This notice is prepared and published as required by the EU General Data Protection Regulation 2016/679 (GDPR).
Data Controller Information and Contact Details
Data Controller
Name: Enigma Finance Kft.
Activity: Financial services intermediary
Tax number: 24173760-2-41
Company registration number: 01-09-993991
Head office: 1026 Budapest, Orsó u. 47.
Contact Details
Phone: +36 30 5 484 199
Email: info@enigmafinance.hu
Website: www.enigmafinance.hu
With this statement, the data controller informs its clients and contractual partners about its data processing practices and the rights that individuals (data subjects) have regarding the protection of their personal data.
The data controller is committed to protecting the personal data of its clients and partners, placing particular importance on respecting clients' informational self-determination rights. The personal data is handled confidentially, and all necessary security, technical, and organizational measures are taken to ensure the security of the data.
Purpose of Data Processing
The Data Controller processes data for the preparation, conclusion, execution, settlement, invoicing of the service fee, and enforcement of claims arising from contracts with clients who use the financial services intermediary and its contractual partners related to its activities.
The Data Controller’s activity involves creating (or intermediating) financial services for its clients involved in domestic and international financing solutions, between the client and the financial institution or other financial enterprise providing the service, to benefit the client.
Legal Basis for Data Processing
- In the case of a contractual relationship, Article 6(1)(b) of the GDPR applies:
"Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract."
- For invoicing, data processing is based on the provisions of the Act on Accounting and the Act on the Rules of Taxation.
- For the enforcement of potential legal claims, data processing is based on Article 6(1)(f) of the GDPR, which allows processing for the legitimate interests of the data controller or a third party.
Scope of Processed Data
- Data necessary for the creation, performance, and fulfillment of the contract.
- Mandatory information for invoicing as required by the Act on Accounting.
- Data necessary for asserting legal claims.
- For making contact via the website, name and email address are required.
Recipients Authorized to Access the Data
The data may be accessed and processed by the Data Controller’s owner, employees, and authorized representatives (such as an accountant or legal representative). Additionally, the necessary personal data may be transferred to a credit institution or financial enterprise to facilitate the conclusion of a financial services contract.
Individuals lawfully authorized to access personal data must process it in accordance with the Data Controller’s instructions and legal regulations, acting within their respective roles as either data controllers or data processors. These individuals are bound by confidentiality obligations under contract or legal requirements, ensuring that they do not disclose personal data to any party without a lawful basis for processing under Article 6 of the GDPR.
Duration of Data Processing
- Documents related to financial services must be retained for 5 years.
- Issued invoices must be kept for 8 years in accordance with the Act on Accounting (Szmt.) and 5 years according to the Act on the Rules of Taxation (Árt.).
- Data processed based on a contractual legal basis may be lawfully retained for 5 years after the termination of the contract, in accordance with the limitation period provided by the Civil Code (Ptk.).
Data Security
To ensure a level of data security that corresponds to the degree of risk, the Data Controller implements appropriate technical and organizational measures, considering the nature, scope, circumstances, and purposes of data processing, as well as the varying probability and severity of risks to the rights and freedoms of Clients and Partners.
The Data Controller takes all necessary steps to ensure the security of the personal data provided by Clients, both during network communication and throughout data storage and retention.
The following organizational and security measures are applied:
1. The physical protection of documents and IT equipment containing data is ensured in a locked office.
2. Access to data managed and stored by IT tools is password-protected; access and IT operations are recorded in log files in a retrievable manner; the system is virus-protected.
3. The controller investigates the attack (incident) that caused the personal data breach and restores the lawful operation.
Visitor Data Processing on the Data Controller's Website – Use of Cookies
The website only uses so-called session cookies, which are technically necessary for the operation of the website and for which the consent of the data subject is not required.
Technical Data
Technical data refers to data that is mostly generated and recorded automatically during the operation of the Data Controller's systems. Some technical data is stored by the system without any specific declaration or action by the Data Subject and, in certain cases, is logged automatically. Technical data cannot directly identify the Data Subject; however, they can be linked to user data, thereby making identification theoretically possible. The Data Controller does not create such data links, except in cases where it is required to do so by law. Access to technical data is restricted to the Data Controller and its Data Processors.
Browser Cookie – HTTP Cookie
An HTTP cookie is a small data packet created by the server of the visited website using the client’s web browser during the first visit, provided that cookies are enabled in the browser. Cookies are stored on the user’s computer in a predefined location that varies depending on the browser type. During subsequent visits, the browser sends the stored cookie back to the web server along with various pieces of information about the client.
Cookies allow the server to identify the user, collect various information about them, and perform analyses based on this data.
Main Functions of Cookies:
- To collect information about visitors and their devices.
- To remember visitors’ individual settings, which can be used, for example, during online transactions, eliminating the need to re-enter them.
- To make website usage easier, simpler, more convenient, and smoother.
- To eliminate the need to re-enter previously provided data.
- To generally improve the user experience.
