PRIVACY POLICY
Effective from 9 August 2018, m
odified 1 September 2021

Dear User,

Welcome to mompark.hu, the website of OTP lngatlanbefektetési Alap (in English: Real Estate Investment Fund; registered office: H-1026 Budapest, Riadó u. 1–3.; MNB (PSZÁF) registration number: 1112-05; tax number: 18108653-2-41) (hereinafter “the Website”). Thank you for visiting our Website.

OTP lngatlanbefektetési Alap, in its capacity as a controller (hereinafter “the Controller”), provides information in respect of processing activities pursued by it in relation to the services offered on the Website by means of the present summary. In the present Privacy Policy, we summarise the principles that, in addition to the general privacy policy, govern our policies and daily practices involving the protection of personal data; describe the services where we collect personal data from our Users, and provide information about the purposes for which and how we use such data and how we secure the retention and protection of personal data.

When using our services offered through the Website (such as subscribing to newsletters, contacting us, participating in sweepstakes, using the application), you may disclose to us information qualifying as personal data. We shall process your personal data solely for the purposes of such processing, to the extent, in a manner and for a duration required for the processing, and in accordance with the legal requirements, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “the GDPR”). We make sure that a high level of data security, as well as technical and organisational measures, are in place to keep your data safe.

The Controller has no control over the processing operations and practices of the occupants of shops and office premises that are owned but not occupied by it, and in this context, the Controller shall not be construed either as a controller or as a processor, and any requests and claims in this regard are hereby expressly rejected and will be directed to the actual controller lawfully using such premises.

Please read the following information for details on how we process your data.

If you have any further questions about this Privacy Policy or the processing of the personal data you have already submitted to us, please contact us at any time at one of the following contact details.

If you have any further questions about this Privacy Policy or the processing of the personal data you have already submitted to us, please contact us at any time at one of the following contact details.

 

I. THE CONTROLLER

The personal data submitted by you are processed by:

Name of Controller: OTP lngatlanbefektetési Alap 
Registered office: H-1026 Budapest, Riadó u 1–3. 
MNB (PSZÁF) registration number: 1112-05 
Tax number: 18108653-2-41 
Mailing address: H-1026 Budapest, Riadó u 1–3. 

The Privacy Notice is available online at www.mompark.hu.

 

II. OUR PROCESSING ACTIVITIES

2.1. ENQUIRIES THROUGH THE WEBSITE
Purpose of the processing:
Please use the “Contact” form on the Website to request information about the shops and services of MOM Park, to make suggestions, lodge complaints or send other messages. 
The personal data disclosed on the “Contact” form shall be used solely for the purposes of responding to your enquiries, suggestions, or other messages, and—in the event of complaint—to record, investigate, respond to such complaint and to contact you as necessary. 
The personal data disclosed on the “Contact” form shall not be used for marketing purposes or transferred to any other third-party company for such purposes.


Scope of personal data processed: 
Personal data submitted on the “Contact Us” form, namely:
•    your name;
•    your e-mail address;
•    the content of the message;
•    other personal data disclosed in the message.
In addition to the foregoing, the time of receipt of the message will also be recorded.
To send a message, you must enter your name, e-mail address and the text of the message; if you do not fill in one of these fields, the system will not transmit the message to us.

Legal basis for the processing:
In the case of enquiries, suggestions or other messages, the legal basis for the processing is your voluntary consent based on this Privacy Policy (point (a) of Article 6(1) of the GDPR).
In the event of a complaint, the legal basis for the processing is your voluntary consent based on this Privacy Policy and Subsection (7) of Section 17/A of Act CLV of 1997 on consumer protection (“the Consumer Protection Act”).
You may give your consent by ticking the relevant field on the “Contact” form.


Duration of the processing:
The personal data processed shall be erased immediately once the purpose of such processing no longer exists, i.e., after we responded to your request or message.
If you lodge a complaint, a copy of the record of your complaint and our response will be retained for 5 (five) years in accordance with Subsection (7) of Section 17/A of the Consumer Protection Act.
 

2.2. NEWSLETTER SUBSCRIPTION 

Purpose of the processing:
If you subscribe to our newsletter, we process the information submitted to send you marketing messages from time to time by e-mail about the products and services offered by the tenants of MOM Park as well as the promotions of MOM Park that are relevant for the subject(s) you have chosen upon your subscription.  
 
Scope of personal data processed:
We process the following data in connection with the sending of newsletters:
•    e-mail address. 
 Submission of the above data is mandatory upon subscription and essential in order for your subscription to be admitted. 

Legal basis for the processing:
The legal basis for the processing is your voluntary consent based on this Privacy Policy (point (a) of Article 6(1) of the GDPR). To indicate your consent, please click on the “Subscribe” button on the mompark.hu/newsletter page. 

