Privacy Policy

on the processing of data by Shopper Park Plus Nyrt.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: “Info-Act”), Shopper Park Plus Nyilvánosan Működő Részvénytársaság (registered office: 1015 Budapest, Batthyány utca 3. fszt. 1.; company registration number: 01-10-140433; tax number: 27033498-2-44; hereinafter: “Controller”) informs persons who are data subjects under the GDPR (hereinafter: “Data Subjects”) in this document (hereinafter: “Privacy Policy”) of the processing of their personal data.

1. General information of the Controller

The Controller is a public limited company registered in Hungary which, in accordance with its Articles of Association, carries out the following activities: leasing and operating its own and leased real estate, real estate development, sale and purchase of its own real estate, other real estate agency and management services, asset management (holding), and building management.

In the course of its activities, the Controller primarily processes the personal data of shareholders owning its shares (hereinafter: “Shareholders”) and the representatives of legal entity shareholders in compliance with the relevant data protection regulations, including the provisions of the GDPR and the Info-Act.

2. Data processing on the website of the Controller

Anyone is entitled to use the www.shopperparkplus.hu website, and the content on the website is freely accessible to everyone. By clicking on the “Contact” tab in the main menu of the www.shopperparkplus.hu website and filling out the form, visitors have the opportunity to contact the Controller.

The website uses the Google Maps plug-in, which may transmit to Google, Inc. (Mountain View, California) personal data that cannot be used to directly identify visitors.

In this context, the Controller processes personal data as follows:

Processed personal data: Name; Email address; Other personal data provided by the visitor
Purpose of data processing: Establishing and maintaining contacts; Information about the Controller’s activities
Legal basis for data processing: GDPR Article 6(1)(b) (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
Duration of data processing: From establishing contact to signing a contract, or in the absence of a contract, for one year from the date of establishing contact

The data processing operations performed by the Controller in connection with the processing described in this section are: collection, recording, storage, and organization.

3. Processing of Shareholders’ personal data

3.1. Ownership Identification

In the event of ownership identification, the Controller may obtain access to the data of the Shareholders. The Controller processes personal data made available to it by the central securities depository performing the ownership identification, KELER Central Depository Ltd., after the ownership identification has been performed. 

Processed personal data: Name; Birth name; Place of birth (country, city), date; Mother’s name; Gender; Citizenship; Tax identification number; Personal identification number; Foreign private individual identification number; Address (country, postal code, city, street, house number); Postal address (country, postal code, city, street, house number); Number of shares held by the shareholder on the record date; Securities account details; Whether the shares are held in a long-term investment account; Owner identification
Purpose of data processing: Ownership identification
Legal basis for data processing: GDPR Article 6(1)(f) (Legitimate interests of the Controller)
Duration of data processing: Until deletion from the Controller’s records

The possibility of initiating owner identification is provided for by law, e.g. in connection with the holding of a general meeting or the payment of dividends. The Controller therefore has a legitimate interest in obtaining information about the identity of the Shareholders through owner identification and in ensuring that the general meeting is held in accordance with the rules. In the event of ownership identification, the Company’s Board of Directors, as the keeper of the share register, shall delete all data entered in the share register that is valid at the time of ownership identification and, at the same time, enter the data corresponding to the results of ownership identification in the share register. In the Controller’s judgment, the owner identification procedure constitutes minimal interference with the privacy of the Shareholders, and a common interest can be established, as the Shareholders do not need proof of ownership to exercise their shareholder rights. The Controller has not identified any shareholder rights or interests that would be infringed or negatively affected by the data processing specified in this section.

The data processing operations performed by the Controller in connection with the processing described in this section are: collection, recording, storage, conversion, and organization.

3.2. Identification of shareholders at general meetings

If the Shareholder wishes to participate in the Controller’s general meeting in person or through a representative who is a natural person, the Controller shall process personal data in connection with this as follows:

Processed personal data: The data appearing on the document suitable for proving the identity of the Shareholder or its representative, or on its address card
Purpose of data processing: Identification of the Shareholder or its representative
Legal basis for data processing: GDPR Article 6(1)(f) (Legitimate interests of the controller)
Duration of data processing: Given that identity verification is carried out by presenting a document suitable for proving identity or a residence card, data processing shall last until the personal documents are returned

The Controller has a legitimate interest in ensuring that only the actual Shareholders of the Controller may participate in the general meeting, and for this purpose it shall verify the identity of the Shareholders attending the general meeting. Given that identity verification is carried out in accordance with the principle of data minimization, by presenting identity documents (ID card, driver’s license, passport, residence card), data processing has a minimal impact on the privacy of Shareholders, and therefore the legitimate interest of the Controller prevails over the related rights, freedoms and legitimate interests of Shareholders. Furthermore, in the opinion of the Controller, it is also in the interest of the Shareholders that only those entitled to participate in the general meeting may do so, thus there is a common interest.

