Contents

1. General provisions and contact details

2. Updates and availability of the Data Protection Notice

3. Other data protection terms

4. The scope of handled data and the purpose of data handling

5. Transfer of personal data to our contracted partners

6. Personal data relating to children and third parties

7. Data security measures

8. Data protection rights and remedies

1. General provisions and contact details

This Data Protection Notice (“Data Protection Notice”) applies to any information relating to identified or identifiable natural persons (hereinafter referred to as: “data subject”, “individual” or “you”) (personal data) that is processed by Cordia Management Szolgáltató Korlátolt Felelősségű Társaság (“Cordia Management”) and/or Cordia Agent Hitelszervező és Ingatlanforgalmazó Korlátolt Felelősségű Társaság (“Cordia Agent”).

In this Data Protection Notice, where a data processing activity is carried out independently by one of the Cordia companies, it will appear under its own separate company name. In the case of joint data controllership, Cordia Management and Cordia Agent are collectively referred to as “Cordia”. Joint controllership means that the purposes and means of the data processing are determined jointly by Cordia Management and Cordia Agent. The joint data controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under Regulation (EU) 2016/679 on the General Data Protection Regulation (“GDPR”) by means of an arrangement between them. The essence of the agreement shall be made available to the individuals.

Cordia’s address: 1082 Budapest, Futó utca 47-53. VII. em.

Cordia Management’s company registration number: Cg. 01-09-289024

Cordia Agent’s company registration number: Cg. 01-09-877571

Cordia’s website: https://cordia.hu/

Cordia’s telephone number: 36/1/2662181

Cordia’s email address: cordia.management@cordia.hu

Cordia’s representative and contact details: Tibor Földi, see above for contact details

If you have any questions or comments regarding this Data Protection Notice, before using the https://cordia.hu/ website or submitting any data in accordance with this Data Protection Notice, please contact Cordia using one of the above-mentioned contact details.

If you provide your personal data to by using the services of a third-party (e.g. by using a social networking site), the data protection notice and other terms of use of that service may also apply. Cordia assumes no liability in this regard.

2. Updates and availability of the Data Protection Notice

Cordia reserves the right to amend this Data Protection Notice unilaterally, with effect from the date of the amendment, subject to the limitations set out in applicable law and, where necessary, by giving individuals sufficient prior notice. In particular, Cordia may amend this Data Protection Notice if required due to changes in legislation, data protection authority practice, business or employee needs, new data processing purposes, newly identified security risks, or feedback from individuals. Cordia may use the contact details available for an individual for communication purposes related to this Data Protection Notice or other data protection matters, or otherwise when contacting the individual. For example, upon request, Cordia will send the individual a copy of the current Data Protection Notice or confirm that the individual has read it.

3. Other data protection terms

Specific data protection conditions may also apply when individuals use certain special services, and we will be inform individuals of these before using the service in question.

Individuals must in all cases provide Cordia with the relevant personal data in accordance with applicable laws. In particular, they must have an appropriate and informed consent or another valid legal basis for transferring personal data (for example, when providing contact details or information about relatives). If Cordia becomes aware that an individual’s data has been disclosed without their consent or another appropriate legal basis, Cordia may delete the data immediately, and the individual may exercise their rights and remedies in accordance with this Data Protection Notice. Cordia shall not be liable for any damage, loss or injury resulting from any breach of the above obligations or representations by individuals.

4. The scope of date processed and purposes of data processing

The scope of personal data processed by Cordia Management and/or Cordia Agent, the purposes and legal bases of the processing, the duration of the processing, and the persons entitled to access the data are set out in the table below.

The purposes of data processing can be summarised as follows:

• Preparation of the property purchase agreement between you, as a client of Cordia Management, and the sellers of the properties you wish to purchase, including providing information about the properties you are interested in. In connection with the performance of the property purchase agreement, Cordia Management will forward buyers’ contact details (name, address, email address, telephone number) to the relevant condominium representatives.
• Data transfer to Cordia FM Társasházkezelő Korlátolt Felelősségű Társaság for property management services and the use of related leasing, real estate agency and other services.
• Creation of an online account on one of Cordia’s websites.
• Sending marketing materials by email and/or telephone (direct marketing) by Cordia.
• Conducting customer satisfaction surveys – for example verbally, in writing, by email or by telephone – following the purchase of a property or the use of services provided by Cordia.
• Sending customer information from Cordia via email.
• Preparation of loan and account agreements related to the property purchase agreement by OTP Bank Nyrt.
• Installation and operation of the Smart Home system and devices for home automation in residential properties.
• Processing the data of contractual partners, their contact persons and persons involved in performance and performance monitoring for the purpose of fulfilling a contract (day-to-day performance).
• Processing the data of contractual partners, their contact persons and persons involved in performance and performance monitoring for the purpose of handling compliance matters related to a contract, including seeking legal remedies required to ensure contractual rights.
• Data processing related to the enforcement of the data protection rights of individuals.
• Archiving the individuals’ consent to the data processing and any withdrawal of consent.
• Recording of personal data breaches (including documentation of steps taken in relation to the handling of the personal data breach).