Duration of the processing:
Your personal data processed in connection with subscriptions to newsletters will be erased from our database:
•    upon your request; or 
•    upon the withdrawal of your consent; or
•    if you object to the processing for sending newsletters; or
•    if you unsubscribe from the newsletter. 

You may unsubscribe from our newsletter at any time, free of charge, without any obligation to justify your decision and without restriction:
•    by clicking on the “Unsubscribe” link in the footer of the newsletter;
•    by sending a statement to that effect by e-mail to mompark@mompark.hu ;
•    by mail to H-1026 Budapest, Riadó u 1–3.
 

2.3. SWEEPSTAKES 

We may organise sweepstakes on our Website from time to time. Details of the relevant processing activities are set out of the respective event’s privacy notice which is published on the Website in each case. 

 

2.4. MOM PARK APPLICATION

Purpose of the processing:

To offer the most relevant and up-to-date products and services available in MOM Park to the users of the application, to enhance customer experience by making their choice easier, to present new products and discounts.

Scope of personal data processed:

Data submitted upon registration:

  • last name;
  • first name;
  • e-mail address;
  • year of birth (optional);
  • postal code (optional);
  • gender (optional);
  • areas of interest (according to selected shop categories of MOM Park).

Data generated during the use of the application:

For the operation and optimization of the application, our processors will process the following data that is unsuitable for identifying users: the user's registration ID and device identifier; areas of interest based on clicks on shops and products and the use of coupons; language settings, time zone and location data of the registered device.

On the basis of the data submitted upon registration and generated during the use of the application, the Controller will create a consumer profile to maintain an efficient communication channel and to offer targeted information that best suits the consumer's interests and enhances customer experience.

Legal basis for the processing:

The legal basis for the processing is your voluntary consent (point (a) of Article 6(1) of the GDPR), granted upon registration following downloading the application by accepting this Privacy Policy and using the application. You may simply withdraw your consent at any time by cancelling the registration. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal.

Duration of the processing:

The data submitted during the use of the application will be processed until the withdrawal of your consent.

 

2.5. GENERAL INFORMATION ON PROCESSING
Under no circumstances shall we collect sensitive data, i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data serving the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

The Controller may supplement and combine personal or other data submitted by Users with data or information obtained from other sources to enhance customer experience and to offer higher-quality services.
In all cases where the Controller intends to use personal data for purposes other than those for which they were originally collected, it shall inform the Users thereof and obtain their explicit prior consent and enable them to prohibit such use.
 

III.  WHO HAVE ACCESS TO PERSONAL DATA? 

III/A. MEMBERS OF THE CONTROLLER’S STAFF

The personal data you submit will be handled confidentially and disclosed or transferred to third parties not covered by the scope hereof only with your prior consent. 
Our staff members, processors and their employees acting in pursuit of the purpose of the processing may have access to your personal data. These parties are also required to handle the personal data disclosed to them in a confidential manner. 
The following staff members may have access to personal data in the course of the processing described under item II:

  WHO MAY HAVE ACCESS TO PERSONAL DATA WITHIN OUR ORGANISATION?
CONTACTING US THROUGH THE WEBSITE marketing manager, customer service personnel
NEWSLETTER SUBSCRIPTION marketing manager 
SWEEPSTAKES marketing manager, customer service personnel
MOM PARK APPLICATION marketing manager

Personal data submitted may be disclosed to courts, the prosecution service, other authorities in compliance with our legal obligations, to the extent and in a manner set out by the applicable laws.

 

III/B. PROCESSORS

We use the processors listed in the following table to carry out the technical tasks related to the above processing operations. Processors shall act in accordance with the laws and our instructions in the course of such processing operations. They shall not process the personal data accessed by them except on instructions from the Controller, shall not process such data for their own purposes, and they shall store and retain it in accordance with the Controller’s instructions.
We reserve the right to engage other processors in the future, provided that we inform you about such change by amending the present Privacy Policy.
We use the following processors:

PROCESSOR ACTIVITIES CARRIED OUT AND SCOPE OF DATA ACCESSED BY THE PROCESSOR
Name: Café Communications Kft.
Registered office: H-1037 Budapest,
Seregély utca 3–5.
Telephone: +36 30 435 6152
Café Communications Kft. is responsible for the operation of the Website and is also the host thereof. In the context of the foregoing, Café Communications Kft. may have access to any and all personal data listed in item II.
Name: The Rocket Science Group
LLC d/b/a MailChimp
Registered office: 675 Ponce de Leon
Avenue NE, Suite 5000
Atlanta, GA 30308, USA
Telephone: 678 999 0141
We use MailChimp, an online newsletter delivery service operated by The Rocket Science Group LLC d/b/a MailChimp, for the delivery of our newsletters. In doing so, we disclose the data listed in item 2.2 above to The Rocket Science Group LLC d/b/a MailChimp.
The Rocket Science Group LLC d/b/a MailChimp is a company registered in the United States of America (USA) and a participant of the Privacy Shield Framework for EU-US data transfers. By joining the Framework, The Rocket Science Group LLC d/b/a MailChimp ensures an adequate level of protection for the personal data transferred to it.
More information on the Privacy Shield Framework is available on the following websites:
https://www.privacyshield.gov/
https://ec.europa.eu/info/law/law-topic/data-protection/datatransfers-outside-eu/eu-us-privacy-shield_en