The data processing operation performed by the Controller in connection with the processing described in this section is: access.

3.3. Audio and/or video recording at general meetings

If, in accordance with the Controller’s regulations, audio and/or video recordings are made of the general meeting, the Controller shall process personal data as follows:

Processed personal data: Image of the shareholder; Motions and statements made at the general meeting (and personal data provided by the person making the motion or statement)
Purpose of data processing: Preparation of accurate and factual minutes of general meetings
Legal basis for data processing: GDPR Article 6(1)(f) (Legitimate interests of the controller)
Duration of data processing: Until deletion from the Controller’s records

The Controller has a legitimate interest in ensuring that minutes are taken of general meetings held in person, which accurately and factually record the events of the meeting, the decisions taken and the statements and proposals made. Given that the Shareholder also has an interest in ensuring that the minutes of the general meeting are prepared in accordance with the law, the Controller considers that there is a common interest, and in this context, the Controller has not identified any other shareholder interests or rights that would take precedence over the Controller’s legitimate interest.

The data processing operations performed by the Controller in connection with the processing described in this section are: recording and storage.

3.4. Investor newsletter

The Controller sends a newsletter to Shareholders who subscribe to it, containing information about the Controller published on the website www.shopperparkplus.hu, including information subject to mandatory disclosure, public financial data, investor presentations and other corporate information.

Processed personal data: Email address of the Shareholder or its representative
Purpose of data processing: Sending the newsletter
Legal basis for data processing: GDPR Article 6(1)(a) (Consent of the Shareholder)
Duration of data processing: Until withdrawal of consent

The data processing operations performed by the Controller in connection with the processing described in this section are: recording, storage, and use.

3.5. Payment of dividends

The Controller shall process personal data in connection with the payment of dividends to Shareholders as follows:

Processed personal data: Name; Birth name; Place of birth (country, city), date; Mother’s name; Gender; Citizenship; Tax identification number; Personal identification number; Foreign private party identification number; Address (country, postal code, city, street, house number); Postal address (country, postal code, city, street, house number); Number of shares held by the shareholder on the record date; Securities account details; Whether the shares are held in a long-term investment account
Purpose of data processing: Payment of dividends
Legal basis for data processing: GDPR Article 6(1)(c) (Compliance with a legal obligation)
Duration of data processing: Until the dividend payment is made

Processed personal data: Name; Address; Tax identification number; Foreign private individual identification number; Number of shares; Personal income tax deducted; Net amount paid; Date of payment; Whether the shares were placed in a long-term investment account
Purpose of data processing: Issuing tax certificates
Legal basis for data processing: GDPR Article 6(1)(c) (Compliance with a legal obligation)
Duration of data processing: General limitation period (5 years from date of issue)

The data processing operations performed by the Controller in connection with the processing specified in this section are: recording, storage, and disclosure by means of transfer.

3.6. Contacting the representative of a legal entity

Processed personal data: Details of the authorized representative/contact person (name, birth name, mother’s name, permanent address, type and number of identity document), position, telephone number, email address designated for communication
Purpose of data processing: Maintaining contact
Legal basis for data processing: GDPR Article 6(1)(f) (Legitimate interests of the Controller)
Duration of data processing: The Controller shall process the data until the Shareholder ceases to be a shareholder. If the representative changes, the Controller shall process the personal data of the new representative based on the Shareholder’s notification.

Regarding communication between the Controller and the legal entity Shareholders, the processing of the personal data of the Shareholder’s representative is – in the Controller’s judgment – in the legitimate interest of both the Controller and the Shareholder, and therefore a common interest can be established. Without the processing of the personal data of the Shareholder’s representative, uninterrupted communication between the parties would be more difficult to ensure, and the personal data processed are essential for maintaining contact and represent minimal interference with the privacy of the data subject, in accordance with the principle of data minimization. The Controller has not identified any representative rights and interests that would be infringed or adversely affected by the data processing specified in this section.

The data processing operations performed by the Controller in connection with the processing specified in this section are: collection, recording, storage, organization, and data transfer by means of communication.

4. Automated decision-making (including profiling):

No automated decision-making, including profiling, takes place during data processing.

5. Transfer of personal data, recipients of personal data and categories of recipients:

The Controller uses the following data processors in connection with data processing:

ViaCom Informatikai Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (seat: 2360 Gyál, Deák Ferenc utca 17., company registration number: 13-09-109794), which provides hosting services.

MailerLite Limited (seat: 88 Harcourt Street, Dublin 2, D02 DK18, Ireland), which provides a newsletter service called MailerLite.

KELER Central Depository Ltd. (seat: 1074 Budapest, Rákóczi út 70-72., company registration number: 01-10-042346), which acts as an agent in the implementation of ownership identification and dividend payments.

