Privacy notice
This Privacy Notice governs the processing of certain personal data by VLK Newmark Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1134 Budapest, Váci út 45, Building D, 8th floor; tax number: 14275706-2-41; company registration number: 01-09-896701; represented by Kalaus Valter Levente and Takács Péter, managing directors acting independently) (hereinafter referred to as the “Data Controller”).
Introduction
The Data Controller acknowledges this Privacy Notice as binding upon itself and undertakes to process personal data at all times in compliance with the applicable legal regulations and the provisions set forth herein.
This Privacy Notice may be unilaterally amended and/or withdrawn by the Data Controller at any time, with simultaneous notification of the Data Subjects. Notification shall be effected by publication on the Website and, depending on the nature of the change, by direct notification of the Data Subjects.
Should you have any questions or comments regarding this Privacy Notice or data processing in general, please contact us at hungary@nmrk-global.com or by post at 1134 Budapest, Váci út 45, Building D, 8th floor.
I. Scope of the Privacy Notice
1. Personal Scope
This Privacy Notice applies to data processing activities carried out by the Data Controller in relation to the following natural persons (hereinafter collectively referred to as the “Data Subjects”):
a) persons who have submitted a curriculum vitae to the Data Controller for the purpose of establishing an employment relationship (hereinafter: “Applicant”);
b) the Data Controller’s natural person contractual partners, including sole proprietors (hereinafter: “Contractual Partner”);
c) contact persons and other representatives designated by the Data Controller’s non-natural person contractual partners (hereinafter collectively: “Contact Persons”);
d) other natural persons on a case-by-case basis.
Where personal data are not obtained directly from the Data Subject, the person providing such data is responsible for obtaining the Data Subject’s consent for disclosure of such data to the Data Controller.
2. Temporal Scope
This Privacy Notice shall enter into force on 1 January 2026 and shall remain in effect until amended or withdrawn. It shall also apply to data processing operations already in progress at the time of its entry into force.
3. Territorial Scope
This Privacy Notice applies to all data processing activities carried out by the Data Controller in any geographical location.
4. Material Scope
This Privacy Notice governs the data processing activities carried out by the Data Controller in relation to the Data Subjects, defining their purposes and legal bases, the tools and methods applied, as well as the security measures implemented.
II. Definitions
a) Personal data: any information relating to an identified or identifiable natural person (“Data Subject”);
b) Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. As a general rule, the Data Controller does not process special categories of data (e.g. health data). Such data may only be processed on the basis of the Data Subject’s explicit prior consent or a statutory authorization.
c) Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
d) Processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
e) Data Controller: VLK Newmark Szolgáltató Korlátolt Felelősségű Társaság (contact: hungary@nmrk-global.com, tel.: +36-1-632-1400);
f) Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller;
g) Third party: a natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Processor and persons authorized to process personal data under the direct authority of the Data Controller or Processor.
All other terms used in this Privacy Notice shall have the meanings assigned to them in applicable legislation, in particular Regulation (EU) 2016/679 (GDPR) and Act CXII of 2011 (Infotv.). The Data Controller shall comply fully with all applicable legal requirements when processing personal data.
III. Principles
The Data Controller processes personal data in accordance with the following principles:
a) lawfulness, fairness and transparency;
b) purpose limitation;
c) data minimisation;
d) accuracy;
e) storage limitation;
f) integrity and confidentiality;
g) accountability.
The Data Controller has established and continuously reviews its procedures in accordance with the above principles and ensures data protection by design and by default.
IV. Specific Data Processing Purposes
1. Processing of CVs
|
Purpose of processing |
Categories of personal data |
Legal basis |
Retention period |
|
For the purpose of assessing the Applicant’s employment for the position applied for, maintaining contact, |
as per the CV |
consent (GDPR 6. article (1) a) point) |
until the closure of the application process at the latest |
|
and for the possible future employment of the Applicant, including contacting the Applicant with new job offers, the Applicant’s CV is also stored. |
as per the CV |
consent (GDPR 6. article (1) a) point) |
for a maximum period of one year from the submission of the CV |
No data are transferred to third parties. The Applicants’ data may be accessed exclusively by the Data Controller’s managing directors, company managers and the head of the department for which the Applicant has applied.
Possible legal consequences of failure to provide consent: in the absence of consent, the Data Controller is unable to employ the Applicant, as without the CV it cannot make a well-founded decision regarding employment.
