Effective from 25 May 2018

The Garba-Royal Kft. (Headquarters: 1041 Budapest, Árpád út 39-43, VAT number: 13216841-2-41, hereinafter referred to as Data Manager) hereby informs the partners of the contractual customer about the treatment of the contact person’s personal data by the Data Manager, based on Regulation No 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation (hereinafter referred to as GDPR).

This Privacy Statement is an integral part of and an annex to the contract between the Data Manager and the client Partner.

The client partner is obliged to provide this data management prospectus to the contractual contact person and to justify it to the Data Manager.

1. What kinds of contact person’s personal data do we treat, how long do we handle them, what do we use them for and with what kind of authorization?

The legal basis of our data management is as follows:

(a) according to the Article 6 (1) (f) of the GDPR, data processing is necessary to enforce the legitimate interests of the data manager or of a third party.

The data manager and the contracted client partner have a common legitimate interest in handling the contact data as it is necessary to perform the contract between the Data Controller and the Contractor to be contracted, to send the Contractor a notification in connection with the Contract concluded. Only the absolutely necessary data of the contact person are handled by the Data Manager, so the fundamental rights and freedoms of the contact person shall not be affected by the data handling nor shall they take precedence over the legitimate interests of the data controller and the contracted partner.

The legal basis for data handling is defined below for each data category and data management purpose.

Treated data category Source of Data Purpose of data treatment Legal basis of data treatment Period of storage time, date of deletion

phone number

e-mail address


Contracted partner Contact

Performing a contract

Claim and enforcement


GDPR Article 6 (1)(f):

Legitimate interest

If the data are in the contract: 8 years from the date of termination of the contract.

If the data are not included in the contract: 5 years from the termination of the contract.

2. Who manages the contractual personal data, and who can access them?

2.1. The Data Manager

The data controller for personal data specified in point 1 is Garba-Royal Kft., whose contact details and company data are as follows:

Garba-Royal Kft.

Registered office: 1041 Budapest, Árpád út 39-43

BRN: 01-09-724111

VAT number: 13216841-2-41

Represented by: Managing Director Balázs Garami, contact details: office and telephone contact

Phone: + 36-1-444-9-554

E-mail address:


For the part of the Data manager, the data management employees have access to the data from the circle that is absolutely necessary to perform their work. The access rights to your personal data are recorded in strict internal policies. We use different businesses for managing and storing contact data with whom we have contracted a data processing contract. The following data processors are processing personal data:

2.2. Data processors

Data processor’s name and address Purpose of data processing Scope of data covered by data processing
TOPdesk Magyarország Kft. (1056 Budapest, Váci utca 81. 6. em., BRN: 01-09-912570, VAT number: 14628111241) Helpdesk system service Data listed under point 1


DoclerNet Hosting Kft. (1101 Budapest, Expo tér 5-7, BRN: 01-09-186097, VAT number: 24855608242) Server rental, server hosting Data listed under point 1


Rebell Telecommunication Zrt.

(2483 Gárdony, Vörösmarty utca 68, BRN: 07-10-001471, VAT number: 25770308207)

Telecommunication solutions Data listed under point 1


GLS General Logistics Systems Hungary Kft. (2351 Alsónémedi, GLS Europa utca 2, BRN: 13-09-111755, VAT number: 12369410244) Courier services Data listed under point 1


SICONTACT Kft. (1106 Budapest, Örs vezér tere 25/C 4. em., BRN: 01-09-714199, VAT number: 13004688242) Virus protection solutions Data listed under point 1 Kft. (1097 Budapest, Gyáli út 48, BRN: 01-09-917341, VAT number: 14734632243) Virus protection and other cloud based solutions Data listed under point 1


PROFITOUR Kft. (1137 Budapest, Szent István krt.18. fszt. 3/a, BRN: 01-09-265422, VAT number: 10860434241) Accounting and financial services Data listed under point 1


3. Who is the data controller’s Data Protection Officer and what are his/her contact details?

No Data Protection Officer was appointed for Data Controller in accordance with the requirements of the GDPR Regulation.

4. Who do we transfer the personal data to?

The personal data of the contact persons shall not be transmitted by the Data Controller to a third country party to the GDPR which is not part of the GDPR Regulation, but only to the data processors mentioned in section 2.2, as detailed therein.

5. What are the rights of the contact persons when managing your personal data and how do we ensure that they are exercised?

a) Right of Access: You can request information about what data we handle, for what purpose, how long, to whom it is to be transferred, where the data we are handling come from.

In the context of a request for information on access rights, we inform you that data treated solely on paper, where personal data of other persons are included, cannot be copied in accordance with Article 15 (3) and (4) of GDPR, because of their getting to a third party is a violation of the privacy and personal rights of those persons.