The Controller shall transfer the personal data specified in this Privacy Policy to its legal representative, Hümpfner Law Firm (seat: 1015 Budapest, Batthyány u. 3. fszt. 1., managing attorney: Dr. Viktória Hümpfner) for the purpose of performing legal work related to data processing. The legal basis for the transfer of data is the Controller’s legitimate interest in legal representation (GDPR Article 6(1)(f)).

6. Rights of the Data Subject

The Data Subject (including the Shareholder) may exercise the rights set out in Chapter III of the GDPR in connection with the data processing described in this Privacy Policy as follows:

Withdrawal of consent

The Data Subject has the right to withdraw his or her consent to the processing of his or her personal data at any time, without giving any reason, without this entailing any financial or other obligations for the Data Subject.

Right of access and information

The Data Subject has the right to receive confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to have access to the personal data concerning him or her and to the following information: the purposes of the processing, the categories of personal data concerned, the source of the personal data, the existence of automated decision-making, including profiling, and the legal basis for the processing. The Data Subject may also request a copy of the personal data that is the subject of data processing.

Right of rectification

The Data Subject has the right to request the rectification or supplementation of his or her personal data processed by the Controller.

Right to deletion

The Data Subject has the right to request that the Controller delete the personal data processed by it if any of the following reasons apply:

– the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

– the Data Subject withdraws the consent on which the data processing is based and there is no other legal basis for the data processing;

– the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

– the personal data have been unlawfully processed;

– the personal data must be erased to comply with a legal obligation to which the data controller is subject under Union or Member State law;

– the personal data have been collected in relation to the offer of information society services.

However, the right to deletion is not unlimited and may be restricted by the provisions of relevant EU and domestic data protection legislation.

Right to restriction of processing

Data Subjects are entitled to request restriction of data processing in the following cases:

– the Data Subject disputes the accuracy of the personal data, in which case the restriction applies for a period enabling the Controller to verify the accuracy of the personal data;

– the processing is unlawful, and the Data Subject requests restriction of processing instead of erasure;

– the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims; or

– the Data Subject has objected to the processing; in this case, the restriction applies until it is determined whether the legitimate grounds of the Controller override those of the Data Subject.

Following the restriction of data processing, personal data subject to restriction may only be processed, with the exception of storage, with the consent of the data subjects or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Subject also has the right to receive their personal data provided to the Controller electronically and to transfer it to another data controller.

Right to object

The Data Subject has the right to object to the processing of his or her personal data if the processing is carried out for direct marketing purposes. In this case, the data subject may object to the processing of his or her personal data for direct marketing purposes.

In matters relating to their complaints, Data Subjects have the right to lodge a complaint with the competent data protection supervisory authority.

Given that the Controller is not a public authority or other body performing public tasks, does not carry out regular and systematic monitoring of Data Subjects on a large scale, and does not process data relating to criminal offences, the Controller does not have a data protection officer.

7. General rules on the exercise of rights of the Data Subject:

The Controller shall inform the Data Subject of the measures taken in response to the request without undue delay, but no later than 30 days from the date of receipt of the request. If necessary, considering the complexity of the request and the number of requests submitted by the Data Subjects, this deadline may be extended by a further two months. The Controller shall inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within 30 days of receipt of the request.

The Controller shall provide the information and take the measures free of charge to the Data Subject. If the Data Subject’s request is clearly unfounded or excessive, in particular because of its repetitive nature, the Controller, considering the administrative costs of providing the requested information or communication or taking the requested action, may

a) charge a reasonable fee, or

b) refuse to act on the request.

The burden of proving that the request is clearly unfounded or excessive lies with the Controller.

If the Controller has reasonable doubts as to the identity of the natural person making the request, it may request further information necessary to confirm the identity of the Data Subject.

8. Enforcement options:

The Data Subject may contact the Controller’s representatives, Bárány Kristóf Péter, Németh Gábor, and Marton András, at any time regarding the processing of their personal data. The Controller’s representatives can be contacted at:

e-mail address: info@shopperparkplus.hu

The Controller shall respond to requests received in the manner and within the time limits specified in Section 7 of this Notice.

In the event of a violation of their rights, the Data Subject may take legal action against the Controller. The court shall hear the case as a matter of priority. The Controller shall be responsible for proving that data processing complies with the provisions of the law. The court with jurisdiction to hear the case shall be the court of first instance, which in the capital city shall be the Fővárosi Törvényszék. The case may also be brought before the court of first instance of the place of residence or domicile of the Data Subject.

In the event of a complaint regarding the processing of personal data, the Data Subject may also contact the supervisory authority at the registered office of the Controller, the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, Dr. Péterfalvi Attila, President of the National Authority for Data Protection and Freedom of Information, postal address: Budapest, Falk Miksa u. 9-11, 1055, Hungary, telephone: +36 (30) 683-5969, email: ugyfelszolgalat@naih.hu, website: www.naih.hu). The Data Subject is also entitled to lodge his or her complaint in the Member State of his or her residence, place of work or place of the alleged infringement.