By Using Cookies, the Data Controller Carries Out Data Processing, the Main Purposes of Which Are:
- Identifying the user
- Identifying individual sessions
- Identifying the devices used for access
- Storing certain provided data
- Storing and transmitting tracking and location information
- Storing and transmitting data required for analytics
Session cookies
The purpose of these cookies is to allow visitors to browse the Enigma Finance Kft. website seamlessly, use its functions, and access its available services without interruption. These types of cookies remain valid only for the duration of the session (browsing) and are automatically deleted from the computer or any other browsing device once the browser is closed.
Third party analytics cookies
The Data Controller’s website utilizes Google Analytics cookies as third-party cookies. By using the Google Analytics statistical service, the Data Controller’s server collects information about how visitors interact with the website. This data is used to improve the website and enhance the user experience. These cookies remain on the visitor’s computer or other browsing device in their browser until they expire, or the visitor deletes them. You can learn more about Google Analytics cookies here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Disabling Cookies and Managing Cookie Settings
Accepting and enabling cookies is not mandatory. Browsers allow users to configure settings to reject all cookies or to notify them whenever a cookie is being sent. Most browsers accept cookies by default, but this setting can be changed.
Before disabling all cookies, it is important to note that some website functions or services may not work properly without them. Guides for managing cookie settings in the most commonly used browsers can be found here:
- Firefox: Firefox cookie information
- Google Chrome: Google Chrome cookie information
- Internet Explorer: Internet Explorer information
- Safari: Safari cookie information
Users can disable cookie storage by adjusting their browser settings. However, disabling cookies may come with restrictions, and some website functions may not be fully accessible.
To prevent Google from collecting and processing data related to website usage (including your IP address), you can download and install the browser add-on available at the following link: http://tools.google.com/dlpage/gaoptout?hl=hu
Data Protection Rights of Clients and Contractual Partners
In the course of its data processing activities, the Data Controller strives to act fairly, process personal data lawfully, and ensure that its data processing activities are transparent to clients.
The Data Controller also facilitates the exercise of the client's rights through the following information.
It is the responsibility of the Data Controller to demonstrate to authorities, courts, and clients that it complies with the Regulation (the principle of accountability).
The client may request information at any time about the data collected about them, the circumstances of the data processing, and may request the deletion of the name and email address provided for contact purposes on the website if no other legal grounds (such as a contract or its preparation) exist for the processing of personal data. If the data is deleted, the previous data processing will be considered lawful.
The client may object to the processing of their data if they believe it is not being processed lawfully. The data subject may request the correction, deletion, or destruction of their personal data if the conditions are met and may exercise other rights against the data controller.
The Data Controller will inform the client of the actions taken in response to the request without undue delay, but no later than within one month. This deadline may be extended by two additional months under the conditions outlined in the Regulation, and the client must be notified of this extension.
If the Data Controller takes no action, it must justify the refusal of the request. The client may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) and exercise their right to judicial remedy.
The information and actions are free of charge, but a fee may be charged in cases specified in the Regulation.
The Data Controller will inform all recipients with whom personal data has been shared of any rectifications, deletions, or restrictions on data processing, unless it proves impossible or would require disproportionate effort.
The data protection rights of Clients are listed in detail as follows:
- Transparent information, communication, and the facilitation of the exercise of the rights of the data subjects.
- Right to prior information.
- Right of access by the data subject.
- Right to rectification.
- Right to erasure (right to be forgotten).
- Right to restriction of processing.
- Notification obligation related to rectification, erasure, or restriction of processing.
- Right to data portability.
- Right to object.
- Automated decision-making, including profiling.
- Restrictions.
- Right to be informed about a data protection breach.
- Right to lodge a complaint with a supervisory authority.
- Right to an effective judicial remedy against a supervisory authority.
- Right to an effective judicial remedy against the controller or processor.
Users' data protection rights are set out in detail as follows:
- Providing transparent information, communication and facilitating the exercise of Clients' rights.
The Client has the right to receive information about facts and details related to data processing before the processing begins.
The Data Controller undertakes to provide all necessary information regarding the processing of personal data in a clear and easily accessible manner at the Client's request (especially for any information addressed to children). The information must be provided in writing, either in a letter on paper or via email. Upon request, verbal information may also be given, provided that identity verification is ensured.
The detailed rules can be found in Article 12 of the Regulation.
- Right to prior information.
The Client has the right to receive information about facts and details related to data processing before the processing begins.
As part of this, the Data Controller informs the Client through this notice about:
- the identity and contact details of the data controller and its representative,
- the contact details of the data protection officer (if applicable),
- the purpose of the intended processing of personal data and the legal basis for the processing,
- in the case of data processing based on legitimate interest, the legitimate interests of the data controller or a third party,
- the recipients of personal data – those to whom the personal data is disclosed – and the categories of recipients, if applicable,
- where relevant, the fact that the data controller intends to transfer personal data to a third country or an international organization,
- as well as the Client’s right to data portability.
The Client may request the Data Controller to grant access to, rectify, delete, or restrict the processing of personal data concerning them and may object to such processing. If data processing is based on the Client’s consent, the consent may be withdrawn at any time without justification, without affecting the lawfulness of the data processing carried out based on consent before its withdrawal.
