Contents

1. General provisions and contact details

2. Updates and access to the Policy

3. Other data protection conditions

4. The scope of handled data and the purpose of data handling

5. Transfer of personal data to our contracted partners

6. Cookies used on the https://en.cordia.hu/ website

7. Personal data relating to children and third parties

8. Data security

9. Your data protection rights and legal options for remediation

1. General provisions and contact details

This information notice (“Information Notice“) is provided by Cordia Management SzolgáltatóKorlátolt Felelősségű Társaság (“Cordia Management“) and/or Cordia Agent Hitelszervező ésIngatlanforgalmazó Korlátolt Felelősségű Társaság (“Cordia Agent“) concerning any information(personal data) relating to an identified or identifiable natural person (data subject).

In this Notice, where a data processing activity is carried out independently by one of the Cordiacompanies, it appears under its own separate company name. In the case of joint data processingactivities, Cordia Management and Cordia Agent are jointly referred to as “Cordia“. Joint dataprocessing means that the purposes and means of the data processing are determined jointly byCordia Management and Cordia Agent. The joint data controllers shall determine in a transparentmanner, in an agreement between them, the division of responsibilities in relation to their respectivetasks for fulfilling their obligations under the EU General Data Protection Regulation 2016/679(“GDPR“). The essence of the agreement shall be made available to the data subject.

Cordia address: 1082 Budapest, Futó utca 43-45. II. em.
Cordia Management company registration number: Cg. 01-09-289024
Cordia Agent company registration number: Cg. 01-09-877571
Cordia webpage: https://en.cordia.hu/
Cordia phone number: +36 1 266 2181
Cordia e-mail address: cordia.management@cordiahomes.com
Cordia representative and contact information: Földi Tibor, see contact information above

If you have any questions or comments regarding this Notice before using the https://cordia.hu/website or submitting any data in accordance with this Notice, please contact Cordia using one ofthe contact details above.

If you provide us with personal data through the use of a third-party service (e.g. through a socialnetworking site), the data processing policy and other terms of use of that service may also applyto the processing of your data. Cordia is not responsible for this.

2. Updates and availability of the Policy

Cordia reserves the right to unilaterally amend this Policy with effect from the date of theamendment, subject to the restrictions set out in the relevant legislation and, where necessary, by giving prior notice to the data subjects at in good time. This Notice may be amended in particularif it is necessary due to changes in legislation, data protection authority practices, business or employee requirements, new data processing purposes, newly discovered security risks , or feedback from data subjects . Cordia may use the contact details of the data subject available to Cordia for the purpose of contacting and communicating with the data subject in relation to this Policy or data protection issues, as well as in the course of other communications with the data subject. Upon request, Cordia will, for example, send the data subject a copy of the current Notice or confirm that the data subject has read the Notice.

3. Other data protection conditions

Specific data protection conditions may apply when using certain services, about which you will be informed before using the service in question.

Data subjects are required to provide Cordia with the relevant personal data in accordance with the applicable legislation in all cases. In particular, they must have appropriate and informed consent or other legal basis for the transfer of personal data (e.g. when providing contact details or details of relatives). If Cordia becomes aware that the data of a data subject has been disclosed without their consent or other appropriate legal basis, Cordia may delete the data immediately, and the data subject shall be entitled to exercise their rights and remedies in accordance with this Notice. Cordia shall not be liable for any damage, loss or injury resulting from any breach of the above obligations or representations by data subjects.

4. The scope of date processed and purposes of data processing

The scope of personal data processed by Cordia Management and/or Cordia Agent, the purposes of data processing, the duration of data processing and the persons authorised to access the data are presented in detail in the table below.

The purposes of data processing can be summarised as follows:

• which is established between Cordia Management’s clients and the sellers of the properties they wish to purchase, prepares the property purchase agreement , in particular by providing information about the properties you are looking for. In connection with the performance of the property purchase agreement, Cordia Management will forward the buyers’ contact details (name, address, e-mail, telephone number) to the joint representatives of the condominiums concerned.
• Data transfer to Cordia FM Társasházkezelő Korlátolt Felelősségű. Property management services and the use of related property rental, real estate agency and other services.
• Creation of an online account on one of Cordia’s websites.
• Sending advertising materials by email and/or telephone (direct marketing) on behalf of Cordia.
• Completing questionnaires and satisfaction surveys, verbally, in writing, by email or by telephone.
• Sending customer information by email from Cordia.
• Preparation of loan and account agreements related to the property purchase agreement by OTP Bank Nyrt.
• Installation and operation of the Smart Home system and devices for home automation in your residential property.
• Processing the data of contact persons of contractual partners acting in connection with other contracts not specified in this Notice, as well as persons involved in performance and performance monitoring, for the purpose of contract performance (day-to-day execution).
• Processing of data relating to contractual partners, their contact persons and persons involved in the performance and monitoring of performance at for the purpose of any compliance issues relating to the contract or any other tasks relating to the performance of the contract, including seeking legal remedies necessary to ensure contractual rights.
• Processing of data relating to contractual partners, contact persons of contractual partners and persons involved in performance and performance monitoring for the purpose of any compliance issues relating to the contract or any other tasks relating to the performance of the contract, including seeking legal remedies necessary to ensure contractual rights.
• Data processing related to the enforcement of the data protection rights of data subjects (for details, see point 9)
• Archiving of data subjects’ consent to data processing and any withdrawal of consent
• Recording of data protection incidents (including documentation of steps taken to address incidents)

If a data processing purpose is necessary for the enforcement of the legitimate interests of Cordia or a third party, Cordia will make the balancing test used to determine the legitimate interest available upon request submitted to one of the above contact details.

Cordia expressly draws the attention of data subjects to the fact that they have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interests, including profiling based on the aforementioned provisions. In this case, Cordia will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. When unsubscribing from advertising materials, you will receive a confirmation link to the email address you provided, which you must click to confirm your request to unsubscribe. Confirmation is important so that Cordia can verify that the person requesting the unsubscription is not a robot, is acting on their own behalf, is confirming the request in relation to their own email account, and is using a genuine email address. The confirmation link is valid for 48 (forty-eight) hours. The unsubscription period begins upon confirmation. If you do not confirm your unsubscription within 48 hours, the link will expire and you will need to request a new link.

The legal basis and duration of each data processing operation has been determined primarily on the basis of the following legislation:

• “Art.” – Act CL of 2017 on the Rules of Taxation. Cordia is obliged to retain data supporting tax documents.
• “Ptk.” – Act V of 2013 on the Civil Code. If the period of data processing is specified as the limitation period for the enforceability of the claim, any action interrupting the limitation period shall extend the period of data processing until the new date of the limitation period (Civil Code, Section 6:25(2)). In the event of a suspension of the limitation period, the claim may be enforced within one year from the date of cessation of the obstacle, or within three months in the case of a limitation period of one year or less, even if the limitation period has already expired or less than the above period remains (Section 6:24(2) of the Civil Code).
• “Advertising Act”: Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities.
• “Accounting Act” – Act C of 2000 on Accounting. Certain data – such as data that forms part of the accounting records or is included in documents relating to the conclusion of a contract between Cordia and its contractual partner (e.g. a sales contract), in accounting supporting documents or on issued invoices – must be retained by Cordia in accordance with the Accounting Act. The 8-year data retention period specified in the Accounting Act shall be calculated from the date on which an accounting item related to the data arose in the given year or the report/accounting relied on the given data in any way. In practice: if the data is included in a contract on the basis of which several performances take place (e.g. several services are provided under one contract), the 8 years shall be calculated separately for each performance, because a separate invoice is issued for each performance, on the basis of which the given transaction is accounted for. If the data is included in a contract that concerns, for example, the sale of an item (the transfer takes place and the contract is terminated upon performance), the transaction is recorded in the accounts for the given year on the basis of the contract and the invoice, and the eight-year period begins from that point.

5. Transfer of personal data to our contractual partners

In addition to the contractual partners specifically named in this Notice, Cordia uses the following contractual partners to perform tasks related to data processing operations.

The contracted partners are summarised as follows:

• salesforce.com EMEA Limited – hosting services.
• Attention CRM Consulting Kft. – website development and maintenance.
• LEAD GENERATION Kft. – customer relations.
• DONE Digital Kft. – website development.
• Silver Frog Informatikai Kereskedelmi és Szolgáltató Kft. – hosting services.
• Hidden Design Kft. – hosting services.
• Wavemaker Hungary Média, Tartalom és Technológia Kft. – media planning and media buying tasks.
• Cordia sales representatives – preparation of sales contracts.
• Business Solution Informatikai Zrt. – use of server virtualisation and hosting services.
• NK Services (Hungary) Infocommunications Solutions and Services Limited Liability Company – use of server virtualisation and hosting services.
• Meta Ireland Limited, Google Ireland Limited: display of personalised advertisements.

