to the BAM Group is deemed Controller in case of contractual and other relationships established with it.

Principles of the processing of personal data

The processing of personal data shall be performed lawfully, fairly and in a manner transparent to the Data Subject (“lawfulness, fairness and transparency”). The collection of personal data may take place only for specified, clear and legitimate purposes, and the data shall not be processed in a manner incompatible with those purposes. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”).

With regard to the purposes of processing:

  • the personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”),
  • every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).

The personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”).

The personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”). The Controller shall be responsible for, and be able to demonstrate compliance with the above (“accountability”).

In specific cases, in particular in the event of a request by, or proceedings of, a court or any authority, the Controller shall make Data Subject’s personal data accessible in the manner and to the extent provided in such request.

Controller’s system may collect data on the activity of users and visitors, which shall not be linked to other data provided by the Data Subject upon registration, nor to data arising when using other websites or services.

Taking the relevant provisions of the GDPR into consideration, Controller is not required to appoint a Data Protection Officer.

Controller shall be liable for the compliance with the principles.

Data processing related to the operation of the website

BAM Group’s website, like most other websites, automatically collects certain information and stores it in log files. The information may include Internet Protocol (IP) addresses, the region or the general location where the computer or the device connects to the Internet, the type of the browser, the operating system and other information related to the use of the BAM Group’s website.

Controller uses the information described in the previous section to create and maintain a website best suited to the user’s needs, i.e. it may use the Data Subject’s IP address to diagnose problems related to the server as well as for the administration of the website.

On the automatically collected data, the Cookie provides detailed information.

With respect to personal data not collected automatically, e.g. data provided in the course of using each feature of the website, Controller performs further processing in the course of its business activity, in addition to the use of the website, when it may process the personal data of the following natural persons or legal entities:

  • Requesting Entity, Tenderer or contracting party (in case of natural persons, sole entrepreneurs),
  • Requesting Entity, Tenderer or contracting party (in case of a company, organization), its natural person legal representative, employee, contracted person, assignee or other performance assistant, e.g. subcontractor, employee, hired employee,
  • employee of a contracted partner,
  • in case of a partner using the service, the party entitled to the subject of the service, the employee undertaking personal liability for the subject of the service, other entitled party,
  • persons entering and present in its office buildings, sites, project sites.

Fact of data collection, scope of data processed and the purpose of data processing:

  • Personal data: Contracting, order, customization of service, management thereof
  • Surname, first name, company name: Contracting, order, customization of service, management thereof, contact keeping
  • E-mail address, phone No.: Contact keeping, information exchange, notification
  • Billing data: Billing, management of financials

Access to personal data, types of personal data processed

The personal data processed shall be made available to Controller by the Data Subject himself/herself or by his/her business partner (e.g. Requesting Entity, Tenderer, contracting party, partner using the service), by means of the document issued in the course of establishing or preparing the relationship, or forming the basis thereof (e.g. request for proposals, proposal, contract, consent letter, etc.), or online and/or by using a web solution (e.g. e-mail).

Controller assumes that the (natural or legal) persons transferring data to it make the relevant personal data available in accordance with the applicable laws at all times, in particular that they have appropriate and informed consent or another legal basis to transfer the personal data.

Controller may also collect personal data by consulting public databases operated by the courts, the NAV or other administrative bodies.

Data Processors and their contact details

The employees assigned to operate and maintain the BAM Group’s website and, in the case of data provided in the course of using each feature, the responsible head of the particular area or process and the persons assigned by him/her are entitled to process the data related to the website.

Each Company related to the BAM Group may unilaterally decide on using Data Processors in the course of its processing of personal data.

The contracts

The processing of the personal data of the natural person or legal entity Data Subject, as a party initiating the contract, or of the Contracting Party is necessary for the performance of Controller’s contractual obligations and is based on Controller’s legitimate interest.

The detailed conditions of provision of services as per the contract are provided in the contract applicable to the particular relationship and the annexes thereof.

Should Controller be unable to perform its obligations undertaken in the contract without the provision of the personal data (data service), Data Subject shall provide Controller with the personal data required to conclude the contract. In the event of failure to provide the data, the performance of the contract may become unfeasible, in which case Controller may become entitled to refuse to conclude the contract.

Controller shall retain the Data Subjects’ personal data not erased following the termination/performance of the contract for five years from the failure and/or termination/performance of the contract, in accordance with the general forfeiture provisions of Act V of 2013 on the Civil Code. In case of certain contracts with a special subject (e.g. construction-installation contracts, contracts subject to public procurement), this period may be even longer than 5 years on the basis of the contract or a provision of law.

Data Subject’s voluntary consent

The processing of personal data shall take place based on the Data Subject’s (voluntary, exact and firm) consent (based on appropriate notification). Data Subject shall grant his/her consent in a declaration separate from other statements and contracts.