If a processing purpose is based on the legitimate interests of Cordia or a third party, Cordia will provide the legitimate interest balancing test (also known as a “legitimate interest assessment”) used to determine the legitimate interest, upon request to any of the contact details listed above.

Cordia expressly draws individuals’ attention to their right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interests, including profiling carried out on this basis. In such cases, Cordia will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

Where personal data is processed for direct marketing purposes, individuals have the right to object at any time to the processing of their personal data for such purposes, including profiling related to direct marketing.

When unsubscribing from marketing communications, individuals will receive a confirmation link at the email address they provided. They must confirm their request to unsubscribe by clicking the link. This confirmation is necessary so that Cordia can verify that the request was made by a real person, acting on their own behalf, using their own email address, and not by an automated system. The confirmation link is valid for 48 (forty-eight) hours. The unsubscription period begins once the request is confirmed. If the individual does not confirm within 48 hours, the link will expire and the individual will need to request a new one.

The duration of each processing operation are primarily determined by the following legislation:

• Accounting Act – Act C of 2000 on Accounting. Cordia must retain certain information, such as that contained in supporting accounting records or in documents relating to contracts between Cordia and its contractors (e.g. supply contracts, purchase orders), as well as invoices issued, must be retained by Cordia under the Accounting Act. The 8-year data retention period specified in the Accounting Act is calculated from the date on which the relevant accounting item arose or from the date the report/accounting relied on the data.

In practice:

• If the data relates to a contract under which multiple performances are delivered (e.g. multiple services under a single contract), the 8-year period is calculated separately for each performance, since separate invoices are issued and accounted for each transaction.
• If the data relates to a contract for a one-time transaction (e.g. sale of an item, where the contract is terminated upon performance), the transaction is recorded in the accounts for the relevant year based on the contract and invoice, and the 8-year period starts from that date.
• Advertising Act – Act XLVIII of 2008 on the General Requirements and Certain Restrictions of Commercial Advertising Activities.
• Civil Code – Act V of 2013 on the Civil Code. If the Data Protection Notice specifies the limitation period for enforcing a claim as the processing period, any act interrupting the limitation period extends the processing period until the new limitation period date (Section 6:25(2) of the Civil Code). If the limitation period is suspended, a claim may be enforced within one year, or, for limitation periods up to one year, within three months after the obstacle ceases, if the limitation period has already expired or less than one year (or less than three months for limitation periods up to one year) remained (Section 6:24(2) of the Civil Code).
• Taxation Act – Act CL of 2017 on the Rules of Taxation. Cordia must retain the data supporting tax documents.

5. Transfer of personal data to our contractual partners

In addition to the contractual partners specifically named in this Data Protection Notice, Cordia engages the following contractual partners to perform tasks related to the data processing operations:

• com EMEA Limited – hosting services.
• Attention CRM Consulting Kft. – website development and maintenance.
• Lead Generation Kft. – customer relations.
• DONE Digital Kft. – website development.
• Silver Frog Informatikai Kereskedelmi és Szolgáltató Kft. – hosting services.
• Hidden Design Kft. – hosting services.
• Wavemaker Hungary Média, Tartalom és Technológia Kft. – media planning and media buying tasks.
• Cordia sales staff – preparation of sales agreements.
• Business Solution Informatikai Zrt. – use of server virtualisation and hosting services.
• NK Services (Hungary) Infokommunikációs Megoldások és Szolgáltatások Korlátolt Felelősségű Társaság –server virtualisation and hosting services.
• Meta Ireland Limited, Google Ireland Limited: display of personalised advertisements.

Contractual partners act as so-called “data processors”: they process the personal data specified in this Data Protection Notice on behalf of Cordia. Cordia may only engage data processors that provide adequate guarantees, in particular regarding expertise, reliability, and resources, to implement technical and organisational measures ensuring compliance with the requirements of the GDPR, including the security of data processing. The specific tasks and responsibilities of the data processor are governed by the contract between Cordia and the data processor. After the data processing on behalf of Cordia, the data processor shall, at Cordia’s discretion, return or delete the personal data, unless the data retention is required under EU or Member State law.