The contractual partner acts as a so-called “data processor”: it processes the personal data specified in this Notice on behalf of Cordia. Cordia may only use data processors that provide adequate guarantees, particularly in terms of expertise, reliability and resources, that they will implement technical and organisational measures to ensure compliance with the requirements of the GDPR, including the security of data processing. The specific tasks and responsibilities of the data processor are governed by the contract between Cordia and the data processor. After performing data processing on behalf of Cordia, the data processor shall, at Cordia’s discretion, return or delete the personal data, unless the data processor is required to store them under EU or Member State law applicable to the data processor.

Contracting partners.

6. Personal data relating to children and third parties

Persons under the age of 16 may not provide personal data about themselves unless they have obtained permission from their parents to do so.

By providing personal data, you declare and guarantee that you will act in accordance with the above and that your legal capacity to provide information is not restricted.

If you are not legally entitled to provide any personal data independently, you are required to obtain the consent of the third parties concerned (e.g. legal representative, guardian, other person on whose behalf you are acting) or to provide another legal basis for the provision of the data. In this context, you are required to consider whether the consent of a third party is necessary in connection with the disclosure of the personal data in question. It may be the case that Cordia does not have personal contact with the data subject, in which case you are responsible for ensuring compliance with this point and Cordia bears no responsibility in this regard. Regardless of this, Cordia is always entitled to check whether there is an appropriate legal basis for the processing of personal data. For example, if you are acting on behalf of a third party, we are entitled to request your authorisation and/or the relevant data subject’s consent to the processing of their data in relation to the matter in question.

We will make every reasonable effort to delete any information that has been provided to us without authorisation and to ensure that this information is not passed on to others or used by us (either for advertising or other purposes). Please notify us immediately if you become aware that a child has provided personal data about themselves or a third party about you without authorisation. You can contact us using the contact details provided at the beginning of this Policy.

7. Data security measures

Cordia protects the personal data it processes by restricting access to the information. For example, only those persons who need the data to achieve the above-mentioned purposes have access to it.

8. Data protection rights and remedies

Your data protection rights and legal remedies are set out in detail in the relevant provisions of the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82 of the GDPR). The following summary contains the most important provisions, and Cordia provides you with information about your rights and remedies in relation to data processing in accordance with these provisions.

Please note that with regard to the profiling (sending advertising materials, managing related housing search preferences), you have the right to request human intervention from Cordia, to express your position in the manner described in this section and to bring it to Cordia’s attention, and to object to Cordia’s decision following the results of profiling. In this case, Cordia will review the decision with human intervention, taking into account the information you have provided, and will inform you of the result.

The information must be provided in writing or by other means, including, where applicable, by electronic means. Verbal information may also be provided at your request, provided that your identity has been verified by other means.

Identity verification by electronic means is done by sending a confirmation link to the email address you provided, which you must use to confirm your request for information. Confirmation is important to ensure that the person requesting the information is not a robot, is acting on their own behalf, is confirming the request from their own email account, and is using a genuine email address. The confirmation link is valid for 48 hours. The information deadline begins upon confirmation. If you do not confirm your request for information within 48 hours, the link will expire and you will need to request a new link.

Cordia will inform you of the measures taken in response to your request without undue delay, but in any case within one month of receiving your request to exercise your rights (see Articles 15-22 of the GDPR). If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. Cordia will inform you of any extension of the deadline within one month of receiving your request, stating the reasons for the delay. If you submitted your request electronically, the information will be provided electronically, unless you request otherwise.

If Cordia does not take action on your request, it will inform you without delay, but no later than one month after receipt of the request, of the reasons for not taking action and that you may lodge a complaint with a supervisory authority and seek a judicial remedy.

8.1 Your right of access

(1) You have the right to receive confirmation from us as to whether your personal data is being processed. If such processing is taking place, you have the right to access your personal data and the following information:

a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where applicable, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) your right to request from us the rectification, erasure or restriction of processing of personal data concerning you, and to object to the processing of such personal data;
f) your right to lodge a complaint with a supervisory authority; and
g) if the data has not been collected from you, any available information as to its source;
h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for you.

