Wellis Magyarország Zrt. (registered office: 1118 Budapest, Budaörsi út 31/C., company registration number: 01-10-048882, tax number: 25584864-2-43, e-mail: [email protected], represented by: Chief Executive Officer Zolt Czafik, name and contact details of the data protection officer: Dr. Krisztián Bölcskei, available by post at the Data Controller’s registered office, by e-mail to the [email protected] address), as data controller, hereby informs you about the relevant details of data processing for sending newsletters and about other relevant facts:

Summary table of the privacy notice of data processed when sending newsletters
Purpose:regular information to the recipient (subscribed data subject) about the latest promotions, events, news of the Data Controller (and its Partners), essentially sending regular advertisements
Legal basis:Voluntary consent (Article 6 (1) a) of the GDPR and Section 6 (1) of the Advertising Act)
Data subjects:All natural persons who wish to be regularly informed about the news, promotions and discounts of the Data Controller; therefore, they subscribe to the newsletter service by providing their personal data
Source of data:data subjects
Scope of the processed dataPurposeStorage period
name*identification In active (sending) newsletter database: until the data subject unsubscribes or, if the Data Controller requests consent confirmation, the data are erased after the expiry of the deadline for providing confirmation
e-mail address*identification and sending newsletter
technical data: date of subscription* and unsubscription*subsequent evidencing
Data processor’s name:Contact details of the data processor:Task carried out by the data processor:
Pardot1.       The Landmark at One Market,2.       Suite 300,3.       San Francisco, CA 94105Phone: 1-800-667-6389storing the data of subscribed data subjects, sending newsletters, managing unsubscriptions, keeping statistics
Transfer of data:it basically does not happen, it can only take place to an authority or a court if necessary
Automated decision-making, profilingAutomated sending and automated unsubscribing, but no decision-making or profiling takes place

In connection with the data marked with *, the Data Controller draws the attention to the fact that they are essential elements of data processing, and all of them are necessary for data processing.

How does the Data Controller ensure data protection?

Within the scope of its tasks related to IT protection, the Data Controller shall in particular ensure the following:

  1. refusing access of unauthorised persons to data processing equipment (hereinafter: “data processing system”),
  2. preventing the unauthorised reading, copying, modification and removal of data carriers,
  3. preventing the unauthorised input of personal data into the data processing system and the unauthorised access, modification or erasure of personal data stored therein,
  4. preventing the use of data processing systems by unauthorised persons using data transfer equipment,
  5. that persons authorised to use the data processing system have access only to the personal data specified in the access authorisation,
  6. ensuring control and verification of which personal data were, or can be forwarded, or were made or can be made available to which recipient by using data transfer equipment,
  7. that it can be verified and established subsequently which personal data were entered into the data processing system, when and by whom
  8. preventing unauthorised reading, copying, modification or erasure of personal data upon data transfer or data carrier transportation
  9. that the data processing system can be recovered in the event of a breakdown.
  10. that the data processing system is operational, that errors in its operation are reported and that the stored personal data cannot be altered even by operating the malfunctioning system.

What rights do the data subjects have?

  1. The relationship between the data subjects’ rights and the legal basis/bases is shown in the table below to make it clear to the data subjects what rights they can exercise in the case of the legal basis used.
 Right to prior informationRight of accessRight to rectificationRight of erasureLimitationData portabilityObjectionWithdrawal of consent

Right of access (Article 15 of the GDPR)

The data subjects have the right to obtain feedback from the Data Controller as to whether or not their personal data are being processed, and if this is the case, they have the right to access the personal data and information about the circumstances of data processing. Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed about the appropriate safeguards pursuant to Article 46 relating to the transfer. The Data Controller makes a copy of the personal data – that are subject to data processing – available to the data subject if requested by the data subject.

Right to withdraw consent (Article 7 of the GDPR)

The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing that was carried out based on consent before its withdrawal.

Right to rectification (Article 16 of the GDPR)

The data subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object (Article 21 of the GDPR)

The data subjects have the right to object – at any time, on grounds relating to their particular situation – to the processing of their personal data based on Article 6 (1) e) or f) of the GDPR.

In this case, the Data Controller may not process the personal data further, unless it proves that the processing is justified by legitimate reasons which override the interests, rights and freedoms of the data subject.

Right to restrict data processing (Article 18 of the GDPR)

The data subject has the right to request the Data Controller to restrict data processing if any of the conditions specified in the GDPR is met, and in this case the Data Controller should not perform any operation on the data other than storage.

If the data subject objected to data processing; in this case, the restriction applies until it is established whether the Data Controller’s legitimate reasons override the data subject’s legitimate reasons.

Right to erasure (right to be forgotten) (Article 17 of the GDPR)

The data subjects have the right to ensure that the Data Controller erases the personal data concerning them without undue delay if the data processing has no purpose, they withdrew their consent and there is no other legal basis, in case of objection there is no overriding legitimate reason for data processing, or if the data have been processed unlawfully, furthermore the data must be erased in order to fulfill a legal obligation. Where the Data Controller has made the personal data public and is obliged to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to data portability (Article 20 of the GDPR)

The data subjects have the right to receive the personal data concerning them and made available to the Data Controller in a structured, widely used, machine-readable format as well as to transfer such data to another data controller without being hindered in this by the Data Controller to whom they provided the personal data, if the legal conditions (legal basis of automated data processing and consent or agreement) exist.

Where and how can the data subjects request detailed information on data processing and transfer, where and how can they exercise their rights?

The Data Controller draws the attention of the data subjects to the fact that they can send requests for information and they can exercise their right to access and other rights via a statement sent to the Data Controller by post (1118 Budapest, Budaörsi út 31/C) or e-mail ([email protected]) or addressed to the data protection officer. The Data Controller will examine and respond to the statement as soon as possible after receipt, and will take the necessary steps in accordance with the statement, the Internal Privacy Policy and the legal regulations.

Contact details of the authority in case of a complaint (Article 77 of the GDPR):

National Authority for Data Protection and Freedom of Information:

  • Address: 1055 Budapest, Falk Miksa utca 9-11.
  • Mailing address: 1363 Budapest, Pf. 9.
  • Phone number: +36 (1) 391-1400
  • Fax: +36 (1) 391-1410
  • www: http://www.naih.hu
  • e-mail: [email protected]

For more information on your rights and on the details of your complaint to be submitted to the authority, visit the following website: http://naih.hu/panaszuegyintezes-rendje.html.

Should the data subject rights be infringed, the data subjects may also turn to the court competent at their residence and may, inter alia, claim damages. You can find the court competent at your residence here: https://birosag.hu/birosag-kereso


The data subject may unsubscribe from the newsletter at any time at the bottom of the e-mails and by sending an unsubscription request to the [email protected] e-mail address.

You can unsubscribe from the newsletter via mail at the following address: Wellis Magyarország Zrt., 1118 Budapest, Budaörsi út 31/C,

The Data Controller revises the newsletter list every three years and requests confirmation consent to sending the newsletter after three years. The Data Controller erases from the active newsletter sending data file the data of the data subjects who fail to give the confirmation consent.

The Data Controller keeps statistics on the reading rate of the sent newsletters with the help of clicks on the links in the newsletters.

The Data Controller informs the data subjects that during sending the newsletter the Data Controller is entitled to forward not only its own, but also indirectly and directly the offers of its contracted Partners to the data subjects.

Completed: 07.02.2022.