Contracting partners.

6. Personal data relating to children and third parties

Persons under the age of 16 may not provide personal data about themselves unless they have obtained permission from their parents.

By providing personal data, the individual declares and warrants that they will act in accordance with the above and that their capacity to act in relation to the provision of the information is not limited.

Where the individual does not have the legal right to provide any personal data, they must obtain the consent of the relevant third parties (e.g. legal representative, guardian, or another person on whose behalf they are acting) or provide another legal basis for the provision of the data. The individual must consider whether the consent of a third party is necessary for the provision of the personal data. Cordia may not have any personal contact with the relevant third party, in which case the individual is responsible for ensuring compliance with this provision, and Cordia shall not be liable in this regard. Notwithstanding this, Cordia is entitled at all times to verify that the appropriate legal basis for processing the personal data is available. For example, if the individual is acting on behalf of a third party, Cordia is entitled to request the relevant third party’s authorization and/or consent for the relevant processing.

Cordia will use all reasonable efforts to delete any information that has been unlawfully disclosed to it and will ensure that such information is not disclosed or used by Cordia for any other purpose (whether for advertising or otherwise). Cordia should be immediately informed if personal data about a child has been disclosed by themselves or if personal data about the individual has been unlawfully disclosed by a third party.

7. Data security measures

Cordia protects the personal data it processes by restricting access to the information. For example, only those persons who need the data to achieve the above-mentioned purposes have access to it.

8. Data protection rights and remedies

The detailed rights and remedies of the individuals are set forth in the applicable provisions of the GDPR (especially in Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and Cordia provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

Please note that regarding the profiling described above in this Data Protection Notice (sending advertising materials and managing related property search preferences), you have the right to request human intervention from Cordia, to present your position as described in this section, and to object to any decision made by Cordia following the profiling. Cordia will then review the decision with human intervention, taking into account the information you provided, and will inform you of the outcome.

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the individual, information may also be provided verbally, provided that the identity of the individual is verified by other means.

Identity verification by electronic means is done by sending a confirmation link to the email address you provided, which you must use to confirm your request for information. Confirmation is important to ensure that the person requesting the information is not a robot, is acting on their own behalf, is confirming the request from their own email account, and is using a genuine email address. The confirmation link is valid for 48 hours. The information deadline begins upon confirmation. If you do not confirm your request for information within 48 hours, the link will expire, and you will need to request a new link.

Cordia will inform the individual about the measures taken upon their request for the exercise of legal rights (see Articles 15-22 of the GDPR) without undue delay but in any case, no later than one month after its receipt. This period may, if needed, be extended by a further two months in light of the complexity of the request and the number of requests to be processed. Cordia shall notify the individual about the extension and indicate its grounds within one month of the receipt of the request. Where the request has been submitted by electronic means, the response should likewise be sent electronically, unless the individual requests otherwise.

If Cordia does not take any measure upon the individual’s request, it shall notify the individual without undue delay, but by no means later than one month after the receipt thereof, stating why no measures will be taken. Additionally, Cordia shall inform the individual about the individual’s right to lodge a complaint with the data protection authority and to file an action for remedy with the courts.

8.1 The individual’s right of access

(1) The individual has the right to obtain confirmation from Cordia with regards to whether personal data concerning them is being processed. In such a case, the individual is entitled to have access to the relevant personal data and to the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data has been or will be disclosed, specifically including recipients in third countries and/or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the right of the individual to request from Cordia rectification or erasure of personal data, or restriction of processing of personal data concerning the individual, or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the individual, any available information as to its source;

h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for you.

(2) Where personal data is forwarded to a third country, the individual is entitled to obtain information concerning the adequate safeguards of the data transfer.

(3) Cordia provides a copy of the personal data undergoing processing to the individual. Cordia may charge a reasonable fee based on administrative costs for requested further copies thereof. Where the individual submitted their request by electronic means, the information will be provided to them in a commonly used electronic form unless otherwise requested by the individual.

8.2 Right to rectification

The individual has the right to request that Cordia rectify inaccurate personal data which concerns them without undue delay. In addition, the individual is also entitled to have incomplete personal data completed e.g. by a supplementary statement or otherwise.

