Privacy Policy

Data Processing Notice for Contractual Partners

1. Preamble

The purpose of this notice is to properly inform data subjects about the data processing activities carried out by the data controller.

The Data Controller informs data subjects that, in the course of its data processing activities, it complies with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR"), as well as with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: "Information Act").

2. Details of the Data Controller

Name: Duna Aszfalt Zrt.
Registered seat/postal address: 6060 Tiszakécske, Béke u. 150., Hungary
E-mail address: adatvedelem@dunaaszfalt.hu
Website: www.dunaaszfalt.hu

3. Scope of Personal Data Processed, Purpose and Legal Basis of Processing

The Data Controller processes the following personal data relating to its contractual partners and their contractual employees, authorized representatives, and agents:

  • name, electronic contact details (e-mail, telephone number, fax) and postal address;
  • position/title;
  • chamber registration number or other registration numbers, where applicable, and the related identifiers.

The Data Controller sets out, in the table below, the purpose and legal basis of the data processing activities it carries out, as well as the retention period of the processing.

Data Processing Activity Purpose of Processing Legal Basis of Processing Retention Period
Personal data relating to the contractual partner, provided by the contractual partner. Performance of contracts concluded with contractual partners, and enforcement of claims arising therefrom. Processing necessary for the performance of a contract, GDPR Article 6(1)(b). A minimum of 5 years, but no later than the final deadline for enforceability of claims arising from the contract.
Personal data relating to the employees, authorized representatives and agents of contractual partners, provided by the contractual partners. Performance of contracts concluded with contractual partners, maintaining contact, and enforcement of claims arising from the contract. Processing based on legitimate interest1, GDPR Article 6(1)(f). A minimum of 5 years, but no later than the final deadline for enforceability of claims arising from the contract.
Identification data provided by contractual partners. Performance of activities necessary for compliance with legal obligations (e.g. bookkeeping, tax-related activities). Processing necessary for compliance with a legal obligation, GDPR Article 6(1)(c). Accounting documents and records: 8 years; other documents: no later than the final deadline for enforceability of claims arising from the contract.

4. Data Transfers (Recipients of Personal Data)

The Data Controller transfers the personal data of data subjects to the following recipients:

  • contractual partners and other companies belonging to the corporate group;
  • companies providing postal and parcel delivery services;
  • public authorities, in order to comply with reporting and disclosure obligations arising from law;
  • data processors.

The legal basis and purpose of the data transfers are set out in the table below:

Data Processing Activity Purpose of Processing Legal Basis of Processing
Data transfer to contractual partners and within the corporate group. Performance of contracts concluded with contractual partners, and enforcement of claims arising therefrom. Processing based on legitimate interest2, GDPR Article 6(1)(f).
Data transfer to organizations providing postal and parcel delivery services. Cooperative communication and the proper exercise of rights arising from the contract, in the course of contract performance. Processing necessary for the performance of a contract, GDPR Article 6(1)(b).
Data transfer required to comply with reporting and disclosure obligations arising from law. Performance of activities necessary for compliance with legal obligations (e.g. bookkeeping, tax matters, law enforcement activities). Processing necessary for compliance with a legal obligation, GDPR Article 6(1)(c).
Data transfer to a company carrying out data processing activities. Execution and performance of data processing within the purposes and system established by the Data Controller. Processing necessary for the performance of a contract, GDPR Article 6(1)(b).
Transfer to an independent insurance broker experienced in claims matters. Obtaining insurance expert opinions in connection with damage events arising during construction activities. Processing based on legitimate interest3, GDPR Article 6(1)(f).

In connection with data transfers to contractual partners and within the corporate group, data is transferred to companies that participate, as contracting partners (e.g. consortium partner, developer, etc.), in the construction activities of a given project and cooperate in the implementation under the relevant contract.

In connection with data transfers to organizations providing postal and parcel delivery services, data is transferred primarily to Magyar Posta (the Hungarian national postal service) and, secondarily, to other parcel delivery organizations.

In connection with the fulfilment of reporting and disclosure obligations arising from law, public authorities are those organizations that carry out public administrative functions in the performance of their statutory duties. Such organizations include, without limitation, local and central tax authorities, social security bodies, and other supervisory authorities and organizations.

The independent insurance broker experienced in claims matters is the person who mediates between the insurance companies and our company, as the insured party, in establishing the legitimacy of a claim for damages.

Data processing activities are carried out on our company's behalf by the company or companies engaged for this purpose, on the basis of a contractual agreement concluded between our company and the data processor.

Pursuant to Article 13(1)(f) of the GDPR, the Data Controller informs data subjects that it does not transfer the personal data it processes to any data controller located in a third country or to any international organization.

5. Rights of Data Subjects

Data subjects are informed that they may request access to the personal data concerning them, as well as its rectification, erasure, or restriction of processing, and may also exercise their right to data portability.

The content of these rights is described to data subjects as follows:

  • Right of access/right to information: the data subject is entitled to request information from the Data Controller regarding the scope of personal data processed and the manner of processing.
  • Right to data portability: the data subject may request to receive the data concerning them, which they have provided, in a structured, commonly used, machine-readable format, and is entitled to transmit that data to another data controller without hindrance from the original data controller.
  • Right to rectification: the data subject may indicate that the processed data is inaccurate and request that it be corrected.
  • Right to erasure ("right to be forgotten"): the data subject may request the erasure of their data at any time, as well as the removal of traces of the processing. If the Data Controller has made the data to be erased available to third parties, it must inform all those to whom the data subject's data was disclosed that they should delete any reference to it and any personal data stored by them.
  • Right to restriction of processing: in certain cases, the data subject may request the restriction of the processing of their personal data — for example, in an unresolved legal dispute, or where the processing is no longer necessary but the data subject still wishes the data to be retained. In such cases, the personal data may only be stored. In the event of restriction of processing, the Data Controller must also ensure that all recipients to whom the personal data was disclosed are notified accordingly.

If a data subject wishes to exercise their rights, they may contact our colleague at any of the contact details provided in Section 1 of this notice. Requests submitted electronically or in paper form will be examined without undue delay, and the data subject will be informed of the measures taken no later than one month following receipt of the request. Where the request is complex or additional information or measures are required to comply with it, this deadline may be extended by a further two months.

If a data subject disagrees with any data processing activity carried out by the Data Controller, they may lodge a complaint with the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), at the following contact details: address: 1055 Budapest, Falk Miksa utca 9-11, Hungary; postal address: 1363 Budapest, Pf.: 9, Hungary; e-mail: ugyfelszolgalat@naih.hu; telephone: +36 (1) 391-1400. In addition, the data subject has the right to bring a claim before the competent court in order to enforce their rights relating to their personal data.


1 The legitimate interest assessment test required to identify the legitimate interest relating to the personal data of the employees, authorized representatives and agents of contractual partners is contained in the annex to our Data Protection Policy.
2 The legitimate interest assessment test required to identify the legitimate interest relating to data transfers within the corporate group is contained in the annex to our Data Protection Policy.
3 The legitimate interest assessment test required to identify the legitimate interest relating to claims for damages is contained in the annex to our Data Protection Policy.

Date of issue: 5 October 2020

magnifiercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram