Privacy Policy

1. Introduction, Purpose of the Privacy Policy
This Privacy Policy serves to comply with the data protection requirements and in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council on General Data Protection (hereinafter: “General Data Protection Regulation” or “GDPR”).
Banking Advisory Kft (registered seat: 1065 Budapest Bajcsy-Zsilinszky Street 43. 3rd floor. 2. Tax number 14397002-2-42.), as data controller (hereinafter: “Banking Advisory” or the “Controller”) is committed to protect the personal data of natural persons who come into contact with the company
(hereinafter: “Data Subjects”) and considers it of utmost importance to respect the Data Subjects’ right to informational self-determination. As data controller, the Controller has implemented numerous technical, safety and organizational measures to ensure the most complete protection of
personal data processed. In view of the above, the purpose of this Privacy Policy is to ensure that natural persons who come into contact with Banking Advisory understand what type of personal data is processed in connection with them, how data processing is carried out, what mandatory data protection rules apply, what rights the Data Subjects have in order to protect their rights and legitimate interests, and for what purposes, in which cases and to whom the Controller may transfer their data.

2. Name, address and contact details of the Controller
Company Name: Banking Advisory Kft (“Controller”)
Headquarters: Bajcsy-Zsilinszky Street 43. 3rd floor. 2.
Company registration number: 01 09 918742
Managing Director and Contact Person: Fabio Giacometti
E-mail: info@bankingadvisory.hu
Phone: + 36 70 70 93457
Homepage: www.bankingadvisory.hu
The Controller does not appoint a Data Protection Officer.

3. Concepts
“Data Subject” means: an identified or identifiable natural person on the basis of any information, insofar as the personal data concerning him or her are in the possession of the Controller; “Personal data” means: Any information relating to the Data Subject; “Data of public interest’ means: information or knowledge that is managed by a body or person performing a state or local government task, as well as other public tasks defined by law and related
to its activities or generated in connection with the performance of its public tasks, which does not fall under the concept of personal data, recorded in any way or form, regardless of the way it is handled, independent of its separate or aggregate nature, in particular data relating to competence,

organizational structure, professional activity, effectiveness, types of data held and legislation governing the operation, as well as management, contracts concluded; “Data public for public reasons” means: all data not covered by the concept of data of public interest, the disclosure or accessibility of which is required by law in the public interest; “Identifiable natural person” means: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “Data deletion” means: rendering the data unrecognizable in such a way that it is no longer possible
to recover it; “Processing by processors” means: all processing operations carried out by a processor acting on behalf or at the disposal of the controller; “Data file” means: the totality of data processed in a register;
“Restriction of processing” means: marking of stored personal data with a view to limiting their future processing; “Filing system” means: a collection of personal data in any way, whether centralised, decentralised or
structured according to functional or geographical aspects, which is accessible on the basis of specific criteria; “Controller” means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Recipient” means: the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not, shall not be regarded as recipients. The processing of those data by these public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; “Third party” means: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. “Consent of the data subject” means: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her.
“Personal data breach” means: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“Enterprise” means: any natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships and associations engaged in a regular economic activity; “Supervisory authority” means: an independent public authority established by a Member State in
accordance with Article 51 of the Regulation, the National Authority for Data Protection and Freedom of Information in Hungary;
“Cross-border processing of personal data” means:
a) processing of personal data in the Union in the context of activities carried out at establishments in more than one Member State by a controller or processor established in more than one Member State; or
b) processing of personal data in the Union in the context of activities carried out in a single establishment of the controller or processor with a significant impact on or likely to significantly affect Data Subjects in more than one Member State; “Information society service“ means: a service within the meaning of Article 1(1)(b) of Directive (EU)
2015/1535 of the European Parliament and of the Council.

4. Data Processing Principles applied by the Controller
The Controller declares that the processing of personal data is carried out in accordance with this Privacy Policy and complies with the requirements of the applicable law. The Controller shall, in particular, take into account the following:
 The processing of personal data shall be lawful, fair and transparent to the Data Subject.
 Personal data may only be collected for specified, explicit and legitimate purposes.
 The purpose of the processing of personal data shall be appropriate and relevant and should be limited to what is necessary.
 The personal data must be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
 The personal data must be stored in such a way as to allow identification of the Data Subjects for no longer than is necessary. The personal data may be stored for a longer period of time only if the personal data are stored for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
 Personal data shall be processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The principles of data protection apply to all information relating to a natural person identified or identifiable by the Controller, regardless of the means through which the information is obtained by the Controller.

5. Type of data processed, legal basis, purpose and duration of data processing
5.1. Data processing regarding data obtained via the Controller’s website or via other digital channels The Controller may process the Data Subject’s data for the purpose of contacting the Data Subject or transmitting proposals, as follows:

 Type of data processed: name, e-mail address, telephone number of the Data Subject;
 Purpose of data processing: establishing contact between the Data Subject and the Controller, transmitting proposals, sending newsletters;
 Legal basis of data processing: voluntary consent of the Data Subject [Article 6 (1) (a) of the GDPR];
 Duration of data processing: until the Data Subject’s request to deletion.
5.2. Data processing in relation to contractual relationship with the Controller and/or services provided by the Controller
The Controller may process the data of the Data Subject to meet obligations from a contractual relationship established with the Data Subject, and in particular in order to provide services to the Data Subject, as follows:
 Type of data processed: the personal data of the Data Subject relevant to the contractual relationship and the use of the services, as well as data necessary for invoicing the services, in particular: name, email address, address, tax identification number, tax number, citizenship, invoicing name, invoicing address, telephone number;
 Purpose of data processing: performance of obligations arising out of the contract between the Data Subject and the Controller, exercising rights, providing services by the Controller;
 Legal basis of data processing: contract between the Data Subject and the Controller, in particular contract to provide services [Article 6 (1) (b) of the GDPR], fulfilment of legal obligations (e.g. invoicing) [Article 6(1)(c) of the GDPR];
 Duration of data processing: until termination of the contractual relationship, or within the statutory time period provided by the relevant legislation.