Processors used for the MOM Park Application:

PROCESSOR ACTIVITIES CARRIED OUT AND SCOPE OF DATA ACCESSED BY THE PROCESSOR
Name: Google Ireland Limited
Registered office: Gordon House, Barrow St., Dublin 4, Ireland
Telephone: +353 1 436 1000
Google Ireland Limited, a European subsidiary of Google LLC, uses Google Firebase to measure and collect data about the Users’ activity when they use the application without identifying them by name. Further information is available at https://firebase.google.com/support/privacy
Name: Mondriaan DC Kft.
Registered office: H-1036 Budapest
Lajos u. 48–66. B/V.
Telephone: +36 1 800 9896
Pushwize, a service developed by Mondriaan DC Ltd., sends push messages to the Users of the application based on the authorisations set by such Users, without having access to personal data that allow their identification.
Further information is available at https://pushwize.com/

IV. SECURITY OF PERSONAL DATA

We undertake that we shall implement the measures required for ensuring the security of personal data. In that context, we adopt, implement, and regularly review technical and organisational measures and procedures that ensure the security of the personal data we process, and we will strive to prevent the destruction, unauthorised use or modification of such data, and to ensure that it cannot be accessed, disclosed, transmitted, modified or erased by unauthorised persons. We remind the parties to whom we transfer personal data to comply with the requirements of personal data security, and we also call upon our employees engaged in processing activities to do the same.

In the context of the above, our design and selection of information technology solutions are intended to ensure exclusive access to the authorised parties and to preserve the authenticity and integrity of the data.

We always remain up to date on the technological developments, apply the available technical, technological, and organisational solutions and implement measures appropriate to the level of protection necessitated by the processing.


V. PERSONAL DATA BREACH MANAGEMENT

A personal data breach means any event leading to the unlawful processing or technical processing of personal data transmitted, stored, or otherwise processed, in particular the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.


We shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the National Authority for Data Protection and Freedom of Information (hereinafter: “NAIH”) about any personal data breach, unless we can demonstrate that it is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification cannot be made within 72 hours, it shall be accompanied by reasons for the delay. The notification of NAIH shall at least:
•    describe the nature of the personal data breach, the categories and number of data subjects and personal data concerned;
•    communicate the name and contact details of the data protection officer;
•    describe the likely consequences of the personal data breach;
•    describe the measures taken or proposed to address, fend off or remedy the personal data breach.


Furthermore, when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we shall communicate such breach to the data subject without undue delay, unless we have successfully eliminated the adverse impacts and risks thereof. Such notice will also be published on the Website and it shall include at least the information specified under this item.

We keep records of personal data breaches to monitor the measures implemented in relation thereto and to inform data subjects with the following content:
•    facts relevant to the personal data breach:
o     nature of the personal data breach;
o    scope (categories) and number of personal data affected;
o    scope (categories) and number of data subjects affected;
o    time of the personal data breach;
•    circumstances and effects of the personal data breach;
•    measures implemented to eliminate the personal data breach.

The data recorded will be retained for 5 years from becoming aware of the personal data breach.
 

VI. YOUR RIGHTS

WITHDRAWAL OF CONSENT: If we process your data based on your consent, you shall have the right to withdraw such consent at any time. After such withdrawal, your personal data shall no longer be processed. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal. 


RIGHT OF ACCESS: You may request information at the contact details in item I at any time as to whether or not personal data concerning you are being processed or enquire about: the purpose and legal basis of the processing; your personal data processed by us; the categories of such personal data; the recipients or categories of recipients (including our processors) to whom the personal data have been or will be disclosed (in case of transfers to third countries, together with the safeguards to ensure adequate protection of the data); the legal basis for the data transfer; the envisaged period for which the personal data will be stored; your right to obtain from the Controller the rectification, erasure or restriction of the processing of your personal data and to object to the processing thereof; your right to lodge a complaint with NAIH; the source of data; the circumstances of a possible personal data breach, its effects and the measures implemented to fend it off. 