By providing this notice, the Data Controller informs the Client whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract and whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing such data.
The Data Controller does not engage in automated decision-making or profiling.
If the Data Controller intends to process personal data for a purpose other than the original purpose of collection, the Users must be informed in advance about this different purpose and all relevant additional information.
The detailed rules regarding the right to prior information are contained in Article 13 of the Regulation. The Data Controller only processes data provided by the Client.
- Right of access by the data subject.
The Client has the right to receive confirmation from the Data Controller as to whether their personal data is being processed. If such data processing is in progress, the Client is entitled to access the personal data and the related information specified in the previous section. (Article 15 of the Regulation).
The Data Controller does not transfer personal data to a third country or an international organization.
Upon request, the Data Controller will provide the Client with a copy of the personal data being processed. For any additional copies requested by the Client, the Data Controller may charge a reasonable fee based on administrative costs.
The detailed rules regarding the Client’s right of access are set out in Article 15 of the Regulation.
- Right to rectification.
Upon the Client’s request, the Data Controller shall rectify any inaccurate personal data concerning them without undue delay. Considering the purpose of the data processing, the Client is entitled to request the completion of incomplete personal data. These rules are set out in Article 16 of the Regulation.
- Right to erasure (right to be forgotten).
Upon the Client’s request, the Data Controller shall delete the personal data concerning them without undue delay if:
- the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
- the Client withdraws their consent, which served as the basis for the data processing, and there is no other legal basis for the processing;
- the Client objects to the processing, and there is no overriding legitimate reason for the processing;
- the personal data has been processed unlawfully;
- the personal data must be deleted to comply with a legal obligation under EU or Member State law applicable to the Data Controller;
- the personal data was collected in connection with the provision of information society services directly to a child.
The right to erasure cannot be exercised in cases covered by the exceptions set out in Article 17 of the Regulation.
The right to be forgotten means that when personal data has been made public or shared with other recipients, its deletion must be ensured by informing all additional data controllers to whom the Data Controller has disclosed the personal data of the obligation to delete it.
- Right to restriction of processing.
In the case of a restriction on data processing, such personal data may only be processed - except for storage - with the Client’s consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for important public interest of the EU or a Member State.
The Client has the right to request that the Data Controller restrict data processing if any of the following conditions are met:
- The Client disputes the accuracy of the personal data; in this case, the restriction applies for the period necessary for the Data Controller to verify the accuracy of the personal data.
- The data processing is unlawful, and the Client opposes the deletion of the data and instead requests a restriction on its use.
- The Data Controller no longer needs the personal data for processing purposes, but the Client requires it for the establishment, exercise, or defense of legal claims.
- The Client has objected to data processing; in this case, the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the Client.
The Client must be informed in advance before the restriction on data processing is lifted.
The relevant rules are set out in Article 18 of the Regulation.
- Right to data portability.
Under the conditions set out in the Regulation, the Client has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format. Furthermore, the Client has the right to transfer these data to another data controller without being hindered by the data controller to whom the personal data were originally given, provided that:
- the data processing is based on consent or a contract; and
- the data processing is carried out by automated means.
The Client may also request the direct transfer of personal data between data controllers.
The exercise of the right to data portability shall not infringe on the right to erasure (the right to be forgotten).
The detailed rules are set out in Article 20 of the Regulation.
- Right to object.
The Client has the right to object to the processing of their personal data. In such a case, the data controller may no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing that override the Client’s interests, rights, and freedoms, or that relate to the establishment, exercise, or defense of legal claims. The Data Controller does not engage in direct marketing; therefore, data processing on this basis does not occur.
- Informing the Client of the data breach
If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must inform the data subject about the data breach without undue delay.
The detailed rules are set out in Article 34 of the Regulation.
- The Client may lodge a complaint with the supervisory authority in the event of alleged or actual harm in the context of data processing.
Name, address and contact details of the authority:
National Authority for Data Protection and Freedom of Information (NAIH) 9-11 Falk Miksa Str., 1055 Budapest
www.naih.hu
E-mail: ugyfelszolgalat@naih.hu
Address for correspondence: 1363 Budapest, Pf: 9.
Tel: +36/30 683-5969, +36/30 549-6838, +36/1 391 1400
The NAIH is required to inform the Client about procedural developments and the outcome of their complaint, including the Client's right to seek judicial remedy.
- Right to an effective judicial remedy against a supervisory authority.
The complainant has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them. Every affected individual is also entitled to an effective judicial remedy if the competent supervisory authority does not handle their complaint or fails to inform them within three months about the procedural developments or the outcome of their submitted complaint.
These rules are set out in Article 78 of the Regulation.
- Right to an effective judicial remedy against the controller or processor.
Every Client has the right to an effective judicial remedy if they believe that the processing of their personal data does not comply with this Regulation and has consequently violated their rights under the Regulation.
These rules are set out in Article 79 of the Regulation.
By publishing this notice on its website, the Data Controller also fulfills its information obligation as required under Section 4 of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.