Granting the consent is voluntary and Data Subject may revoke his/her consent at any time without limitation in a notice delivered to Controller. Data Subject shall deliver the notice to Controller’s contact details specified in this Policy. In the notice, the Data Subject shall clearly identify the processing in respect of which (s)he wishes to revoke his/her consent.

The revocation of the consent has no consequences for the Data Subject. The revocation of the consent, however, shall not affect the legitimacy of the processing performed on the basis of the consent prior to such revocation.

Recipients of the personal data

Controller may transfer Data Subject’s personal data in particular to the following persons and/or bodies:

  • the body assigned by Controller, performing health & safety, health protection, quality assurance activity, which is deemed joint controller with Controller with respect to the personal data provided within this scope. Should the body performing health & safety, health protection, quality assurance activity assign a third party with this duty, then such third party is deemed Data Processor;
  • the body(ies) providing back-office or other services for Controller (financial and accounting, HR, IT, legal), who are deemed Data Processors with respect to the personal data transferred;
  • an authority or court specified in the laws, upon its request.

Data Subject’s rights

Data Subject may request information on the processing of his/her personal data anytime, and further, may request the rectification, erasure, restriction of his/her personal data, and may exercise all of his/her rights that are granted by the relevant laws.

Controller shall notify Data Subject without undue delay, but at the latest within 1 month of receiving the request, of the measures taken on the basis of such request. Should Controller take measures with delay or fail to take measures within the provided deadline despite Data Subject’s request, it shall notify Data Subject of the causes of such delay or of the failure to take the appropriate measures, and of the authority or court before which Data Subject may seek remedies.

Right to access: The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.

Right to rectification: The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure: The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay upon Data Subject’s request to that effect.

Right to be forgotten: Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to restrict processing: The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, or
  • the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead, or
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims, or
  • the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Right to data portability: The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where.

Right to object: The Data Subject shall have the right to object at any time to the processing of his/her personal data, including profiling.

Objection against direct marketing: If the processing of personal data takes place for direct marketing purposes, the Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Automated decision-making in individual cases, including profiling: The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This clause shall not apply if the decision is necessary for entering into, or performance of a contract between the Data Subject and a data controller or authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests or is based on the Data Subject’s explicit consent.

Remedies

Should Data Subject deem that the processing of personal data by the Controller breaches the actual data protection laws in force, in particular the GDPR, then Data Subject shall have the right to file a complaint to the National Authority for Data Protection and Freedom of Information.

Contact details of the National Authority for Data Protection and Freedom of Information:

Website: www.naih.hu
Address: 1055 Budapest, Falk Miksa str. 9-11.
Postal address: 1363 Budapest, PO: 9.
Phone No.: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Data Subject shall have the right to also file a complaint to another supervisory authority established in the Member State of his/her common place of residence, workplace or the place of the assumed breach.

Data Subject shall have the right to mandate a non-profit body or association, which is constituted under the law of a European Union Member State, whose purpose stated in its bylaws is serving the public interest, and which operates in the area of the protection of Data Subjects’ rights regarding personal data, to seek court review of the decision made by the supervisory authority, to file a lawsuit and to exercise his/her right to indemnification on his/her behalf.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data as necessary,
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Data Breach

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the Data Subject without undue delay. The communication to the Data Subject shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:

  • the nature of the data breach, and the name and contact details of the Data Protection Officer or other parties providing information,
  • the likely consequences arising from the data breach,
  • the measures taken or planned by the Controller to remedy the data breach, including in certain cases the measures aimed at mitigating the potential adverse consequences arising from the data breach.

Controller is not required to directly notify the Data Subject, but must make the information publicly available, where:

  • the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption,
  • the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise,
  • the notification would require undue efforts.

If the Controller has not already communicated the personal data breach to the Data Subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

The supervisory authority shall be notified of the data breach without undue delay, but no later than 72 hours after becoming aware of the data breach, unless the data breach is not likely to involve a risk regarding the rights of natural persons or legal entities.

Laws

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act CXII of 2011 – on the Informational self-determination and freedom of information
  • Act CVIII of 2001 – on certain issues of services related to electronic trading services and the informational society
  • Act XLVII of 2008 – on the prohibition of unfair trading practice against the consumers
  • Act XLVII of 2008 – on basic conditions and certain limitations of business advertisement activity
  • Act XC of 2005 – on the electronic freedom of information
  • Act C of 2003 – on electronic telecommunication
  • Opinion No. 16/2011 on the EASA/IAB recommendation related to the best practices of behaviour-based online advertisement
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior notification

Final Provisions

The Controller reserves the right to unilaterally amend this Policy without retrospective effect, taking potential changes of the laws and Data Subject’s prior notifications into consideration.

Budapest, 11th October 2021