(2) If personal data is transferred to a third country, you have the right to be informed of the appropriate safeguards for the transfer.

(3) We will provide you with a copy of the personal data that is the subject of the processing. If you have submitted your request electronically, the information will be provided in a widely used electronic format, unless you request otherwise.

8.2 Right to rectification

You have the right to request that we rectify inaccurate personal data concerning you without undue delay. You have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.

8.3 Right to erasure (‘right to be forgotten’)

(1) You have the right to request that we erase personal data concerning you without undue delay if one of the following grounds applies:

a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

b) you withdraw your consent on which the processing is based and there is no other legal ground for the processing;

c) you object to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data has been unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which we are subject; or

f) the personal data was collected in relation to the offer of information society services.

The technical rules for deleting your account can be found under the relevant data processing purpose.

(2) If Cordia has made the personal data public and is obliged to erase it pursuant to paragraph 1, it shall, taking into account the available technology and the cost of implementation, take reasonable steps , including technical measures, to inform data controllers who process the data that the data subject has requested the deletion of any links to, or copies or replications of, that personal data.

(3) Paragraphs 1 and 2 shall not apply if processing is necessary, inter alia:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject;

c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

d) for the establishment, exercise or defence of legal claims.

8.4 Right to restriction of processing

(1) You have the right to request that we restrict data processing if any of the following applies:

a) You contest the accuracy of the personal data, in which case the restriction applies for a period enabling us to verify the accuracy of the personal data;

b) the processing is unlawful and you oppose the erasure of the data and request the restriction of its use instead;

c) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or

d) you have objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of Cordia override those of the data subject.

(2) Where processing is restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) We will inform you in advance about the lifting of the restriction on data processing.

8.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing

Cordia will inform all recipients to whom we have disclosed personal data of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. We will inform you of these recipients at your request.

8.6 Right to data portability

(1) You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Cordia, where:

a) the processing is based on consent or a contract; and

b) the data processing is carried out by automated means.

(2) When exercising your right to data portability under paragraph (1), you have the right to request the direct transfer of personal data between data controllers, if this is technically feasible.

8.7 Right to object

(1) You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests, including profiling. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

(2) If the processing of personal data is for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, insofar as it is related to direct marketing. When unsubscribing from advertising materials, you will receive a confirmation link to your specified email address, which you must click to confirm your request to unsubscribe. Confirmation is important to ensure that the person requesting the unsubscription is not a robot, is acting on their own behalf, is confirming the request from their own email account, and is using a real email address. The confirmation link is valid for 48 hours. The unsubscription becomes valid upon confirmation. If you do not confirm your unsubscription within 48 hours, the link will expire and you will need to request a new link.

(3) If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for this purpose.

(4) In relation to the use of information society services and by way of derogation from Directive 2002/58/EC, you may exercise your right to object by means of automated devices based on technical specifications.

(5) Where personal data are processed for scientific or historical research purposes or statistical purposes, you have the right to object to the processing of personal data concerning you on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.8 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11; 1363 Budapest, Pf.: 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail:ugyfelszolgalat@naih.hu ).

8.10 Right to effective judicial remedy against the controller or processor

(1) You have the right to effective judicial remedy against a legally binding decision of the supervisory authority concerning you.

(2) You have the right to an effective judicial remedy if the competent supervisory authority does not deal with your complaint or does not inform you within three months of the progress or outcome of the complaint.

(3) Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.

8 .10 Right to effective judicial remedy against the controller or processor

(1) You have the right to an effective judicial remedy if you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in breach of the GDPR.

(2) Proceedings against the controller or processor shall be brought before the courts of the Member State where the controller or processor has its place of business. Such proceedings may also be brought before the courts of the Member State where the data subject has his or her habitual residence. In Hungary, such proceedings fall within the jurisdiction of the courts. The data subject may also bring proceedings before the court (törvényszék) with jurisdiction over their place of residence or place of stay, at their discretion. Information on the jurisdiction and contact details of the courts (törvényszékek) is available on the following website: www.birosag.hu.

Previous Data Protection Notices:
Last modification: 19 May 2025

30 July 2019
26 March 2019
23 May 2018
05 April 2018