2. Performance of Contracts and Obligations with Data Subjects
The Data Controller may enter into various types of contracts with Data Subjects (natural persons and sole proprietors), the conclusion and performance of which serve the interests of both parties. This chapter does not apply to employment contracts concluded with Applicants, which are governed by a separate Privacy Notice.
|
Purpose of processing |
Categories of personal data |
Legal basis |
Retention period |
|
Measures taken prior to the conclusion of a contract (e.g. making an offer); conclusion, establishment, amendment and termination of contracts/obligations |
Full name, permanent address, mother’s maiden name, place and date of birth, personal identification number; in the case of sole proprietors, additionally: registered office, tax identification number, bank account number, sole proprietor registration number, and contact details. |
contractual obligation (GDPR 6. article (1) b) point) |
General tax law limitation period (8 years following the termination of the contract) |
|
Statutory notifications related to the contract – where required by law |
Data required by statutory provisions (e.g. certificate numbers, tax identification number/tax number, social security number). |
legal obligation (GDPR 6. article (1) c) point) |
General tax law limitation period (8 years following the termination of the contract), unless a longer retention period is prescribed by law |
|
Determination and payment of remuneration and settlement of public charges |
Amount of remuneration, amount of public charges, certificate of performance, bank account number, tax identification number/tax number. |
contractual obligation (GDPR 6. article (1) b) point) Compliance with legal obligations – in particular tax law regulations – (GDPR 6. article (1) c) point) |
General tax law limitation period (8 years following the termination of the contract), unless a longer retention period is prescribed by law |
Data Transfers: in the case of certain contracts or obligations, personal data may be transferred to third parties. This includes, for example, the engaged accounting service provider in connection with the determination and payment of remuneration and the settlement of public charges (currently: Klein Consulting Könyvelőiroda Korlátolt Felelősségű Társaság, registered office: 1118 Budapest, Dayka Gábor utca 3, Building 107; tax number: 25468117-2-43; company registration number: 01-09-276904; represented by Rita Klein-Szedlár, Managing Director). The Data Controller ensures the security of the transferred data by appropriate safeguards and other measures (see Chapters V–VI).
In addition to the above, the Data Controller is entitled to transfer contact details (name, telephone number, address) to carriers. The carriers used by the Data Controller include:
Redda – Motor Kft – courier service
3. Processing of Contact Data in the Case of Contracts Concluded with Non-Natural Persons
For the purpose of performing contracts concluded by the Data Controller, the Data Controller is entitled to process certain personal data of employees and other agents of its (non-natural person) contractual partners.
|
Purpose of processing |
Categories of personal data |
Legal basis |
Retention period |
|
Maintaining contact with the contractual partner, making legal declarations and performing other actions necessary for the performance of the contract (e.g. delivery, handling of complaints, handover and acceptance procedures, etc.) |
name, name and address of workplace, job title, e-mail address, business telephone number |
The legitimate interest of the Data Controller and the contractual partner in the performance of the contract (GDPR 6. article (1) f) point) |
Termination of the contract or the Data Subject’s lawful objection |
|
Debt collection and enforcement of claims against the contractual partner |
name, name and address of workplace, job title, e-mail address, business telephone number |
The legitimate interest of the Data Controller and the contractual partner in the performance of the contract (GDPR 6. article (1) f) point) |
General civil law limitation period (5 years following the termination of the contract) or the Data Subject’s lawful objection |
4. Inspections Carried Out by the Data Controller – CCTV Surveillance
The Data Controller is entitled, in certain cases, to monitor the activities of the Data Subject carried out at the Data Controller’s registered office (1134 Budapest, Váci út 45, Building D, 8th floor). The methods applied serve to protect certain legitimate interests of the Data Controller (e.g. protection of property, protection of business secrets, etc.).
The Data Controller hereby informs the Data Subjects that CCTV surveillance is carried out at its Budapest registered office, located at 1134 Budapest, Váci út 45, Building D, for the purposes of property protection and security monitoring (areas outside the Data Controller’s exclusive premises). Such surveillance is carried out independently of the Data Controller by CPI Property Group, the operator of the office building located at 1134 Budapest, Váci út 45, Building D, in accordance with its own internal regulations. The Data Controller does not have access to, and does not process, the data recorded.
5. Data Processing via the Use of the Website; Cookies
The website available at https://nmrk.hu/
and other landing pages operated by the Data Controller (hereinafter collectively referred to as the “Website”) are the property of the Data Controller. The Website is a publicly accessible platform available to anyone.
The Website may be visited without providing any personal data. We store only access data in server log files, such as the names of the requested files, the date and time of the request, the volume of data transferred, the browser type, the IP address and the requesting service provider. These data are evaluated exclusively for the purpose of ensuring the smooth operation of the Website and improving our services, and do not allow any conclusions to be drawn about the person behind the user. In the event of concrete indications of unlawful use, we reserve the right to subsequently review such data.
When using certain functions and subpages of the Website, the following data processing activities take place:
|
Purpose of processing |
Categories of personal data |
Legal basis |
Retention period |
Purpose of processing |
|
Contact |
Name, e-mail, message; telephone number |
consent (GDPR 6. article (1) a) point) |
5 years, but no longer than until the withdrawal of consent |
hungary@nmrk-global.com |
|
social media platform usage (LinkedIn, youtube, Instagram) |
Name |
consent(GDPR 6. article (1) a) point) * |
withdrawal of consent |
hungary@nmrk-global.com |
*We kindly inform the Data Subjects that the data processing activities carried out by individual social media platforms are governed by the respective platforms’ own privacy notices.
The hosting service provider of the Website is IT & Coffee Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1239 Budapest, Kelep utca 60, Door 1; tax number: 13692335-2-43; company registration number: 01-09-868274; represented by Gábor Demeter and Ingrid Katalin Borbély, Managing Directors).