If the exercise of the right of access and the unjustified or repetitive nature of such an application are exaggerated (an overly informative request for more than 2 requests per calendar year is considered to be excessive for the same data area), and for each additional copy we charge an administrative fee of HUF 10,000 + VAT / occasion.

b) Right to Make Corrections: if your data change or are incorrectly recorded, you may request their rectification, correction, refinement.

c) Right of Cancellation: in the cases specified by law, you may request that we delete the data we manage.

d) Right to Restrict Data Processing: in the cases specified by law, you may request that data management be restricted.

e) Right to Objection: you may object to a legitimate interest in handling your data, in which case your data will not be handled further.

f) Right to Data Carrying: You may ask for carrying your data, so applying for your right you can request the disclosure of your data defined by the law or, if so requested and authorized by you, their handing over to any other provider designated by you, as far as it is technically possible. You can submit your requests electronically by e-mail to our Customer Service e-mail address ( or by postal mail sent to the Head Office of the Data Handler. If you submit such a request, we will act as specified in the law and inform you within one month of what measures we have taken based on your request.

g) Right to Withdraw Contribution: whenever your data are handled on the basis of your consent, you have the right to revoke it at any time, which does not affect the legitimacy of our data management prior to your consent being revoked. You can withdraw your consent electronically by e-mail sent to our customer service e-mail address ( or by postal mail sent to the Head Office.

h) Complaints law: If you suffered injury with regard to our data handling, you have the right to lodge a complaint with the competent supervisory authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság (National Privacy and Freedom Authority)


Postal address: 1530 Budapest, Pf .: 5.


Phone number: +36 (1) 391-1400

In addition, you may initiate an action against the Data Controller in the event of violation of personal data.

6. How do we ensure your data security?

6.1. Data security in IT infrastructure

Personal data are stored on servers and clouds hired by us, as well as on the hard drives of the company’s computers, which can only be accessed by a very limited number of personnel, employees, under strict eligibility rules.

Data, documents stored in the document management system are encrypted, access is only possible with password and permissions. The data on the internal IT network are also encrypted. Data on corporate mobile devices are only stored on encrypted storage. Our local machines are encrypted, local hard drive can only be unlocked with a password.

Access usernames and passwords are stored in a password safe or in another similarly secure way.

Our servers are located in professional server parks, in strictly guarded server rooms, where water, fire and intrusion protection is provided.

Our IT systems are tested and verified from time to time, repeatedly and regularly, to ensure and maintain data and IT security.

User workstations are password protected or fingerprinted and can only be used after successful authentication.

The system is protected against systematic and continuous malicious software covering all the system and system components of the Service Provider.

When designing and operating programs, applications and tools, we handle security features in a special and separate way.

The protection of data security (such as passwords, privileges, logs) is ensured when allocating access privileges.


The data are backed up daily and stored for 30 days. Our servers are redundant and represent a full backup. Backups can only be accessed by a narrow circle of entitled persons.

6.2. Data security in communication

Taking into account the transmission of messages and files transmitted electronically, we ensure the integrity of data for both the (communication) controller and the user data in order to meet the requirement of secure data exchange. We use fault-detecting and corrective procedures to avoid data loss and damage.

The protection we use will detect the occurrence of unauthorized modification, interception and repetition. Data loss and damage are prevented by error-detecting and corrective procedures and we ensure that non-negligence is guaranteed.

In the network used for data transfer, we ensure the security level to prevent illegal connections and interception.

6.3. Data security during records management

We also adhere to the data security requirements recorded in the regulation on the treatment of documents. The records are handled according to the eligibility levels specified in writing, according to the security standards applied to the confidentiality of each document. We have detailed and strict rules regarding the destruction, storage and publication of documents.

6.4. Physical data security

In order to create physical security, we ensure the proper closure and protection of our doors and windows, we apply strict visitor and entry requirements for visitors.

Paper-based documents containing personal data are placed in a closed cabinet with fire and property protection, which only specific personnel, having authority to handle them, can have access to.

Rooms for storing media devices have been designed to provide sufficient security against unauthorized or violent intrusion, fire or natural disasters. Data media used to transfer and save data, as well as to archive them, can only be stored in a reliably closed location.

7. What do we do if a privacy incident occurs at our site?

According to the law, we report the data protection incident to the supervisory authority within 72 hours of knowledge acquisition and we also keep records of data privacy incidents. In the cases defined by the law, we also inform the users concerned and proceed according to our incident management policy.

8. When and how do we modify this privacy statement?

If the scope of the data processed and other circumstances of the data management change, this Privacy Statement will be modified and published within 30 days in accordance with GDPRs at Please always read carefully the changes to the Privacy Policy as it may contain important information on how to handle your personal information.

Budapest, 15 May 2018