We will provide you with a copy of the personal data undergoing processing. The first copy is free of charge, any additional copies, however, may be subject to a reasonable fee. We will disclose the amount of the latter in advance. 


RIGHT TO RECTIFICATION AND COMPLETION OF PERSONAL DATA: If you become aware that any of your personal data is inaccurate, incorrect, erroneous or incomplete, we will correct or complete it at your request (indicating the correct or additional data).


RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’): You shall have the right to obtain the erasure of your personal data. Withdrawal of your consent to the processing also implies the erasure of such data, there is no other legal ground for the processing. Please note that we may refuse to erase your data, in particular if we need or may need it for compliance with a legal obligation or to enforce a claim. 
Additionally, we will erase your personal data if: 

a.    the personal data are no longer necessary in relation to the purposes for which they were processed; 
b.    you objected to the processing and there are no overriding legitimate grounds for the processing; 
c.    you objected to the processing for sending newsletters; 
d.    the personal data have been unlawfully processed; 
e.    the personal data have to be erased for compliance with Union or Member State law to which we are subject; 

RIGHT TO RESTRICTION OF PROCESSING: In the course of processing, you may request the restriction of processing if: (i) you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; (iv) you have objected to processing based on our legitimate interest, pending the verification whether our legitimate grounds override yours. 
In the event of restriction, we will only store your data and refrain from any other operations, unless you give your consent thereto, or for the protection of our rights or those of a third party, or for reasons of public interest. 
In the event of a restriction of processing, you shall be informed before such restriction is lifted. 
 

RIGHT TO DATA PORTABILITY: You may request that the personal data that you submitted to us and that we process electronically be delivered to you or to another person you designate in a commonly known and easy-to-use electronic format. 

RIGHT TO OBJECT: If we process your personal data for sending newsletters, you shall have the right to object at any time to the processing of personal data concerning you for such purposes. If you object to the processing of your data for newsletter sending, we shall no longer process your personal data for such purposes.
 

SUBMISSION OF AND RESPONDING TO REQUESTS 
You may exercise the above rights by sending your request by e-mail to mompark@mompark.hu or by post to the following address of OTP lngatlanbefektetési Alap: H-1026 Budapest, Riadó u. 1–3. Please make sure that your identification details and postal address are included in your letter. If we have any doubt about your identity or if the information you provide is insufficient to ascertain it, we may request additional identification information. 
We shall inform you of the measures taken upon your request without undue delay and at the latest within 1 month of receipt thereof. That period may be extended by 2 further months where necessary, taking into account the complexity and number of the requests. We shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
Justified requests will be granted free of charge. Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, we may either charge a reasonable fee or refuse to act on the request. 
We shall inform those to whom we disclosed the relevant data about the rectification, erasure, or restriction thereof unless this proves to be impossible or would involve a disproportionate effort. Upon your request, we will disclose to you the recipients to whom we disclose or disclosed information as described above. 

VII. COMPENSATION FOR PECUNIARY DAMAGES; GRIEVANCE AWARD 

If you or another person incurs any damages due to our unlawful or unsecure processing of your personal data, you or the person who has suffered damages may enforce your claims against us. 

If we infringe your personality rights in the above context, you shall be entitled to claim a grievance award (in Hungarian: “sérelemdíj”).  

Please note that we will have no obligation to pay compensation for pecuniary damages, or grievance award if it can be demonstrated that the damage was caused by an unavoidable external cause beyond the scope of our processing activity, or it was the result of your intentional conduct or gross negligence. 

 

VIII. HOW TO LODGE A CLAIM? 

8.1. CONTACTING THE CONTROLLER 

If you believe that our processing of your personal data is unlawful, please contact us, the Controller first and share your thoughts or claim using one of the contact details indicated under item I, thus enabling us to process and handle your feedback as swiftly and efficiently as possible. 

8.2. LODGING A COMPLAINT WITH THE DATA PROTECTION AUTHORITY

In the event of unlawful processing, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information (“NAIH”) and request that proceedings be initiated. 

Contact details of NAIH: 
Website: http://www.naih.hu/ 
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c. 
postal address: H-1530 Budapest, Pf.: 5. 
e-mail address: ugyfelszolgalat@naih.hu 

  8.3. JUDICIAL REDRESS 
You may engage in legal proceedings to enforce your claim. Regional courts have material jurisdiction to hear the case. You may bring the action before the regional court having territorial jurisdiction over your domicile or place of residence, according to your choice. 


8.4. COMPLAINTS INVOLVING NEWSLETTERS
You may contact the National Media and Infocommunications Authority regarding advertising sent via electronic channels (newsletter). 
 

Budapest, 


Budapest, 1 September 2021 

OTP Ingatlanbefektetési Alap 

Controller

Get to know everything that happens at MOM Park!