8.3 Right to erasure (‘right to be forgotten’)

(1) The individual has the right to request that Cordia erase the personal data concerning them without delay where one of the following grounds applies:

a) the personal data is no longer required for the purposes for which it was collected or otherwise processed by Cordia;

b) the individual withdraws consent on which the processing is based, and there are no other legal grounds for the processing;

c) the individual objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data has been unlawfully processed;

e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which Cordia is subject; or

f) the collection of the personal data occurred in connection with the offering of services regarding the information society.

The technical rules for deleting your account can be found under the relevant data processing purpose.

(2) If Cordia has made the personal data public and is obliged to erase it pursuant to paragraph (1), it shall take reasonable steps, taking into account available technology and the cost of implementation, , including technical measures, to inform data controllers who process the data that the individual has requested the deletion of any links to, or copies or replications of, that personal data.

(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:

a) for exercising the right of freedom of expression and information;

b) compliance with a legal obligation which requires processing by European Union or Member State law to which Cordia is subject;

c) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

d) the establishment, exercise, or defence of legal claims.

8.4 Right to restriction of processing

(1) The individual has the right to obtain a restriction of processing from Cordia where one of the following applies:

a) the accuracy of the data is contested by the individual, for a period enabling Cordia to verify the accuracy of the personal data;

b) the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of its use instead;

c) Cordia no longer needs the personal data for the purposes of the processing, but the individual requires it for the establishment, exercise or defence of legal claims; or

d) the individual has objected to processing pending the verification of whether the legitimate grounds of Cordia override those of the individual.

(2) Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with consent of the individual or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) Cordia informs the individual whose request has served as grounds for the restriction based on the aforesaid, before the restriction of processing is lifted.

8.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing

Cordia will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Upon request Cordia shall inform the individual about those recipients.

8.6 Right to data portability

(1) The individual has the right to receive the personal data concerning them, which they have provided to Cordia in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance from Cordia, where:

a) the processing is based on consent or on a contract; and

b) the data processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph (1), the individual shall have the right to have the personal data transmitted directly from one controller to another (thus from Cordia to another controller), where technically feasible.

8.7 Right to object

(1) The individual has the right to object, on grounds relating to their personal situation, at any time to the processing of personal data concerning them for the purposes of legitimate interests. In such a case, Cordia will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise or defence of legal claims.

(2) Where the processing of personal data serves direct marketing purposes you are entitled to object to the processing of personal data, including profiling, in so far as the latter relates to direct marketing. When you unsubscribe from receiving promotional materials, you will receive a confirmation link at the e-mail address you provided. You must use this link to confirm your request to delete your account. The confirmation ensures that the request is genuine, coming from you and your e-mail account, and not from an automated system. The confirmation link is valid for 48 hours. The unsubscription becomes valid confirmation. If you do not confirm within 48 hours, the link expires, and a new request must be submitted.

(3) If the individual objects to the processing of personal data with the aim of direct marketing, then the personal data can no longer be processed for this purpose.

(4) In connection with the use of services related to information society, the individual may resort to their right of objection, with deviation from Directive No 2002/58/EC, by means of automated devices based on technical requirements.

(5) Where personal data is processed for scientific or historical research purposes or statistical purposes, the individual, on grounds relating to their personal situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.8 Right to lodge a complaint with a supervisory authority

The individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement if they consider that the processing of personal data relating to them infringes the GDPR. In Hungary, the competent supervisory authority is the Hungarian Authority for Data Protection and Freedom of Information (http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; postal address:1363 Budapest, Pf.: 9; telephone: +36-1-391-1400; fax: +36-1-391-1410; email: ugyfelszolgalat@naih.hu).

8.10 Right to effective judicial remedy against the controller or processor

(1) You have the right to effective judicial remedy against a legally binding decision of the supervisory authority concerning you.

(2) You have the right to an effective judicial remedy if the competent supervisory authority does not deal with your complaint or does not inform you within three months of the progress or outcome of the complaint.

(3) Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.

8 .10 Right to effective judicial remedy against the controller or processor

(1) You have the right to an effective judicial remedy if you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in breach of the GDPR.

(2) Proceedings against the controller or processor shall be brought before the courts of the Member State where the controller or processor has its place of business. Such proceedings may also be brought before the courts of the Member State where the data subject has his or her habitual residence. In Hungary, such proceedings fall within the jurisdiction of the courts. The data subject may also bring proceedings before the court (törvényszék) with jurisdiction over their place of residence or place of stay, at their discretion. Information on the jurisdiction and contact details of the courts (törvényszékek) is available on the following website: www.birosag.hu.

Previous Data Protection Notices:
Last modification: 19 May 2025

30 July 2019
26 March 2019
23 May 2018
05 April 2018