Cookies Used by the Website
With regard to the cookies used by the Website, the terms of website use published at https://nmrk.hu/honlaphasznalat shall apply.
You may disable and delete cookies at any time in your browser settings; however, in such case, certain functions of the Website may be available only to a limited extent.
6. Data Processing for Marketing Purposes
|
Purpose of processing |
Categories of personal data |
Legal basis |
Retention period |
|
|
Sending newsletters to interested parties |
e-mail address |
consent (GDPR 6. article (1) a) point) |
withdrawal of consent |
Possible Legal Consequences of Failure to Provide Consent: if consent is not provided, the Data Subject will not receive information about promotions and new products. Granting consent is not a precondition for concluding a contract. In the case of newsletter services, the Data Subject may unsubscribe at any time by sending a request to the following e-mail address: hungary@nmrk-global.com.
Data transfers: The Data Controller is entitled to store these data in databases accessible to its employees/agents. In addition, personal data may be transferred to authorities on the basis of statutory requirements.
V. Access to Data, Disclosure to Third Parties and Data Storage
1. General Provisions
The Data Controller ensures data protection by default and by design. For this purpose, the Data Controller applies appropriate technical and organisational measures to:
- precisely regulate access to data;
- allow access only to persons for whom the data are necessary for the performance of their duties, and even then only to the minimum extent necessary;
- carefully select its processors and ensure data security through appropriate data processing agreements;
- ensure the integrity, authenticity and protection of the processed data.
2. Data Transfers, Processing and Access
The Data Controller seeks to avoid disclosure of Data Subject data to third parties; however, disclosure may be unavoidable in certain cases. Data may be disclosed primarily in the following circumstances:
- Transfers to authorities: In connection with the conclusion, performance and termination of contracts, the Data Controller may be subject to statutory reporting obligations. Accordingly, data are primarily transferred to the Hungarian National Tax and Customs Administration (NAV). Further disclosures may occur upon official request or suspicion of criminal activity.
- Disclosure of contact data: For the purpose of performing contracts, it may be necessary to maintain contact with clients, partners and other persons. Accordingly, the Data Controller may disclose the Data Subject’s business contact details (primarily name, business e-mail address, business telephone number, job title) to third parties, as specified in the underlying contract.
- Carriage: For the performance of contracts, the Data Controller uses carriers to whom certain recipient data (name, address, contact person, contact details) must be disclosed. The carriers used are listed in Sections IV/2 and IV/3 of this Notice.
Beyond the above cases, the Data Controller may also disclose data to third parties in compliance with applicable legal regulations.
3. Physical Storage of Data
Some data are processed and stored via servers located at the Data Controller’s registered office.
Transfers to third countries may occur only on the basis of an adequacy decision, appropriate safeguards, standard data protection clauses, statutory derogations applicable to the specific situation, or, ultimately, the Data Subject’s consent. Where the recipient country does not provide an adequate level of data protection, the Data Controller or another member of its corporate group ensures contractual safeguards of the strictness required by law. The Data Controller bears full responsibility for the lawfulness of data transfers and the security of the data.
Back-up copies are stored in Hungary.
4. Retention Period
The Data Controller stores Data Subject data for the periods specified above for each processing purpose, after which the data are deleted. Where statutory provisions require longer retention, data will be stored for the period prescribed by law.
VI. Measures Implemented by the Data Controller in the Field of Data Protection
The Data Controller applies reasonable physical, technical and organisational security measures to protect Data Subject data, in particular against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, use, access or processing. In the event of known unauthorised access to personal data involving a high risk to the Data Subject, the Data Controller shall notify the Data Subject without undue delay.
Where data transfer is necessary, the Data Controller ensures appropriate protection of the transferred data, for example by encrypting the datasets. The Data Controller bears full responsibility for data processing carried out by third parties.
The Data Controller also ensures regular and appropriate back-ups to protect Data Subject data against destruction or loss.
VII. Rights of the Data Subject
The Data Subject is entitled to the following rights in relation to data processing:
a) Right to transparent information
b) Right of access to stored data
c) Right to rectification
d) Right to erasure (“right to be forgotten”)
e) Right to object
f) Right to restriction of processing
g) Right to data portability
h) Right to withdraw consent
Requests may be submitted in writing to hungary@nmrk-global.com or by post to 1134 Budapest, Váci út 45, Building D, 8th floor. The Data Controller may verify the identity of the requester. Requests shall be handled without undue delay and no later than one month, free of charge unless manifestly unfounded or excessive.
The Data Subject may lodge complaints with the Data Controller and may also initiate judicial proceedings. In addition, complaints may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
- ugyfelszolgalat@naih.hu
- Tel.: +36 (30) 683-5969
- Address: 1055 Budapest, Falk Miksa utca 9-11 (1363 Budapest, P.O. Box 9)
During data processing, the accuracy, completeness and—where necessary in view of the purpose of processing—the up-to-dateness of the data must be ensured. Accordingly – The Data Controller requests that Data Subjects notify it without delay of any changes to their personal data to ensure accuracy and completeness.
***