6. Cookies (cookies)
We recommend that you accept “cookies” for the full use of some of the services of this website.
“Cookie” is a small text that contains personalised information and is stored by the Data Subject’s browser on the computer of the Data Subject. The purpose of cookies is to help recognise returning visitors and implement customised visitor functions. By using cookies, the Controller does not
process personal data.
 Data Subjects concerned: visitors of the website.
 Type of data concerned: unique identification number, time, setup data.
 Purpose of data processing: additional service, identification, tracking of visitors.
 Legal basis of data processing: no consent from the Data Subject is required if the use of cookies is absolutely required for the services.
The Data Subject has the option to delete cookies from the browsers at any time in the Settings menu. If you would like to know more about cookies, please visit the following link: filed https://europa.eu/youreurope/citizens/cookies/index_hu.htm.

7. Access to data, data transfer
The personal data provided by the Data Subject can only be accessed by the Controller’s managing director and its designated staff.
The Controller can only transfer personal data to third parties or public bodies and authorities in the case of the Data Subject's express consent, or in cases specified by law.

​

8. Rights of the Data Subject in relation to Data Processing
8.1. Right to information in a transparent manner

The Data Subject may request information from the Controller in writing, at any time, through the contact details provided in this Privacy Policy, so that the Data Controller can inform:
 what personal data,
 on what legal basis,
 for what purpose of data processing,
 from what source,
 how long has been handled,
 to whom, when, on the basis of what legislation, which personal data the Controller has granted access to or to whom the Controller has transferred the personal data.
The Controller shall fulfill the Data Subject's request within a maximum of 30 days, to the contact information provided by the Data Subject, in a transparent and clear manner.
8.2. Right to rectification

The Data Subject may request from the Controller in writing, at any time, through the contact details provided in this Privacy Policy, the rectification of personal data concerning him or her (e.g. change
of email address). Before fulfilling the request, the Controller may request appropriate confirmation of the change in personal data (e.g. change of address, change of surname).The Controller shall fulfill the request within a maximum of 30 days and notifies the Data Subject in a letter sent to the contact information provided by the Data Subject.
8.3. Right to erasure

The Data Subject may request the deletion of his personal data from the Controller in writing via the contact details provided in this Privacy Policy. The Controller will reject the deletion request if the law or an internal regulation obliges the Controller to continue storing personal data. However, if
there is no such obligation, the Controller shall comply with the request of the Data Subject within 30 days and inform the Data Subject about this by sending a letter to the contact details provided by the Data Subject.
8.4. Right to suspend processing
The Data Subject can request the Controller in writing, through the contact details provided in this Privacy Policy, to suspend processing his or her personal data. The suspension lasts as long as the
reason indicated by the Data Subject makes it necessary to store the data. The Data Subject may request blocking of the data, for example, if he believes that the Controller has handled the data illegally, however, for the sake of official or judicial proceedings initiated by the Data Subject, it is
necessary that the Controller does not delete the data. In this case, the Data Controller will continue to store the personal data until the authority or court is seised, and then delete the data.
8.5. Right to object
The Data Subject may object to data processing in writing via the contact details provided in this Privacy Policy, if the Controller forwards or uses his or her personal data for the purpose of direct business acquisition, public opinion polls or scientific research. Thus, for example, the Data Subject
may object to the use of his or her personal data for the purpose of scientific research, without his or her consent. The Data Subject shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a legal obligation or for the
establishment, exercise or defence of legal claims. For example, the Data Subject cannot object to a request containing his or her personal data transferred by the Controller to the authority in the course of an ongoing administrative procedure.

9. Enforcement rights regarding data processing
9.1. Complaints to the Controller
Each Data Subject shall have the right to make complaints to the Controller regarding the processing of his or her personal data, at the contact details provided in this Privacy Policy.
9.2. Notification to the Supervisory Authority
By means of a notification, the Data Subject may initiate an investigation on the grounds that the processing of his or her personal data has been violated or there is an imminent risk thereof:
National Authority for Data Protection and Freedom of Information:
1363 Budapest, Pf.: 9.
+ 36 1 391 1400
+ 36 1 391 1410 (fax)
ugyfelszolgalat@naih.hu
www.naih.hu
9.3. Initiation of judicial proceedings
In case of unlawful processing experienced by the Data Subject, he or she may initiate a civil procedure against the Controller. The court has jurisdiction to adjudicate on the case. Please see the
list and contact details of the tribunals at the following link:
https://birosag.hu/torvenyszekek
9.4. Compensation for damages
The Controller is obliged to compensate for any damage caused by the unlawful processing of the Data Subject’s data or by breach of the requirements of data security. The Controller shall not compensate for the damage if the damage results from the intentional or grossly negligent conduct of the Data Subject.
10. The legal basis for the processing of personal data
The processing of personal data contained in this Privacy Policy is based in particular on the following
laws:
 The Fundamental Laws of Hungary;
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC;
 Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
 Act CVIII of 2001 on certain aspects of electronic commerce services and information society
services;

 Act V of 2013 on the Civil Code.
Date of entry into force of this Privacy Policy: 2024. 07.01
The Controller reserves the right to change.